AuditXYZ

Personal Data Protection Act B.E. 2562 (2019) (Thailand)

Thailand's PDPA is a comprehensive data protection law modeled on the GDPR, establishing consent requirements, data subject rights, breach notification obligations, and cross-border transfer restrictions for organizations processing personal data in Thailand.

Issuing Body: National Legislative Assembly of Thailand / Personal Data Protection Committee (PDPC)
First Published: 2019-05-27
Latest Version: 2019 (fully enforced June 1, 2022)
Typical Cost: $5,000–$70,000
Typical Timeline: 3–9 months
Audit Required: No
Audit Frequency: No mandatory external audit. The PDPC may investigate complaints. Data controllers must maintain records of processing activities.
Geography: Thailand

PDPA Thailand: The Complete Guide

Thailand's Personal Data Protection Act, published in the Royal Gazette on May 27, 2019 and fully enforceable since June 1, 2022 after two postponements, is the country's first comprehensive data protection law. Heavily influenced by the GDPR, the PDPA establishes a framework for protecting personal data collected, used, or disclosed by organizations operating in Thailand or by organizations abroad that target data subjects in Thailand.

What the PDPA Covers

The PDPA treats consent as the default basis for processing personal data and recognizes six exceptions under which processing may proceed without it: preparation of historical archives or research and statistics with appropriate safeguards, vital interests, contract performance, a task carried out in the public interest or the exercise of official authority, legitimate interests (where they do not override the data subject's fundamental rights), and compliance with a legal obligation. Consent must be freely given, specific, informed, presented separately from other terms, and may be withdrawn at any time as easily as it was given.

Sensitive personal data, which under the Act includes racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union membership, genetic data, and biometric data, requires explicit consent for processing, except in limited circumstances such as vital interests where the data subject cannot consent, legal claims, substantial public interest, or activities of non-profit bodies in respect of their members.

Data subjects are granted comprehensive rights including the right to access, rectification, erasure, restriction, data portability, and the right to object. Controllers must act on an access request without delay and within 30 days of receipt. The law also requires controllers to notify the PDPC of a personal data breach without delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where the breach is likely to result in a high risk, the affected data subjects must be notified as well.

Who Needs to Comply

The PDPA applies to data controllers and processors that collect, use, or disclose personal data in Thailand, regardless of whether the processing occurs within the country. It also applies extraterritorially to organizations outside Thailand that offer goods or services to individuals in Thailand or monitor their behavior.

Certain activities are exempted from the Act or from parts of it, including processing for purely personal or household purposes, state agencies whose duties concern national security, public safety, or law enforcement, mass media and artistic or literary activities, the legislature and its committees, the courts in the course of adjudication, and licensed credit bureaus. Organizations relying on an exemption should document which provision covers them, since the data security obligations still apply to several of these categories.

Enforcement and Penalties

The PDPA establishes administrative, criminal, and civil liability. Administrative fines, imposed by the Expert Committee, reach up to 5 million Thai Baht (approximately $140,000) per violation. Criminal penalties for unlawful use or disclosure of sensitive personal data include imprisonment of up to one year and fines of up to 1 million Baht, with directors and managers potentially liable where the offense results from their orders or omissions. Data subjects may also claim civil damages, and a court may award punitive damages of up to twice the actual damages suffered.

Practical Compliance Steps

  1. Lawful basis assessment — Inventory every processing activity and document the legal basis (consent or one of the statutory exceptions) relied on for each
  2. Consent management — Implement mechanisms for obtaining, recording, and withdrawing consent, with separate, explicit consent captured for sensitive personal data
  3. Data subject rights — Build intake and response workflows that meet the 30-day deadline for access requests and log each request and its outcome
  4. DPO appointment — Designate a Data Protection Officer where the Act requires it: public authorities, core activities involving large-scale regular monitoring of data subjects, or core activities involving sensitive personal data
  5. Cross-border transfers — Transfer personal data abroad only to destinations the PDPC deems to have adequate protection or under a recognized safeguard such as the data subject's explicit consent, contractual necessity, or approved binding corporate rules within a group
  6. Records of processing — Maintain written or electronic records of processing activities, covering the data collected, purposes, retention periods, access controls, and any refusals of data subject requests, available for inspection by the PDPC
