The Personal Data Protection Act BE 2562 (2019) (PDPA) is the primary law regulating the processing of personal data in Thailand. Similar to other jurisdictions, “personal data” in Thailand is defined as any data that, by itself or in combination with other data, can be traced back to an individual, excluding the data of deceased persons.

The PDPA focuses on the protection of data subjects whose personal data is processed – including by collection, storage, use, disclosure, etc – regardless of the original source of such personal data. Entities that make decisions and process personal data (known as “Personal Data Controllers” or “controllers” under the PDPA) are required to have a lawful basis for processing any personal data and to maintain proper security measures to prevent any loss, unauthorised access, use or disclosure of personal data. These requirements also apply to service providers who process personal data as instructed by or on behalf of a controller (known as “Personal Data Processors” or “processors” under the PDPA).

The PDPA, which is mainly based on the General Data Protection Regulation (GDPR) of the European Union (EU), has created obligations on the private sector and government (ie, both Personal Data Controllers and Personal Data Processors) regardless of the mode of processing (ie, both automated and non-automated processing), especially regarding burden of proof.

The PDPA itself applies to most activities, with certain exemptions such as:

• household activities;
• the operation of public authority for public safety; and
• media and fine arts activities that are in accordance with professional ethics.

For businesses regulated by specific supervisory authorities (such as banks and insurance businesses), the PDPA allows those supervisory authorities to issue the standard form or guideline for their operators to follow.

The Personal Data Protection Committee (PDPC) is a supervising authority under the PDPA, while the PDPA established the Office of the PDPC to support the PDPC in developing and facilitating enforcement. Under the PDPA, the PDPC shall have several duties, such as:

• providing a master plan of operation for the promotion and protection of personal data;
• promoting and supporting government agencies and private sectors in order to conduct evaluation of the operational results of such master plan;
• determining measures or guidelines of the operation in relation to data protection, in order to comply with the PDPA;
• issuing notifications or rules for the execution of the PDPA; and
• providing advice or consultancy for any persons.

In addition, the PDPC shall appoint expert committees to consider any complaints under the PDPA, including investigating any act in connection with personal data, settling disputes and carrying out any act assigned by the PDPC.

As mentioned in 1.2 Regulators, the expert committee will consider and investigate any complaints on behalf of the PDPC in accordance with the PDPC’s rules. If any complaint does not comply with such rules, the expert committee shall not accept such complaint for consideration.

If the expert committee’s consideration or investigation finds that such complaint can be settled, and if the relevant parties are willing to settle, the expert committee must proceed with the dispute settlement before issuance of any order mandating the operator (either the controller or processor) to perform or rectify their act, or prohibiting the operator from carrying out an act that would cause damage to the data subject.

If the operator does not then comply with the expert committee’s order, the administrative procedure will be applied (including the power to order seizure, attachment and sale by auction as allowed by law). The expert committee’s order shall be final. Any party may appeal such order in accordance with the administrative procedure within 15 days after receiving such order.

In this regard, a PDPC Notification on Administrative Penalties relates to the enforcement of administrative penalties and sets out the criteria for how administrative penalties (as determined by the expert committee) are used. The expert committee will consider and apply administrative penalties to a controller or processor based on the level of seriousness of such offence. Offences are separated into two groups: serious and non-serious offences. Under the Notification on Administrative Penalties, the expert committee is empowered to levy administrative penalties as follows.

Serious Offences

The expert committee can impose administrative fines on a controller and/or processor. In addition, administrative fines can be imposed on offenders who fail to comply with an order from the expert committee to remedy a violation. Such orders include remedying, stopping, suspending or seizing related processing activities.

Non-Serious Offences

The expert committee may issue orders to remedy, stop, suspend or seize related processing activities, or it may carry out any other acts to stop/minimise the damage within a specific time.

On 21 August 2024, the expert committee issued a maximum administrative fine of THB7 million to a major online retail company in Thailand for failing to protect personal data, as required by the PDPA. The company had collected data from over 100,000 customers but did not appoint a data protection officer (DPO) or implement adequate security measures, leading to data leaks to call centre scams. Additionally, the company failed to report the data breach promptly, violating several provisions of the PDPA. The expert committee ordered the company to improve its security measures, arrange for staff training and report all remedy measures back to the Office of the PDPC. This case marks the first major administrative fine imposed under the PDPA, highlighting the government’s commitment to enforcing data protection laws and enhancing public trust in online transactions and government projects that require personal data for identity verification.

Thailand has introduced the Draft Royal Decree on Business Operations that Use Artificial Intelligence Systems (the “Draft Royal Decree”), influenced by the EU AI Act, for public hearings in 2022 to regulate AI based on risk levels. The Draft Royal Decree mandates that providers of high-risk AI systems implement various measures, such as a risk management system, data governance, record-keeping and cybersecurity measures. Apart from the controlling side, Thailand has also introduced the Draft Act on Promotion and Support for Artificial Intelligence to enhance AI development through regulatory sandboxes and support from relevant authorities. These draft regulations aim to build trust in AI systems along with ensuring the protection of personal data by enforcing stringent data protection measures and compliance requirements. Unfortunately, since these drafts are still under development by the responsible authorities, the current safeguards for the protection of personal data in the context of AI systems will be governed by the provisions of the PDPA. This existing legal framework will continue to protect personal data until the AI-specific regulations are finalised and enacted, thereby ensuring a seamless transition to more specialised AI data protection standards.

Implementation of the primary concept of AI regulation in Thailand derived from the Draft Royal Decree, as mentioned in 1.5 AI Regulation, will significantly impact data protection in relation to AI systems by imposing strict requirements on AI system providers to ensure data security and transparency. The regulations will mandate comprehensive data governance and risk management practices, aligning with the PDPA to safeguard personal data. The authors believe that the regulations will complement the PDPA in the future to ensure that AI systems will be developed and deployed responsibly while protecting individuals’ data privacy.

As described in 1.3 Enforcement Proceedings and Fines, the PDPA provides the expert committee with an enforcement power to issue an administrative order for addressing any misconduct under the PDPA. However, most cases have been discharged or have ceased at the expert committee stage, and there are no court cases regarding personal data that are publicly available in Thailand.

In addition to the powers of the expert committee, the PDPA covers three types of liabilities:

• criminal liabilities;
• administrative liabilities; and
• civil liabilities.

For criminal liabilities, the authority may pursue a criminal case against any commercial operator who has breached the PDPA. Any use or disclosure of sensitive data without consent, and which has caused damage to the data subject, carries penalties of imprisonment of up to six months, a fine of up to THB500,000 or both. However, any use or disclosure, if undertaken for undue benefit of the commercial operator, will double the above-stated maximum imprisonment duration and fine amount. In this regard, the relevant director or manager of the juristic person may be subject to the same penalties as the juristic person.

As described in 1.3 Enforcement Proceedings and Fines, the PDPC Notification on Administrative Penalties governs the enforcement and criteria relating to administrative liabilities.

For civil liabilities, a damaged data subject may bring a civil suit against a controller and/or processor who has wronged them. The PDPA expressly allows the court to award punitive damages, which is generally rare in Thailand, and such damages shall not exceed two times the actual damages (if the court believes the breach is severe). As this civil liability is based on tort law and privacy cases often involve more than one impacted data subject, class actions are allowed for privacy cases.

As described in 1.3 Enforcement Proceedings and Fines and 2.1 General Overview, there have been no significant litigation cases in privacy or data protection law in Thailand, as most cases tend to be resolved at the expert committee level.

In Thailand, the concept of collective redress exists within the legal framework, commonly referred to as a “class action”. However, its application and procedures remain limited and are still evolving. Victims of data protection violations are entitled to file a case against offenders through the class action mechanism, as data protection breaches typically fall under tort claims. In practice, for high-profile cases (affecting many individuals), the Office of the PDPC often encourages victims to provide their information before initiating an investigation and taking appropriate action.

There are no specific regulations concerning the use of internet of things (IoT) services in Thailand. The providers of IoT services shall be deemed as controllers or processors under the PDPA, depending on whether such service providers are determining the processing activities and fall under the provisions of the PDPA. The role obligations are as follows.

Controllers

Controllers must:

• provide appropriate security measures for preventing the unauthorised or unlawful loss, access to, use, alteration, correction or disclosure of personal data;
• in a circumstance where personal data is disclosed to other persons, take action to prevent such person from using or disclosing such personal data unlawfully or without authorisation;
• establish a system to erase or destroy personal data when the retention period ends, the data becomes irrelevant or is beyond the purpose for which it has been collected or the data subject puts in a request or withdraws consent, except when the data is needed in relation to freedom of expression, legal claims or compliance with the law; and
• notify the Office of the PDPC of any personal data breach.

Processors

Processors must:

• carry out the processing of personal data only pursuant to the instruction given by the controllers, except where such instruction violates any laws or any provisions in the PDPA;
• provide appropriate security measures for preventing unauthorised or unlawful loss, access to, use, alteration, correction or disclosure of personal data; and
• notify the controller of personal data breaches.

As mentioned in 3.1 Objectives and Scope of Data Regulation, there are no specific regulations concerning the use of IoT services or data processing services in Thailand; only general PDPA provisions shall be applied.

Concerning rights and obligations under applicable data regulation, please see 3.1 Objectives and Scope of Data Regulation.

Concerning regulators and enforcement, please see 1.2 Regulators and 1.3 Enforcement Proceedings and Fines.

Currently, there is no specific legislation in Thailand that regulates the use of cookies, but as the use of cookies is considered to fall under the processing of personal data, it shall also fall under the principles of the PDPA as follows:

• strictly necessary cookies or essential cookies are required for the basic functioning of a website, and explicit consent is not required as they can be used on a contractual basis;
• performance and functional cookies are used to enhance user experience and improve website performance, and explicit consent from users is required prior to the use of such cookies; and
• targeting and advertising cookies track user behaviour for personalised advertising and are not necessary for any functions on the website, so explicit consent for their use is required.

Concerning the general requirements for using any type of cookie, the PDPA requires controllers to provide clear information about the purpose and function of each type of cookie, typically through a cookie policy and cookie banners or pop-ups that are designed to inform users and obtain their consent. The details therein shall be similar to other notifications for data processing provided to data subjects, namely the types of cookies used on the website, the personal data to be processed, the purposes of processing, the retention period, the rights of data subjects, etc. In addition, users must have the ability to manage their cookie preferences, withdraw consent, and access or delete data collected through cookies.

Generally, online marketing may be based on legitimate interest or consent of the data subject. Personalised advertising is regarded as too intrusive for data subjects, and consent under the PDPA is therefore required.

In addition to the PDPA, online marketing may be classified as computer data or electronic mail under the Computer-Related Crime Act BE 2550 (2007). Where an operator sends any computer data or electronic data (such as via email, short message service (SMS) or comments) to another person in a manner that disturbs that person, such operator must give that person an easy opportunity to cancel or provide notification of their wish to deny receipt of such computer data or electronic mail (ie, an opt-out option). Otherwise, such operator shall be liable to a fine not exceeding THB2 million. Once any person requests cessation, the operator must stop sending such marketing messages immediately (ie, after no more than seven days).

Similar to other relationships, the enactment of the PDPA has significantly impacted the employment relationship, particularly in terms of how employers collect, use and manage employees’ personal data. The PDPA requires employers to obtain specific consent from employees before collecting their personal data, including sensitive personal data, ensuring transparency from recruitment through the entire employment life cycle.

The PDPA emphasises data minimisation and purpose limitation, requiring employers to collect only the personal data necessary for specific purposes related to employment – eg, to fulfil the employment process, provide employee benefits or manage payroll. Employers must ensure that personal data is used solely for the purposes for which it was collected and in accordance with the employees’ privacy policy. In addition, employers also have the obligations to maintain data security and comply with other provisions regarding the controllers’ obligations under the PDPA (for more details, please see 3.1 Objectives and Scope of Data Regulation).

As data subjects, employees are granted several rights under the PDPA, such as the right to access, correct and delete their personal data and the right to withdraw consent for data processing, among others. Employers must establish procedures to facilitate these rights, allowing employees to control their personal data, thereby enhancing privacy and trust in the employer-employee relationship.

There are no specific regulations concerning the transfer of personal data in asset deals in Thailand. Only general PDPA provisions are applicable to this area.

The PDPA does not provide for the concept of absolute restriction for any type of transfer of personal data outside the jurisdiction of Thailand. Instead, controllers, as the transferors, may be subject to several obligations and/or must ensure that the transferee meets the qualifications as prescribed under the PDPA.

In general, in the case of transfer of personal data outside Thailand, the countries in which the transferee is located should have adequate personal data protection measures. The list of countries deemed to have adequate personal data protection measures is set to be prescribed by the PDPC; however, such list has not yet been prescribed. Two key criteria to consider in determining whether a country has adequate personal data protection measures are as follows:

• whether the legal safeguards for personal data protection in such country are of the same standard as or higher than those under the PDPA; and
• whether such country has a proper authority or organisation for enforcing the above-mentioned safeguards.

In any event, even upon the prescription of such list, several exemptions exist where the controller may transfer the personal data to countries not on the list (regarding compliance with the law, obtaining consent from the data subject, the execution of a contract to which the data subject is one of the parties, etc).

Another exemption to the limitation of personal data transfer to only those countries included on the list applies when the following qualifications are fulfilled:

• where such transfer is within a group of undertakings or enterprises; and
• where the transferor of the personal data applies the binding corporate rules (BCRs), which have already been approved by the PDPC office, to such transfer.

During the period when no list is prescribed for those countries deemed to have adequate personal data protection, or when the BCRs have not been approved by the PDPC office, the PDPA stipulates that the transferor provide appropriate security measures, to be enacted in accordance with the rights of the data subject, as well as effective legal remedial measures such as appropriate standard contractual clauses (SCCs) for cross-border transfer and a certificate. Under the PDPA’s notification, SCCs from the Association of Southeast Asian Nations (ASEAN) Model Contractual Clauses for Cross-Border Data Flows and GDPR SCCs are acceptable.

Cross-border transfer does not require government notification or approval.

In certain cases, operators have to retain documents on their premises, such as accounting documents and a VAT certificate. However, an operator can duplicate and transfer such data internationally (see 5.1 Restrictions on International Data Transfers for more details).

There are no blocking statutes under Thai privacy laws.

On 25 December 2023, the PDPC introduced two notifications regarding cross-border transfers of personal data under Sections 28 and 29, with the details summarised as follows.

Notification Regarding Criteria for Adequate Countries (Section 28)

This notification outlines two key criteria for determining if a destination country qualifies as having adequate data protection standards:

• the legal system pertaining to personal data protection in the destination country must be at least equivalent to or more stringent than the PDPA; and
• the country must have a proper authority or organisation to enforce its data protection laws.

In any case, the transferor is entitled to assess the adequacy of the destination country’s data protection standard by itself. Additionally, the PDPC may consider and issue a list of adequate countries in the near future.

Notification Regarding Appropriate Safeguards (Section 29)

In the absence of an “adequacy list”, cross-border transfers can only occur if data exporters implement appropriate safeguards to ensure PDPA-compliant protection standards. This notification sets out types of and criteria for certain acceptable safeguards under the PDPA, which shall include BCRs, SCCs and certifications.

• BCRs are legally binding data protection policies adhered to by related parties, including related groups or affiliated companies, for cross-border data transfers. In any case, the parties to the transfer must obtain PDPC approval prior to the application of BCRs.
• SCCs are standardised data protection provisions that ensure compliance with data protection laws. They must address data processing activities and legal compliance, regulating controllers and processors to maintain data security standards. This notification allows the parties involved in data transfer to refer to SCCs from certain international models, including those of the EU and ASEAN.
• Controllers or processors may consider obtaining a certification for their cross-border data transfer and related processing activities; the details are subject to further announcement.