Data Protection & Privacy 2026

Last Updated March 10, 2026

Thailand

Law and Practice

Authors

Chandler Mori Hamada Limited combines an international standard of practising law with decades of local experience in the Thai legal environment. The team of more than 100 lawyers in Thailand is internationally recognised for its legal expertise in antitrust and competition, aviation, banking and project financing, capital markets, corporate and M&A, data privacy and data protection, dispute resolution, energy, natural resources and infrastructure, insurance, labour and employment, real estate, REITs, regulatory and public policy employment and tax, restructuring and insolvency and technology, and media and telecommunications.

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) is the primary law regulating the processing of personal data in Thailand. As in other jurisdictions, “personal data” is defined as any data which, by itself or in combination with other data, can be used to identify an individual, excluding data relating to deceased persons in particular.

The PDPA focuses on the protection of data subjects whose personal data is processed, including through collection, storage, use, disclosure and other forms of processing, regardless of the original source of such personal data. Entities that determine the purposes and means of processing personal data (known as “Personal Data Controllers” or “controllers” under the PDPA) are required to have a lawful basis for processing any personal data and to maintain proper security measures to prevent any loss, unauthorised access, use or disclosure of personal data. These requirements also apply to service providers that process personal data as instructed by or on behalf of a controller (known as “Personal Data Processors” or “processors” under the PDPA).

The PDPA is based mainly on the EU General Data Protection Regulation (GDPR), and imposes obligations on the private sector and government bodies (ie, both Personal Data Controllers and Personal Data Processors) regardless of the mode of processing (ie, both automated and non-automated processing), including with respect to the burden of proof.

The PDPA itself applies to most activities, subject to certain exemptions, such as:

  • household activities;
  • the operation of public authorities for public safety purposes; and
  • media and fine arts activities carried out in accordance with professional ethics.

For businesses regulated by specific supervisory authorities (such as banks and insurance businesses), the PDPA allows those supervisory authorities to issue the standard forms or guidelines for their operators to follow.

The PDPA has explicit extraterritorial reach. If a controller/processor is outside Thailand, the PDPA can still apply if the relevant personal data relates to data subjects in Thailand, and the activities involve either:

  • the offering of goods or services to individuals in Thailand (irrespective of whether payment is required); or
  • the monitoring of behaviour that takes place in Thailand.

In this regard, the PDPA operates alongside other laws governing non-personal data and cybersecurity, and generally applies as a supplementary framework to such laws. Certain sector-specific or special laws may impose stricter requirements relating to security, governance or compliance than those prescribed under the PDPA. Accordingly, organisations must assess on a case-by-case basis whether any specific or industry-related laws apply to their operations, and ensure compliance with the higher or more stringent standards where applicable.

The general principles for the processing of personal data under the PDPA are broadly aligned with the seven principles of the GDPR, and can be summarised as follows.

  • Lawfulness, fairness and transparency – personal data must be processed lawfully, fairly and transparently, with clear information provided to data subjects.
  • Purpose limitation – personal data must be collected for specific and legitimate purposes and not used beyond those purposes, unless permitted by law.
  • Data minimisation – only personal data that is necessary for the stated purpose may be collected and processed.
  • Accuracy – personal data must be accurate, up to date, and corrected where necessary.
  • Storage limitation – personal data must not be retained longer than necessary, unless retention is required by law.
  • Integrity and confidentiality (security) – appropriate technical and organisational measures must be in place to protect personal data.
  • Accountability – data controllers are responsible for PDPA compliance and must be able to demonstrate such compliance.

Lawful Bases for Processing Personal Data Under the PDPA

Under the PDPA, personal data may be processed only where a lawful basis applies. If no lawful basis is available, consent must be obtained.

Key lawful bases include the following.

  • Consent – freely given, informed and explicit (especially for sensitive personal data).
  • Research and statistics – necessary for research or statistical purposes, subject to appropriate safeguards for data subjects’ rights and freedoms.
  • Contractual necessity – necessary for entering into or performing a contract with the data subject.
  • Legal obligation – necessary to comply with applicable laws.
  • Vital interests – necessary to prevent danger to life, body or health.
  • Public task/public interest – necessary for tasks carried out in the public interest or under official authority.
  • Legitimate interests – necessary for legitimate interests of the controller or a third party, provided such interests do not override the data subject’s fundamental rights and freedoms.

Data Subject Rights Under the PDPA

Under the PDPA, data subjects are entitled to the following rights.

  • Right of access – to request access to and obtain a copy of their personal data.
  • Right to rectification – to request correction of inaccurate or incomplete personal data.
  • Right to erasure (right to be forgotten) – to request deletion or anonymisation of personal data when it is no longer necessary or unlawfully processed.
  • Right to restriction of processing – to request temporary suspension of processing in specific circumstances.
  • Right to data portability – to request personal data in a structured, commonly used and machine-readable format, where applicable.
  • Right to object – to object to processing based on legitimate interests, direct marketing or other grounds prescribed by law.
  • Right to withdraw consent – to withdraw consent at any time, without affecting prior lawful processing.
  • Right to lodge a complaint – to lodge a complaint with the Personal Data Protection Committee (PDPC).

Main PDPA Compliance “To-Dos” for Organisations (as Data Controllers)

The primary compliance requirements are as follows:

  • identifying and documenting all personal data processing activities;
  • determining and recording the lawful basis for each processing activity;
  • preparing and maintaining PDPA-compliant privacy notices;
  • establishing procedures for handling data subject rights requests;
  • implementing appropriate technical and organisational security measures;
  • managing third parties through data processing agreements; and
  • training employees on PDPA compliance and data protection awareness.

Under the PDPA, “sensitive personal data” includes personal data relating to the following matters, among others:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • sexual behaviour;
  • criminal convictions;
  • health data, disability and genetic data;
  • biometric data; and
  • trade union membership.

The processing of sensitive personal data is prohibited by default, unless a specific legal basis applies.

Permitted Grounds for Processing

Sensitive personal data may be processed only where one of the following applies.

  • Explicit consent – consent must be explicit, informed and specific, and must be clearly distinguishable from other matters.
  • Vital interests – necessary to prevent or suppress danger to the life, body or health of a person, where the data subject is incapable of giving consent.
  • Legal obligations – required for compliance with laws relating to labour protection, social security or other statutory duties.
  • Public interest/official authority – necessary for the performance of duties carried out in the public interest or for the exercise of official authority.
  • Medical and public health purposes – necessary for preventative medicine, medical diagnosis, healthcare services or public health, subject to appropriate safeguards.
  • Research or statistical purposes – necessary for research or statistics, provided suitable measures are in place to protect data subjects’ rights and freedoms.

Additional strict security measures must be implemented when processing sensitive personal data. In particular, personal data relating to criminal convictions or criminal offences is subject to specific sub-regulations under the PDPA. Such data may be collected and retained only to the extent necessary or as required by law, and must not be retained for more than six months from the date of collection, unless otherwise permitted or required by applicable law.

Personal Data Relating to Minors

Under the PDPA, a minor is a person under 20 years of age, unless legally married.

Consent requirements

  • Where consent is relied upon as the lawful basis for processing, consent must be obtained from the parent or legal guardian.
  • If the minor is under ten years of age, parental or legal guardian consent is required in all cases.
  • If the minor has legal capacity under applicable law, consent may be obtained directly from the minor.

Controllers must exercise heightened care when processing minors’ data, ensuring transparency, fairness and security, and avoiding unnecessary or excessive data collection.

Under the PDPA, truly anonymised data (ie, data that can no longer identify a natural person, whether directly or indirectly) falls outside the scope of the PDPA. Once data is irreversibly anonymised, it is no longer considered personal data and may be used without relying on a lawful basis under the PDPA. However, the process of anonymisation itself involves the processing of personal data (and often sensitive health data) and must therefore comply with the PDPA until anonymisation is completed.

Note that health data may be processed without consent where the processing is:

  • necessary for medical purposes, public health, scientific research or statistics, as authorised by applicable laws; and
  • subject to appropriate safeguards to protect data subjects’ rights and freedoms, such as data minimisation, access controls and security measures.

This exemption may apply where companies act on behalf of healthcare providers (eg, as data processors) in connection with healthcare systems or medical technologies.

At present, Thailand does not have a specific or binding AI law governing the use of personal data in AI systems or automated decision-making. As a result, the processing of personal data in AI models is regulated primarily under the PDPA, and organisations must comply with general data protection principles such as lawfulness, purpose limitation, data minimisation, transparency, security and accountability.

The PDPA does not establish a dedicated risk-based classification for AI systems, nor does it prohibit specific AI use cases. In practice, organisations are expected to adopt a risk-based approach, especially where AI involves large-scale processing, sensitive personal data, or automated decision-making with significant effects. Regulators have recommended conducting Data Protection Impact Assessments (DPIAs) as a key tool to identify and mitigate privacy risks. Transparency regarding AI use, sound data governance and appropriate human oversight are therefore treated as regulatory expectations rather than strict statutory requirements.

Under the PDPA, where a personal data breach occurs, the data controller must act without delay and, in any event, notify the PDPC within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects’ rights and freedoms. The controller must first identify the nature and cause of the breach and assess the associated risks, taking into account factors such as the type and sensitivity of the data involved, the number of affected data subjects, the likelihood of misuse, and the potential impact on individuals. Where the breach is likely to result in a high risk, affected data subjects must also be notified without undue delay. The controller must then implement remedial and mitigation measures, including containment and recovery actions, and establish preventative measures to avoid recurrence. The PDPC has the authority to investigate data breaches, request information and impose administrative sanctions. In addition, affected data subjects may bring civil claims, including collective or mass actions, for damages arising from PDPA violations.

In this regard, over the past year the PDPC has adopted a more proactive and assertive enforcement approach. Where a data breach is reported or detected through dark web disclosures or public discussions on social media, the PDPC may initiate inquiries and summon the organisation to provide explanations and information, even before a formal notification is submitted. In some cases, such summonses have been publicly announced through the PDPC’s official social media platforms, increasing reputational and regulatory exposure. As a result, organisations are expected to exercise heightened caution and preparedness in managing data breach risks, including timely internal assessments, clear communication strategies and well-documented response measures.

The PDPC is the supervising authority under the PDPA. The PDPA also established the Office of the PDPC to support the PDPC in developing and facilitating enforcement. Under the PDPA, the PDPC has several duties, such as:

  • ensuring the preparation and implementation of the master plan for the promotion and protection of personal data;
  • promoting and supporting government agencies and the private sector in evaluating the operational results of such master plan;
  • determining measures or guidelines relating to data protection operations in order to comply with the PDPA;
  • issuing notifications or rules for the implementation of the PDPA; and
  • providing advice or consultancy to any persons.

In addition, the PDPC shall appoint expert committees to consider any complaints under the PDPA, including investigating any acts in connection with personal data, settling disputes and carrying out other tasks assigned by the PDPC.

As mentioned in 1.7 Regulators, an expert committee is responsible for considering and investigating any complaints on behalf of the PDPC in accordance with the PDPC’s rules. If any complaint does not comply with such rules, the expert committee will not accept such complaint for consideration.

If, following consideration or investigation, the expert committee finds that such complaint is capable of settlement and the relevant parties are willing to settle, the expert committee must proceed with dispute settlement before issuing any order mandating the operator (whether the controller or processor) to perform or rectify their act, or prohibiting the operator from carrying out an act that would cause damage to a data subject.

If the operator fails to comply with the expert committee’s order, administrative procedures will be applied (including powers to order seizure, attachment and sale by auction, as allowed by law). The expert committee’s order is final, although any party may appeal such order in accordance with administrative procedure within 15 days of receiving such order.

In this regard, a PDPC Notification on Administrative Penalties governs the enforcement of administrative penalties and sets out the criteria by which the expert committee determines and applies them. The expert committee applies administrative penalties according to the seriousness of the offence, with offences categorised into two groups: serious and non-serious offences.

Serious Offences

The expert committee can impose administrative fines on a controller and/or processor. In addition, administrative fines can be imposed on offenders who fail to comply with an order of the expert committee to remedy a violation, including orders to remedy, stop, suspend or seize related processing activities.

Non-Serious Offences

The expert committee may issue orders to remedy, stop, suspend or seize related processing activities, or may take other actions to stop/minimise damage within a specified period.

Significant Enforcement Actions and Trends January 2024 to January 2026

From “awareness-building” to real fines and public case summaries

Thailand’s PDPC has moved into visible enforcement through administrative fines. This includes a landmark fine of THB7 million (the first high-profile fine under the PDPA) linked to a customer data leak that was later exploited in call centre scams. The findings included insufficient security measures and a failure to appoint a DPO.

Multi-case enforcement across sectors, including healthcare and processors

On 1 August 2025, the PDPC publicly highlighted five cases spanning both the public and private sectors (state agency online services, a private hospital’s mishandling of medical record destruction, consumer businesses, and a reservation-system incident). Total fines to date amount to approximately THB21.5 million. Importantly, enforcement also extended to data processors (not only controllers), and repeatedly targeted deficiencies in security controls, breach reporting and DPO appointment as core failures.

Proactive investigations triggered by “signals” (dark web + social media), not just formal complaints

In January 2025, PDPC action in relation to an alleged breach followed a post advertising data for sale on the dark web, with the organisation instructed to investigate and report within 72 hours; the PDPC also described the role of its Eagle Eye unit in monitoring online sources (including the dark web and social platforms).

Regulator communications and reputational pressure via public channels

In April 2025, the PDPC publicly confirmed an investigation into a major company’s incident and indicated that it would require a detailed internal report (covering scope, root cause, impacts and risk assessment). The report was announced via PDPC’s Facebook page, signalling that enforcement risk can quickly become a public-facing issue.

Biometric data enforcement: suspension and deletion orders (Worldcoin/iris scanning)

On 24 November 2025, Thai authorities stated that the PDPC ordered relevant service providers/entities to suspend iris scanning and delete/destroy iris and personal data already collected. This action reflected heightened expectations for biometric processing (consent quality, necessity and security).

Practical Takeaways for Organisations

The last 24 months show that the PDPC is prioritising the following aspects (in practice).

  • Security controls as the first line requirement (access controls, password practices, monitoring, periodic reviews/risk assessments).
  • Breach response maturity being treated as equally important as prevention – prompt triage, documented risk assessment, timely notification and remediation.
  • DPO and governance not treated as mere “paperwork” – absence or ineffectiveness treated as a serious aggravating factor.
  • Processor governance as an enforceable obligation: due diligence, clear DPAs, oversight and ensuring processors can detect/notify/contain incidents.
  • Healthcare/records handling and destruction as high-sensitivity areas – physical records and vendors remaining in scope.
  • Proactive scrutiny if a leak becomes visible on the dark web or social media – the PDPC demands rapid clarification and evidence.
  • Biometrics (eg, iris scans) attracting a heightened enforcement posture, including suspension and deletion orders.

In addition to enforcement under the PDPA, Thailand strengthened criminal enforcement through the Emergency Decree on Measures for the Prevention and Suppression of Technology Crimes (No 2) B.E. 2568 (2025) (effective from 13 April 2025). This decree introduces specific criminal offences targeting the misuse of personal data (including data relating to deceased persons) in connection with technology crimes. Where a person collects, possesses or discloses such data with intent to enable criminal activity, the penalty is imprisonment for up to one year and/or a fine of up to THB100,000. Where the conduct involves a commercial/exploitative element (eg, buying, selling, exchanging or unlawfully profiting from the data), the penalty increases to imprisonment for up to five years and/or a fine of up to THB500,000.

As described in 1.8 Enforcement Proceedings and Fines, the PDPA grants the expert committee enforcement powers to issue administrative orders to address any misconduct under the PDPA. However, most cases have been discharged or have ceased at the expert committee stage, and there are no publicly available high court cases in Thailand regarding personal data.

In addition to the powers of the expert committee, the PDPA provides for three types of liability:

  • criminal liability;
  • administrative liability; and
  • civil liability.

For criminal liability, the authority may pursue criminal proceedings against any commercial operator that has breached the PDPA. Any use or disclosure of sensitive data without consent that causes damage to the data subject is punishable by imprisonment of up to six months or a fine of up to THB500,000, or both. However, where any use or disclosure is carried out for the undue benefit of the commercial operator, the above-stated maximum term of imprisonment and the maximum fine will be doubled. In this regard, a director or manager of a juristic person may be subject to the same penalties as the juristic person.

As described in 1.8 Enforcement Proceedings and Fines, there is a PDPC Notification on Administrative Penalties that governs the enforcement and criteria relating to administrative liabilities.

For civil liabilities, a damaged data subject may bring a civil suit against the controller and/or processor that has caused the damage. The PDPA expressly allows courts to award punitive damages, which are generally rare in Thailand, provided that such damages do not exceed twice the amount of actual damages (if the court considers the breach to be severe). As this civil liability is based on tort law and privacy cases often involve more than one impacted data subject, class actions are allowed for privacy cases.

As described in 1.8 Enforcement Proceedings and Fines and 2.1 Privacy Litigation Overview, there have been no significant litigation cases in the area of privacy or data protection law in Thailand, as most matters are typically resolved at the expert committee level. At present, there is only a first-instance court judgment concerning the unlawful sale of personal data, and it remains to be seen whether this approach will be upheld or further clarified by the higher courts.

In Thailand, the concept of collective redress exists within the legal framework, commonly referred to as a “Class Action”. However, its application and procedural development remain limited and continue to evolve. Victims of data protection violations are entitled to file a case against offenders through the Class Action mechanism, as data protection breaches typically fall within the scope of tort claims. In practice, in high-profile cases (affecting many individuals), the Office of the PDPC often encourages all victims to provide their information before an investigation is initiated and appropriate action is taken.

Thailand does not currently have a single, horizontal “non-personal data act” that comprehensively governs the ownership, access, use and sharing of machine-generated or industrial data (eg, IoT device data) in the same manner as the EU Data Act. Instead, non-personal data is mainly governed through a patchwork of:

  • cybersecurity and cybercrime laws (security/incident response and criminal offences);
  • trade secret/IP rules (confidentiality and proprietary datasets); and
  • public sector data governance and access frameworks (digital government, open data, official information).

The PDPA applies as a supplementary law to other applicable statutes, to the extent that it does not conflict with such laws.

There is no specific law addressing the rights and obligations, as mentioned in 3.1 Objectives and Scope of Data Regulation.

There is no specific law addressing regulators and enforcement matters, as mentioned in 3.1 Objectives and Scope of Data Regulation.

Currently, there is no specific legislation in Thailand that regulates the use of cookies. However, as the use of cookies is considered the processing of personal data, it falls under the principles of the PDPA, which apply to different types of cookies as follows.

  • Strictly necessary cookies or essential cookies are necessary for the basic functioning of a website. Explicit consent is not required as they can be used on a contractual basis.
  • Performance and functional cookies are used to enhance user experience and improve website performance. Explicit consent from users is required prior to the use of such cookies.
  • Targeting and advertising cookies track user behaviour for personalised advertising and are not necessary for any functions on the website, so explicit consent is required.

For the general requirements applicable to any types of cookies, the PDPA requires controllers to provide clear information about the purpose and function of each type of cookie, typically through a cookie policy and cookie banners or pop-ups that inform users and obtain their consent. The information provided shall be consistent with other notifications for data processing provided to data subjects – the types of cookies used on the website, the personal data to be processed, the purposes of processing, the retention period, the rights of data subjects, etc. In addition, users must be given the ability to manage their cookie preferences, withdraw consent, and access or delete data collected through cookies.

Generally, online marketing may be based on the legitimate interests of the data subject, or on the data subject’s consent. Personalised advertising is regarded as overly intrusive for data subjects, and therefore consent under the PDPA is required.

In addition to the PDPA, online marketing activities may fall within the scope of computer data or electronic mail under the Computer-Related Crime Act B.E. 2550 (2007). Where an operator sends any computer data or electronic data (such as email, SMS or comments) to another person in a manner that disturbs that person, such operator must provide that person with an easy means to cancel or notify the wish to refuse receipt of such computer data or electronic mail (ie, an opt-out option). Failing to do so may result in a fine not exceeding THB2 million. Once any person has requested to refuse such receipt, the operator must stop sending such marketing messages immediately (ie, no later than seven days after the request).

Similar to other relationships, the enactment of the PDPA has significantly impacted the employment relationship, particularly in relation to how employers collect, use and manage employees’ personal data. The PDPA requires employers to obtain specific consent from employees before collecting personal data or sensitive personal data, while ensuring transparency from recruitment throughout the entire employment lifecycle.

The PDPA emphasises data minimisation and purpose limitation, requiring employers to collect only the personal data necessary for specific purposes related to employment – completing the employment process, providing employee benefits, managing payroll, etc. Employers must ensure that personal data is used solely for the purposes for which it was collected and in accordance with the information provided in the employees’ privacy policy. In addition, employers are required to maintain data security measures and comply with other provisions regarding the controllers’ obligations under the PDPA (please see 3.1 Objectives and Scope of Data Regulation for more detail).

As data subjects, employees are granted several rights under the PDPA, such as:

  • the right to access, correct and delete their personal data;
  • the right to withdraw consent for data processing; and
  • other related rights.

Employers must establish procedures to facilitate these rights, allowing employees to exercise control over their personal data and thereby enhancing privacy and trust in the employer-employee relationship.

There are no specific regulations in Thailand concerning the transfer of personal data in asset deals. Only the general PDPA provisions are applicable to this area.

The PDPA does not provide for the concept of absolute restriction for any type of transfer of personal data outside the jurisdiction of Thailand. Instead, controllers, as transferors, may be subject to several obligations and/or must ensure that the transferee meets the qualifications prescribed under the PDPA.

In general, in the case of transferring personal data outside Thailand, the countries in which the transferee is located should have adequate personal data protection measures in place. The list of countries deemed to have adequate personal data protection measures is set to be prescribed by the PDPC; however, such list has not yet been issued. Two key criteria for assessing whether a country is deemed to have adequate personal data protection measures are:

  • whether the legal safeguards for personal data protection in such country are of a standard equivalent to or higher than those under the PDPA; and
  • whether such country has a competent authority or organisation responsible for enforcing the above-mentioned safeguards.

In any event, even after such list is prescribed, several exemptions exist under which a controller may transfer personal data to countries outside such list (transfers necessary for compliance with the law, transfers based on the data subject’s consent, transfers required for the performance of a contract to which the data subject is a party, etc).

Another exemption to the limitation on personal data transfers to only those countries included in such list applies where the following conditions are fulfilled:

  • such transfer is made within a group of undertakings or enterprises; and
  • such transferor of the personal data applies binding corporate rules (BCRs) that have already been approved by the PDPC office to such transfer.

Where no list is prescribed for those countries deemed to have adequate personal data protection measures, or where the BCRs have not yet been approved by the PDPC office, the PDPA stipulates that the transferor must provide appropriate security measures in accordance with the rights of the data subjects, together with effective legal remedial measures, such as appropriate standard contractual clauses (SCCs) for cross-border transfers and certification mechanisms. Under a PDPA notification, SCCs based on the ASEAN Model Contractual Clauses for Cross-Border Data Flows and GDPR SCCs are acceptable.

Cross-border transfers do not require any government notification or approval.

In certain cases, operators have to retain some documents on their premises, such as accounting documents and VAT certificates. However, operators can duplicate and transfer such data outside Thailand (see 5.1 Restrictions on International Data Transfers for more details).

There are no blocking statutes under Thai privacy laws.

On 29 September 2025, the PDPC issued the Rules on the submission, consideration, examination, certification and supervision of personal data protection policies within the same affiliated business or group of undertakings (B.E. 2568 (2025)), which establish a formal certification regime for BCRs under the PDPA. The Rules confirm that there are two types of BCRs: BCRs for Controllers (BCR-C) and BCRs for Processors (BCR-P), each of which may be used as an appropriate safeguard for cross-border personal data transfers from Thailand regardless of the adequacy status of the destination country. A Thai “anchor” entity must be established under Thai law and maintain a place of business in Thailand (eg, the Thai headquarters or another designated Thai group member responsible for PDPA matters) and act as the Liable BCR Member for the purposes of PDPC interaction and enforcement.

Applications and supporting documents must be prepared in Thai (with certified translations where necessary) and submitted to the PDPC Office. The PDPC Office conducts a completeness check within 15 days and aims to complete substantive review within approximately 180 days. Possible outcomes of the review are approval, conditional approval (subject to corrections) or rejection, and conditional decisions or rejections may be appealed. BCR certification remains valid indefinitely unless amended or revoked by the PDPC, and no official government filing fee is currently imposed under the Rules. This formal regime provides a durable, programmatic compliance framework for cross-border transfers among affiliated entities, potentially reducing reliance on multiple bilateral mechanisms such as SCCs.

The introduction of this certification process signals the PDPC’s move towards a more clearly defined and structured pathway for intra-group transfers under the PDPA.

Chandler Mori Hamada Limited

31st and 36th Floors
Sathorn Square Office Tower
98 North Sathorn Road
Silom
Bangrak
Bangkok 10500
Thailand

+662 009 5000

+662 009 5080

business-development@morihamada.com
chandler.morihamada.com

Trends and Developments

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) has moved decisively from a “compliance-building” phase into a more enforcement-oriented phase. Although enacted in 2019, the PDPA only became fully effective in 2022, placing 2025 at a critical inflection point: long enough for organisations to have built baseline compliance frameworks, yet recent enough that regulatory expectations are still being shaped through early precedent, subordinate legislation and case-based enforcement.

Against this backdrop, 2025 stands out as a year of visible regulatory momentum, characterised by:

  • a meaningful expansion in administrative enforcement, including multiple fines across the public and private sectors;
  • a sharper focus on breach preparedness and vendor governance;
  • a more proactive monitoring posture, including the continued operationalisation of PDPC Eagle Eye and attention to high-risk processing activities such as biometric data; and
  • sustained development of the PDPA “ecosystem”, especially reform discussions, voluntary certification (“Trust Mark”) and cross-border transfer mechanisms such as Binding Corporate Rules (BCRs).

This article highlights four core developments from 2025 that will shape the trends and developments landscape in 2026:

  • the Personal Data Protection Committee’s (PDPC) five-case wave of administrative penalties;
  • proactive enforcement via PDPC Eagle Eye, including the widely reported “iris scan in exchange for crypto tokens” case involving World/Worldcoin;
  • the public consultation process on potential amendments to the PDPA; and
  • the maturation of compliance infrastructure, most notably preparations for Trust Mark and the formalisation of the BCR certification framework.

Enforcement in 2025: From Warning Signals to Repeatable Precedent

Eight administrative fines across five cases (public and private sectors)

On 1 August 2025, Thailand’s PDPC publicly announced the imposition of eight administrative fines across five non-compliance cases involving both public and private entities. The announcement was notable not only for the aggregate value involved (reported at approximately THB21.5 million to date), but also for the diversity of fact patterns, ranging from cyber-attacks affecting online public services to operational failures in document destruction and vendor-managed reservation systems.

A key signal from this enforcement wave is the PDPC’s willingness to treat the PDPA as an operational governance framework, encompassing security controls, vendor oversight and incident response, rather than merely as a documentation exercise focused on privacy notices and consent forms. In several cases, the PDPC imposed penalties on both the data controller and a data processor involved in the processing activities, reinforcing that accountability under the PDPA is not confined to the most visible brand name in the processing chain.

What the five cases indicate regulators care about most

As reflected in public reporting, the five cases from 2025 provide a practical “compliance map” of regulatory priorities.

Case 1 – state agency online services (cyber-attack and dark web leakage)

A cyber-attack against a state agency’s web application reportedly resulted in the leakage of personal data relating to approximately 200,000 data subjects. The PDPC’s findings pointed to fundamental security deficiencies, including weak password controls, the absence of a formal risk assessment, and a failure to conduct regular reviews and update security measures. The regulator also identified a governance lapse – namely, the absence of a data processing agreement with the software developer acting as a data processor. As a result, the PDPC imposed administrative fines of THB153,120 on both the state agency and the developer.

Although the monetary penalties imposed on the public sector entity were relatively modest compared with those more commonly imposed on private sector organisations, this case is significant in underscoring the PDPC’s position that state agencies are subject to the PDPA and its enforcement regime on an equal footing. Importantly, the decision also clarifies that being the victim of a cyber-attack does not, in itself, amount to wrongdoing. However, where an organisation fails to implement appropriate and proportionate security and governance measures, it may still be held accountable as a wrongdoer under the PDPA, notwithstanding the involvement of third-party attackers.

Case 2 – private hospital (outsourced document destruction failure)

A private hospital engaged an individual contractor to destroy patient medical record documents. The contractor reportedly mishandled the documents and reused them as wrapping for sweets, resulting in the leakage of personal and medical data of more than 1,000 individuals and subsequent public exposure via social media. Beyond the inherently sensitive nature of health data, the PDPC focused on the hospital’s failure to implement adequate security and oversight measures, as well as its failure to report the breach in accordance with the PDPA. The hospital was fined THB1,210,000, while the contractor was fined THB16,940.

This case is notable not only for turning what was once regarded as an anecdotal “joke” about the reuse of paper for food packaging in Thailand into a concrete compliance failure, but also for illustrating the PDPC’s proportional approach to penalties. The significant disparity between the fines imposed on the hospital and on the individual contractor demonstrates that the regulator takes into account the nature, scale and capacity of the offender, as well as the degree of organisational responsibility and control, when determining administrative sanctions.

Case 3 – “computer and accessories trading giant” (breach linked to call centre scams)

More than 100 data subjects reportedly complained following call centre scams tied to a breach incident. The PDPC cited a lack of security measures, failure to report breach incidents, and failure to appoint a DPO. The company was fined THB7 million (with public reporting indicating that the company’s revenue and size were taken into account).

This case closely mirrors the landmark enforcement action taken by the PDPC in 2024, in terms of both the factual circumstances and the legal bases for liability. Taken together, these cases suggest that the PDPC is developing a consistent enforcement benchmark for large-scale data breaches involving inadequate security governance, delayed breach notification and the absence of a DPO.

Case 4 – cosmetics company

A cosmetics company reportedly suffered leakage of personal data to a call centre gang due to inadequate security measures, and also failed to notify the PDPC of the breach incident. The company was fined THB2,500,000.

Case 5 – collectible toy company + processor (reservation system compromise)

A collectible toy company used a data processor for a reservation system, which was compromised for a brief period (reported to be around ten minutes), resulting in unauthorised amendments to approximately 200,000 records. The PDPC fined both parties: the toy retailer THB500,000 and the data processor THB3 million, highlighting that processors can face serious exposure where they fail to contain incidents, notify controllers or support remediation.

Practical enforcement themes emerging from the cases

Across these fact patterns, three recurring compliance failures stand out, each of which is likely to remain front and centre in 2026.

Security measures and security governance

The PDPC repeatedly focused on whether security measures were “appropriate” and subject to ongoing review, including risk assessments, access controls, and privacy and security by design. It also examined whether data retention, deletion and destruction practices were appropriate and ensured that personal data was not retained longer than necessary.

Breach reporting discipline and incident response maturity

Several penalties emphasised failures to notify the regulator (and in some cases, failures to notify counterparties within controller–processor relationships), demonstrating that “late or missing reporting” is no longer regarded as a minor technicality.

DPO designation and vendor governance (including DPAs)

In addition to substantive security controls, the PDPC’s enforcement posture continues to treat governance obligations – ie, the designation of a DPO where required and the implementation of contractual controls via DPAs – as “core compliance” requirements rather than optional best practice.

In short, enforcement actions in 2025 convert PDPA compliance into an enterprise risk-management issue that must sit with senior management, IT/security and procurement/vendor owners – not only legal/compliance teams.

Proactive Monitoring and High-Risk Processing: PDPC Eagle Eye and the World/Worldcoin Biometrics Case

PDPC Eagle Eye as an operational enforcement capability

A further indicator of intensifying enforcement is the regulator’s investment in proactive monitoring functions. Over the past year, PDPC Eagle Eye has operated as a dedicated unit using technology to monitor and detect personal data leaks, including scanning search engines, online sources and dark web locations, as well as co-ordinating with relevant agencies on follow-up actions. In many instances where there is public reporting of personal data breaches or improper use of personal data, PDPC Eagle Eye has published preliminary details through its online channels to raise public awareness of personal data protection threats. This has, at times, led organisations to perceive such disclosures as reputationally damaging, even where the underlying facts have not yet been fully verified.

This development is significant for organisations because it fundamentally alters the practical risk equation: regulatory enforcement no longer depends solely on a complaint from a data subject. Where a data leak is visible online, or otherwise detectable through proactive monitoring, organisations may be contacted by the regulator even in the absence of any formal complaint by affected individuals.

The “iris scan in exchange for crypto tokens” enforcement action (World/Worldcoin)

The most high-profile illustration of the PDPC’s 2025 posture is the enforcement action against the business offering iris scanning in exchange for cryptocurrency tokens, widely reported as World (formerly Worldcoin).

In late November 2025, multiple outlets reported that Thai authorities ordered the operator to halt the iris scan service and delete biometric data of approximately 1.2 million users in Thailand, citing PDPA breaches and concerns around unlawful consent and biometric data risk.

Key reported themes in the regulator’s reasoning are directly relevant to compliance expectations for 2026, as follows.

  • Biometric data is high-risk by default. Iris data is commonly treated as biometric data, which typically attracts heightened compliance scrutiny because it is difficult to change if compromised and can be used for identity verification.
  • “Consent” must be truly voluntary – financial inducement creates risk. Reporting emphasised concerns that offering crypto tokens in exchange for consent may undermine voluntariness, making consent potentially invalid under PDPA principles.
  • Purpose limitation and transparency remain core principles. Media coverage reflects regulatory concerns that actual data use may extend beyond the purposes communicated at the point of collection. Clear, specific and easily understandable consent language may help mitigate the risk of challenges from data subjects regarding the scope of use.

For 2026, the practical takeaway is that the PDPC is willing to take strong action where a processing model is built around high-risk data (biometrics) combined with incentives that may compromise “freely given” consent and create downstream transfer/security concerns. This is a clear warning for any business operating digital ID, fintech-onboarding, biometric access control or consumer-facing “reward for data” models.

PDPA Reform Discussions: Public Consultation on Proposed Amendments in 2025

2025 also saw a rise in momentum toward possible legislative reform of the PDPA. As the PDPA has now been in force for approximately five years, policymakers have begun reviewing whether certain provisions should be refined or adjusted in light of practical implementation and enforcement experience. Toward the end of 2025, a draft amendment bill relating to the PDPA was released for public consultation, although the process was not completed.

During the consultation process, stakeholders expressed both supporting and opposing views in relation to the proposals put forward by the drafting committee. This diversity of feedback suggests that the content of any final amendments may differ from the draft, and reinforces the need to closely monitor the version that is ultimately promulgated.

Even without predicting the final form of any amendments, the consultation materials provide useful insight into the types of issues under consideration, including the following examples:

  • repositioning the PDPA as the primary legal framework for personal data processing, rather than merely a baseline compliance standard, to ensure greater legal clarity and consistency across sectors;
  • clarifying and refining the definitions of “data controller” and “data processor” to reduce interpretive uncertainty in complex processing and outsourcing arrangements;
  • revisiting the list of sensitive personal data to better align it with Thailand’s legal, social and cultural context; and
  • improving the clarity of consent requirements, particularly to prevent practices where consent is effectively exchanged for goods, services or benefits in a manner that undermines its voluntariness.

These proposed areas of adjustment are illustrative only, and the scope and substance of any amendments may evolve as deliberations continue. Further changes may be introduced as part of the final outcome, and close attention will need to be paid to future guidance and decisions issued by the PDPC.

Looking ahead to 2026, this reform dialogue is relevant in two key respects.

  • First, it signals that Thailand may be entering a “second-stage PDPA” phase: following initial implementation and early enforcement, attention is shifting toward refinement, clarification and the reduction of practical compliance friction for both private and public sector use cases.
  • Second, the legislative review process is likely to interact with enforcement practice. As regulatory precedent develops, recurring ambiguities and operational challenges become more visible, creating a feedback loop between enforcement experience and legislative fine-tuning.

Building the Compliance Ecosystem: Trust Mark Preparations and BCR Certification Rules

Trust Mark: moving from compliance to demonstrable assurance

The PDPC has been developing compliance infrastructure that may influence market behaviour in 2026 – most notably through a proposed “data protection standard mark” or “Trust Mark”.

The PDPC is currently preparing the final draft of the Trust Mark questionnaire, with an announcement expected in the second or third quarter of 2026. This initiative reflects the regulator’s intention to establish a structured framework through which organisations may demonstrate alignment with PDPA requirements and recognised data protection practices.

From a trends perspective, the Trust Mark initiative is significant because it has the potential to reshape incentives beyond merely avoiding regulatory penalties. If the Trust Mark is used in procurement processes, public tenders, platform partnerships or consumer-facing trust signals, whether formally or informally, it may emerge as a meaningful commercial differentiator. Over time, this could shift PDPA compliance from a predominantly reactive legal risk management exercise towards a more proactive model focused on assurance and competitiveness, particularly for service providers handling large volumes of personal data, such as those in e-commerce, cloud and outsourcing services, digital health, fintech and data analytics.

BCR certification: cross-border transfer compliance becomes operational

Cross-border transfer compliance has been one of the most challenging operational areas under the PDPA, especially for multinational groups that routinely share data within affiliated entities.

A major 2025 development was the issuance of formal rules for the review and certification of BCRs. The PDPC Office published its Regulations on the Review and Certification of BCRs (B.E. 2568 (2025)) on 29 September 2025, establishing clearer pathways for intra-group transfers under Section 29 of the PDPA.

Even more importantly, the PDPC Office approved BCRs for two companies operating in Thailand on 30 September 2025, marking an important “first concrete progress” milestone in moving BCRs from theory into practice.

Key features of the 2025 BCR framework that will shape trends in 2026 include:

  • two categories of BCRs: BCRs for Controllers (BCR-C) and for Processors (BCR-P);
  • Thai-language documentation requirements, including expectations around translation formalities;
  • a published review timeline (up to 180 days from submission of complete documentation) and no government fee stated for certification; and
  • no fixed expiry date, although BCRs remain subject to amendment/suspension/revocation and ongoing compliance expectations.

For multinational groups, the 2025 BCR rules (together with the first approvals) meaningfully shift BCRs into the category of “realistic strategic options” for transfer compliance, particularly where groups are seeking a durable intra-group mechanism rather than transaction-by-transaction contracting.

For 2026, it is reasonable to expect more organisations to explore BCR certification, especially those already operating under EU/UK GDPR BCR regimes and seeking to align their global privacy governance models with Thai PDPA requirements.

Practical Checklist for Organisations Operating in Thailand in 2026

In light of developments in 2025, the following actions are likely to represent the most defensible “baseline priorities” entering 2026.

Breach readiness as a tested capability

Organisations should run breach simulations and ensure that their incident response processes can triage PDPA notification triggers, co-ordinate with processors and produce regulator-ready reporting.

Implementation of appropriate security measures (beyond documentation)

Preparing documentation alone (such as privacy policies or consent forms) is not sufficient to fulfil PDPA obligations. Organisations must implement appropriate security measures proportionate to their specific risks, including technical, organisational and administrative safeguards. This has become increasingly critical in light of more active and substantive enforcement by the Thai regulator.

Vendor governance and DPAs as operational controls

Processor arrangements must be audited (particularly with IT vendors, cloud/hosting providers, outsourced call centres and destruction service providers), confirming:

  • contractual coverage;
  • security requirements;
  • notification obligations; and
  • audit/monitoring rights.

DPO decision-making and evidence trail

Where DPO designation is required (or where the position is borderline), organisations should document the assessment and ensure that the DPO function has the necessary visibility and authority.

High-risk processing governance (biometrics, health, identity)

Biometric projects must be treated as initiatives subject to “special scrutiny”, with explicit consent design, voluntariness assessment, DPIA-style risk assessment, retention/deletion logic and transfer controls.

Cross-border transfer roadmap

Where group operations rely on intra-group transfers, organisations should assess whether BCR certification is feasible and valuable under the PDPC’s new framework, especially where GDPR BCRs are already in place.
