Thai PDPA
Comply with the PDPA
The Personal Data Protection Act 2019 (PDPA) is the first consolidated legislation providing general data protection within Thailand, coming into full force and effect on June 1, 2022. The PDPA is based on the GDPR and contains many similar provisions, although they differ in areas such as anonymization. The PDPC has issued various sub-regulations and guidelines under the PDPA.
Visit our Thailand Jurisdiction Dashboard for further information on Thailand's Data Protection Landscape.
PDPA v. GDPR
OneTrust DataGuidance, in collaboration with Blumenthal Richter & Sumet, has produced a PDPA v. GDPR Report, which you can download here, and which assists organizations in understanding and comparing key provisions of the PDPA comparative to the GDPR. In the tab above, you can also leverage this information through our PDPA v. GDPR Comparison.
On March 24, 2024, the draft regulations on international data transfers, under Sections 28 and 29 of the Personal Data Protection Act 2019 (PDPA) came into effect, following its publication, on December 25, 2023, in the Official
On March 7, 2024, the Personal Data Protection Committee (PDPC) announced that it signed a Memorandum of Understanding (MOU) with the Engineering Institute of Thailand (EIT) to jointly define, promote, support, and create standards according to the Personal Data Protection Act (PDPA) for the engineering sector.
On February 15, 2024, the Ministry of Digital Economy and Society (MDES) announced the findings of a joint investigation into personal data trading networks, that led to the arrest of nine individuals involved in the illegal trade of personal data.
On February 12, 2024, the Personal Data Protection Committee (PDPC) announced the Ministry of Digital Economy and Society's (MDES) seven flagship priorities for 2024, including:
On January 29, 2024, the Ministry of Digital Economy and Society (MDES) launched the Personal Data Protection Act Center (PDPA Center) to provide comprehensive personal data protection services, including receiving complaints and providing advice on personal data protection to citizens and various agencies.
On January 14, 2024, the Royal Decree outlining exceptions to data controller obligations under the Personal Data Protection Act (PDPA) came into force, following its publication, on August 17, 2023, in the Official Gazette.
On December 28, 2023, the Personal Data Protection Committee (PDPC) announced two regulations on international data transfers under Sections 28 and 29 of the Personal Data Protection Act 2019 (PDPA), respectively, as published in the Royal Gazette on December 25, 2023.
On December 6, 2023, the Personal Data Protection Committee (PDPC) published two forms in relation to its previous notification regarding the requirement to appoint personal data protection officers (DPO) where personal data pr
On December 1, 2023, the Ministry of Digital Economy and Society (MDES) convened a meeting in collaboration with the Office of the Personal Data Protection Commission (PDPC), the Office of the Insurance Commission (OIC), and members of the insurance business network to discuss the prevention of personal data violations in the insurance sector.
On October 31 and November 16, 2023, the Electronic Transaction Development Agency (ETDA) published two subordinate regulations under the Royal Decree on Digital Platform Services (DPS) (the Royal Decree).
On November 14, 2023, the Personal Data Protection Committee (PDPC) released for public consultation a draft notification on the collection and processing of personal data related to criminal records in alignment with Section 26(3) of the Personal Data Protection Act (PDPA).
On November 21, 2023, the Ministry of Digital Economy and Society (MDES) revealed a 12-month plan to address data leaks and high-risk cyber systems following incidents of public information leaks and trading.
What measures were taken in the first 30 days?
On October 27, 2023, the Personal Data Protection Committee (PDPC) released for public consultation draft regulations on international data transfers, under Sections 28 and 29 of the Personal Data Protection Act 2019 (PDPA), respectively.
Data transfers under Section 28 of the PDPA
On September 4, 2023, the National Broadcasting and Telecommunications Commission's (NBTC) Notification on measures to protect telecommunications service users' rights regarding personal data, privacy rights, and freedom of telecommunications was published in the Royal Gazette and entered into force the following day.
On September 14, 2023, the Personal Data Protection Committee (PDPC) published in the Government Gazette the notification on data protection officer (DPO) appointment, following a public consultation.
The Electronic Transactions Development Agency (ETDA) issued, on August 28, 2023, a press release detailing recent efforts to push the adoption of the AI Governance Guidelines for Executives, developed by the ETDA's Artificial Intelligence Governance Clinic (AIGC). Specifically, the Guidelines are divided into three sections, covering artificial
In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and
The rapid ascent of artificial intelligence (AI) has paved the way for a new era of innovation and is reshaping our daily lives. The emergence of generative AI, a content-generating tool, is a recent example of how quickly these developments can take place.
In line with the intent of the law under the Electronic Transactions Act B.E. 2544 (2001) (ETA) to maintain financial and commercial security and strengthen the reliability and credibility of data message systems, the Royal Decree on Regulating the Digital Platforms which are Subject to Prior Notification B.E.
The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors.
The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors.
The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors.
The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors.
The Personal Data Protection Act 2019 ('PDPA') is Thailand's first comprehensive data protection legislation, which was originally set to enter into effect on 27 May 2020. However, following two rounds of postponement due to the COVID-19 pandemic, the PDPA has entered into effect on 1 June 2022.
The Personal Data Protection Act 2019 ('PDPA') is Thailand's first comprehensive data protection legislation, which was originally set to enter into effect on 27 May 2020. However, following two rounds of postponement due to the COVID-19 pandemic, the PDPA has entered into effect on 1 June 2022.
The Personal Data Protection Act 2019 ('PDPA') is Thailand's first comprehensive data protection legislation, which was originally set to enter into effect on 27 May 2020. However, following two rounds of postponement due to the COVID-19 pandemic, the PDPA has entered into effect on 1 June 2022.
Countries across the APAC region have been introducing comprehensive data protection laws and/or updating existing legislation to ensure personal data is protected in the digital era.
OneTrust DataGuidance and Blumenthal Richter & Sumet provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and Thailand's Personal Data Protection Act (PDPA). The report, which was last updated in May 2022, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of PDPA with the GDPR.
You can access the latest version of the report here.
Key highlights
The PDPA and the GDPR share some similarities, particularly in regard to their territorial scope. Both laws:
- regulate the transfer of data to third parties;
- require organizations to implement appropriate security measures with respect to personal information;
- provide legal basis for the lawful processing of personal information;
- provide special protections for the processing of minors' personal data;
- impose monetary penalties for non-compliance; and
- provide supervisory authorities with investigatory and corrective powers.
However, despite their similarities, the PDPA and the GDPR also differ sometimes in their approach, such as:
- the PDPA does not apply to some public bodies;
- the PDPA does not differentiate or refer to automated and non-automated processing;
- the PDPA does not explicitly address the principles of accountability; and
- the GDPR defines Pseudonymization, while the PDPA does not.