Thai PDPA
Comply with the PDPA
The Personal Data Protection Act 2019 (PDPA) is the first consolidated legislation providing general data protection within Thailand, coming into full force and effect on June 1, 2022. The PDPA is based on the GDPR and contains many similar provisions, although they differ in areas such as anonymization. The PDPC has issued various sub-regulations and guidelines under the PDPA.
PDPA v. GDPR
OneTrust DataGuidance, in collaboration with Blumenthal Richter & Sumet, has produced a PDPA v. GDPR Report, which assists organizations in understanding and comparing key provisions of the PDPA and the GDPR.
On August 21, 2024, the Ministry of Digital Economy and Society (MDES) announced that the second expert committee of the Personal Data Protection Committee (PDPC) imposed an administrative fine of 7 million THB (approx. $204,665) on a company for violations of the Personal Data Protection Act 2019 (PDPA), following complaints.
On August 21, 2024, the Personal Data Protection Committee (PDPC) announced that it had issued a fine of THB 7 million (approx. $204,280) on an unnamed company for violations of the Personal Data Protection Act (PDPA) following a data breach. The PDPC noted that it was the first administrative fine issued under the PDPA.
On July 11, 2024, the Personal Data Protection Committee (PDPC) announced that it is investigating a personal data leak of government scholarship students from the information system of the Civil Service Commission Office (CSC), following notification and instruction from the Ministry of Digital Economy and Society (MDES).
On July 13, 2024, the Personal Data Protection Committee (PDPC) announced that it had signed a Memorandum of Understanding (MoU) with the Export-Import Bank of Thailand (EXIM Bank).
On June 13, 2024, the Personal Data Protection Committee (PDPC) released a draft notification for public consultation on criteria for deletion or destruction of personal data or de-identifying personal data.
On March 22, 2024, the Personal Data Protection Committee (PDPC) published its annual report for 2023. The PDPC summarized the work it had done for the 2023 fiscal year into four parts, including:
On March 1, 2024, the Personal Data Protection Committee (PDPC) published the national master plan for the protection of personal data, which outlines the PDPC's strategies for developing and enhancing the data protection framework in Thailand from 2024 to 2027.
On March 24, 2024, the draft regulations on international data transfers under Sections 28 and 29 of the Personal Data Protection Act 2019 (PDPA) came into effect, following their publication on December 25, 2023, in the Official
On March 7, 2024, the Personal Data Protection Committee (PDPC) announced that it signed a Memorandum of Understanding (MOU) with the Engineering Institute of Thailand (EIT) to jointly define, promote, support, and create standards according to the Personal Data Protection Act (PDPA) for the engineering sector.
On February 15, 2024, the Ministry of Digital Economy and Society (MDES) announced the findings of a joint investigation into personal data trading networks that led to the arrest of nine individuals involved in the illegal trade of personal data.
On February 12, 2024, the Personal Data Protection Committee (PDPC) announced the Ministry of Digital Economy and Society's (MDES) seven flagship priorities for 2024, including:
On January 29, 2024, the Ministry of Digital Economy and Society (MDES) launched the Personal Data Protection Act Center (PDPA Center) to provide comprehensive personal data protection services, including receiving complaints and providing advice on personal data protection to citizens and various agencies.
On January 14, 2024, the Royal Decree outlining exceptions to data controller obligations under the Personal Data Protection Act (PDPA) came into force, following its publication, on August 17, 2023, in the Official Gazette.
On December 28, 2023, the Personal Data Protection Committee (PDPC) announced two regulations on international data transfers under Sections 28 and 29 of the Personal Data Protection Act 2019 (PDPA), respectively, as published in the Royal Gazette on December 25, 2023.
On December 6, 2023, the Personal Data Protection Committee (PDPC) published two forms in relation to its previous notification regarding the requirement to appoint personal data protection officers (DPO) where personal data pr
On December 1, 2023, the Ministry of Digital Economy and Society (MDES) convened a meeting in collaboration with the Office of the Personal Data Protection Commission (PDPC), the Office of the Insurance Commission (OIC), and members of the insurance business network to discuss the prevention of personal data violations in the insurance sector.
The Personal Data Protection Act B.E. 2563 (A.D. 2019) of Thailand (PDPA), effective from June 1, 2022, is the key legislation of Thailand that provides comprehensive protection for personal data. Local and foreign entities that collect, use, or disclose personal data of data subjects in Thailand are subject to the PDPA.
The rapid ascent of artificial intelligence (AI) has paved the way for a new era of innovation and is reshaping our daily lives. The emergence of generative AI, a content-generating tool, is a recent example of how quickly these developments can take place.
In line with the intent of the law under the Electronic Transactions Act B.E. 2544 (2001) (ETA) to maintain financial and commercial security and strengthen the reliability and credibility of data message systems, the Royal Decree on Regulating the Digital Platforms which are Subject to Prior Notification B.E.
The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors.
OneTrust DataGuidance and Blumenthal Richter & Sumet provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and Thailand's Personal Data Protection Act (PDPA). The report, which was last updated in May 2022, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of PDPA with the GDPR.
Key highlights
The PDPA and the GDPR share some similarities, particularly in regard to their territorial scope. Both laws:
- regulate the transfer of data to third parties;
- require organizations to implement appropriate security measures with respect to personal information;
- provide legal bases for the lawful processing of personal information;
- provide special protections for the processing of minors' personal data;
- impose monetary penalties for non-compliance; and
- provide supervisory authorities with investigatory and corrective powers.
However, despite their similarities, the PDPA and the GDPR sometimes differ in their approach. For example:
- the PDPA does not apply to some public bodies;
- the PDPA does not differentiate or refer to automated and non-automated processing;
- the PDPA does not explicitly address the principles of accountability; and
- the GDPR defines pseudonymization, while the PDPA does not.