

Comply with the PDPA

The Personal Data Protection Act 2019 (PDPA) is the first consolidated legislation providing general data protection within Thailand, coming into full force and effect on June 1, 2022. The PDPA is based on the GDPR and contains many similar provisions, although they differ in areas such as anonymization. The PDPC has issued various sub-regulations and guidelines under the PDPA.

Visit our Thailand Jurisdiction Dashboard for further information on Thailand's Data Protection Landscape.


OneTrust DataGuidance, in collaboration with Blumenthal Richter & Sumet, has produced a PDPA v. GDPR Report, which you can download here, and which assists organizations in understanding key provisions of the PDPA and comparing them with those of the GDPR. In the tab above, you can also leverage this information through our PDPA v. GDPR Comparison.

OneTrust DataGuidance and Blumenthal Richter & Sumet provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and Thailand's Personal Data Protection Act (PDPA). The report, which was last updated in May 2022, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the PDPA with those of the GDPR.

You can access the latest version of the report here.

Key highlights

The PDPA and the GDPR share some similarities, particularly in regard to their territorial scope. Both laws:

  • regulate the transfer of data to third parties;
  • require organizations to implement appropriate security measures with respect to personal information;
  • provide legal bases for the lawful processing of personal information;
  • provide special protections for the processing of minors' personal data;
  • impose monetary penalties for non-compliance; and
  • provide supervisory authorities with investigatory and corrective powers.

However, despite their similarities, the PDPA and the GDPR also differ in their approach in some respects, such as:

  • the PDPA does not apply to some public bodies;
  • the PDPA does not differentiate between, or refer to, automated and non-automated processing;
  • the PDPA does not explicitly address the principles of accountability; and
  • the GDPR defines pseudonymization, while the PDPA does not.