Thailand passes Personal Data Protection Act

By Peter Tyllack


On the 27th of May 2019, Thailand published a new Personal Data Protection Act („PDPA“) in the Royal Government Gazette. This is an important milestone for data protection in Thailand.

The Personal Data Protection Act (PDPA)

The new Thai PDPA was heavily inspired by the European Union’s General Data Protection Regulation 2016/679 („GDPR“), as it adopts several GDPR principles.

Central purpose of the PDPA is the protection of personal data of individuals (the “data subjects”). This is achieved by various provisions, such as:

  • Rights of data subjects
  • Obligations of data controllers / data processors
  • Restrictions of transfer of personal data to third countries
  • Requirement to obtain consent for the collection, processing and use of personal data
  • Requirement to ensure sufficient security measures for storing personal data, especially for sensitive personal data
  • Regulations on data breach notifications
  • Requirement for data controllers outside Thailand to appoint local representatives.
  • As part of the implementation of the PDPA, a Personal Data Protection Commission will be responsible for the issuance of supplementary regulations and guidelines.

Going forward, many data controllers and data processors will have to appoint data protection officers and will have to implement measures to inform authorities and/or data subjects in case of data breaches.

The new PDPA will not only be relevant for Thai companies, but also for extraterritorial companies that do business in Thailand. The PDPA will be applicable to all data processing activities relating to the offering of services and goods to data subjects in Thailand. As a result, many extraterritorial companies that offer their services to Thai residents will be in scope of the new PDPA.

Classic chessmen on a dark brown wooden table

Data Subject’s Rights

The PDPA focusses on the data subjects’ rights. Similar to the EU’s GDPR, data subjects can for example:
  • Withdraw their consent to the collection of personal data
  • Object to the collection, disclosure or use of their personal data
  • Request access to the personal data collected by a data controller
  • Request the deletion of collected personal data or the suspension of its use
  • Demand that the data controller maintains accurate and complete data
  • File complaints if the data controller violates the data subjects rights

Responsibilities of the Data Controller / Data Processor

“Data controller” means a person or entity that can make decisions regarding the collection, use or disclosure of personal data. As part of the PDPA, the data controller has to (e.g.):

  • inform the data owner of the objectives and impact of the collection, use or disclosure of personal data
  • implement adequate security measures and protect the personal data
  • maintain adequate records relating to the processing activities
  • delete personal data when no longer required or when consent is withdrawn
  • report data breaches within 72 hours

“Data processor” means a person or entity that processes personal data on behalf of a data controller. The data controller has to instruct the data processor, who strictly has to follow these instructions when using or processing the personal data. Like the data controller, the data processor also has to ensure appropriate security measures to protect the personal data and maintain adequate records of the data processing.


Failure to comply with the new Personal Data Protection Act may expose companies to civil, criminal and administrative sanctions.

Violations of the new PDPA, even for negligence, may result in significant damage claims by data subjects (up to twice the amount of the actual damages). Possible criminal penalties include imprisonment as well as criminal fines. In addition, administrative fines up to 5 million THB (currently ca. 140,000 €) are possible.

Grace Period

The PDPA has a grace period of one year, during which supplementary rules for the implementation will likely be issued by the Personal Data Protection Commission.

Many different classic keys on a dark brown wooden table

How to prepare for the new PDPA

The Thai PDPA can be a game changer for many companies. While in the past personal data protection was often taken quite lightly, non-compliance with the new Personal Data Protection Act can have severe consequences. Thai companies as well as extraterritorial companies that are doing business in Thailand will face challenges to implement the necessary measures.

Achieving and maintaining compliance with the PDPA will not only result in higher operating costs for companies, but also will force companies to consider carefully how they approach data protection, as the regulations in the PDPA are not as detailed as in the GDPR.

While it remains to be seen what guidelines and interpretations the Personal Data Protection Commission will publish and if the PDPA will be consistently implemented, companies should start with the implementation of the PDPA as soon as possible, starting with an analysis of the status quo, the mapping of regulations and the identification of gaps. Once the gaps have been identified, companies can start to implement measures to achieve the required level of security and data protection, e.g. by introducing data management processes and by redefining their IT landscape.

IT Consultants like Neos can help companies implement the necessary technical and organizational measures by leveraging best-of-breed IT technologies, Cloud Services and Security Information and Event Management Systems (SIEM) to achieve "Privacy by Design".

Due to the complexity and the severity of potential consequences, the implementation of the PDPA should be made a priority of top management.