According to recent studies, 162 countries have enacted data privacy laws — in Thailand, that law is the Personal Data Protection Act (PDPA).
Thailand’s PDPA applies to businesses both inside and outside the country and gives individuals rights over how their personal information is collected and used.
In this guide, you’ll learn everything you need to know about Thailand’s data protection law, including who it applies to, what it requires, and the penalties for violating it.
Key Takeaways
Summary of how Thailand’s PDPA impacts businesses worldwide:
Thailand’s Personal Data Protection Act is the primary consumer data protection law that protects individuals in Thailand.
It describes the rights individuals have over their personal information, outlines specific guidelines entities must follow to legally collect and use consumer information, and lists the penalties for violating those requirements.
Signed in 2019, Thailand’s Personal Data Protection Act officially took effect on June 1, 2022.
To help you understand how to comply with Thailand’s PDPA, we’ve included the definitions of some key terms as they appear in the English translation of the law below:
Thailand’s PDPA covers the personal information of natural persons in Thailand.
It also covers the collection and processing of personal data by controllers or processors based in Thailand, regardless of where the collected data comes from.
There are several requirements that businesses complying with Thailand’s PDPA must follow.
Under Thailand’s PDPA, entities can legally process personal data for the following reasons:
According to Thailand’s data privacy law, consent must be explicitly given in a written statement or electronically when possible.
When requesting user consent, a covered entity must provide a notification or disclosure about the data processing.
The user must then freely agree to the processing of their own accord and retain the right to easily withdraw consent at any time.
Thailand’s PDPA requires entities to appoint a data protection officer who’s responsible for:
Data processors and controllers must also provide users with contact information for their DPO.
Entities must inform users about how long they retain data at or before the point of data collection.
If unable to provide a date, the entity must explain the process used to determine how long the data will be kept.
To process special categories of data — like sensitive personal information — the entity must obtain explicit consent from the data subject.
However, data controllers may collect information related to criminal records if authorized by an official authority.
Controllers and processors under Thailand’s PDPA must enter into a contractual agreement that requires both parties to follow all requirements outlined by the law.
Part of the agreement must include the maintenance of personal data records and activities and compliance with rules set forth by the Personal Data Protection Committee (PDPC).
Several data privacy laws exist around the world, including the following:
You can compare Thailand’s PDPA to the other global privacy laws in the table below.
Data Privacy Law | Requires opt-in consent* | Mandates publishing a privacy policy | Outlines contractual obligations with third parties | Holds businesses accountable for data security | Has specific requirements for international data transfers | Requires additional guidelines for categories of sensitive (special) information |
Thailand PDPA | ✓ | ✓ | ✓ | ✓ | ✓ | |
Argentina PDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
CCPA | ✓ | ✓ | ✓ | ✓ | ||
GDPR | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
LGPD | ✓ | ✓ | ✓ | ✓ | ✓ | |
PIPEDA | ✓ | ✓ | ✓ | |||
POPIA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Privacy Act 1988 | ✓ | ✓ | ✓ | ✓ | ||
Privacy Act 2020 | ✓ | ✓ | ✓ | ✓ | ✓ |
*With some exceptions for some laws.
Thailand’s PDPA impacts consumers by granting them certain rights over how their personal data gets collected and used, including the right to:
Users also have the right to be informed about what data is being collected about them, why it is being collected, and what that data’s retention period is.
The Personal Data Protection Act applies to the data of any natural, living person in Thailand.
However, any data collected and used in a household or personal context is exempt.
Thailand’s PDPA impacts businesses in more ways than just the lawful bases and data retention requirements previously mentioned — it also affects privacy and cookie policies.
According to Thailand’s PDPA, businesses must inform individuals about the following details before or at the point of data collection:
An easy way to meet this guidance is to present your users with a privacy policy that meets these notification requirements.
Once individuals are already informed about the collection, they do not have to be presented with such a notice again.
Thailand’s PDPA affects your cookie policy because users protected by the law have the right to be informed of data collection at or before the point of collection, and internet cookies collect personal data from users.
You must ensure your users are aware of what cookies your website uses, what they do, and why you use them before they’re placed on their browsers.
To meet this requirement, you should present your users with an accurate cookie policy.
You can use our free cookie policy generator to do this in minutes.
Any business in Thailand that collects and processes personal data must comply with the Personal Data Protection Act.
Businesses outside of Thailand that offer goods or services to individuals in the country and monitor their online behavior must also comply with the act, regardless of whether a financial transaction occurs.
The following entities are exempt from following Thailand’s PDPA:
To comply with Thailand’s PDPA, businesses should update their privacy policies and cookie policies to meet all requirements for properly informing users about data collection.
Implementing a consent management platform with a properly configured consent banner enables you to meet opt-in and opt-out requirements outlined by the law.
Finally, to make it easy to receive and respond to users’ requests to exercise their rights, put a Data Subject Access Request (DSAR) form on your site.
In Thailand, the PDPA is enforced by the Personal Data Protection Committee (PDPC).
The PDPC also drafts and releases sub-regulations and guidelines for the law.
The committee can determine how entities should interpret PDPA compliance, issue notifications to those who violate the law, and establish future rules or guidelines.
Violating Thailand’s PDPA can lead to fines of up to THB 5 million ($145,000) and criminal penalties.
Businesses might also be forced to cease all data processing activities.
Termly offers a Consent Management Platform (CMP) that businesses can configure to meet the opt-in and opt-out consent requirements of Thailand’s PDPA.
Our team is also working on updates to our Privacy Policy Generator, so it will include the necessary information to comply with the notification requirements outlined by Thailand’s privacy law.
Vetted by our legal team and data privacy experts, our Generator asks simple questions about your business and data processing activities and builds a unique policy based on your answers.
Check back to learn when these updates are live.
While the PDPA is the most significant data privacy law in Thailand, a few other pieces of legislation exist, including the following:
Thailand’s Personal Data Protection Act is a comprehensive law that gives individuals in the country more control over how their data is collected, processed, and used.
If you’re subject to the PDPA, update your privacy policy to meet the notification requirements outlined by the law.
With resources like our Privacy Policy Generator, complying with data privacy laws has never been easier.
Anokhy is a privacy lawyer with prior experience in privacy and cybersecurity in the public and private sectors. As a former Westin Fellow at the IAPP, she published several articles, white papers, and infographics, and led, coordinated, and moderated webinars and panels, all regarding US privacy and privacy technology. Anokhy obtained her masters at Carnegie Mellon University and juris doctor at the University of Pittsburgh.