A comparison of data protection laws: Thailand

    By Chumpicha Vivitasevi and Thaya Uthayophas, Weerawong Chinnavat & Partners

    Data is the oil of the information age. Despite the varied and complex socioeconomic and political landscapes, many Asian jurisdictions are taking giant strides in strengthening personal data safeguards




    Thailand’s Personal Data Protection Act, 2019 (PDPA) was promulgated to protect natural persons from the unauthorised or unlawful collection, use or disclosure of their personal data. The law came into force on 27 May 2019, but its full enforcement has been postponed twice, most recently until 1 June 2022.


    The PDPA provides for the establishment of the Personal Data Protection Committee (PDPC) with duties including:

    • Determining measures or procedures for the protection of personal data;
    • Issuing notifications or regulations;
    • Announcing criteria for data protection procedures and the protection of data transferred overseas; and
    • Preparing a master plan to support and protect personal data.

    The PDPC also has the power to appoint sub-committees to consider or perform any acts on its behalf, and the PDPA provides for an expert committee under the PDPC to investigate and consider complaints and to settle disputes in connection with personal data.

    Finally, the PDPA provides for the establishment of the office of the PDPC and a supervisory commission. The office performs academic and administrative tasks for the PDPC, its committee and the supervisory commission. The office also has the power to review and certify policy for international data transfer.


    The PDPA regulates the collection, use and disclosure of personal data (collectively, the act of processing data) by a data controller or a data processor in Thailand, regardless of whether the act of processing data takes place in the country.

    If a data controller or a data processor is outside Thailand, the PDPA applies to the act of processing data of subjects in Thailand, where the activities of the data controller or data processor involve: (1) offering goods or services to data subjects in Thailand, regardless of whether any payment is made by the data subjects; and (2) monitoring data subjects’ behaviour in Thailand. However, the PDPA does not apply to:

    • Data collected for personal benefit or household activities of such person only;
    • Data concerning the operations of public authorities;
    • Data collected solely for activities in relation to mass media, fine arts or literature;
    • Data that fall under the duties and power of parliament or parliamentary committees;
    • Data concerning trials and adjudications of courts, as well as work operations of officers in legal proceedings; and
    • Data collected by a credit bureau company and its members.



    The PDPA defines personal data as any information related to an identifiable person, directly or indirectly, but excludes information about deceased persons.

    There are two types of personal data – general personal data and sensitive data. General personal data comprises personal data of any type that is not sensitive data. Sensitive data includes personal data on race, ethnic origin, political opinion, cult, religious or philosophical belief, sexual behaviour, criminal record, disability, trade union information, health data, genetic data, biometric data, and any other information that may similarly impact the data subject, as prescribed by the PDPC.

    Unless there is a lawful basis allowing otherwise, processing of personal data requires explicit consent of the data subject. However, lawful bases for processing personal data without consent include: research; vital interests; contract; tasks carried out in the public interest or under official authority; the legitimate interest of the data controller (balanced against the rights of the data subject); legitimate non-profit activities; public data; legal claims; and legal obligation.


    International transfer of personal data is only permitted under the PDPA in a limited number of circumstances, including: (1) where the transfer is to a destination country with adequate data protection standards, as determined by the PDPC; (2) where the transfer is based on a group data protection policy that has been reviewed and approved by the office of the PDPC; and (3) under specific derogations, including where the transfer is required for compliance with the law or where consent has been obtained, provided that the data subject has been informed of the inadequacy of the data protection standards of the destination country.



    The PDPA makes a distinction between a data controller, who has the authority to make decisions on the act of processing data, and a data processor, who operates in relation to the act of processing data pursuant to orders given by, or on behalf of, a data controller.

    The data controller must implement security measures and verification procedures, as well as provide notification of any violations to the office of the PDPC. The PDPA requires the data controller to take appropriate measures to prevent the unauthorised or unlawful loss, access, use, alteration, correction or disclosure of personal data. The data controller must enter into an agreement with the data processor to ensure compliance with the PDPA.

    The data processor is responsible for implementing security measures, notifying the data controller of any violations, and preparing and maintaining logs.


    Transparency is a key principle under the PDPA, and the data controller must inform the data subject of the following before, or at the time of, data collection:

    • Purpose of the collection, including its legal basis;
    • Impact of not providing information;
    • Data to be collected and period of storage;
    • Categories of persons or entities to whom the personal data may be disclosed;
    • Address and contact details of the data controller and of its representative or data protection officer (as applicable); and
    • Rights of data subjects.

    In addition, the act of processing data must be conducted in accordance with the purpose previously notified to the data subject, unless the data subject has been informed of a new purpose and prior consent has been obtained.

    For accountability under the PDPA, the data controller must also maintain the following records and make them available for inspection by the data subject and the office of the PDPC:

    • Personal data collected;
    • Purpose of the collection;
    • Details of the data controller;
    • Retention period for the personal data;
    • Rights and methods in accessing the personal data;
    • Uses or disclosures of personal data exempted from the consent requirement;
    • Rejections of requests or objections; and
    • Explanation of appropriate security measures to prevent data breaches.


    The PDPA requires the data controller to notify the office of the PDPC within 72 hours of becoming aware of any personal data breach, unless the breach is unlikely to compromise the rights and freedoms of data subjects. If a breach poses high risks to the rights and freedoms of data subjects, the data controller must notify them and take remedial measures immediately.


    Data subjects have rights against the data controller, including the right to request access to, and obtain a copy of, their personal data, to data portability, to object to processing, to be forgotten, to restrict the use of personal data, and to amend their data for accuracy purposes.


    Penalties for non-compliance with the PDPA include criminal, administrative and civil penalties. Criminal penalties include imprisonment for up to one year and/or fines of up to THB1 million (USD29,250). If the violation is caused by the instruction or omission of a person responsible for a company, the person may also be subject to the same penalties. Civil liabilities include punitive damages of up to twice the amount of actual damages, and civil damages may be claimed under a class action lawsuit. The PDPC is authorised to order administrative fines of up to THB3 million for general data and THB5 million for sensitive data.


    Public hearings have been held on three groups of draft sub-regulations, all of which are currently under consideration by the PDPC. They concern the following matters:

    • Criteria and methods for obtaining consent;
    • Processing of personal data;
    • Proper data protection methods for sensitive personal data;
    • Criteria and protections for data transfer overseas;
    • Activity records, methods for data subject requests, and reports on breaches;
    • Data protection officers;
    • Appointment of foreign representatives;
    • Industry exceptions for compliance with specific provisions;
    • Duties with regard to data subject rights;
    • Duties of data processors;
    • A code of conduct;
    • Data protection impact assessment and automated decision making; and
    • Personal data protection standards and certifications.