PDPA
Personal Data Protection Act B.E. 2562 (2019)
Thailand's Personal Data Protection Act B.E. 2562 was enacted in 2019 and, after repeated postponements, became fully effective on 1 June 2022. Modeled closely on the EU GDPR, it sets out lawful bases for processing, data subject rights, and obligations for controllers and processors. The PDPC began issuing administrative fines from 2024.
Who it applies to
Data controllers and processors in Thailand, and those outside Thailand that offer goods or services to, or monitor the behavior of, data subjects in Thailand.
Identity requirements
- Establish a lawful basis such as consent before collecting, using, or disclosing personal data, with explicit consent for sensitive data
- Provide privacy notices and uphold data subject rights including access, rectification, erasure, portability, and objection
- Appoint a Data Protection Officer where required by the nature or scale of processing
- Notify the PDPC of a personal data breach within 72 hours where feasible, and affected individuals for high-risk breaches
- Implement appropriate security measures and maintain records of processing activities
- Ensure adequate protection or appropriate safeguards for cross-border transfers of personal data
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Consent must be freely given, specific, and informed, with explicit consent for sensitive data such as biometrics. |
| Breach notification | Controllers must notify the PDPC within 72 hours where feasible and inform affected individuals of high-risk breaches. |
| Data residency & cross-border transfer | Transfers abroad require an adequate level of protection or recognized safeguards. |
| Audit, logging & accountability | Controllers and processors must keep records of processing activities to demonstrate compliance. |
| Identity verification (KYC/proofing) | Collection of identity and sensitive data such as biometrics triggers explicit-consent and security obligations. |
Penalties
Penalties combine administrative fines of up to 5 million baht per violation, criminal sanctions of up to one year of imprisonment for serious sensitive-data offenses, and civil liability including punitive damages of up to twice the actual damages.
PDPA: frequently asked questions
- When did Thailand's PDPA come into full force?
  - Enacted in 2019, its operative provisions were postponed several times and took full effect on 1 June 2022.
- Who enforces the PDPA?
  - The Personal Data Protection Committee (PDPC) and its Office administer and enforce the law.
- What are the maximum administrative fines?
  - Administrative fines can reach 5 million baht per violation, alongside possible criminal and civil liability.