Personal Data Protection Act (PDPA) Thailand cookie consent and compliance

Under Thailand’s PDPA, cookies that collect personal data—such as identifiers, tracking information, or user preferences—require informed consent from the user before activation. Is your website set up for compliance?  

What your business needs to know about the PDPA

Thailand's Personal Data Protection Act (PDPA) is a comprehensive data privacy law that came into effect on June 1, 2022. It governs the collection, use, and disclosure of personal data by both public and private entities within Thailand, as well as by organizations outside Thailand that offer goods or services to individuals in the country. The PDPA is modeled after the EU's GDPR and aims to protect the privacy rights of individuals while promoting responsible data usage.

What does PDPA compliance require?

Businesses must understand that PDPA compliance involves more than just updating privacy policies. It requires implementing systems for obtaining and managing consent, ensuring lawful data processing, enabling data subject rights (such as access and deletion requests), and maintaining data security. Organizations should also assign a Data Protection Officer (DPO) if their core activities involve regular processing of personal data on a large scale. 

To be in compliance, businesses operating in or serving users in Thailand must:

Consent management: Obtain valid consent for collecting and processing personal data.

Audit: Audit all data collection practices, including consent mechanisms, data security and third-party data sharing.

Update privacy policy: Implement and keep up-to-date privacy policies.

Who needs to comply with the PDPA?

All organizations that collect, use, or disclose personal data in Thailand—regardless of their location—must comply with the PDPA. This includes Thai companies, multinational corporations with Thai customers, and online platforms targeting Thai residents. Both data controllers and data processors have defined responsibilities under the law.

Consumer rights under the PDPA

Thailand’s law grants consumers various data privacy rights, including:

Why cookies as part of PDPA compliance

Cookies are treated as a form of personal data under the PDPA if they can identify an individual directly or indirectly. As such, using cookies for analytics, advertising, or personalization purposes typically requires prior user consent. Only strictly necessary cookies can be deployed without consent. Transparency, user control, and clear opt-out options are essential to align with PDPA rules. 

Penalties for PDPA non-compliance

Non-compliance with the PDPA can result in significant penalties, including administrative fines up to 5 million THB, civil liabilities (including compensation for damages), and criminal penalties such as imprisonment or additional fines depending on the severity of the violation. These consequences underline the importance of proactive compliance measures.

How to comply with the PDPA

To check your compliance with the PDPA Thailand, businesses should:

Audit: Conduct a data audit to identify all cookies and trackers on their websites.

Categorize: Categorize cookies (e.g., necessary, preference, analytics, marketing).

Consent management: Ensure consent banners are implemented correctly, enable users to withdraw consent at any time, and maintain consent logs.

Check partner contracts: Review third-party data-sharing practices.

Train staff: Ensure that employees have training to understand and comply with the PDPA.
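As an added illustration of the categorize, consent-management and consent-log steps above (example code written for this page, not CookieHub's product code), the following JavaScript gates every cookie write on a per-category consent state, records each consent decision in a log, and purges non-necessary cookies when the user withdraws consent. The cookie inventory, category names and log format are assumptions made for the example; a Map stands in for document.cookie so the logic runs outside a browser.

```javascript
// Added example (not CookieHub's code). Cookie names, categories and the
// log format below are assumptions chosen for illustration.

const CATEGORIES = ["necessary", "preference", "analytics", "marketing"];

// Constructed inventory, the output a cookie audit would produce: name -> category.
const COOKIE_INVENTORY = {
  session_id: "necessary",
  csrf_token: "necessary",
  ui_lang: "preference",
  visitor_stats: "analytics",
  ad_click_id: "marketing",
};

// Initial state: only strictly necessary cookies are allowed before any consent.
function createConsentState() {
  return {
    granted: { necessary: true, preference: false, analytics: false, marketing: false },
    log: [], // one entry per consent decision, for the consent record
  };
}

// Apply a user's choices. "necessary" cannot be toggled; every decision is logged.
function recordConsent(state, choices, source, now = Date.now()) {
  const next = { ...state.granted, necessary: true };
  for (const category of CATEGORIES) {
    if (category !== "necessary" && category in choices) {
      next[category] = Boolean(choices[category]);
    }
  }
  state.granted = next;
  state.log.push({ ts: now, source, granted: { ...next } });
  return state;
}

// Withdrawal resets all non-necessary categories and is logged like any decision.
function withdrawConsent(state, source = "withdraw", now = Date.now()) {
  return recordConsent(state, { preference: false, analytics: false, marketing: false }, source, now);
}

// Gate: a cookie may be set only if its category has consent.
// Unknown cookies are denied by default; they signal a gap in the audit inventory.
function canSetCookie(state, name) {
  const category = COOKIE_INVENTORY[name];
  if (category === undefined) return false;
  return state.granted[category] === true;
}

// jar is a Map standing in for document.cookie so the example runs in Node.
function setCookie(jar, state, name, value) {
  if (!canSetCookie(state, name)) return false;
  jar.set(name, value);
  return true;
}

// After withdrawal, remove cookies whose category no longer has consent.
function purgeRevoked(jar, state) {
  const removed = [];
  for (const name of [...jar.keys()]) {
    if (!canSetCookie(state, name)) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

// End-to-end flow: before consent, after accepting analytics, after withdrawal.
function exampleFlow() {
  const state = createConsentState();
  const jar = new Map();
  const beforeConsent = setCookie(jar, state, "visitor_stats", "v1"); // false
  recordConsent(state, { analytics: true }, "banner", 1000);
  const afterConsent = setCookie(jar, state, "visitor_stats", "v1"); // true
  withdrawConsent(state, "settings", 2000);
  const removed = purgeRevoked(jar, state); // ["visitor_stats"]
  return { beforeConsent, afterConsent, removed, logEntries: state.log.length };
}
```

The deny-by-default branch in canSetCookie is the part worth keeping in a real deployment: a tracker the audit missed is blocked rather than silently loaded, and the rejected name can be surfaced as a finding for the next audit.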

How CookieHub can help with PDPA compliance

A consent management platform like CookieHub can simplify PDPA compliance by enabling businesses to collect, manage, and document valid user consent for cookies and other data processing activities in a transparent and legal way.

Frequently Asked Questions

The PDPA applies to the processing of personal data conducted by data controllers and data processors in Thailand. It also applies to processing personal data of individuals located in Thailand, even if the data controller or processor is outside Thailand, when the processing is for offering goods or services or monitoring behavior of individuals in Thailand. The law covers both private and public sectors, regulating collection, use, disclosure, and retention of personal data.

Personal data is defined as any information relating to an identified or identifiable natural person (data subject). This includes names, ID numbers, location data, online identifiers, or other information that can directly or indirectly identify a person.

Sensitive data (also called sensitive personal data) is a subset of personal data that, if disclosed or misused, could cause harm or discrimination. Examples include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for identification purposes), health data or sex life or sexual orientation data. Processing sensitive data generally requires stricter protections and explicit consent. 

The Personal Data Protection Committee (PDPC) is the main regulatory body overseeing enforcement, issuing guidelines, and ensuring compliance with the PDPA in Thailand.

The PDPA includes some exemptions, such as data processing for personal or household activities without commercial or professional intent; data processed solely for journalistic, artistic, academic, or research purposes under specific conditions; and data processed for national security, public safety, or legal enforcement. Government agencies may have some exemptions depending on specific laws and circumstances.

Thailand’s Personal Data Protection Committee (PDPC) website provides the primary information about the PDPA, while government gazettes publish the legal text. Thai law firms specializing in data privacy will be best placed to advise on more specific matters.