I. Introduction: Why Foreign Businesses Cannot Ignore Thailand's PDPA
If your company collects, uses, or stores personal data from Thailand — whether from employees, customers, or website visitors — you are likely subject to Thailand's Personal Data Protection Act.[1] This is true even if your business is registered overseas and has no physical presence in the kingdom. The PDPA has extraterritorial reach, meaning it catches any organization that processes personal data of Thai residents, regardless of where the company itself is based.
For foreign businesses, this creates a legal obligation that extends far beyond Thailand's borders. Unlike some privacy regimes that only apply to domestic enterprises, the PDPA holds foreign companies to the same standard as Thai-registered companies. Failure to comply can result in administrative fines up to 5 million Thai baht per violation, criminal penalties including imprisonment, and civil liability for damages.
This article is a practical guide for international companies navigating the PDPA. We examine who must comply, the key obligations, the rights of data subjects, and how Thailand's approach compares to other leading privacy regimes like the European Union's GDPR.
II. Who Is Subject to the PDPA? (Territorial Scope)
The PDPA's extraterritorial reach is set out in Section 5(2).[2] The Act applies to any data controller or data processor who is located outside Thailand, provided that:
(a) The organization offers goods or services to data subjects in Thailand; or
(b) The organization monitors the behaviour of data subjects in Thailand.
This language is similar to Article 3 of the EU's General Data Protection Regulation (GDPR), which extends to "any organisation worldwide" that offers goods or services or monitors behaviour of EU residents. The practical effect is the same: if you run an e-commerce site, mobile app, or online service accessible to Thai users, you are processing personal data of Thai residents and the PDPA applies.
The second limb — "monitoring behaviour" — captures activities like using analytics, tracking cookies, and profiling. This means that even if you do not sell anything in Thailand, if you collect behavioural data from Thai visitors to your website, you must comply with the PDPA.
The PDPA applies to foreign companies if they: (a) offer goods or services to Thai residents, or (b) monitor their behaviour. Location of the company is irrelevant. A US software company serving Thai customers, a European SaaS provider with Thai users, or a Chinese e-commerce platform serving Thai buyers all fall under the PDPA.
III. Data Controllers vs. Data Processors
One of the most important distinctions in the PDPA is between a data controller and a data processor. Understanding this distinction is critical because the obligations differ significantly.
A data controller[3] is a person or organization that decides why personal data is collected and how it is used. The controller determines the purposes and means of processing. Typically, this is your company — the business that benefits from the data. Controllers bear the primary compliance burden under the PDPA.
A data processor[4] is a person or organization that processes personal data on behalf of, and on the instructions of, a controller. A processor does not decide why or how the data is used; it merely carries out the controller's instructions. Examples include cloud service providers, payment processors, and data analytics vendors.
If your company is a controller, you must establish a lawful basis for processing (discussed below) and comply with data subject rights requests. If you are a processor, your obligations are primarily contractual — you must ensure that your processing adheres to your contract with the controller and implement appropriate security measures. A processor cannot legally process data for purposes other than those specified by the controller.
In practice, a company may be both a controller and a processor at different times. For example, a human resources consultancy may be a processor when it processes payroll data on behalf of an employer (controller), but a controller when it uses that anonymized data for its own research or business intelligence.
IV. Six Lawful Bases for Processing Personal Data
Before you can collect or use personal data, you must have a lawful basis for doing so. The PDPA recognizes six lawful bases, set out in Section 19.[5] A data controller must identify at least one lawful basis for each processing activity. Without a lawful basis, processing is unlawful.
1. Consent — The data subject has given clear, specific, and informed permission. Consent must be freely given; it cannot be a condition of receiving a service if the service does not actually require the data. Withdrawal of consent must be as easy as giving it.[6]
2. Performance of a Contract — Processing is necessary to perform a contract with the data subject, or to take steps at the subject's request before entering into a contract. For example, an e-commerce platform may process an address and payment details because processing is necessary to fulfil the purchase order.
3. Vital Interests — Processing is necessary to protect the vital interests of the data subject or another person. This is a narrow exception used in life-or-death situations, such as processing medical data to save someone's life in an emergency.
4. Legitimate Interests[7] — Processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the rights and freedoms of the data subject. This basis requires a balancing test: you must weigh your business interest against the privacy expectations of the individual.
5. Compliance with Legal Obligations — Processing is required by law. For example, an employer must process employee tax identification numbers because Thai labour law requires it.
6. Public Task — Processing is necessary for the performance of a public task or governmental function. This basis is typically used by government agencies and public bodies, not by private companies.
Each lawful basis has different requirements and implications. Consent is straightforward but can be withdrawn at any time. Legitimate interests is flexible but requires careful documentation and justification. Controllers should map each processing activity to a specific lawful basis and be prepared to explain why that basis applies if challenged by the Personal Data Protection Committee (PDPC), Thailand's data protection authority.
V. Sensitive Personal Data: The Stricter Category
Not all personal data is treated equally under the PDPA. Sensitive personal data receives heightened protection. Section 23 defines eight categories of sensitive data,[8] and Section 26 imposes stricter rules for their processing.[9]
The eight categories are: (1) racial or ethnic origin; (2) political opinions; (3) religious or philosophical beliefs; (4) sexual behaviour or orientation; (5) criminal records; (6) health data; (7) disability; and (8) genetic data, biometric data, and trade union membership.
The core rule: collection of sensitive data generally requires explicit consent. Unlike ordinary personal data, which may be collected based on other lawful bases, sensitive data almost always requires the data subject to have actively and explicitly agreed to collection. This consent must be specific to the type of sensitive data and the purpose. It cannot be buried in a terms-of-service checkbox.
Limited exceptions exist. A controller may collect sensitive data without explicit consent if: (a) the data subject is unable to give consent (e.g., unconscious in a hospital), and processing is vital to the subject's interests; (b) processing is necessary for a public health purpose; (c) processing is necessary to pursue a legal claim; or (d) processing is necessary for purposes of archiving, scientific research, or historical or statistical purposes.
For many foreign businesses, the key takeaway is this: avoid collecting sensitive data unless absolutely necessary. If you must collect it (e.g., health data for an insurance platform, or criminal records for a background-check service), obtain explicit written consent and implement robust security measures.
VI. Eight Rights of Data Subjects
The PDPA grants data subjects eight core rights. Controllers must be prepared to respond to requests exercising these rights promptly — typically within 30 days.
1. Right of Access (Section 30)[10] — A data subject may request access to any personal data relating to them that the controller holds, and obtain a copy in a readily usable format, free of charge.
2. Right to Correction and Completion (Section 35)[11] — A data subject may request that inaccurate or incomplete data be corrected or completed.
3. Right to Deletion/Right to Be Forgotten (Section 33)[12] — A data subject may request deletion or destruction of their personal data, or anonymization, when the data is no longer necessary for its original purpose or when consent is withdrawn.
4. Right to Data Portability (Section 31)[13] — A data subject may request their personal data in a commonly used, machine-readable format (such as CSV or XML) and request that the controller transmit it to another controller.
5. Right to Object (Section 32)[14] — A data subject may object to processing, particularly when the controller relies on legitimate interests or direct marketing.
6. Right to Restriction of Processing (Section 34)[15] — A data subject may request that processing be temporarily suspended, for example, while the accuracy of data is being verified or while a dispute is being resolved.
7. Right to Know About Automated Decision-Making — A data subject has the right to request information about automated decision-making (e.g., algorithmic profiling) and can challenge such decisions.
8. Right to Lodge a Complaint — A data subject may file a complaint with the Personal Data Protection Committee if they believe their rights have been violated.
Foreign companies must establish processes to respond to these requests. This means implementing systems to locate and retrieve personal data, procedures to verify the identity of requesters, and timelines to respond. Large-scale operations should designate a Data Protection Officer (DPO) or establish a dedicated team to manage subject access requests and other rights inquiries.
VII. Cross-Border Data Transfers
The PDPA restricts the transfer of personal data outside Thailand's borders. Section 37 provides the framework.[16] Data may be transferred abroad only if:
(a) The destination country has an adequate level of protection as determined by the Personal Data Protection Committee; or
(b) Appropriate safeguards are in place, such as standard contractual clauses or binding corporate rules.
As of 2025, the PDPC has announced that certain jurisdictions meet the adequacy standard, including the European Union. For jurisdictions not on this list, controllers must implement contractual safeguards — typically Standard Contractual Clauses (SCCs) — that impose equivalent PDPA-like obligations on the recipient of the data.
VIII. Thailand's PDPA vs. the EU's GDPR: Key Differences
The PDPA was largely modelled on the EU's General Data Protection Regulation (GDPR),[17] which entered into force in 2018. Understanding the differences is important for companies subject to both laws.
Territorial Scope: Both laws have extraterritorial reach.[18] Both apply to organizations outside the jurisdiction that offer goods or services to, or monitor the behaviour of, residents.
Consent Mechanism: Both require explicit, informed, freely given consent for most processing. Both recognize that consent must be freely given and easily withdrawn.
Lawful Bases: The PDPA's six lawful bases mirror the GDPR's framework. Both recognize consent, contract, legal obligation, vital interests, and public task. Both include a legitimate interests basis that requires balancing.
Sensitive Data: The PDPA's eight categories of sensitive data are largely identical to the GDPR's special categories. Both impose heightened restrictions.
Data Subject Rights: Both regimes grant eight core rights: access, correction, deletion, portability, objection, restriction, automated decision-making transparency, and the right to lodge complaints.
Penalties — Major Difference: The GDPR imposes fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements.[19] The PDPA allows administrative fines up to 5 million Thai baht per violation — roughly EUR 130,000 at current exchange rates.[20] This represents a significant gap in financial deterrence.
The bottom line: if you operate in both jurisdictions, compliance with the GDPR will largely put you in compliance with the PDPA, but not vice versa.
IX. Penalties
Violations of the PDPA carry administrative, criminal, and civil consequences.
Administrative Fines: The Personal Data Protection Committee can impose fines of up to 5 million baht per unlawful act.[20] Each violation constitutes a separate offence, so fines can accumulate rapidly.
Criminal Penalties: Intentional or reckless collection, use, or disclosure of sensitive personal data for personal gain or to benefit a third party can result in imprisonment up to one year and/or a fine up to 1 million baht.[21]
Civil Liability: Data subjects may sue controllers or processors for damages, including non-patrimonial (moral) damages. A company that mishandles data may face claims for injury to reputation, emotional distress, or loss of opportunity.
X. Practical Checklist for Foreign Businesses
To comply with the PDPA, foreign businesses should:
1. Conduct a Data Audit — Map all personal data your company collects, stores, and processes relating to Thai residents. Identify the lawful basis for each processing activity.
2. Obtain Lawful Basis Documentation — Document why each processing activity is necessary and which of the six lawful bases applies. If relying on legitimate interests, conduct and document a balancing test.
3. Update Privacy Notices — Publish a transparent privacy policy in Thai and English that explains what data you collect, why, how long you keep it, and the rights of data subjects.
4. Implement Data Subject Rights Procedures — Establish a process to respond to access requests, deletion requests, objections, and other rights inquiries within 30 days.
5. Review Consent Mechanisms — If you rely on consent, replace pre-ticked boxes with clear, affirmative consent for each purpose. Allow easy withdrawal of consent.
6. Assess Sensitive Data Handling — If you collect any of the eight categories of sensitive data, obtain explicit consent and implement heightened security measures.
7. Review Vendor Contracts — Ensure your contracts with processors (cloud providers, vendors, payment processors) include PDPA-compliant data protection terms. Your company remains liable if a processor violates the PDPA.
8. Implement Security Measures — The PDPA requires "reasonable" measures to protect data against unauthorized access, disclosure, alteration, and destruction. This includes encryption, access controls, employee training, and incident response procedures.
9. Draft a Breach Notification Plan — Have a process in place to notify affected parties and regulators if a data breach occurs.
10. Monitor PDPC Guidance — The Personal Data Protection Committee issues guidance and enforcement decisions regularly. Stay informed about evolving standards and adjust your practices accordingly.
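The data audit, lawful-basis mapping, sensitive-data check, cross-border rule and 30-day response window from the checklist above can be encoded as an automated review of a record of processing activities. The following is an added example written for this article, not code from the article's author or from any regulator; the activity names, the category and exception codes, the finding codes, and the adequacy list (which holds only a placeholder "EU" entry, since the article names the EU and no other jurisdiction) are all constructed assumptions.

```python
"""Automated review of a record of processing activities against the PDPA
rules summarised in the article. Added example; all sample data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# The six lawful bases of Section 19 (codes are this example's own).
LAWFUL_BASES = {
    "consent", "contract", "vital_interests",
    "legitimate_interests", "legal_obligation", "public_task",
}

# The eight sensitive categories listed in Section V (codes are this example's own).
SENSITIVE_CATEGORIES = {
    "racial_or_ethnic_origin", "political_opinions",
    "religious_or_philosophical_beliefs", "sexual_behaviour_or_orientation",
    "criminal_records", "health", "disability",
    "genetic_biometric_or_trade_union",
}

# The four exceptions under which sensitive data may be collected without explicit consent.
SENSITIVE_EXCEPTIONS = {
    "subject_unable_to_consent_vital_interests", "public_health",
    "legal_claim", "archiving_research_statistics",
}

# Section 37: transfer only to an adequate jurisdiction or with safeguards.
# ASSUMPTION: placeholder adequacy list; the article names only the EU.
ADEQUATE_JURISDICTIONS = {"TH", "EU"}
TRANSFER_SAFEGUARDS = {"scc", "bcr"}  # standard contractual clauses / binding corporate rules

DSAR_RESPONSE_DAYS = 30  # response window stated in the article


@dataclass
class ProcessingActivity:
    name: str
    data_categories: Set[str]
    lawful_basis: str
    explicit_consent: bool = False             # explicit consent held for sensitive data
    sensitive_exception: Optional[str] = None  # one of SENSITIVE_EXCEPTIONS, if relied on
    lia_documented: bool = False               # legitimate-interests balancing test on file
    destination: str = "TH"                    # jurisdiction where the data is stored or sent
    transfer_safeguard: Optional[str] = None   # "scc" / "bcr" for non-adequate destinations


def check_activity(a: ProcessingActivity) -> List[str]:
    """Return finding codes for one activity; an empty list means nothing was flagged."""
    findings: List[str] = []
    if a.lawful_basis not in LAWFUL_BASES:
        findings.append("no_valid_lawful_basis")
    elif a.lawful_basis == "legitimate_interests" and not a.lia_documented:
        findings.append("legitimate_interests_balancing_test_missing")
    # Sensitive data needs explicit consent unless one of the four exceptions applies.
    if (a.data_categories & SENSITIVE_CATEGORIES
            and not a.explicit_consent
            and a.sensitive_exception not in SENSITIVE_EXCEPTIONS):
        findings.append("sensitive_data_without_explicit_consent")
    # Cross-border transfer needs adequacy or a contractual safeguard.
    if (a.destination not in ADEQUATE_JURISDICTIONS
            and a.transfer_safeguard not in TRANSFER_SAFEGUARDS):
        findings.append("cross_border_transfer_without_safeguard")
    return findings


def audit_register(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Map each activity with findings to its finding codes (clean activities are omitted)."""
    result: Dict[str, List[str]] = {}
    for a in register:
        findings = check_activity(a)
        if findings:
            result[a.name] = findings
    return result


def dsar_status(received_iso: str, today_iso: str) -> Dict[str, object]:
    """Due date and overdue flag for a data subject request, using the 30-day window."""
    received = date.fromisoformat(received_iso)
    due = received + timedelta(days=DSAR_RESPONSE_DAYS)
    return {"due": due.isoformat(), "overdue": date.fromisoformat(today_iso) > due}


# Constructed sample register (hypothetical activities, not from any real company).
SAMPLE_REGISTER = [
    ProcessingActivity("order_fulfilment", {"name", "address", "payment"}, "contract"),
    ProcessingActivity("web_analytics", {"ip", "clickstream"}, "legitimate_interests",
                       destination="US", transfer_safeguard="scc"),
    ProcessingActivity("insurance_underwriting", {"name", "health"}, "consent"),
    ProcessingActivity("payroll", {"name", "tax_id"}, "legal_obligation", destination="SG"),
]

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER).items():
        print(f"{name}: {', '.join(findings)}")
    print(dsar_status("2025-01-10", "2025-02-15"))
```

Running the block flags the analytics activity (legitimate interests relied on without a documented balancing test), the underwriting activity (health data with no explicit consent and no exception), and payroll (data sent to a jurisdiction not on the adequacy list without SCCs or BCRs), while the contract-based order processing passes. Each finding maps back to one checklist item, so the output doubles as a to-do list for the data audit.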
For many foreign companies, compliance with the PDPA is not as complex as compliance with the GDPR, but the law's extraterritorial reach means it applies to you if you serve Thai customers. Taking these steps now will minimize legal risk and protect your company's reputation.