ARTICLE
28 February 2025

Law Over Borders: Data Protection 2025 – Thailand

Tilleke & Gibbins

Contributor

Tilleke & Gibbins is a leading Southeast Asian regional law firm with over 190 lawyers and consultants practicing in Cambodia, Indonesia, Laos, Myanmar, Thailand, and Vietnam. We provide full-service legal solutions to the top investors and high-growth companies that drive economic expansion in Asia.

Introduction

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) was enacted in 2019 and became fully enforceable from June 1, 2022. The PDPA is the first comprehensive legislation in Thailand regulating the collection, use, disclosure, transfer and/or otherwise processing of personal data.

The enactment of the PDPA aims at unifying and strengthening personal data protection in Thailand while ensuring that the country's personal data protection standards align with global privacy standards — particularly the General Data Protection Regulation (GDPR) of the European Union (EU) — and ensuring that personal data is securely and appropriately protected. To accomplish this, the PDPA prescribes rules, mechanisms, measures and procedures to regulate personal data-related matters.

1. What national laws regulate the collection, use and disclosure of personal data?

The main legislation regulating the processing of personal data in Thailand is the PDPA. Apart from the PDPA, there are also certain sector-specific data protection and privacy laws, for example:

  • The National Health Act B.E. 2550 (2007), which requires personal health data to be kept confidential and prohibits damaging disclosure of such data unless it is done according to the wishes of the relevant person or is otherwise required by a specific law.
  • The Mental Health Act B.E. 2551 (2008), which stipulates that a patient is entitled to have their illness and treatment information kept confidential, unless the disclosure is otherwise permitted by the law.
  • The Notification of the National Broadcasting and Telecommunications Commission Re: Measures to Protect Telecommunications Service Users' Rights Regarding Personal Data, Privacy Rights, and Freedom of Telecommunications, which imposes obligations on telecommunications license holders in relation to the processing of personal data.

2. To whom do the laws apply?

The PDPA imposes obligations on two key players: the data controller, defined by the PDPA as a person or legal entity having power to make determinations on the processing of personal data; and the data processor, which is a person or legal entity who processes personal data on behalf of, or pursuant to the instructions of, the data controller.

The PDPA protects data subjects in relation to the processing of their personal data. A "data subject" is a living individual who can be identified or is identifiable by personal data. While the PDPA does not define who the data subject is, the above description of "data subject" can be inferred from the definition of the term "personal data," which is defined as any data pertaining to an individual that enables identification of that individual, whether directly or indirectly, specifically excluding data on a deceased person.

3. What is the territorial scope of the law?

In general, the PDPA is enforceable against data controllers and data processors in Thailand, regardless of where the processing activity takes place. In addition, the PDPA has extraterritorial effect, which means that data controllers and data processors not in Thailand are also obligated to comply with the provisions of the PDPA if the processing activity is to: (i) offer goods or services to data subjects in Thailand, regardless of whether payment is made by the data subjects; or (ii) monitor behavior of data subjects in Thailand. Hence, by providing services to data subjects in Thailand, offshore entities would be subject to the extraterritorial scope of the PDPA.

4. What acts and operations relating to personal data are regulated?

There is no definition of "processing" of personal data under the PDPA. However, according to the provisions of the PDPA, it could be inferred that "processing" refers to any acts carried out on the personal data such as collection, use, disclosure, transfer, retention, deletion, destruction and/or otherwise processing.

5. What personal data does the law regulate?

As described in Question 2, above, according to the PDPA, the term "personal data" is defined broadly as any data pertaining to an individual that enables identification of that individual, whether directly or indirectly, excluding data on a deceased person. Therefore, any data that enables the identification of a data subject, whether directly (e.g., full name) or indirectly (e.g., date of birth, telephone number, or workplace and job title), would fall within the scope of the PDPA. Any processing of such data must be carried out in compliance with the PDPA.

The Notification of the Personal Data Protection Committee Re: Rules for the Deletion, Destruction or De-identification of Personal Data B.E. 2567 (2024) prescribes rules for the anonymization of data. For example, there must be processes in place to delete or remove data that directly identifies a data subject.

6. Are any types of personal data subject to a higher level of protection under the law?

Section 26 of the PDPA provides a list of personal data that is subject to different requirements in terms of the legal bases for processing and that could result in a more severe harm and penalties in case of a breach. This list of personal data is substantially similar to the list of the special categories of personal data under the GDPR, i.e., personal data pertaining to ethnicity, race, political opinions, doctrinal, religious or philosophical beliefs, sexual behavior, criminal records, health information, disability, labor union, genetic data, biometric data, or any other data that may affect a data subject in the manner prescribed by the Personal Data Protection Committee (PDPC).

For sensitive personal data, explicit consent is generally required, unless the processing falls within any of the following:

  • it is to prevent or suppress a danger to life, body or health where the data subject is not capable of giving consent for any reason;
  • it is carried out in the course of legitimate activities with appropriate safeguards by foundations, associations or any other not-for-profit bodies;
  • it is information that is disclosed to the public with the explicit consent of the data subject;
  • it is necessary for the establishment, compliance, exercise or defense of a legal claim; or
  • it is necessary for compliance with a law to achieve a purpose with respect to:
    • preventive medicine or occupational medicine, the assessment of an employee's working capacity, medical diagnosis, the provision of health or social care, medical treatment, or the management of health or social care systems and services;
    • public health interests (e.g., protecting against dangerous cross-border diseases);
    • the employment protection, social security, national health security, or social health welfare of an entitled person;
    • scientific, historical, or statistical research purposes or other public interests; or
    • substantial public interest, with provision of suitable measures to protect the fundamental rights and interest of the data subject.

7. What requirements must be fulfilled in order to process personal data?

Consent is generally required for the processing of personal data, unless it falls under one of the following exceptions to the consent requirement:

  • it is for the achievement of a purpose relating to the preparation of historical documents or archives for public interest, or for a purpose relating to research or statistics;
  • it is for preventing or suppressing a danger to a person's life, body or health;
  • it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  • it is necessary for the performance of a task carried out by the data controller in the public interest;
  • it is necessary for the legitimate interests of the data controller or any other persons or legal entities; or
  • it is necessary for compliance with a law to which the controller is subject.

For consent to be considered valid and binding upon the data subject, the consent request must be made in accordance with the requirements under the PDPA. For example, the consent request must be clearly distinguished from other parts, use plain language, be in a form that is easily accessible and understandable, not be conditional upon entering into a contract or provision of service that is not relevant or necessary, etc.

Please see above, Question 6, for the legal bases for the processing of sensitive personal data.

8. What obligations apply when processing personal data?

Data controller

Obligations of the data controller include, among other things, the following:

  • Data minimization. The data controller must only collect personal data to the extent necessary for their lawful purposes.
  • Purpose limitation. The PDPA generally prohibits the processing of personal data for purposes that the data subject has not been notified of. However:
    • Where the processing of personal data for a new purpose requires consent, the data subject must be informed of the new purpose, and consent from the data subject must be obtained.
    • Personal data can be processed for a new purpose if that new purpose is permitted by an applicable law or the PDPA.
  • Legal basis. The data controller can only process personal data where there is a legal basis. Therefore, the data controller must establish the legal basis for each processing activity, such as consent, legitimate interest, contractual necessity, vital interest, legal obligation, etc.
  • Consent request requirement. Where the processing requires consent, the consent request must be made in accordance with the consent request requirements prescribed by the PDPA. Otherwise, the consent obtained would be invalid and not binding on the data subject. Any processing based on such invalid consent constitutes processing without legal basis. Among other things, a consent request must: be made in writing or via electronic means, unless impossible by its nature; use plain language; be clearly separated from other parts; and be made before or at the time of processing of personal data. The PDPA also prescribes specific requirements on the processing of personal data of minors, incompetent persons and quasi-incompetent persons.
  • Notification requirement. The data controller must notify data subjects of the following information before or at the time of collection of their personal data: information on the purposes of the collection, use, and disclosure of the personal data; categories of personal data that will be collected; retention period; rights of the data subject; and categories of person or legal entity the personal data will be disclosed to, etc.
  • Record of processing activities. The data controller must maintain records of processing activities in written or electronic form. The record must be made available for examination by the data subject or the Office of the Personal Data Protection Committee ("Office of PDPC") when requested. The record of processing activities must contain information required under the PDPA, such as categories of personal data collected, purposes of collection, information on the data controller, record on the rejection of data subject requests to exercise certain rights, etc. Small businesses, as defined under the Notification of the PDPC Re: Exemption to the Record of Processing Activities Requirement for Data Controllers That Are Small Businesses B.E. 2565 (2022), are only required to maintain the record on the rejection of data subject requests to exercise certain rights.
  • Data Breach Notification. According to the Notification of the PDPC Re: Rules and Procedures for the Data Breach Notification B.E. 2565 (2022) ("Data Breach Notification"), "personal data breach" is defined as any breach of security that leads to loss or unauthorized or unlawful access, use, change, alteration, or disclosure of personal data, whether the breach occurs intentionally, willfully, by negligence, without authorization or unlawfully, or due to computer crime, cyber threat, any mistake, accident, or any other reasons. According to the PDPA, the data controller must notify the Office of PDPC of the personal data breach without delay and within 72 hours upon becoming aware of the incident, unless the breach has no risk of affecting the rights and freedom of any individuals. If the personal data breach has a high risk of affecting rights and freedom of any individuals, apart from notifying the Office of PDPC, the data controller must also notify the data subjects of the personal data breach as well as remedial actions without undue delay. In case of delayed notification, the data controller may ask the Office of PDPC to consider exempting the administrative penalty due to an unavoidable necessity or any other reasons as prescribed by the Data Breach Notification. The data controller may submit the request to the Office of PDPC to consider waiving the administrative penalty within 15 days of becoming aware of the incident. However, the decision depends on the sole discretion of the Office of PDPC.
  • Implementation of adequate security measures. The data controller must implement adequate security measures at least meeting the minimum requirements set forth by the Notification of the PDPC Re: Security Measures of the Data Controller B.E. 2565 (2022) ("Security Measures Notification"). The data controller must also review its security measures when there is a necessity or a change in technology to ensure the effectiveness of the security measures.
  • Response to data subject requests to exercise rights. The data controller must respond to and proceed with requests from data subjects to exercise their rights under the PDPA, unless there are legal grounds under the PDPA to reject the request. For more information on the rights of data subjects, please see below, Question 9.

Data processor

Obligations of the data processor include, among other things, the following:

  • Processing of personal data. The data processor must only process personal data pursuant to the instruction of the data controller, except where the instruction is contrary to the law.
  • Implementation of appropriate security measures. The Security Measures Notification requires data controllers to include the obligation of the data processor to implement security measures as prescribed therein in the agreement with the data processor.
  • Data Breach Notification. The data processor must notify the data controller of any personal data breach. The Data Breach Notification requires the data controller to ensure that the agreement with its data processor imposes an obligation on the data processor to notify the data controller of a personal data breach without delay and within 72 hours of becoming aware of the incident.
  • Record of processing activities. The data processor must maintain a record of processing activities in written or electronic form and the record of processing activities must be made available for examination by the data controller, the Office of PDPC, or their designated persons. Information that must be recorded is prescribed by the Notification of the PDPC Re: Rules and Procedures for the Preparation and Maintenance of the Record of Processing Activities by the Data Processor B.E. 2565 (2022). This includes, for example: types or characteristics of the processing of personal data carried out by the data processor on behalf of or pursuant to the instruction of the data controller; whether personal data is transferred outside of Thailand; or the category of the person or entity receiving the personal data, etc. Small businesses are exempted from this requirement. However, currently, the PDPC has not yet issued a subordinate regulation on the exemption criteria.

Others

Some of the other obligations under the PDPA include the following:

  • Data localization and cross-border transfer restrictions. The PDPA does not impose any data localization requirement; however, it does impose restrictions on the cross-border transfer of personal data. Examples of the legislation in Thailand that impose data localization requirements are:
    • The Credit Information Business Act B.E. 2545 (2008) (CIBA), which only applies to credit information companies, prohibits controllers and processors of such companies from operating, controlling, or processing credit information offshore. Definitions of the "controller" and "processor" under the CIBA are different from the definition of the data controller and data processor under the PDPA.
    • Bank of Thailand (BOT) Notification No. SorNorChor. 12/2561 sets forth obligations upon certain BOT payment licensees to process domestic debit card transactions locally, such as authorization, acquiring, clearing, and settlement (known as Local Switch). However, the BOT payment licensees, with the approval of the BOT, can engage an overseas IT service provider to perform certain functions, such as: (i) receiving and sending information on a debit card transaction between a payment facilitator and an acquirer, and receiving and sending debit card transaction information between payment facilitators; and (ii) receiving and sending information for the benefit of internal data management of the issuer, acquirer or facilitator.

For information on cross-border transfer restrictions, please see below, Question 11.

  • Appointment of data protection officer. Under the PDPA, it is mandatory for data controllers and data processors to appoint a data protection officer (DPO) if, among other things:
    • the activities of the data controller or data processor in relation to the processing of personal data require "regular monitoring of the personal data or the system" by reason of "having large-scale personal data" as prescribed by the notification of the PDPC; or
    • the core activity of the data controller or data processor is the processing of special categories of personal data.

Appointment of a DPO requires notification of the Office of PDPC. The PDPC may issue subordinate regulations at a later stage to stipulate required qualifications of the DPO.

  • Appointment of local representative. Overseas data controllers and data processors that fall within the extraterritorial scope of the PDPA (see above, Question 3) are obligated to appoint a representative in Thailand, in writing, without limitation to liability in relation to the processing of personal data. This obligation will be exempted if the processing does not involve special categories of personal data or large-scale personal data.

9. What rights does the data subject have in relation to personal data?

Subject to the conditions and limitations under the PDPA, data subjects are entitled to the following rights:

  • Right to access. The right to request access to personal data, and to request disclosure of how the data controller acquired personal data without the data subject's consent.
  • Right to data portability. The right to request personal data in the format which is generally readable and usable by automatic tools or devices, and which can be disclosed and used by automatic means, and to request that personal data in said format be transmitted to another data controller.
  • Right to object. The right to object to the processing of personal data, for example where the data controller processes personal data for the performance of a task carried out in the public interest, for direct marketing purposes, or when necessary for the exercise of official authority vested in the data controller.
  • Right to suspend. A data subject has the right to request that the use of personal data be suspended under certain circumstances, such as where the personal data is no longer necessary for the purposes for which it has originally been collected, or where a data subject requested to exercise the right to rectification and the data controller is in the process of examining the request, etc.
  • Right to withdraw consent. A data subject has the right to withdraw consent at any time, and the data subject must be able to withdraw consent as easily as when giving consent. The data subject must also be notified of any consequence of withdrawing the consent. The withdrawal of consent would not affect the lawfulness of the processing of personal data that has been carried out by the data controller prior to the withdrawal.
  • Right to erasure. A data subject has the right to request that the data controller erase, destroy, or de-identify personal data in certain circumstances, such as: when the personal data is no longer necessary for the purposes for which it was processed; when a data subject has withdrawn their consent for the processing of personal data and the data controller cannot rely on any legal basis other than consent; when a data subject has exercised his or her right to object to the processing of personal data for direct marketing purposes; or when the processing of personal data is not lawful.
  • Right to rectification. A data subject has the right to request that their personal data be rectified so that it is accurate, up to date, complete, and not misleading.
  • Right to lodge complaint. A data subject has the right to lodge a complaint with the Office of the PDPC if the data subject believes that the data controller or data processor, including their employees and personnel, has violated or failed to comply with the PDPA.

10. What rules regulate the sending of commercial or direct marketing communications?

The sending of commercial or direct marketing communications is governed by the Computer Crimes Act B.E. 2550 (2007) (CCA). According to the Ministerial Notification on the Characteristics and the Method of Sending Data Deemed Not Causing a Disturbance to the Recipient B.E. 2560 (2017) ("Ministerial Notification"), which was issued by virtue of the CCA, the sending of commercial or direct marketing communications is generally regarded as the offense of causing a disturbance to the recipient, unless:

  • consent has been obtained from the recipient for the sending of the marketing communication; and
  • each marketing communication sent to the recipient contains details and procedures enabling the recipient to easily opt out/unsubscribe from receiving such communications.

Therefore, consent must be obtained for the sending of commercial sales communications via email as required by the Ministerial Notification. The CCA and the Ministerial Notification, however, do not prescribe any specific procedures on how consent is to be obtained.

In relation to the PDPA, the data controller is to assess and identify the appropriate legal basis for the processing of personal data for the purposes of sending commercial or direct marketing communications. In the event that the data controller will rely on consent, consent requests must be made in accordance with the consent request requirement under the PDPA. However, if the data controller wishes to rely on legitimate interest, it would be advisable that a legitimate interest assessment be carried out to ensure that there is a necessity to process personal data for the legitimate interest of the data controller or third party, and such legitimate interest is not overridden by the data subject's fundamental rights in relation to their personal data.

When the data controller decides to rely on a legal basis other than consent, the provisions of the CCA must still be complied with, particularly as the CCA does have extraterritorial effect.

11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

The PDPA generally permits the cross-border transfer of personal data by the data controller to a destination country or international organization that has adequate personal data protection standards ("Whitelisted Countries") as prescribed by the PDPC. Currently, the PDPC has not yet announced the list of Whitelisted Countries. In determining which destination countries and international organizations will be regarded as Whitelisted Countries, consideration must be given to whether the destination country or international organization has legal measures or mechanisms regarding personal data protection that are consistent with the personal data protection laws of Thailand, particularly in relation to the obligations of the data controller to implement appropriate security measures and personal data protection measures that enable the enforceability of the data subject's rights, as well as effective legal remedies.

Cross-border transfer of personal data by the data controller is also permitted if personal data is transferred under any of the following circumstances:

  • where the law so prescribes;
  • where the consent of the data subject is obtained after the data subject has been informed about the insufficient personal data protection standards of the destination country or international organization;
  • where it is necessary to comply with a contract under which the data subject is a contracting party;
  • where it is an act compliant with a contract between the data controller and other persons, or legal entities, for the interests of the data subject;
  • for vital interests; or
  • for public interests.

In addition to the above, the PDPA permits the cross-border transfer of personal data where personal data will be transferred within the same group of undertakings in order to jointly operate the business ("Affiliated Entities"), provided that a personal data protection policy for the cross-border transfer of personal data among Affiliated Entities ("Binding Corporate Rules") has been examined and certified by the Office of the PDPC. Where there are no Whitelisted Countries or Binding Corporate Rules, cross-border transfer of personal data is permitted if appropriate safeguards are implemented pursuant to the notification of the PDPC ("Appropriate Safeguards"), for example, adoption of the ASEAN Model Contractual Clauses for Cross Border Data Flows or the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries that are issued by virtue of the GDPR, subject to the conditions stipulated by the notification of the PDPC.

The requirements on Binding Corporate Rules and Appropriate Safeguards also apply to the data processor.

12. What are the investigatory and enforcement powers of the regulator?

The PDPC is the authority responsible for the administration and enforcement of the PDPA, including the issuance of notifications or rules for the execution of the PDPA and the performance of any other acts prescribed by the PDPA. Examples include designating the law's Expert Committee, which is responsible for considering and handling complaints in relation to personal data and making determinations on the imposition of administrative penalties. The Expert Committee also has the power to request any person to make a statement of fact.

Furthermore, the competent official under the PDPA has the following duties and powers:

  • to request, in writing, that the data controller, the data processor, or any person provide information or submit any documents or evidence in connection with actions or offenses under the PDPA; and
  • to investigate, gather facts, and report to the Expert Committee in the event that the data controller, data processor, or any person has committed an offense or caused damage due to their violation of or non-compliance with the PDPA or notifications issued in accordance with the PDPA.

13. What are the sanctions and remedies for non-compliance with data protection laws?

Non-compliance with or violation of the PDPA could result in the following penalties and/or liabilities:

  • Civil Liability. Where the non-compliance with or violation causes damage to the data subject, the data controller or the data processor must compensate the injured data subject with the actual damages. In certain cases, the court may also order punitive damages of up to twice the value of actual damages.
  • Administrative Penalties. The administrative fine ranges from THB 1 million to THB 5 million, depending on the offense committed. As described above, the Expert Committee is empowered to decide on the imposition of administrative penalties. If the Expert Committee considers the offense to be non-severe, it may impose other administrative measures rather than an administrative fine (e.g., issuance of warning, order to rectify the act, order to suspend processing, etc.). On the other hand, if the Expert Committee determines that the offense committed is severe, or if the offender fails to comply with certain orders of the Expert Committee, administrative fines will be imposed.
  • Criminal Penalties. Use, disclosure or transfer of sensitive personal data in violation of the PDPA with specific intent (e.g., in a manner that is likely to cause another person to suffer damage, impair that person's reputation, or expose that person to scorn, hatred, or humiliation) could be subject to criminal penalties of imprisonment of six months to one year and/or a fine of THB 500,000 to THB 1 million. If the offense is committed due to an act or omission of a legal entity's director, manager or person responsible for its operations, that person may also be held liable for the offense.

During the third quarter of 2024, the first order to impose an administrative fine was issued. A major private company was fined THB 7 million for noncompliance with specific PDPA requirements. These included:

  • failure to appoint a DPO when it is mandated to do so;
  • failure to implement appropriate security measures as required by the PDPA, resulting in the unauthorized disclosure of personal data to a call center gang (phone scam fraudsters); and
  • failure to notify the Office of PDPC of a notifiable personal data breach within the required timeframe.

In addition to the monetary fine, the Expert Committee also issued a corrective order requiring the company to undertake certain actions, threatening an additional administrative fine if the company failed to comply with the order.

This landmark decision indicates that the authority is becoming more active in enforcing the law. Therefore, businesses operating in or with connections to Thailand should reassess their processing activities as well as their personal data protection plans, procedures, processes and strategies to ensure adherence to the legal requirements under the PDPA.

Originally published by Global Legal Posts.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
