At present, Thailand does not have any general statutory law governing data protection or privacy. However, the Constitution of the Kingdom of Thailand does recognize the protection of privacy rights. In addition, statutory laws in some specific areas (such as telecommunications, banking and financial businesses ("Specific Businesses") as well as other non-business related laws, such as certain provisions under Thai Penal Code and the Child Protection Act B.E. 2543 (2003), do provide a certain level of protection against any unauthorised collection, processing, disclosure and transfer of personal data.

Recently, the draft Personal Information Protection Act ("Draft"), which has been reviewed by the Council of State, was given to the Committee for House of Representative Coordination to review and analyse if there are any practical issues on applying the law and how the Data Protection Committee should be formed.

The Draft is being reviewed by the Office of the Public Sector Development Commission and will be submitted to the Cabinet for approval later. The current Draft provides protection of personal data by restricting the gathering, using, disclosing and altering of any personal data without the consent of the data owner. The Draft also imposes both criminal penalties and civil liability for any violation of the Draft and calls for the establishment of a Protection of Personal Data Commission to regulate compliance with the Draft.

Notwithstanding the above, at present, no clear indication exists as to when the Draft will be final, or whether it will ultimately be enacted into binding law.


According to the Draft, "personal data" means any information or data relating to an identified natural person or that can identify a natural person by reference to the facts, data or any other materials about that natural person.

The information or data may be in the form of documents, files, reports, books, charts, portraits, photos, films, recorded images or sounds that may be kept or stored in computer machines or in any other means that can be used to make the recorded information or data seen. Personal Data shall also include facts about, or behaviours of, a deceased person.


Not available in the present Draft.


None at present – see detail in "Law" section above.


No registration requirement with respect to the collection or use of personal data exists.


No requirement exists in Thailand for an organisation to appoint a data protection officer.


Statutory laws provide a certain level of protection for the accumulation, retention and release of personal data for Specific Businesses.

For example, a telecommunications operator may collect personal data from customers only for the purpose of its business operation and as permissible by law. The collection of sensitive information, such as physical handicaps or genetics, is strictly prohibited. Operators must also have proper security measures in place to protect customers' data, including any of their personal data. Any release of personal data, except disclosure for national security purposes, requires the data owner's consent.

According to the Child Protection Act, the guardian of a child's safety or a child's safety protector are forbidden to disclose the name, surname, picture or any information regarding the child and the child's guardian in a manner which is likely to be detrimental to the reputation, esteem or entitlements of the child. This is also applied mutatis mutandis to a competent official, social worker, psychologist or person having the duty to protect a child's safety, who has come into the possession of such information as a result of the performance of his or her duties. It is also forbidden for any person to advertise or disseminate by means of the mass media or any other form of information technology the disclosed information in violation of the aforementioned provisions.

If no specific statutory law is applicable then generally, the collection and processing of personal data with the consent (preferably written) of the data owner is permissible.


Under the Thai Civil and Commercial Code, a person who wilfully, negligently, or unlawfully injures the life, body, health, liberty, property or any right of another person has committed a wrongful act and is required to compensate the victim. Disclosure or transfer of data may be considered a wrongful act if it causes damage to the data owner.

In practice, the prior written consent of the data owner should be obtained before transferring the data to any third person. Disclosure of data without the consent of the data owner is permissible in very limited circumstances (e.g. pursuant to an order from a government authority or Thai court).


Data controllers in Specific Businesses are required to maintain an appropriate level of security to protect any stored personal data from unauthorised access. Failure to comply with this requirement normally results in both imprisonment and monetary penalties.

Data controllers in non-Specific Businesses are also recommended to implement appropriate security measures to protect personal data from unauthorised access. If unauthorised access causes any damage to the data owner, the data controller may also be liable under the Thai Civil and Commercial Code for committing a wrongful act by failing to prevent the unauthorised access.


No notification requirement exists with respect to privacy or data protection law.


No organisation in Thailand is primarily responsible for the enforcement of privacy or data protection law.


Presently, there is no specific law that prohibits the use of personal data for the purposes of electronic marketing. The availability of option for opt-in and opt-out is just the practice as a norm and not yet the law.


At present, there is no provision under the relevant laws and the Draft that specifically prohibits or controls the placing of cookies on users' computers.

Although there are provisions under the Computer Crime Act B.E. 2550 (2007), imposing punishments for certain computer data alterations, the computer cookies or location tracing mechanisms are excluded as they will not cause any of the above alterations to happen to computers. Those below acts are punishable:

  • Any person who illegally damages, destroys, corrects, changes or amends a third party's computer data, either in whole or in part, shall be subject to imprisonment for no longer than 5 years or a fine of not more than THB 100,000, or both.
  • Any person who illegally commits any act that causes the working of a third party's computer system to be suspended, delayed, hindered or disrupted to the extent that the computer system fails to operate normally shall be subject to imprisonment for no longer than 5 years or a fine of not more than THB 100,000, or both.
  • Any person sending computer data or electronic mail to another person and covering up the source of such aforementioned data in a manner that disturbs the other person's normal operation of their computer system shall be subject to a fine of not more than THB 100,000.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to