Thailand's first Personal Data Protection Act B.E. 2562 (2019) (the "PDPA") was finally introduced on 27 May 2019 and became effective on 28 May 2019. The PDPA contains provisions on personal data protection, the use and disclosure of personal data, complaints, etc.

Under the PDPA, "Personal Data" broadly covers information about a natural person that can directly or indirectly identify that person, but excludes information about a deceased person. The PDPA also defines "Personal Data Controller" and "Personal Data Processor", who have responsibilities and liabilities under the PDPA in handling "Personal Data".

"Personal Data Controller" includes a natural or juristic person having the authority to make decisions on the collection, usage and disclosure of Personal Data, and "Personal Data Processor" means a natural or juristic person who carries out the collection, usage and disclosure of Personal Data in accordance with the instructions of, or on behalf of, the "Personal Data Controller", provided that the "Personal Data Processor" and the "Personal Data Controller" must be separate persons.

Extraterritorial Application

Personal data controllers and personal data processors located outside Thailand are also subject to the PDPA if the collection, usage and disclosure of the Personal Data of an owner in Thailand are carried out for the following activities: (i) offering products or services to the owner of the Personal Data in Thailand, whether or not the owner makes any payment; and (ii) monitoring the behaviour of the owner of the Personal Data where that behaviour occurs in Thailand.

Consent of Personal Data Owner

The personal data controller must obtain express consent (whether in writing or through an electronic system) from the personal data owner prior to or at the time of collecting, using or disclosing the personal data. The purposes of collecting, using or disclosing the personal data must be clearly stated and separated from other content in the request for consent.

In general, the personal data owner can revoke his/her consent at any time. However, a revocation does not affect any previous collection, usage or disclosure to which the owner of the personal data had legally consented.

The personal data controller must collect, use or disclose the personal data only in accordance with the purpose notified to the owner before or at the time of such collection, usage or disclosure.

Collection of Personal Data

Except for certain limited circumstances, personal data shall be collected directly from the owner.

The PDPA also prescribes the duties of the personal data controller to inform the personal data owner of certain things before or at the time of collection, such as the purpose of the collection, the type of person or government authority to which the personal data may be disclosed, and the contact information of the personal data controller.

The PDPA also sets forth certain circumstances in which personal data may be collected without the consent of the owner, such as for the purpose of protecting against and restraining danger to the life, body and health of a natural person, or as necessary to comply with a contract to which the personal data owner is a party.

Transfer of Personal Data

Subject to limited exceptions, personal data may be transferred to a recipient outside Thailand only if the recipient country or international organization, as the case may be, has sufficient measures for personal data protection as per the regulations to be stipulated by the Personal Data Protection Committee.

Rights of Data Owners 

The data owner has the right to request access to and obtain a copy of his/her personal data from the personal data controller, or to seek disclosure of the source of the information where the personal data was obtained without the data owner's consent.


The PDPA imposes both civil and criminal penalties for non-compliance, where the fines could be up to Baht 5,000,000 and the imprisonment could be up to one year. The PDPA also gives the court the authority to order the personal data controller or personal data processor to pay punitive damages, in addition to the actual damages determined by the court, of up to twice such actual damages.


The PDPA provides a period of one year for all persons and entities that are considered personal data controllers or personal data processors to prepare and start taking the necessary actions for compliance. The regulations and notifications to be issued under the PDPA shall be introduced within one year from the effective date of the PDPA.

Originally published in REVERSEinquiries: Volume 1, Issue 5.
© Copyright 2019. The Mayer Brown Practices. All rights reserved.