Data protection & privacy laws in Thailand (2026)
Thailand has a comprehensive, GDPR-style data-protection regime under the Personal Data Protection Act B.E. 2562 (2019), which entered into full force on 1 June 2022. It is administered and enforced by the Personal Data Protection Committee (PDPC) and its Office, which issue subordinate regulations and have, since August 2025, begun imposing substantial administrative fines after an initial awareness-building period.
Key points
The PDPA (B.E. 2562/2019) is a single, economy-wide personal-data law modeled on the EU GDPR. Enacted 28 May 2019, its main operative provisions took full effect on 1 June 2022 after repeated extensions.
The Personal Data Protection Committee and its Office (together, the PDPC) are the regulator. The Committee was formally established in January 2022, issues subordinate regulations and guidelines, and is made up of government and honorary expert members. Official portal: pdpc.or.th.
Controllers must establish a lawful basis (often consent) and notify data subjects of purpose, implement appropriate security measures, keep records of processing, appoint a Data Protection Officer where core activities involve large-scale processing (DPO rules effective Dec 2023), and notify the PDPC of breaches within 72 hours.
The PDPA grants rights to be informed, access, rectification, erasure/de-identification, restriction, objection, withdrawal of consent, data portability, and the right to lodge complaints with the PDPC — closely tracking GDPR rights.
Section 29 transfer rules (PDPC Notification of 2023, effective March 2024) require destinations to have adequate protection or be safeguarded by approved mechanisms such as Binding Corporate Rules or Standard Contractual Clauses. As of 2025 no adequacy list has been published, so transfers generally require these safeguards.
The PDPA carries administrative fines up to THB 5 million, civil/punitive damages, and criminal penalties (up to one year imprisonment and/or THB 1 million fine) for certain offences. In August 2025 the PDPC issued eight fines across five cases totaling about THB 21.5 million, marking a shift to active enforcement.
Timeline - major decisions & events
Thailand's PDPC ordered Tools for Humanity (Worldcoin/World) to suspend iris-scan biometric enrollment and delete approximately 1.2 million Thais' iris records, finding violations of PDPA sensitive-data consent rules and cross-border transfer requirements. It was the first major PDPC enforcement action specifically targeting biometric data.
Source: Bangkok Post
The PDPC announced eight orders in five cases (public and private sector) totalling THB 14.5 million — including a hospital fined after a contractor used patient records as sweet wrapping, and a collectibles company whose processor faced THB 3 million in fines. Running cumulative fines since 2022 surpassed THB 21.5 million, marking a clear escalation in enforcement intensity.
Source: Tilleke & Gibbins
Two years after full enforcement began, the PDPC imposed its inaugural administrative fine (the statutory maximum of THB 7 million) on IT retailer JIB Computer Group for a data breach enabling call-centre fraud, failure to appoint a DPO, inadequate security measures, and missing the 72-hour breach-notification deadline. The case set the enforcement benchmark for all subsequent PDPA actions.
Source: Nishimura & Asahi
Two subordinate regulations gazetted in December 2023 (Whitelist Adequacy Notification under s.28 and BCR/Appropriate-Safeguards Notification under s.29) became legally effective, requiring Thai data controllers to verify that destination countries meet adequacy standards or to use SCCs or BCRs before sending personal data abroad. No country has yet been placed on the whitelist.
Source: PDPC Thailand
After two consecutive one-year postponements, all substantive chapters of the Personal Data Protection Act B.E. 2562 (2019) — including data-subject rights, lawful-basis obligations, and the administrative penalty regime — became fully enforceable on 1 June 2022. The Personal Data Protection Committee had been formally constituted in January 2022, providing the independent regulatory authority the Act required.
Source: Ministry of Digital Economy and Society (Thailand)
A second amendment to the postponement Royal Decree, published 8 May 2021, extended the compliance deferral by another year to 1 June 2022, citing the PDPC's incomplete constitution and businesses' need for further preparation time. The two back-to-back deferrals meant the PDPA's substantive provisions remained unenforced for three years after royal assent.
Source: Tilleke & Gibbins
A Royal Decree published 21 May 2020 exempted most organisations from PDPA data-subject-rights and controller obligations until 31 May 2021, citing the PDPC's incomplete formation and the need for stakeholder readiness. It was Thailand's first of two successive one-year deferrals of the landmark law.
Source: Norton Rose Fulbright
An amendment to the 2007 Computer Crime Act, adopted by the junta-appointed National Legislative Assembly and gazetted 24 January 2017 (effective 24 May 2017), broadened cybercrime definitions, introduced court oversight for government access to traffic data, and criminalised dissemination of false information that could damage national security — cementing the CCA as the primary digital-privacy backstop in the years before the PDPA.
Source: Wikipedia (Royal Gazette B.E. 2560)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.