Quick answer: Thailand's Personal Data Protection Act (PDPA) has been fully enforceable since June 1, 2022. Often called "Thailand's GDPR," the PDPA was heavily influenced by GDPR but has key differences in consent requirements, enforcement, and cross-border transfer rules. Fines can reach THB 5 million (~€130,000) plus criminal penalties of up to 1 year imprisonment.
What Is the PDPA?
The PDPA (B.E. 2562/2019) is Thailand's first comprehensive data protection law. It applies to any person or organization — whether based in Thailand or not — that collects, uses, or discloses personal data of individuals in Thailand.
The law is enforced by the PDPC (Personal Data Protection Committee) and the Office of the Personal Data Protection Committee (OPDPC).
PDPA vs GDPR: Side-by-Side Comparison
| Aspect | Thailand PDPA | EU GDPR |
|---|---|---|
| In force | June 1, 2022 (full enforcement) | May 25, 2018 |
| Scope | Data of individuals in Thailand | Data of individuals in EU/EEA |
| Extraterritorial? | Yes — applies to foreign organizations targeting Thailand | Yes — applies to foreign organizations targeting EU |
| Legal bases for processing | 6 bases: consent, contract, vital interests, legal obligation, public task, legitimate interest | 6 bases (essentially identical) |
| Consent standard | Must be freely given, specific, informed. Must be as easy to withdraw as to give | Same (Art. 7) |
| Sensitive data | Includes race, ethnicity, political opinions, religion, criminal records, health, disability, union membership, genetic data, biometric data, sexual orientation | Similar categories (Art. 9) |
| DPO requirement | Required for public bodies, large-scale monitoring, large-scale sensitive data processing | Same (Art. 37) |
| Data breach notification | 72 hours to PDPC if risk of harm to data subjects | 72 hours to DPA |
| Data subject rights | Access, rectification, deletion, restriction, portability, objection | Same plus right to not be subject to automated decisions |
| Automated decision-making | Not explicitly addressed | Art. 22 — right not to be subject to automated decisions |
| Cross-border transfers | Adequate protection required in receiving country (PDPC approval needed) | Adequacy decisions, SCCs, BCRs |
| Admin fines | Up to THB 5 million (~€130,000) | Up to €20M or 4% of revenue |
| Criminal penalties | Up to 1 year imprisonment + THB 1 million fine | None at EU level (some member states have criminal penalties) |
| Compensatory damages | Up to 2x actual damages (punitive) | Actual damages only |
| Class actions | Allowed (organizations can file on behalf of data subjects) | Varies by member state |
Key Differences to Watch
1. Criminal Penalties
Unlike GDPR, the PDPA includes criminal sanctions. Using or disclosing sensitive personal data without consent, or transferring data abroad in a way that causes harm, can result in:
- Up to 6 months imprisonment for unauthorized use/disclosure of personal data
- Up to 1 year imprisonment + THB 1 million fine for unauthorized use/disclosure of sensitive personal data, or for processing that causes harm to reputation, discriminatory treatment, or financial damage
2. Punitive Damages
Thai courts can award up to double the actual damages as punitive damages for intentional or grossly negligent violations — a concept not available under GDPR.
3. Cross-Border Transfer Complexity
The PDPA's cross-border transfer rules are less mature than GDPR's. As of 2026:
- The PDPC has not yet published a formal list of adequate countries
- Standard Contractual Clauses (Thai-specific) are being developed but not yet finalized
- In practice, most organizations rely on consent or the contract necessity exception for cross-border transfers
- Group companies can use binding corporate rules (BCRs) but the approval process is unclear
4. Consent Withdrawal Must Be Easy
The PDPA explicitly states that withdrawing consent must be "as easy as giving it". If consent was given with one click, it must be withdrawable with one click. Dark patterns like hiding the withdrawal option in deep menus or requiring phone calls to unsubscribe are explicitly prohibited.
PDPA Compliance Checklist for Websites
| # | Action | Priority |
|---|---|---|
| 1 | Publish a Thai-language privacy policy covering all PDPA requirements (Sec. 23) | Critical |
| 2 | Implement cookie consent with clear accept/reject options and category management | Critical |
| 3 | Ensure consent withdrawal is as easy as consent giving (one-click unsubscribe) | Critical |
| 4 | Appoint a DPO if processing sensitive data at large scale or systematic monitoring | High |
| 5 | Set up 72-hour data breach notification process to PDPC | High |
| 6 | Implement data subject rights mechanisms (access, deletion, portability) | High |
| 7 | Document all processing activities and legal bases | High |
| 8 | Review cross-border data transfers (Google Analytics, cloud services, CDNs) | High |
| 9 | Implement appropriate security measures (encryption, access control, security headers) | High |
| 10 | Conduct a DPIA for high-risk processing (not mandatory, but recommended by the PDPC) | Medium |
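To make checklist items 2, 3 and 7 concrete (category-based cookie consent, withdrawal as easy as granting, and a documented record of each choice), here is an added example of a small consent manager. It is not code from the original page or from any PDPA guidance; the category names, the record fields and the `ConsentManager` API are assumptions chosen for illustration. It is kept DOM-free so it runs under Node as written; on a real site the `load` callbacks would inject the third-party script tags and the `unload` callbacks would remove them and clear their cookies.

```javascript
// Added example (not from the original page): a minimal consent manager in
// which non-essential scripts are gated per category until consent exists,
// and withdrawal is a single call that mirrors granting. Category names and
// record fields are illustrative assumptions, not PDPA-defined identifiers.

const CATEGORIES = ["necessary", "analytics", "marketing"];

class ConsentManager {
  constructor(noticeVersion) {
    this.noticeVersion = noticeVersion;    // which privacy notice the user saw
    this.granted = new Set(["necessary"]); // strictly necessary needs no consent
    this.loaders = new Map();              // category -> [{ load, unload }]
    this.loaded = new Set();               // keys of scripts currently active
    this.records = [];                     // audit trail for the processing register
  }

  // Register a third-party script behind a category; it is only loaded
  // once that category has actually been consented to.
  register(category, load, unload) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    if (!this.loaders.has(category)) this.loaders.set(category, []);
    this.loaders.get(category).push({ load, unload });
    if (this.granted.has(category)) this._apply();
  }

  allowed(category) {
    return this.granted.has(category);
  }

  // One action to grant: record the choice, then load what is now permitted.
  grant(categories) {
    for (const c of categories) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category ${c}`);
      this.granted.add(c);
    }
    this._record("grant", categories);
    this._apply();
  }

  // One action to withdraw, symmetrical with grant(): revoke every optional
  // category and tear down the scripts that depended on them.
  withdrawAll() {
    const revoked = [...this.granted].filter((c) => c !== "necessary");
    this.granted = new Set(["necessary"]);
    this._record("withdraw", revoked);
    this._apply();
  }

  _record(action, categories) {
    this.records.push({
      action,
      categories: [...categories],
      noticeVersion: this.noticeVersion,
      at: new Date().toISOString(),
    });
  }

  // Reconcile loaded scripts with the current consent state in both directions.
  _apply() {
    for (const [category, entries] of this.loaders) {
      entries.forEach((e, i) => {
        const key = `${category}#${i}`;
        const permitted = this.granted.has(category);
        if (permitted && !this.loaded.has(key)) {
          e.load();
          this.loaded.add(key);
        } else if (!permitted && this.loaded.has(key)) {
          e.unload();
          this.loaded.delete(key);
        }
      });
    }
  }
}

// Constructed demo: fake analytics and session scripts that log their lifecycle.
function demo() {
  const events = [];
  const cm = new ConsentManager("privacy-notice-v1");
  cm.register("analytics", () => events.push("analytics:load"), () => events.push("analytics:unload"));
  cm.register("necessary", () => events.push("session:load"), () => events.push("session:unload"));
  const beforeConsent = cm.allowed("analytics"); // false: gated until consent
  cm.grant(["analytics"]);                        // one click to accept
  const afterGrant = cm.allowed("analytics");     // true
  cm.withdrawAll();                               // one click to withdraw, same surface
  const afterWithdraw = cm.allowed("analytics");  // false
  return { events, beforeConsent, afterGrant, afterWithdraw, records: cm.records };
}
```

The point of the symmetry between `grant()` and `withdrawAll()` is that the withdrawal path is exactly one call with no extra confirmation or contact step, so a UI built on it can offer a single "withdraw" control next to the "accept" control. The `records` array gives the timestamped, notice-versioned evidence of each choice that the processing documentation in item 7 needs.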
Enforcement Examples
While enforcement was initially slow after the June 2022 effective date, the PDPC has been increasingly active:
- Telecom sector: The PDPC investigated major Thai telecom operators for data breaches and unauthorized marketing practices
- Banking: Financial institutions have been scrutinized for sharing customer data with third-party insurers without proper consent
- E-commerce: Online platforms have faced complaints about excessive data collection and non-compliant consent forms
- Social media: International platforms have been notified about compliance requirements for Thai user data processing
Impact on International Businesses
If your company already complies with GDPR, you're mostly compliant with the PDPA. Key additional steps:
- Thai-language privacy notice — required if targeting Thai users
- Review cross-border transfer basis — you can't rely on SCCs yet (not published); use consent or contract necessity
- Consent withdrawal mechanism — verify it meets the "as easy as giving" standard
- Criminal risk assessment — ensure no processing exposes individuals to criminal liability
Frequently Asked Questions
Does the PDPA apply to my business if I'm based in Europe?
Yes, if you offer goods/services to individuals in Thailand, monitor their behavior, or process their personal data. The PDPA has extraterritorial reach similar to GDPR.
Is Thailand considered "adequate" under GDPR?
No. Thailand does not have an EU adequacy decision. EU→Thailand transfers require SCCs, BCRs, or another GDPR transfer mechanism. Conversely, Thailand has not yet published its own adequacy list for PDPA cross-border transfers.
If I comply with GDPR, am I PDPA compliant?
Mostly, but not automatically. GDPR compliance covers about 80-90% of PDPA requirements. The main gaps are: a Thai-language privacy notice, the specific criminal liability provisions, punitive damages exposure, and cross-border transfer mechanisms (which are less developed under the PDPA). Scan your website with PrivacyChecker to identify compliance gaps across multiple regulations.