Thailand’s Personal Data Protection Act (PDPA) has been in full effect since June 2022, and enforcement has shifted into a higher gear since 2024. The PDPC has issued administrative fines, and in February 2026 published draft guidelines on AI and personal data processing. The assumption that “posting a privacy policy is enough” is increasingly dangerous. This article maps the PDPA’s statutory structure, then examines three critical practical themes: enforcement cases, the AI-PDPA nexus, and cross-border data transfers.
PDPA Statutory Structure — 95 Sections at a Glance
The Personal Data Protection Act B.E. 2562 consists of 95 sections organized as follows:
| Chapter | Key Content |
|---|---|
| Chapter 1 (General Provisions) | Purpose, definitions, scope of application |
| Chapter 2 (Collection, Use, Disclosure) | Lawful bases, data subject rights, sensitive data rules |
| Chapter 3 (Data Subject Rights) | Access, rectification, erasure, objection, portability |
| Chapter 4 (Controller Obligations) | Privacy notice, DPO, breach notification, processor management |
| Chapter 5 (Cross-Border Transfers) | Adequacy decisions, appropriate safeguards |
| Chapter 6 (PDPC and Expert Committees) | PDPC organization and powers |
| Chapters 7–8 (Complaints and Remedies) | Complaint handling, administrative appeals |
| Chapter 9 (Penalties) | Administrative penalties, criminal penalties, civil liability |
Scope and Extraterritorial Application
Section 5 defines the scope. The PDPA applies to personal data collection, use, or disclosure occurring in Thailand. Critically, it also applies to data controllers and processors outside Thailand when they offer goods or services to data subjects in Thailand, or monitor the behavior of data subjects in Thailand. A Japanese parent company managing Thai subsidiary employee data may therefore fall within scope.
Six Lawful Bases — Statutory Framework (Sections 24–26)
Section 24 lists the lawful bases for processing personal (non-sensitive) data. Section 26 adds stricter rules for sensitive data.
Six Lawful Bases (Section 24)
| Basis | Examples |
|---|---|
| ① Consent | Marketing emails, cookie placement |
| ② Contract performance | Payroll based on employment contract, delivery based on purchase contract |
| ③ Legal obligation | Statutory tax reporting, labor law record-keeping |
| ④ Vital interests | Sharing data in a medical emergency |
| ⑤ Public interest / official authority | Government statistical surveys |
| ⑥ Legitimate interests | Fraud prevention logs, internal security monitoring |
Practical point — avoid over-reliance on consent
Many organizations default to obtaining consent for everything. However, PDPA consent must be “freely given, specific, informed, and unambiguous” (Section 19). In employment relationships or other situations with a power imbalance, the validity of consent can be challenged. Appropriate use of contract performance or legitimate interests grounds is often more defensible.
Sensitive Data (Section 26)
Race, political opinion, religion, sexual orientation, health data, criminal records, and biometric data (fingerprints, facial recognition) are “sensitive data” requiring, in principle, explicit consent. The administrative penalty under Section 90 for unlawful processing of sensitive data reaches 5 million baht — higher than for ordinary personal data violations.
DPO Appointment Obligation (Sections 41–42)
Three conditions triggering mandatory DPO appointment:
① Data controllers or processors engaged in large-scale processing
② Organizations processing sensitive data (as defined in Section 26) as a core activity
③ Public authorities (except courts)
The PDPC has not yet published a specific numerical threshold for “large-scale.” Currently, companies that continuously process large volumes of personal data as a core business function (e-commerce, finance, healthcare, HR) should consider appointing a DPO.
Under Section 42, DPOs enjoy independence — they cannot be dismissed or penalized for performing their duties. For Japanese companies, a Japan-based privacy officer serving as DPO may be insufficient; the DPO should be well-versed in Thailand’s regulatory environment.
Data Breach Notification Obligation (Section 37(4)) — The 72-Hour Rule
Section 37(4) requires data controllers to notify the PDPC within 72 hours of becoming aware of a personal data breach. This mirrors the GDPR’s 72-hour rule.
Where the breach is likely to result in high risk to the rights and freedoms of data subjects, the controller must also notify the affected data subjects without delay, in addition to reporting to the PDPC.
Comparison with Japan’s APPI
Japan’s amended APPI (effective April 2022) also imposes a 72-hour preliminary reporting obligation for “high-risk” breaches to the PPC. Thailand’s rule is broadly similar, though the Thai PDPA has been interpreted by some practitioners as requiring PDPC notification for all breaches (not only high-risk ones), making Thailand’s obligation potentially broader in practice.
Penalty Structure — Administrative, Criminal, and Civil
PDPA penalties operate on three levels.
① Administrative Penalties (Sections 90–91)
| Violation | Maximum Administrative Penalty |
|---|---|
| Collecting / using / disclosing personal data without lawful basis | 3 million baht |
| Unlawful processing of sensitive data | 5 million baht |
| Obstructing data subject rights | 3 million baht |
| Procedural violations (no DPO, failure to notify breach, etc.) | 1 million baht |
② Criminal Penalties (Sections 79–80)
Section 79: Collecting, using, or disclosing sensitive data for wrongful gain → up to 1 year imprisonment and/or up to 1 million baht fine
Section 80: Collecting, using, or disclosing personal data for wrongful gain → up to 6 months imprisonment and/or up to 500,000 baht fine
Corporations may face criminal liability (Section 82), and individual directors and executives may also be personally liable.
③ Civil Liability (Sections 77–78)
Section 77: Compensatory damages for actual loss caused by PDPA violation. Section 78: For intentional or grossly negligent violations, courts may award punitive damages of up to double the actual loss.
Enforcement Cases (2024–2025) and the Eagle Eye Crawler
The PDPC conducted multiple investigations and issued administrative guidance during 2023–2025. Based on publicly available information and practitioner reports, the following trends are observable:
- Healthcare sector: Patient health information (sensitive data) shared with third parties without adequate legal basis
- Retail / e-commerce: Cookie consent banners that were non-functional, while marketing trackers operated in the background
- Financial sector: Automated credit scoring where explanations to data subjects were insufficient under Sections 39–40
The Eagle Eye Crawler
The PDPC has deployed an automated monitoring tool known as the “Eagle Eye Crawler” that scans Thai websites for PDPA compliance signals — specifically, whether privacy policies are published and accessible, and whether cookie consent mechanisms are properly implemented. The legal authority for this tool is generally understood to derive from Section 70 (PDPC investigative powers).
Key compliance signals the tool is believed to check:
- Presence and accessibility of a privacy policy
- Clear disclosure of data categories and purposes
- Instructions for exercising data subject rights
- Proper implementation of cookie consent banners
AI × PDPA Draft Guidelines (Published February 17, 2026)
The PDPC published draft guidelines on personal data processing in AI systems on February 17, 2026. Key points include:
Automated Decision-Making (Linked to Sections 39–40)
Section 39: Data subjects have the right to object to automated decision-making (including profiling) that significantly affects them.
Section 40: In certain cases, data controllers have an obligation to explain the logic and criteria used in automated decisions.
The draft guidelines require organizations deploying AI systems to:
- Include AI-related disclosures in privacy notices
- Notify data subjects when automated decision-making is used
- Execute Data Processing Agreements (DPAs) with AI vendors
- Apply data minimization and purpose limitation principles to AI systems
Engaging Cloud AI Services as Processors
When a company uses cloud AI services (e.g., API-based LLMs) for business purposes, those vendors may qualify as “data processors” under the PDPA. Section 40 requires a written DPA between the data controller and the processor. Companies should review their contracts with AI vendors to ensure DPA requirements are met.
Cross-Border Data Transfers (Sections 28–29) — BCR and SCC
Like the GDPR, the PDPA restricts transfers of personal data to countries without adequate data protection standards.
General Principle (Section 28): When transferring personal data to a country or territory not recognized as having adequate data protection, the controller must put in place appropriate safeguards.
Adequacy Decisions (Section 29): Where the PDPC has recognized a country as having adequate protection, transfers may proceed without additional measures. As of March 2026, Japan has not received an adequacy decision from the PDPC.
Approved Appropriate Safeguards:
- BCR (Binding Corporate Rules): Suitable for intra-group transfers. Requires PDPC registration.
- SCC (Standard Contractual Clauses): Using PDPC-approved standard clauses enables transfers.
- Explicit consent: Valid basis for individual transfers, but impractical for large-scale or repeated transfers.
Japan Headquarters ↔ Thai Subsidiary Data Flows
A Japanese parent company managing Thai subsidiary employee data or customer data constitutes a cross-border transfer. Implementing BCR or SCC arrangements is the recommended practical approach.
Next in the Series
Volume 3 (March 24, 2026): We analyze Thailand’s Draft AI Law — its risk-classification structure (prohibited AI, high-risk AI, limited-risk AI), provider versus deployer obligations, the AI Governance Center, and how Thailand’s approach compares with the EU AI Act.
This article is for general informational purposes about Thailand’s legal system and does not constitute legal advice under Thai law. For specific matters, please consult a Thai-qualified legal professional. Our firm works in collaboration with JTJB International Lawyers’ Thai-qualified attorneys.