Thailand’s Personal Data Protection Act (PDPA) enforcement has entered a genuinely serious phase. Between 2024 and 2025, companies with inadequate data security measures faced administrative fines reaching into the millions of baht, while the PDPC launched its “Eagle Eye” 24-hour automated monitoring system. If your Japanese company still operates on a “wait-and-see” approach to PDPA compliance, it’s time to reassess.
What Is the PDPA? — Thailand’s GDPR in Brief
Basic Information
The PDPA (Personal Data Protection Act; พ.ร.บ.คุ้มครองข้อมูลส่วนบุคคล) was enacted in May 2019 and came fully into force on June 1, 2022 — after two delays caused by the COVID-19 pandemic. It is now fully operative as a binding legal obligation.
The supervising authority is the PDPC (Personal Data Protection Committee), which handles enforcement, investigations, and guideline development.
Three-Way Comparison: Japan / Thailand / EU
| Item | Japan (APPI) | Thailand (PDPA) | EU (GDPR) |
|---|---|---|---|
| Full enforcement | 2005 (amended 2022) | June 2022 | May 2018 |
| Extra-territorial scope | Yes | Yes | Yes |
| Legal bases | Purpose specification + consent | 6 bases (GDPR-style) | 6 bases |
| DPO requirement | Not required | Required for large-scale processing | Required in certain conditions |
| Breach notification | Promptly (no strict deadline) | Within 72 hours | Within 72 hours |
| Max administrative fine | JPY 100 million | THB 5 million (~USD 145,000) | 4% of global turnover |
Key takeaway: The PDPA is structurally closer to the GDPR than to Japan’s APPI. Compliance with Japanese data protection law alone is insufficient for PDPA purposes.
Three Core Concepts
Data Controller: The entity that determines the purposes and means of processing personal data. Japanese subsidiaries in Thailand are typically data controllers. Equivalent to Japan’s “business operator handling personal information.”
Data Processor: An entity that processes personal data on behalf of and under the instructions of a controller — for example, IT vendors, cloud service providers, payroll outsourcing companies. This concept comes directly from the GDPR and has no clear equivalent in Japanese law. Critically, processor fines have exceeded controller fines in at least one enforcement case (see below).
Sensitive Data: Racial/ethnic origin, political opinions, religious beliefs, criminal records, health data, biometric data (fingerprints, iris scans), sexual behavior/orientation, and similar categories. Processing sensitive data is prohibited by default and is permissible only with explicit consent or another statutory basis.
Enforcement Has Arrived — Lessons from Major Fine Cases
2024: The First Major Fine (THB 7 Million)
In 2024, the PDPC imposed an administrative fine of THB 7 million (approximately USD 200,000) on a major technology retailer — the largest PDPA penalty at that time.
The three key violations were:
- No DPO appointed, despite conducting large-scale personal data processing
- Inadequate security measures leading to a personal data breach
- Failure to notify the PDPC within 72 hours of discovering the breach
“We didn’t know we were required to” is not a valid defense for these obligations, which have been in force since 2022.
August 2025: Five Cases, Eight Orders — A Wave of Enforcement
In August 2025, the PDPC announced five enforcement cases simultaneously, issuing a total of eight administrative orders. The cases spanned diverse sectors and organizations:
| Case | Entity | Fine (THB) | Key Violations |
|---|---|---|---|
| Case 1 | Government agency | 153,120 | Unqualified processor engaged without DPA; inadequate security; ~200,000 records exposed |
| Case 1 | Service provider (processor) | 153,120 | Joint sanction for the breach |
| Case 2 | Private hospital | 1,210,000 | Improper disposal of health records; 1,000+ patient records leaked |
| Case 2 | Disposal contractor (individual) | 16,940 | Improper handling of medical records |
| Case 3 | Technology retailer | 7,000,000 | No DPO appointed; inadequate security measures; failure to report breach |
| Case 4 | Cosmetics company | 2,500,000 | Inadequate security measures; failure to report breach to PDPC |
| Case 5 | Toy retailer (controller) | 500,000 | Insufficient oversight of outsourced reservation system |
| Case 5 | Reservation system provider (processor) | 3,000,000 | Inadequate security controls on outsourced system handling large data volumes |
(Source: DLA Piper Privacy Matters, September 2025)
Two Critical Lessons
Lesson 1: The processor received a larger fine than the controller
In Case 5, the controller (toy retailer) was fined THB 500,000, while the processor (reservation system provider) received THB 3,000,000 — six times as much. “We’re just a vendor” does not mean lighter responsibility. Processors that directly handle large volumes of personal data carry substantial obligations.
Lesson 2: No sector or size is exempt
Hospitals, cosmetics companies, toy retailers, government agencies — the 2025 cases covered a wide range. “We’re not a tech company” or “we don’t handle much data” are not grounds for exemption. If your organization processes customer or employee personal data, you are subject to the PDPA.
PDPC Eagle Eye — The 24-Hour Automated Surveillance Era
A Shift from Reactive to Proactive Enforcement
Traditionally, regulators respond to complaints filed by individuals. The PDPC has changed this dynamic by establishing the Eagle Eye division and deploying the Eagle Eye Crawler — a system that continuously scans URLs for data breach indicators around the clock, including both the open web and the dark web.
The PDPC no longer waits for complaints. It actively looks for violations.
What This Means for Japanese Companies
The Eagle Eye Crawler particularly monitors:
- Websites and apps with missing or inadequate privacy policies
- Personal data inadvertently exposed due to misconfigured access controls
- Personal data appearing in breached or leaked datasets online
Operating a Japanese-language website does not provide protection. If your organization provides services within Thailand, PDPA applies — regardless of the language of your site.
Rising Complaint Volume
The PDPC’s PDPA Center recorded 2,672 PDPA-related complaints as of January 2026 (announced at Data Privacy Day 2026). The three most common violation types were: failure to comply with data minimization, collection without lawful basis, and use/disclosure without lawful basis.
AI × PDPA — The Most Overlooked Risk
“Organizations Using AI Bear Full Controller Obligations”
The PDPC has published draft guidelines on personal data protection in AI development and use, establishing a clear principle:
Organizations that use AI = Data controllers with full PDPA obligations
If your company inputs customer data or employee information into a generative AI tool (such as ChatGPT, Microsoft Copilot, or an AI-powered CRM), your organization is acting as a data controller directing an AI system to process personal data. “The AI did it” is not a valid defense.
Where Does the AI Vendor Stand?
AI vendors are generally treated as data processors. However, if a vendor uses customer data for its own purposes — such as retraining or improving its AI models — it may be reclassified as a data controller. Contracts with AI vendors should explicitly address whether and how the vendor uses your data, supported by a Data Processing Agreement (DPA).
For a full picture of Thailand’s AI regulatory framework, see our article on Thailand’s 2026 AI Regulation Framework.
Cross-Border Data Transfers — Is Sending Data to Japan Headquarters Safe?
PDPA Rules on Cross-Border Transfers
The PDPA restricts transfers of personal data outside Thailand. The destination country must provide an “adequate level of protection” as determined by the PDPC.
As of March 2026, the PDPC has not published a formal list of countries with adequate protection. Japan’s status remains undetermined.
Practical Alternatives
Three approaches are available while the adequacy list remains pending:
- Standard Contractual Clauses (SCCs): Enter into contracts with PDPC-approved clauses between the sending and receiving entities. The most practical approach for most organizations.
- Binding Corporate Rules (BCRs): Internal rules governing intra-group transfers. More appropriate for large multinationals; the approval process is complex.
- Explicit Consent: Obtain case-by-case explicit consent from data subjects. Impractical at scale.
The Risk Japanese Companies Often Miss
A frequently overlooked area: employee data sent to Japanese headquarters. Payroll data, performance reviews, attendance records — if your organization centralizes HR data in a Japan-based system, those transfers fall under the PDPA’s cross-border rules. SCCs need to be in place.
For e-commerce and customer data management considerations, see our article on Thailand’s De Minimis Abolition and Its Impact on EC Businesses.
7 Things Japanese Companies Should Do Now
① Create and Publish Privacy Notices
Draft separate privacy notices for customers and employees, specifying what data is collected, for what purpose, on what legal basis, and to whom it is transferred. Publish them on your website or app, or distribute them internally. Consider Thai-language versions.
② Build Your ROPA (Records of Processing Activities)
The ROPA documents every processing activity your organization conducts: what data, why, how, with whom shared, how long retained. Organizations engaged in large-scale processing are required to maintain ROPAs under the PDPA. This is also the foundation for virtually all other compliance work.
③ Determine Whether You Need a DPO
A Data Protection Officer (DPO) is required under PDPA Section 41 if your organization:
- Processes personal data on a large scale as a core activity
- Processes sensitive data on a large scale
- Systematically monitors individuals’ behavior on a large scale
DPO functions may be outsourced to an external expert. Independence must be ensured, and the DPO must be registered with the PDPC.
④ Build a Data Breach Response Plan (72-Hour Rule)
Under PDPA Section 37(4), organizations must notify the PDPC within 72 hours of discovering a data breach. Without a pre-established Incident Response Plan specifying who does what from the moment a breach is detected, you will not meet this deadline.
⑤ Conduct a PDPA Impact Assessment for AI Tools
Review every AI tool used in your operations — generative AI, CRM automation, HR screening tools — from a PDPA perspective. Are you inputting personal data? Do you have a DPA with the AI vendor? Does the vendor use your data for model training?
⑥ Put Data Processing Agreements (DPAs) in Place
Every vendor or subcontractor that processes personal data on your behalf must be covered by a DPA. This includes IT vendors, cloud providers, payroll processors, and logistics companies. The 2025 enforcement cases show that organizations that failed to establish DPAs with their processors were sanctioned.
⑦ Establish Legal Bases for Cross-Border Transfers
Audit which personal data flows to Japan headquarters (employee records, customer data, sales data) and ensure each flow has a legal basis — typically SCCs. Data mapping is the starting point.
Frequently Asked Questions
Q: We have 20 employees. Does the PDPA apply to us?
Yes. Unlike Japan’s APPI (which historically excluded organizations handling fewer than 5,000 records), the PDPA has no size threshold. Any organization processing personal data in Thailand is covered.
Q: We comply with Japan’s APPI. Is that enough for PDPA?
No. The PDPA is structurally closer to the GDPR. Key requirements that go beyond or differ from Japan’s APPI include: mandatory DPO appointment (for large-scale processors), 72-hour breach notification, and the requirement to identify a specific legal basis (beyond just consent) for each processing activity.
Q: Can we outsource the DPO role to an external firm?
Yes. The DPO function can be performed by an external expert. The DPO must have sufficient expertise in data protection law and practice, be in a position of independence within or relative to the organization, and be registered with the PDPC.
Q: We manage Thai subsidiary data in our Japan headquarters system. Is that a problem?
This constitutes a cross-border data transfer subject to PDPA restrictions. As of March 2026, Japan has not been granted adequacy recognition by the PDPC, so you will need an alternative legal basis — most practically, Standard Contractual Clauses.
Q: Is THB 5 million the maximum exposure under the PDPA?
The administrative fine cap is THB 5 million. But that is not the full picture. Criminal sanctions (up to THB 1 million and/or 1 year imprisonment) apply to certain offenses involving sensitive data. Civil liability for actual damages — plus punitive damages of up to twice the actual loss — can also be imposed. Class action exposure is an additional consideration.
Conclusion: The Wait-and-See Window Has Closed
Through the 2024–2025 enforcement wave and the deployment of Eagle Eye’s continuous monitoring, the PDPC has sent a clear signal: non-compliant organizations are now enforcement targets.
For Japanese companies, the four most urgent priorities are: ① publishing a privacy notice, ② building a ROPA, ③ establishing a 72-hour breach response procedure, and ④ creating legal bases for cross-border transfers to Japan. If tackling everything at once is not feasible, prioritize by risk level and work through the list systematically.
We advise on PDPA compliance from both a Japanese and Thai law perspective — including privacy notice drafting, DPO setup, cross-border transfer structuring, and AI tool risk assessments. Please feel free to contact us.
This article is for general informational purposes about Thailand’s legal system and does not constitute legal advice under Thai law. For specific matters, please consult a Thai-qualified legal professional. Our firm works in collaboration with JTJB International Lawyers’ Thai-qualified attorneys.