PDPA (Thailand)
Thailand's Personal Data Protection Act is the country's first comprehensive data protection law — modeled on GDPR and fully enforceable since 2022.
Thailand's Personal Data Protection Act (PDPA), enacted in 2019 and fully effective since 1 June 2022, establishes comprehensive data protection rights for data subjects in Thailand and obligations for organizations processing their personal data. The law applies to organizations that collect, use, or disclose personal data of individuals in Thailand, including foreign organizations with no Thai presence that offer goods or services to, or monitor the behaviour of, people in Thailand. The Personal Data Protection Committee (PDPC) oversees enforcement.
PDPA's legal bases for processing largely mirror GDPR's structure: consent, contract, legal obligation, vital interest, public task, and legitimate interest, plus a separate basis for research, statistics, and public-interest archives. Consent must be explicit and freely given, made in writing or through electronic means unless that is impracticable by the nature of the request, and withdrawal of consent must be as easy as granting it. Sensitive personal data, including health data, biometric data, genetic data, political opinions, religious beliefs, criminal records, and racial or ethnic origin, requires explicit consent unless a narrow statutory exception applies. These requirements shape how data collection forms, consent management systems, and user preference centers must be designed.
PDPA cross-border transfer restrictions are a practical concern for multinational organizations. Personal data of data subjects in Thailand may only be transferred to countries or international organizations with adequate data protection standards as determined by the PDPC, or under approved transfer mechanisms such as binding corporate rules and standard contractual clauses, or under a statutory exception such as the data subject's informed consent. Unlike GDPR, Thailand's adequacy list is still developing, so organizations must assess the legal basis for each cross-border data flow individually, document it, and implement appropriate safeguards.
We architect PDPA compliance for organizations serving Thai markets — implementing consent management systems that meet PDPA standards, designing data processing agreements with Thai-specific requirements, and building cross-border transfer safeguards into the data pipeline architecture. Our teams understand how PDPA interacts with existing GDPR compliance programs for organizations with overlapping regional exposure.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.