Thailand PDPA

Thailand

20 domains

35 controls

Thailand Personal Data Protection Act B.E. 2562 (2019), effective June 2022.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (20)

Accountability

1 controls

Controls in the Accountability domain of Thailand PDPA — 1 controls
Code	Title	Description
Section 39	Record of Processing Activities (RoPA)	Controllers shall maintain a record of processing activities including categories of data, purposes, recipients, retenti...

Breach Response

1 controls

Controls in the Breach Response domain of Thailand PDPA — 1 controls
Code	Title	Description
Section 37(4)	Breach Notification to Data Subjects	Where a breach is likely to result in high risk to rights and freedoms of data subjects, controllers must notify affecte...

Consent

1 controls

Controls in the Consent domain of Thailand PDPA — 1 controls
Code	Title	Description
Section 20	Consent for Minors	Consent from minors under 10 requires holder of parental responsibility. Minors 10-20 require parental consent unless tr...

Cross-Border Transfers

2 controls

Controls in the Cross-Border Transfers domain of Thailand PDPA — 2 controls
Code	Title	Description
Section 28	Cross-Border Data Transfer	Transfers outside Thailand require destination country to have adequate protection, or one of the exceptions, including...
Section 29	Intra-Group Transfer Rules	Intra-group transfers within affiliated entities permitted where binding policies are approved and registered with the P...

Data Subject Rights

7 controls

Controls in the Data Subject Rights domain of Thailand PDPA — 7 controls
Code	Title	Description
Section 30	Right of Access	Data subjects have the right to access and obtain a copy of their personal data held by the controller and to request di...
Section 31	Right to Data Portability	Data subjects may request personal data in a readable or commonly used machine-readable format and may request transfer...
Section 32	Right to Object	Data subjects may object to processing including direct marketing, scientific or statistical research, or processing bas...
Section 33	Right to Erasure	Data subjects may request deletion, destruction, or anonymisation of personal data where consent withdrawn, data no long...
Section 34	Right to Restriction of Processing	Data subjects may request restriction of processing pending accuracy verification, unlawful processing claims, or pendin...
Section 35	Right to Rectification	Controllers shall ensure personal data is accurate, current, complete, and not misleading. Data subjects may request cor...
Section 95(2)	Complaint Handling	Data subjects may lodge complaints with the PDPC. Controllers must facilitate internal complaint mechanisms and respond...

Disclosure

1 controls

Controls in the Disclosure domain of Thailand PDPA — 1 controls
Code	Title	Description
Section 27	Disclosure to Third Parties	Disclosure of personal data to third parties requires consent or other lawful basis matching the original collection pur...

Enforcement

1 controls

Controls in the Enforcement domain of Thailand PDPA — 1 controls
Code	Title	Description
Section 95	Effective Date and Enforcement	PDPA core provisions came into force 1 June 2022 following multiple postponements. All obligations are now actively enfo...

Governance

3 controls

Controls in the Governance domain of Thailand PDPA — 3 controls
Code	Title	Description
Section 41	Appointment of Data Protection Officer	Controllers and processors must appoint a DPO where core activities involve large-scale sensitive data, systematic monit...
Section 42	DPO Duties	The DPO shall advise on PDPA compliance, monitor compliance, cooperate with PDPC, and serve as contact point. The DPO mu...
Section 7	Local Representative Requirement	Foreign controllers and processors subject to PDPA must designate a representative in Thailand acting on their behalf wi...

Lawful Basis

2 controls

Controls in the Lawful Basis domain of Thailand PDPA — 2 controls
Code	Title	Description
Section 19	Lawful Basis and Consent Requirements	Collection, use, or disclosure of personal data requires consent unless another lawful basis applies. Consent must be ex...
Section 24	Lawful Bases Other Than Consent	Processing without consent permitted for research with safeguards, vital interest, contract performance, legal obligatio...

Penalties

3 controls

Controls in the Penalties domain of Thailand PDPA — 3 controls
Code	Title	Description
Sections 71-76	Civil Liability and Punitive Damages	Controllers and processors are liable for actual damages and punitive damages up to twice the actual damage for PDPA vio...
Sections 77-90	Administrative Fines	PDPC may impose administrative fines up to THB 5 million for violations including failure to obtain consent, breach noti...
Sections 79-81	Criminal Liability for Unlawful Disclosure	Unlawful disclosure of sensitive personal data for unjust benefit may result in imprisonment up to one year and fines up...

Processing Principles

2 controls

Controls in the Processing Principles domain of Thailand PDPA — 2 controls
Code	Title	Description
Section 21	Purpose Limitation	Personal data shall only be collected, used, or disclosed for purposes notified to the data subject prior to or at the t...
Section 22	Data Minimisation	Collection of personal data shall be limited to that necessary for the lawful purposes of the data controller.

Processor Management

1 controls

Controls in the Processor Management domain of Thailand PDPA — 1 controls
Code	Title	Description
Section 40	Processor Obligations	Processors shall act only on documented instructions, implement security measures, maintain processing records, and noti...

Regulator

1 controls

Controls in the Regulator domain of Thailand PDPA — 1 controls
Code	Title	Description
Section 43	PDPC Authority and Powers	The Personal Data Protection Committee has powers to investigate, issue orders, levy administrative fines, and publish g...

Retention

1 controls

Controls in the Retention domain of Thailand PDPA — 1 controls
Code	Title	Description
Section 36	Retention and Deletion	Personal data shall be deleted, destroyed, or anonymised when retention period expires or processing purpose is fulfille...

Risk Management

1 controls

Controls in the Risk Management domain of Thailand PDPA — 1 controls
Code	Title	Description
PDPC Notification (DPIA)	Data Protection Impact Assessment	DPIA required where processing is likely to result in high risk including large-scale sensitive data, systematic monitor...

Scope and Definitions

2 controls

Controls in the Scope and Definitions domain of Thailand PDPA — 2 controls
Code	Title	Description
Section 5	Extraterritorial Application	PDPA applies to controllers and processors outside Thailand if they offer goods or services to, or monitor behaviour of,...
Section 6	Definitions and Scope of Personal Data	Personal data means any information relating to a natural person enabling identification, directly or indirectly, exclud...

Security

2 controls

Controls in the Security domain of Thailand PDPA — 2 controls
Code	Title	Description
PDPC Notification (Security Standards)	Minimum Security Standards	PDPC has issued minimum security standards covering access controls, authentication, audit logging, encryption, and inci...
Section 37	Controller Security Obligations	Controllers shall implement appropriate security measures to prevent loss, unauthorised access, use, alteration, correct...

Sensitive Data

1 controls

Controls in the Sensitive Data domain of Thailand PDPA — 1 controls
Code	Title	Description
Section 26	Sensitive Personal Data	Processing of sensitive data (race, religion, sexual orientation, criminal record, health, disability, union, biometric,...

Transition

1 controls

Controls in the Transition domain of Thailand PDPA — 1 controls
Code	Title	Description
Section 25	Historical and Pre-PDPA Data	Personal data collected prior to PDPA enforcement may continue to be processed for original purposes provided data subje...

Transparency

1 controls

Controls in the Transparency domain of Thailand PDPA — 1 controls
Code	Title	Description
Section 23	Privacy Notice Requirements	Controllers must inform data subjects of purpose, categories collected, recipients, retention, rights, and contact detai...

Frequently Asked Questions

What is Thailand PDPA?

Thailand PDPA is a compliance framework from Thailand with 20 domains and 35 controls. Thailand Personal Data Protection Act B.E. 2562 (2019), effective June 2022. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Thailand PDPA have?

Thailand PDPA has 35 controls organised across 20 domains. The largest domains are Data Subject Rights (7 controls), Governance (3 controls), Penalties (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Thailand PDPA map to?

Thailand PDPA does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Thailand PDPA compliance?

Start your Thailand PDPA compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Thailand PDPA requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 35 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required