Personal Data Protection Act Published

The Personal Data Protection Act, 2562 B.E. (2019) (“PDPA”) was published in the Royal Thai Government Gazette on 27 May 2019. The PDPA will come into force one year after the published date, except for provisions related to the Committee of Personal Data Protection and its office which became effective on 28 May 2019.

Keywords: Mazars, Thailand, Legal, Personal Data Protection Act, PDPA

11 July 2019

The PDPA applies to both public and private sectors. Significant issues addressed under the PDPA are as follows:

Key issues




Personal data’ means information which identifies a person, directly or indirectly, but not including information of a person who has died.

- Personal data controller’ means a natural or legal person authorized to make decisions on the collection, use, and disclosure of personal data

- Personal data processor’ means a natural or legal person who collects, uses, or discloses personal data by order of or on behalf of the personal data controller. This person is someone other than the personal data controller.

Personal Data processing

The consent of the data owner is required for collecting, using, or disclosing personal data.

- The purposes for which the personal data is being collected, used, and disclosed must be provided to the data owner.

- The personal data controller responsible for using the personal information must ensure that the information is secure and protected from unlawful alteration or access.

Rights of the Personal Data Owner


- Withdraw consent which was given previously when the Data Controller fails to comply with the rules under the PDPA.

- Access the personal data given and request a copy from the personal data controller.

- Be informed when personal data is disclosed without their consent.

- Portability of data.

- Have personal data erased, and stop, restrict, or object to how personal data is processed in certain circumstances.

- Have incorrect data updated.

Limitation on transferring Personal Data abroad

The transfer of personal data abroad must comply with the rules prescribed under the PDPA.

Civil liabilities

- If a personal data controller or processor fails to comply with or violate the PDPA, he/she is liable for:

1. Actual damages due to such actions, regardless of whether such actions were taken intentionally or negligently, except the personal data controller or processor can prove that: 1.1 Such damages occurred or incurred by force majeure or action or omission of the data owner; or

1.2 Such damages incurred as a result of complying with a lawful order of the competent official.

2. Punitive damages based on a court order.

Criminal penalties


- Fines, prison sentences, or both shall be imposed for failing to comply with or for violating the PDPA. For instance, the Data Controller uses or discloses the personal information without consent of the personal data owner.

The fines will range from Baht 500,000 to Baht 1,000,000, and the prison sentences will range from 6 months to 1 year, based on the severity of offence.

Administrative fines


- Administrative fines shall also be imposed for failing to comply with or for violating the PDPA.

The fines will range from Baht 500,000 to Baht 5,000,000, based on the severity of offence.

For the personal data which was collected before the enforcement of the PDPA, the personal data controller can keep and use such personal data in accordance with the objectives previously notified by the data owner, provided that the personal data controller defines how the data owner can withdraw its consent to use the personal data.

For more information, please visit the Ministry of Digital Economy and Society website and Ratchakitcha website.

Want to know more?