{"id":139498,"date":"2026-04-22T09:25:43","date_gmt":"2026-04-22T09:25:43","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=139498"},"modified":"2026-04-22T09:45:28","modified_gmt":"2026-04-22T09:45:28","slug":"thailand-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/thailand-data-protection-cybersecurity\/","title":{"rendered":"Thailand: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-139498","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-thailand"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Chandler Mori Hamada Limited<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2025\/01\/admin-ajax.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Chandler Mori Hamada Limited<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2025\/01\/admin-ajax.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Thailand<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing data 
protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong><em>Data Protection<\/em><\/strong><\/p>\n<p>The Personal Data Protection Act, B.E. 2562 (2019) (\u201c<strong>PDPA<\/strong>\u201d) outlines key protection frameworks for collection, use, and disclosure of any \u201c<strong>Personal Data<\/strong>\u201d, which is defined as any data which, by itself or in combination with other data, can be used to trace back to an individual. In terms of application, the PDPA applies to both private and government sectors (except for certain organisations as specified in the PDPA). The PDPA has been fully enforceable since 1 June 2022.<\/p>\n<p>In principle, the PDPA, which is largely modelled on the General Data Protection Regulation of the European Union (\u201c<strong>GDPR<\/strong>\u201d), creates obligations on both private and government sectors if they are considered to fall under either of the two categories outlined below, in relation to collection, processing and treatment of Personal Data:<\/p>\n<ul>\n<li>any entity which has power to decide how to treat Personal Data (\u201c<strong>Controller<\/strong>\u201d); and<\/li>\n<li>any entity which treats Personal Data pursuant to instructions of a Controller or processes Personal Data on behalf of the Controller (\u201c<strong>Processor<\/strong>\u201d).<\/li>\n<\/ul>\n<p>Both Controllers and Processors carry the burden of proof that they meet the requirements under the PDPA for all types of processing of Personal Data. 
In addition, the PDPA establishes a supervising authority (i.e., the Personal Data Protection Commission (\u201c<strong>PDPC<\/strong>\u201d) and the Office of the PDPC (\u201c<strong>Office<\/strong>\u201d)) to regulate Controllers and Processors.<\/p>\n<p>Regulations under the PDPA can be broadly categorised into three areas as follows:<\/p>\n<ul>\n<li><u>Lawful basis:<\/u><\/li>\n<\/ul>\n<p>Examples of commonly used bases for collection and processing of Personal Data are: (i) consent; (ii) contractual performance; (iii) legitimate interest; and (iv) legal obligations. However, processing of sensitive Personal Data is subject to a different set of bases. Please see further explanation in our response to Question No. 7.<\/p>\n<ul>\n<li><u>Rights of Data Subjects:<\/u><\/li>\n<\/ul>\n<p>The PDPA provides an extensive list of rights of data subjects, many of which can be universally invoked while others can be used only under certain circumstances. Except for the right to withdraw any consent given by the data subject, rights of data subjects are not always absolute, as a Controller may have certain grounds to refuse such requests on a case-by-case basis. Please see further explanation in our response to Question No. 32.<\/p>\n<ul>\n<li><u>Security measures:<\/u><\/li>\n<\/ul>\n<p>The PDPA provides a blanket requirement to both Controllers and Processors to treat Personal Data in an appropriate manner, which materially includes well-organised safe keeping of data, safe storage (physical and electronic), automatic deletion of data, etc.<\/p>\n<p>The PDPC Notification re: Security Safeguard Measures of the Personal Data Controller B.E. 2565 (2022) prescribes minimum data security standards (i.e., organisational, technical, and physical measures, access control, confidentiality) for Personal Data processed under the PDPA. Please see further explanation in our response to Question No. 
29.<\/p>\n<p><strong><em>Cybersecurity<\/em><\/strong><\/p>\n<p>Cybersecurity in Thailand is primarily governed by the Cybersecurity Act, B.E. 2562 (2019) (\u201c<strong>CSA<\/strong>\u201d), which establishes a national framework for preventing, responding to, and mitigating cybersecurity threats that may affect national security, public services, and critical infrastructure.<\/p>\n<p>The CSA applies mainly to Critical Information Infrastructure (\u201c<strong>CII<\/strong>\u201d) operators, which are entities designated by the relevant authorities operating in key sectors such as national security, public administration, finance, energy, transportation, public health, and digital infrastructure. These operators are subject to heightened cybersecurity obligations, including risk assessments, incident reporting, and compliance with prescribed cybersecurity standards.<\/p>\n<p>The CSA establishes the National Cybersecurity Committee (\u201c<strong>NCSC<\/strong>\u201d) and the Cybersecurity Regulatory Committee (\u201c<strong>CRC<\/strong>\u201d) as the principal regulatory bodies responsible for cybersecurity oversight. 
Sector-specific regulators also play a role in supervising CII operators within their respective industries.<\/p>\n<p>Key obligations under the CSA include:<\/p>\n<ul>\n<li>implementing appropriate cybersecurity risk management measures and systems;<\/li>\n<li>monitoring, preventing, and responding to cybersecurity threats and incidents;<\/li>\n<li>mandatory reporting of significant cybersecurity incidents to relevant authorities; and<\/li>\n<li>cooperating with government authorities in cybersecurity investigations and response actions.<\/li>\n<\/ul>\n<p>The CSA adopts a risk-based approach by categorising cyber threats into different levels (non-critical, critical, and severe threats), with corresponding powers granted to authorities, including the ability (subject to certain conditions) to access systems or data in the case of serious threats.<\/p>\n<p>In practice, while the CSA focuses on national-level cybersecurity and CII operators, its principles increasingly influence broader regulatory expectations for cybersecurity governance across industries, particularly when considered alongside the PDPA\u2019s requirements on security safeguards for personal data.<\/p>\n<p>In addition, Thailand has enacted other key legislation addressing cyber-related risks and offences.<\/p>\n<p>The Computer Crime Act, B.E. 2550 (2007) (as amended) (\u201c<strong>CCA<\/strong>\u201d) governs offences relating to unlawful access to computer systems, data interference, and the dissemination of illegal or harmful content through computer systems. 
It also empowers authorities to investigate cyber offences, including ordering the suspension or removal of unlawful content, and imposes obligations on service providers to retain computer traffic data and cooperate with competent officials.<\/p>\n<p>The Royal Decree on Measures for the Prevention and Suppression of Technology-Related Crimes (as amended) establishes a framework to address cyber-enabled offences, particularly online fraud and call centre scams. It imposes obligations on relevant parties, including data holders and service providers, to prevent and mitigate such risks, and provides for both criminal and administrative penalties.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Since the PDPA became enforceable, subordinate laws (including PDPC notifications, regulations, and guidelines) have continued to be issued, and further regulatory developments are expected in 2025\u20132026 to enhance clarity and enforcement. The PDPA is currently undergoing a post-implementation review following five years of enforcement. At the same time, the PDPC has been preparing an increasing number of practical guidelines in key areas, such as artificial intelligence (AI), the preparation of records of processing activities (ROPA), the assessment of lawful bases for processing, and the roles and responsibilities of data protection officers (DPOs). 
As a result, further draft regulations and guidelines are expected to be introduced in 2026 for public consultation and implementation.<\/p>\n<p>Most recently, in September 2025, the PDPC issued a regulation on the examination and certification of Binding Corporate Rules (\u201cBCR\u201d), establishing a formal framework for intra-group cross-border data transfers. The regulation introduces detailed requirements on documentation, enforceability, and accountability, including the need for a Thailand-based liable entity and a streamlined process for BCRs already approved under foreign regimes.<\/p>\n<p>From a cybersecurity perspective, in April 2025, the government introduced stricter penalties under the Royal Decree on Measures for the Prevention and Suppression of Technology-Related Crimes (No. 2), B.E. 2568 (2025), including criminal penalties of up to five years\u2019 imprisonment and\/or fines of up to THB 500,000 for the misuse of personal data in connection with technology-related crimes. In the same year, the scope of Critical Information Infrastructure (CII) was also updated to better reflect current business and technological developments, expanding its coverage to more relevant sectors.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in privacy, data protection and\/or cybersecurity-related enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPC has been increasingly active in reviewing and investigating data breach incidents. 
Following its first administrative enforcement decision in 2024, enforcement activity intensified in 2025.<\/p>\n<p>In 2025, the PDPC continued to issue additional administrative orders across both public and private sectors, covering a range of industries including government agencies, healthcare providers, IT and e-commerce businesses, cosmetics companies, and digital platform operators. These enforcement actions addressed various compliance failures, such as inadequate technical and organisational security measures, failure to appoint a data protection officer, failure to implement data processing agreements, and failure to notify data breaches within the prescribed timeframe. Several cases also highlight deficiencies in vendor management and oversight of data processors.<\/p>\n<p>Recent enforcement cases demonstrate a broad range of penalties, from relatively modest fines (e.g., approximately THB 16,000\u2013150,000 for certain processors and smaller-scale breaches) to significant penalties exceeding THB 1 million for more serious compliance failures, and up to THB 7 million for major breaches involving systemic deficiencies.<\/p>\n<p>Notably, several enforcement actions have arisen from cybersecurity-related incidents, such as system intrusions, data leaks, and unauthorised disclosures, with compromised data subsequently used in online fraud and call centre scams, highlighting the regulator\u2019s increasing focus on data security and cybersecurity risks. 
However, standalone cybersecurity enforcement remains relatively limited, and while the Royal Decree on Measures for the Prevention and Suppression of Technology-Related Crimes has been introduced in response to the rise in such threats, there are not yet any notable enforcement precedents, and the regulatory approach in this area remains evolving.<\/p>\n<p>Overall, enforcement trends in Thailand indicate a shift towards more active supervision, greater scrutiny of organisational security practices (including third-party risk management), and heightened expectations on accountability in responding to data breaches and cyber incidents.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA and cybersecurity laws do not have any registration or licensing requirements for Controllers or Processors. However, with respect to the PDPA, certain subordinate laws impose registration requirements on institutions that act as certifying bodies for Data Protection Officers or those that issue certifications for data privacy standards. 
In addition, organisations that appoint a Data Protection Officer (\u201cDPO&#8221;) must notify the Office of the details of such appointment.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What does \u201cpersonal data,\u201d \u201cpersonal information\u201d or other equivalent terms (hereafter \u201cpersonal data\u201d) mean under data protection laws in your jurisdiction? Does the definition broadly include information about all individuals? For example, would this include individuals acting in a personal or household capacity, as well as those acting in a business or commercial capacity (such as on behalf of a business or corporate entity or employer) or otherwise?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The term \u201cPersonal Data\u201d is defined under the PDPA as any information relating to a natural person that enables the identification of such natural person, whether directly or indirectly, but not including information of deceased persons. Sensitive Personal Data includes Personal Data relating to ethnicity, race, philosophical beliefs, religious beliefs, socio-political beliefs and affiliations, relationships with labour unions, criminal records, diseases and medical conditions, biometrics and DNA, and sexual preference. In any event, the PDPC may add other types of data into this category.<\/p>\n<p>This definition is intentionally broad and technology-neutral, capturing any information that relates to an identifiable individual regardless of the context in which the data is processed. 
In practice, this includes data relating to individuals in both private and professional capacities, such as employees, directors, and other representatives of corporate entities, provided that the information can be linked to a specific individual. Notwithstanding the above, even where information qualifies as Personal Data, certain activities may fall within statutory exemptions under the PDPA. For example, processing carried out for purely personal or household activities may be exempt from compliance obligations, meaning that the PDPA need not be complied with in such circumstances.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are certain types of personal data considered more sensitive or highly regulated under data protection laws in your jurisdiction? Please include the relevant defined terms for such data (e.g., \u201cspecial categories of personal data,\u201d \u201csensitive data\u201d or \u201csensitive personal information\u201d)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Under the Personal Data Protection Act B.E. 2562 (2019) (PDPA), certain types of personal data are subject to stricter regulation and are defined as \u201cSensitive Personal Data.\u201d Thailand uses the term \u201cSensitive Personal Data\u201d and does not adopt a separate concept such as \u201cspecial categories of personal data\u201d found in other jurisdictions. Sensitive Personal Data includes Personal Data relating to ethnicity, race, philosophical beliefs, religious beliefs, socio-political beliefs and affiliations, relationships with labour unions, criminal records, diseases and medical conditions, biometrics and DNA, and sexual preference. 
In any event, the PDPC may add other types of data into this category.<\/p>\n<p>The processing of Sensitive Personal Data is subject to more stringent requirements and limited lawful bases compared to ordinary Personal Data, with specific exemptions prescribed under the PDPA.<\/p>\n<p>Currently, the PDPA is under review for potential amendments, which include consideration of the scope of the definition of Sensitive Personal Data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Thailand has adopted data protection principles broadly aligned with the seven key principles under the GDPR. However, unlike the GDPR, these principles are not expressly set out as a standalone provision but are embedded across various sections of the PDPA.<\/p>\n<p>Under the PDPA, all Controllers must establish a lawful basis for each process of collection, use, or disclosure of Personal Data. 
Bases differ between ordinary Personal Data and sensitive Personal Data.<\/p>\n<p>The lawful bases for processing ordinary Personal Data are as follows:<\/p>\n<ol>\n<li>via consent of a data subject, prior to or during collection or processing;<\/li>\n<li>for achievement of purposes relating to preparation of historical documents or archives for public interest or relating to study, research, or statistics for which an appropriate protection standard is used to protect rights and liberties of data subjects as prescribed and announced by the PDPC (i.e., historical, research or statistical purposes);<\/li>\n<li>for prevention or suppression of a danger to life, body, or health of a person (i.e., vital interest);<\/li>\n<li>for performance under a contract to which a data subject is a party, or for proceeding with a data subject\u2019s request before entering into a contract (i.e., contractual performance);<\/li>\n<li>for performance of a Controller\u2019s duty for public interest or as required by the state (i.e., public interest);<\/li>\n<li>under a legitimate interest of a Controller or another person or juristic person, unless such interest is less important than basic rights in Personal Data of the relevant data subject (i.e., legitimate interest); and<\/li>\n<li>for a Controller\u2019s compliance with the law (i.e., legal obligations).<\/li>\n<\/ol>\n<p>The lawful bases for processing sensitive Personal Data are as follows:<\/p>\n<ol>\n<li>via consent of a data subject, prior to or during collection or processing of Personal Data;<\/li>\n<li>for prevention or suppression of a danger to life, body, or health of a person, where the data subject is incapable of giving consent for whatever reason;<\/li>\n<li>for legitimate activities with appropriate safeguards by foundations, associations, or any other not-for-profit bodies for a purpose of their members, former members, or regular-contacted persons under the organisation\u2019s objectives, without disclosing sensitive 
Personal Data to external parties;<\/li>\n<li>where sensitive Personal Data has already been disclosed to the public with explicit consent of data subjects;<\/li>\n<li>for establishment, compliance, exercise, or defence of legal claims; and<\/li>\n<li>for compliance with specific laws with a purpose relating to preventive medicine, public health, labour protection, research, or any other purpose for public interest.<\/li>\n<\/ol>\n<p>Furthermore, the PDPA requires Controllers to provide clear and detailed privacy notices at or before the time of processing Personal Data. The notice must include:<\/p>\n<ul>\n<li>The purpose of the data processing, including the lawful basis;<\/li>\n<li>The circumstances under which data subjects must provide their Personal Data to comply with legal or contractual obligations, or for the purpose of entering into a contract, including the potential consequences of failing to provide such Personal Data;<\/li>\n<li>The categories of Personal Data collected;<\/li>\n<li>The retention period;<\/li>\n<li>The categories of individuals or entities to whom the Personal Data may be disclosed;<\/li>\n<li>The contact details of the Controller, its representative, and DPO; and<\/li>\n<li>The rights of data subjects.<\/li>\n<\/ul>\n<p>Controllers are also obligated to retain Personal Data only for as long as necessary to fulfil the purposes for which the data was collected, used, or disclosed, unless otherwise required by applicable laws or regulations. 
Once the retention period has expired, or the data is no longer necessary, Controllers must take appropriate steps to securely delete, destroy, or anonymise the Personal Data to prevent unauthorised access, use, or disclosure.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no categorical prescriptions where consent is strictly required. General principles apply to all circumstances, whereby consent is required if a non-consent basis \u00a0cannot be established for processing Personal Data.\u00a0 Therefore, consent is typically required when processing activities go beyond what is necessary for contractual or legal obligations, or the legitimate interests\u2014such as for marketing, data analytics, or profiling. In such cases, the Controller must obtain clear, informed, and specific consent from the data subject prior to initiating any processing. Consent must be given voluntarily and must not be obtained through coercion or made a condition for accessing unrelated services.<\/p>\n<p>The PDPA sets out strict requirements for the form in which consent must be obtained. 
It must be presented in a manner that is clearly distinguishable from other matters, meaning it cannot be bundled with, or embedded within, broader documents such as terms of service, or combined with unrelated consents. Consent must be purpose-specific, allowing individuals to selectively agree to certain processing activities while declining others. Data subjects must also be informed of their right to withdraw consent at any time, and the process for doing so must be as simple as the process for giving it. Implied consent is not recognised under the PDPA. In other words, consent cannot be inferred from a data subject\u2019s silence, inactivity, or general conduct (e.g., continued use of a service without an explicit indication of agreement). Instead, consent must be explicitly given through a clear affirmative action, ensuring that it is freely given, informed, and unambiguous.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Please see the response to Question No. 7 regarding the bases for sensitive Personal Data.<\/p>\n<p>It should be noted that the PDPA does not impose an absolute prohibition on the processing of any category of Sensitive Personal Data. 
Such data may still be processed, provided that an appropriate legal basis and applicable exemptions under the PDPA are satisfied.<\/p>\n<p>For the processing of children\u2019s data, consent shall be required subject to the following additional requirements:<\/p>\n<ul>\n<li>For minors under the age of 10, consent must be obtained from a legal guardian.<\/li>\n<li>For minors aged between 11 and 20, consent must also be obtained from a legal guardian, except in certain cases where the minor is permitted to unilaterally and independently provide consent (i.e., acts that grant rights or benefits without imposing duties or obligations, acts that are strictly personal to the minor, and acts which are appropriate to the minor\u2019s status in life and necessary for his or her reasonable needs.)<\/li>\n<\/ul>\n<p>In addition, under Section 20 of the PDPA, similar principles apply to persons who are legally incapacitated or quasi-incompetent. For an incompetent person (i.e., a person adjudged by a court to lack legal capacity), consent must be obtained from their legal guardian. 
For a quasi-incompetent person (i.e., a person whose capacity is partially limited by a court order), consent must be obtained from their curator, unless the act falls within the scope of actions that such person can lawfully undertake independently.<\/p>\n<p>The above requirements apply <em>mutatis mutandis<\/em> to the withdrawal of consent, the provision of notices to data subjects, the exercise of data subject rights, the filing of complaints by data subjects, and all other acts under the PDPA involving a minor as a data subject.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction have special or particular requirements, restriction, or rules regarding the collection, use, disclosure or processing of personal information from or about children or minors?  If so, what is the age threshold and key requirements\/restrictions that go beyond those applicable, generally?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. The PDPA imposes specific requirements for the processing of personal data relating to children or minors, primarily in relation to consent.<\/p>\n<p>As outlined in the response to Question 9, where consent is relied upon as the legal basis, additional requirements apply depending on the age of the minor. 
In particular, consent must generally be obtained from a legal guardian, except in limited circumstances where the minor is legally permitted to act independently.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Please see the key points mentioned under our responses to Questions Nos. 7-10.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend privacy risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not specifically outline this topic in detail. However, the PDPC\u2019s guideline on notification of purposes recommends that a Data Protection Impact Assessment (\u201c<strong>DPIA<\/strong>\u201d) should be conducted to identify and mitigate risks associated with the processing of Personal Data, particularly where the data subject has neither provided consent nor been informed, before a Controller processes personal data obtained from sources other than the data subject directly. It is important to note that the PDPA itself does not provide specific requirements or detailed procedures for conducting a DPIA. 
Nonetheless, a draft subordinate regulation (i.e., the draft PDPC Notification regarding DPIA) has previously been introduced to address this area more comprehensively.<\/p>\n<p>Under the draft notification, Controllers must carry out a DPIA when conducting any processing activity that poses high risks to the rights and freedoms of data subjects. Such processing activities are as follows:<\/p>\n<ul>\n<li>extensive processing of Personal Data based on automated processing, including profiling on which decisions are based and whereby such decisions create legal effects concerning a person;<\/li>\n<li>processing of sensitive Personal Data on a large scale, taking into account the number of relevant persons, the amount and diversity of relevant information, and the duration of processing;<\/li>\n<li>systematic monitoring of a publicly accessible area on a large scale; and<\/li>\n<li>a list of activities prescribed by the PDPC, namely:\n<ul>\n<li>use of innovative technology;<\/li>\n<li>profiling of a special category of Personal Data to decide on access to services;<\/li>\n<li>profiling of individuals on a large scale;<\/li>\n<li>processing of biometric data;<\/li>\n<li>processing of genetic data;<\/li>\n<li>matching of data or combining datasets from different sources;<\/li>\n<li>collecting Personal Data from a source other than data subjects themselves without providing them with a privacy notice;<\/li>\n<li>tracking individuals\u2019 locations or behaviour;<\/li>\n<li>profiling minors or vulnerable individuals or target-marketing or providing online services to them; and<\/li>\n<li>processing of Personal Data that might endanger a data subject\u2019s physical health or safety in the event of a security breach.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Furthermore, the assessment should contain at least:<\/p>\n<ul>\n<li>necessity for undertaking the DPIA;<\/li>\n<li>descriptions of processing and records of each step;<\/li>\n<li>results of hearings conducted 
for stakeholders;<\/li>\n<li>proportionality of processing;<\/li>\n<li>assessment of physical, mental, and material risks;<\/li>\n<li>mitigation of risks; and<\/li>\n<li>monitoring measures.<\/li>\n<\/ul>\n<p>Where a Controller carries out a DPIA when required, it is presumed to have conducted the relevant risk assessments and implemented appropriate measures under the PDPA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice, or self-regulatory codes applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While Thailand does not currently have a broad set of formal sector-specific codes of practice under the PDPA, the PDPC has issued a number of guidelines. 
These include:<\/p>\n<p>1) Guideline on Notification of Purposes \u2013 outlining the required information that must be provided to data subjects regarding data processing activities, including procedures for collecting Personal Data from sources other than the data subject.<\/p>\n<p>2) Guideline on Consent \u2013 providing detailed requirements for obtaining valid consent, including form, content, and conditions to ensure that consent is freely given, specific, informed, and unambiguous.<\/p>\n<p>3) Guideline on Compliance with State Information and Personal Data \u2013 clarifying the distinction between state information and Personal Data, and providing guidance on how to handle such information appropriately and in accordance with the PDPA.<\/p>\n<p>In addition to the above guidelines, relevant regulatory authorities and industry associations also publish sector-specific guidance or self-regulatory standards to support PDPA compliance within their industries. Examples include the Guideline on Personal Data Protection for Thai Banks issued by the Thai Bankers\u2019 Association, and personal data protection guidance for the non-life insurance industry developed with support from the Thai General Insurance Association and the Office of Insurance Commission.<\/p>\n<p>A notable development since 2025 is that, in February 2026, the PDPC released draft Guidelines on Personal Data Protection in the Development and Use of Artificial Intelligence for public consultation. 
Although not yet final, the draft guidelines indicate the PDPC\u2019s proposed approach to applying existing PDPA principles in the AI context, including matters such as role allocation, lawful basis, transparency, data minimisation, impact assessments for higher-risk AI use cases, security controls, and the exercise of data subject rights.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Controllers must maintain records of processing activities (ROPA) containing at least the following information, in written or electronic form, for the purpose of audits by data subjects or the Office:<\/p>\n<ol>\n<li>collected Personal Data;<\/li>\n<li>purpose of collection for each type of Personal Data;<\/li>\n<li>details of the Controller;<\/li>\n<li>retention period of Personal Data;<\/li>\n<li>rights and methods for access to Personal Data;<\/li>\n<li>use or disclosure of Personal Data which is acquired under bases other than consent;<\/li>\n<li>the Controller\u2019s rejection of a request or objection from a data subject; and<\/li>\n<li>details of security measures applied to Personal Data.<\/li>\n<\/ol>\n<p>Similar to Controllers, Processors must also maintain a ROPA, the minimum requirements of which are stated in the PDPC notification re: rules and procedures for preparation and storage of records of processing activities for Processors B.E. 2565 (2022). 
The minimum requirements are as follows:<\/p>\n<ol>\n<li>name and information of the Processor and its agent (if any);<\/li>\n<li>name and information of the Controller on whose instructions or on whose behalf the Processor acts, and name and information of the agent of the Controller (if any);<\/li>\n<li>name and information of the data protection officer (\u201c<strong>DPO<\/strong>\u201d), including the contact address and means of contact, where the Processor appoints a DPO;<\/li>\n<li>type or manner of collection, use or disclosure of Personal Data by the Processor on the instructions or on behalf of the Controller, including the Personal Data concerned and the purpose of collection, use or disclosure as designated by the Controller;<\/li>\n<li>type of persons or agencies receiving the Personal Data where the Personal Data is transmitted or transferred to a foreign country; and<\/li>\n<li>explanation relating to the security safeguard measures.<\/li>\n<\/ol>\n<p>Currently, there are two PDPC notifications regarding the requirement to maintain a ROPA for small organisations. 
Under these notifications, an organisation that meets any of the following criteria is considered a small business enterprise and is exempt from the above-mentioned obligations (subject to certain conditions):<\/p>\n<ol>\n<li>A small or medium-sized enterprise under the law on the promotion of medium and small-sized enterprises;<\/li>\n<li>A community enterprise or its network under the law on community enterprise promotion;<\/li>\n<li>A social enterprise or a social business group under the law on social enterprise promotion;<\/li>\n<li>A cooperative, federation of cooperatives, or farmers\u2019 group under the law on cooperatives;<\/li>\n<li>A foundation, association, religious organisation or a non-profit organisation;<\/li>\n<li>A condominium juristic person under the laws governing condominiums, and a housing estate juristic person under the laws on land allocation;<\/li>\n<li>A family business or other business with similar characteristics; or<\/li>\n<li>A business operated by a natural person.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically impose data retention limitations? 
If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no explicit requirement to have data retention and disposal policies and procedures (except in the case of criminal records, which should not be retained for more than 6 months). However, Controllers must, under the PDPA, implement whatever systems are necessary to ensure the erasure and destruction of Personal Data upon any of the following occurrences:<\/p>\n<ul>\n<li>when its prescribed retention period ends;<\/li>\n<li>when it becomes irrelevant, or its retention exceeds the purpose for which it was collected; or<\/li>\n<li>when a data subject has requested its erasure or destruction, or when a data subject withdraws consent.<\/li>\n<\/ul>\n<p>The above requirement does not apply to the retention of Personal Data for certain purposes (e.g., the exercise of freedom of speech, the performance of a Controller\u2019s duty in the public interest or as required by the state, or the establishment, compliance with, or exercise of rights under the law).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no explicit requirement to consult with the PDPC or the Office. In practice, organisations may consult with the PDPC or the Office on PDPA compliance-related matters. 
This can be done through informal channels (such as telephone inquiries), formal written requests, or by arranging meetings to seek guidance on specific issues.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, Controllers and Processors shall designate a data protection officer (\u201c<strong>DPO<\/strong>\u201d) in the following circumstances:<\/p>\n<ol>\n<li>the Controller or Processor is a public authority as announced by the PDPC;<\/li>\n<li>the activities of the Controller or Processor in the processing of Personal Data require regular monitoring of the Personal Data or the system, by reason of the large volume of Personal Data, as announced by the PDPC; or<\/li>\n<li>the core activity of the Controller or Processor is the processing of sensitive Personal Data.<\/li>\n<\/ol>\n<p>In 2023, the Notification re: The Appointment of DPO under Section 41(2) of the PDPA B.E. 2566 (2023) was introduced by the PDPC. 
This notification sets out the key criteria for the circumstance stated in (2) above, namely that Controllers and Processors shall appoint a DPO where their core activities consist of processing operations which require regular or systematic monitoring of Personal Data on a large scale.<\/p>\n<p><u>Regular or systematic monitoring of Personal Data:<\/u> If any core activities involve tracking, monitoring, analysing, or profiling that processes Personal Data regularly or systematically, they will be deemed processing activities requiring regular or systematic monitoring of Personal Data. The notification further prescribes specific cases that are deemed regular or systematic monitoring, e.g., processing of data from membership cards, public transportation cards, and electronic cards, activities involving credit scoring or fraud prevention, and behavioural advertising.<\/p>\n<p><u>On a large scale:<\/u> The notification provides specific cases deemed large-scale processing, as follows:<\/p>\n<ul>\n<li>processing as part of core activities with 100,000 or more data subjects;<\/li>\n<li>processing for behavioural advertising through widely used search engines or online social media platforms;<\/li>\n<li>processing of customers\u2019 or service users\u2019 Personal Data in the usual operations of companies dealing with life insurance, non-life insurance, and financial institution businesses, excluding operations of the credit bureau and its members as defined by credit information business laws; or<\/li>\n<li>processing of customers\u2019 or service users\u2019 Personal Data by licensees of the Telecommunications Business Operators Type 3 according to the telecommunication business operation laws.<\/li>\n<\/ul>\n<p>If the core activities do not fall under the above cases, the notification further provides four key factors which must be considered when determining whether the processing is carried out on a large scale: (1) the number of data subjects, 
(2) the volume of data, (3) the duration of processing and (4) the geographical extent of the processing activities.<\/p>\n<p>As to the legal responsibilities of the appointed DPO, the PDPA stipulates that the DPO shall:<\/p>\n<p>a. provide advice to Controllers or Processors, including their employees or service providers, with respect to compliance with the PDPA;<\/p>\n<p>b. investigate the performance of Controllers or Processors, including their employees or service providers, with respect to the processing of Personal Data for compliance with the PDPA;<\/p>\n<p>c. coordinate and cooperate with the Office where problems arise with respect to the processing of Personal Data undertaken by Controllers or Processors, including their employees or service providers, in relation to compliance with the PDPA; and<\/p>\n<p>d. keep confidential the Personal Data known or acquired in the course of his or her performance of duties under the PDPA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPC Notification on Security Safeguard Measures, organisations are required to implement appropriate security measures. 
This includes ensuring that personnel are made aware of data protection policies, practices, and security requirements, and are adequately trained to handle Personal Data.<\/p>\n<p>According to the PDPC\u2019s checklist, organisations are expected to conduct data protection training at least annually and to tailor such training to different categories of personnel, taking into account their roles and responsibilities, in order to ensure appropriate risk management.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Prior to or at the time of collection of Personal Data, a Controller must give notice to the data subject. Such notice must consist of the following items, except where the data subject is already aware of such information:<\/p>\n<ul>\n<li>purpose of processing, including the corresponding legal bases;<\/li>\n<li>notification of a case where a data subject must provide his or her Personal Data for compliance with law or a contract, or where it is necessary to provide Personal Data to enter into the contract, including notification of the possible effect of the data subject not providing such Personal Data;<\/li>\n<li>Personal Data to be collected and the retention period. 
If it is not possible to specify a retention period, the expected retention period according to data retention standards must be specified instead;<\/li>\n<li>categories of persons or entities to whom the collected Personal Data may be disclosed;<\/li>\n<li>information, address, and contact details of the Controller or data protection officer;<\/li>\n<li>rights of the data subject as prescribed under the PDPA; and<\/li>\n<li>details of cross-border transfers.<\/li>\n<\/ul>\n<p>However, there is no mandatory form of notice. It is advisable that Controllers act reasonably and use communication channels that afford data subjects ample opportunity to be notified of, and learn, these details.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction distinguish between the responsibilities of \u201ccontrollers\u201d and those of \u201cprocessors\u201d (or equivalent terms) of personal data? If so, how are such terms defined and what are the key distinctions between the obligations of controllers and processors (or equivalent terms)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is a distinction under the PDPA, as outlined previously, and an entity\u2019s position determines its roles and authorities.<\/p>\n<p>Both positions carry statutory obligations and liabilities irrespective of the clarity of any contract between them.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. 
How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not contain a detailed standalone regime governing monitoring, profiling, automated decision-making or cookies. As a general matter, these activities are treated as forms of processing of personal data and are therefore subject to the ordinary PDPA requirements. The PDPA does, however, expressly refer to the monitoring of a data subject\u2019s behaviour in Thailand in the context of its extraterritorial application, although it does not further define monitoring or regulate tracking technologies such as cookies in detail.<\/p>\n<p>There is also a draft subordinate law (i.e., a draft PDPC notification regarding the obligation of Controllers to facilitate a data subject\u2019s right not to be subject to a decision based solely on automated processing, including profiling).<\/p>\n<p>Under the draft:<\/p>\n<p><u>Definition of \u201cProfiling\u201d and \u201cAutomated Decision-Making\u201d<\/u><\/p>\n<ul>\n<li>\u201cProfiling\u201d means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person\u2019s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.<\/li>\n<li>\u201cAutomated Decision-Making\u201d means a process of making a decision by automated means without human involvement. 
These decisions are based on Personal Data acquired from a data subject or created by a Controller or Processor.<\/li>\n<\/ul>\n<p><u>Key obligations of Controllers regarding the implementation of Automated Decision-Making<\/u><\/p>\n<ul>\n<li>Controllers must provide for decision-making by humans or with human involvement where a data subject does not wish the decision to be based solely on automated processing, including profiling. However, such obligations are subject to several conditional exemptions (e.g., where the Automated Decision-Making is necessary for entering into or performing a contract, is authorised by law, or the decision is based on the data subject\u2019s explicit consent).<\/li>\n<li>There must not be any Automated Decision-Making for sensitive Personal Data, unless a data subject\u2019s explicit consent is obtained and appropriate measures to protect the rights and freedoms of the data subject have been put in place.<\/li>\n<\/ul>\n<p>However, it should be noted that, as of this date, this subordinate regulation remains in draft form, and its status has been uncertain for a considerable period. It is therefore unclear whether, when, or in what form it will ultimately come into force, and there remains a possibility that it may be further revised or may not be enacted at all.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the laws in your jurisdiction include specific rules, requirement or regulator guidance regarding the use of cookies, pixels, online tracking and\/or targeted advertising? Please describe any restrictions on targeted advertising and\/or cross context behavioral advertising. 
How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Thailand does not currently have specific statutory rules or regulator guidance that separately define or regulate cookies, pixels, online tracking, targeted advertising, or cross-context behavioural advertising as standalone concepts. Instead, these activities are assessed under the general provisions of the PDPA to the extent they involve the processing of personal data. Accordingly, where cookies or similar tracking technologies are used for analytics, profiling, or advertising purposes, rather than being strictly necessary for the requested service, the controller must ensure compliance with the PDPA\u2019s general requirements, including transparency, lawful basis, purpose limitation, and data subject rights. In practice, consent will often be the most appropriate basis for non-essential advertising or tracking activities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically restrict or regulate  the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d? How is \u201csale\u201d and\/or \u201cdata broker\u201d or (similar\/related terms) defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Thailand does not currently have a separate legal concept of \u201csale\u201d of personal data or \u201cdata broker\u201d under the PDPA, and there are no specific standalone rules directed at data brokers as such. 
Instead, any sale, transfer, sharing, or similar monetisation of personal data is assessed under the PDPA\u2019s general framework governing the collection, use, or disclosure of personal data, including lawful basis, transparency, purpose limitation, and data subject rights.<\/p>\n<p>That said, unlawful disclosure or transfer of personal data may still expose the relevant party to civil, administrative, and criminal liability under the PDPA. In particular, the PDPA provides criminal penalties for certain unlawful disclosure of personal data where the offence is committed in a manner likely to cause damage, impairment of reputation, humiliation, or hatred to the data subject.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically regulate or restrict marketing and electronic communications, including telemarketing\/telephone solicitations and \u2018robocalls\u2019, email marketing, SMS\/text messaging or other direct marketing? Please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no definition of, or a separate concept for these activities, nor are there any specific restrictions applicable to them under the data protection laws. All general principles and concepts broadly applicable to the processing of Personal Data will also apply, as relevant, to these and similar activities. 
In practice, however, the use of Personal Data for direct marketing is often viewed as a processing activity for which consent would be the most appropriate lawful basis under the PDPA, particularly where the communication is promotional in nature and not strictly necessary for the performance of a contract.<\/p>\n<p>Nevertheless, use of Personal Data for direct marketing via profiling or target marketing towards minors or vulnerable individuals may obligate Controllers to carry out a DPIA for such processing activity. Please refer to our response to Question No. 19 for clarification regarding DPIA.<\/p>\n<p>In addition to the PDPA, there are requirements relating to marketing communications in Thailand under the Computer Crime Act B.E. 2550 (2007) (the \u201c<strong>CCA<\/strong>\u201d). The CCA prohibits the sending of computer data or emails to other persons in any manner which disturbs recipients. There are certain exemptions prescribed under the relevant subordinate notification of the Ministry of Digital Economy and Society, which clarifies the characteristics and methods of sending data without disturbing recipients. These include, among others, the sending of computer data or email to communicate or evidence a contractual relationship already agreed between the sender and the recipient, including communications relating to employment, hire of work, or other agreed benefits, as well as delivery of goods or services previously agreed between the parties, such as membership or subscription arrangements.<\/p>\n<p>From the above, marketing communications should reasonably fall within the exemption of not disturbing the recipient if such sending has been agreed upon between the sender and the recipient, for example, in the case of members, subscribers, or individuals who registered to receive newsletters. 
If not, opt-in consent from the recipient would generally be required.<\/p>\n<p>In such cases, the CCA also requires the sender to provide a message setting out an easy method to opt out, including technical means enabling the recipient to terminate or refuse further communications, such as by email address, telephone number, facsimile number, contact address, URL, electronic form, or other computer-based command enabling the recipient to unsubscribe or decline receipt. Where the recipient has opted out, the sender must cease sending such communications promptly and, in certain cases, within 7 days from receipt of the opt-out request.<\/p>\n<p>The provisions of the CCA may also apply to marketing communications sent to general corporate email addresses that are not linked to a specific named individual.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction regulate, restrict or impose specific obligations on the processing of biometric data, such as facial recognition. If so, how are the relevant terms defined?  Are these obligations focused on the collection, use and processing of unique biometric \u2018identifiers\u2019 (rather than any sort of biometric measurements) ?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>\u201cBiometric Data\u201d is defined under the PDPA as personal data resulting from the use of technological processing relating to the physical or behavioural characteristics of a natural person, which enables or confirms the unique identification of that person, such as facial recognition data, dactyloscopy data, or iris recognition data. 
As biometric data is classified as sensitive personal data under the PDPA, its collection, use, and disclosure are subject to the stricter rules applicable to sensitive personal data, including the need for a valid legal basis and, in many cases, explicit consent. The regulation is therefore focused on biometric data used for unique identification, rather than biometric measurements in a broader or purely technical sense.<\/p>\n<p>In addition, there is a draft supplementary regulation on appropriate protection measures for processing sensitive personal data, which would impose further obligations on controllers processing such data, including requirements relating to protection measures and internal policy documentation. However, this draft has not yet been enacted.<\/p>\n<p>A notable recent enforcement example is the Worldcoin case. In November 2025, the PDPC reportedly ordered the relevant operator in Thailand to suspend the iris-scan service and delete approximately 1.2 million records that had already been collected. Public reporting suggests that the regulator\u2019s concerns included the collection of iris data in exchange for cryptocurrency or similar benefits, the adequacy of the consent process, and the risk of overseas transfer of such data. While this case did not create a separate statutory regime for biometric data, it is a significant indication that the PDPC takes a strict approach where biometric identifiers are collected for large-scale identity verification, and that it expects a clear legal basis, strong transparency, and careful handling of cross-border issues in such cases.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data protection laws in your jurisdiction that specifically address or apply to artificial intelligence or machine learning (\u201cAI\u201d).  
If so, do these laws specifically apply to the processing of personal information related to AI, or more broadly?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not contain a standalone statutory regime specifically governing artificial intelligence or machine learning. Rather, AI-related activities are currently regulated through the PDPA\u2019s general rules to the extent they involve the processing of personal data.<\/p>\n<p>Nonetheless, the PDPC released draft Guidelines on Personal Data Protection in the Development and Use of Artificial Intelligence for public consultation. This indicates the PDPC\u2019s proposed approach to applying existing PDPA principles in the AI context, including issues such as lawful basis, transparency, data minimisation, role allocation, impact assessments for higher-risk AI use cases, security controls, and the exercise of data subject rights.<\/p>\n<p>Separately, Thailand also has broader AI governance guidance issued by ETDA, but that guidance applies more generally to AI governance and is not limited to personal data protection.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data localization requirements in your jurisdiction?  In other words, are there any circumstances where some or all personal data is required to be stored locally, or prohibited from being transferred to or stored in certain jurisdictions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not impose a general data localisation requirement. Personal data is not generally required to be stored in Thailand, and there is no blanket prohibition on overseas storage. 
Instead, cross-border transfers are governed by the PDPA\u2019s international transfer rules, under which transfers to a foreign country or international organisation must generally be made to a destination with adequate data protection standards or otherwise satisfy the applicable safeguards or exceptions.<\/p>\n<p>That said, certain sector-specific rules may have practical localisation or local-availability effects. In the financial sector, the Bank of Thailand permits outsourcing both domestically and overseas, but requires regulated institutions to ensure regulator access, audit rights, and the availability of relevant data and systems. In the capital markets sector, SEC outsourcing rules similarly require service providers to permit SEC inspection and retrieval of relevant documents and information. In the insurance sector, OIC rules contemplate approved locations for data operations units and document storage, which may also create local operational requirements in practice, even if they do not amount to a general prohibition on offshore storage.<\/p>\n<p>Certain government agencies may also impose their own internal information security requirements. For example, the Regulation of the National Intelligence Agency on the Use of Computers and Computer Networks B.E. 2552 (2009) distinguishes between internal networks under the Agency\u2019s control and other networks, reflecting a controlled internal-storage approach for sensitive agency information.<\/p>\n<p>As regards cloud localisation, there does not currently appear to be any generally applicable requirement under Thai data protection law that personal data must be hosted on Thai-based cloud infrastructure. However, some public-sector and sector-specific rules may produce a similar effect in practice. 
In particular, Thailand\u2019s developing Cloud First framework, together with draft government cloud, data-classification, and cloud cybersecurity guidance, may encourage certain agencies to use domestic hosting, government-controlled environments, or other controlled cloud arrangements depending on the classification, sensitivity, and security requirements of the data concerned.<\/p>\n<p>Accordingly, the Thai position is best described as no general localisation requirement under the PDPA, but with sector-specific, supervisory, and internal governmental requirements that may in practice require certain data, records, or systems to be maintained locally or remain readily accessible from Thailand.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted, under certain circumstances? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not prohibit the transfer of personal data outside Thailand, but it does impose restrictions on such transfers. As a general rule, personal data may be transferred to a foreign country or international organisation only where the destination has adequate data protection standards or the transfer otherwise satisfies the applicable safeguards or statutory exceptions under the PDPA. 
At present, we are not aware of any published PDPC adequacy decision designating specific jurisdictions as adequate.<\/p>\n<p>Where adequacy is not available, businesses typically rely on one of the recognised alternative mechanisms. These include the applicable statutory exemptions (such as consent, compliance with law, contractual necessity, vital interests, or transfers for important public interest reasons) or appropriate safeguards. In practice, the most relevant safeguards are Binding Corporate Rules (BCRs) for intra-group transfers and Standard Contractual Clauses (SCCs). Thailand recognises both a Thai model and certain overseas SCC models, including the ASEAN Model Contractual Clauses and the GDPR SCCs.<\/p>\n<p>A notable development is that, in 2025, the PDPC Office issued the Regulations on the Review and Certification of Binding Corporate Rules B.E. 2568 (2025), which establish the process for the review and certification of BCRs. Accordingly, no general notification to or prior approval from the regulator is required for ordinary cross-border transfers, but businesses relying on BCRs must follow the PDPC Office\u2019s certification framework, whereas businesses relying on SCCs or a statutory exemption typically comply contractually and operationally without separate advance authorisation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA imposes general security obligations on both controllers and processors. 
Controllers must implement appropriate security measures to prevent unauthorised or unlawful access to, use, alteration, correction, or disclosure of personal data, and to prevent accidental or unlawful loss, destruction, or damage. These measures must be reviewed where necessary or when technology changes, and must meet the minimum standards prescribed by the PDPC. Controllers must also ensure that any person receiving personal data from them does not use or disclose it unlawfully or without authority. Processors are likewise required to implement appropriate security measures and to notify the relevant controller of any personal data breach.<\/p>\n<p>In addition, controllers must notify the PDPC Office of a personal data breach without delay and, where feasible, within 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject. If the breach is likely to result in a high risk, the controller must also notify the affected data subjects without delay and inform them of any available remedial measures. The PDPC\u2019s breach notification rules further clarify the reporting process and the meaning of a personal data breach.<\/p>\n<p>More specifically, the PDPC Notification on Security Measures of the Data Controller B.E. 2565 (2022) requires security safeguards to cover all forms of personal data processing, whether physical or electronic, and to include appropriate organisational and technical measures, and where appropriate, physical measures. In substance, the framework focuses on risk assessment, protection against identified risks, confidentiality, integrity and availability, access controls, user authentication and access management, oversight of processors, and privacy\/security awareness for relevant personnel. 
At present, these remain the principal data security requirements under Thai data protection law, with enforcement attention continuing to focus on inadequate safeguards and failures to report breaches.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there more specific security obligations for certain types of personal data (e.g., sensitive data or special categories of personal data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not establish a wholly separate security framework for each category of personal data. Instead, the general security obligations under the PDPA apply across all personal data, with the nature, sensitivity, and risk of the data being relevant factors in determining what measures are appropriate. As a result, controllers processing sensitive personal data would generally be expected to adopt more stringent safeguards in practice.<\/p>\n<p>This is reflected in the PDPC Notification on Security Measures of the Data Controller B.E. 2565 (2022), which requires security measures to be appropriate having regard to the level of risk and the nature of the processing. In addition, under the personal data breach rules, if a breach is likely to result in a high risk to the rights and freedoms of the data subject, the controller must notify the affected data subjects without delay, which may be more likely where the compromised data includes sensitive personal data.<\/p>\n<p>A more specific regime applies to criminal record data. 
Criminal record data is classified as sensitive personal data under the PDPA and is also subject to the PDPC Notification on Criteria Concerning Protection Measures for the Collection of Personal Data Relating to Criminal Records Not under the Control of the Competent Official Authorities B.E. 2566 (2023), which took effect on 9 March 2024. That notification limits collection to cases where there is a legal basis for criminal-record checking or the data subject\u2019s explicit consent, and requires the collection to be tied to specified purposes, such as recruitment, suitability assessment, or qualification checks. It also requires the controller to notify the data subject of the necessity for collecting such data and, where consent is relied upon, the consequences of refusing or withdrawing consent.<\/p>\n<p>The notification also imposes more specific protection measures. In particular, the controller must implement appropriate organisational and technical safeguards, and physical measures where necessary, for the collection, use, and disclosure of criminal record data. In addition, unless another law requires retention or there remains a lawful necessity, such data may not generally be retained for more than 6 months after completion of the relevant purpose, unless explicit consent supports further retention; after that, it must be erased, destroyed, or anonymised appropriately.<\/p>\n<p>Accordingly, while Thai law is generally based on a common risk-based security framework, it does impose additional specific requirements in certain cases, particularly for criminal record data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? 
If so, how do such laws define a security breach (or similar term) and under what circumstances and within what timeframe must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, a personal data breach is generally defined as a breach of security measures resulting in the unauthorised or unlawful loss, access to, use, alteration, modification, or disclosure of personal data. The relevant PDPC notification further recognises three categories of breach: confidentiality breach, integrity breach, and availability breach.<\/p>\n<p>Where a breach occurs, the controller must notify the PDPC Office without delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject. If the breach is likely to result in a high risk to the rights and freedoms of the data subject, the controller must also notify the affected data subjects without delay. The processor must notify the relevant controller without delay after becoming aware of the breach.<\/p>\n<p>A notable clarification in recent guidance is that the 72-hour period begins when the controller reasonably believes that a breach has occurred or is likely to have occurred following a preliminary assessment, rather than only after every detail has been fully confirmed. 
Controllers are also expected to assess the incident, keep appropriate records, and take steps to prevent or mitigate further harm.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA provides for the following individual data privacy rights:<\/p>\n<p>i. Right to be notified of Personal Data collection and processing, prior to or during collection of Personal Data. Such notification shall consist of information such as purpose of collection, use, or disclosure of Personal Data, specific Personal Data to be collected, and retention period, etc.<\/p>\n<p>ii. Right to access a data subject\u2019s own Personal Data, with exceptions of the following: (i) denial of access due to an applicable law or court order; or (ii) access may cause a detrimental effect on other data subjects\u2019 right and freedom.<\/p>\n<p>iii. Right to receive a data subject\u2019s own Personal Data from a Controller or to request a Controller to transfer such Personal Data to other Controllers.<\/p>\n<p>iv. Right to correct incomplete or inaccurate parts of Personal Data, although a Controller may verify the accuracy of new information provided by data subjects.<\/p>\n<p>v. 
Right to suspend use of Personal Data in any of the following events: (i) when a Controller is in the process of verifying certain information in order to rectify, update, complete, or correct errors in Personal Data upon a request of the data subject; (ii) when Personal Data is to be erased as requested by a data subject but the data subject instead requests to suspend its use; (iii) when it is no longer necessary to store Personal Data, but a data subject requests a Controller to continue to store such Personal Data for establishing legal claims, legal compliance, or the exercise of legal rights or defences; or (iv) when a Controller is in the process of verifying its legitimate rights in its data collection or processing for purposes specified by law.<\/p>\n<p>vi. Right to oppose collection, use, or disclosure of a data subject\u2019s own Personal Data at any given time, with the exception of Personal Data which is: (i) collected under bases other than consent (unless a Controller is able to prove that such collection, use, or disclosure is more legitimate or is for the exercise of the Controller\u2019s rights under the laws); and (ii) collected, used, or disclosed for scientific, historic, or statistical purposes (unless necessary for the Controller to perform a task carried out in the public interest) or for the purpose of direct marketing.<\/p>\n<p>vii. Right to delete a data subject\u2019s own Personal Data or to render such Personal Data unidentifiable in the following cases: (i) there is no further necessity for retention of such Personal Data; (ii) the data subject retracts consent and there is no other basis for retention of such Personal Data; (iii) the data subject opposes collection, use, or disclosure and a Controller cannot deny such request.<\/p>\n<p>viii. Right to withdraw consent at any time. However, withdrawal of consent will not have any effect on the Controller\u2019s previous data processing.<\/p>\n<p>ix. 
Right to file a complaint with the supervisory authority (i.e., the Office) if the data subject believes that a Controller fails to comply with any requirements under the PDPA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction allow or provide for a private right of action for violations?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances in which a private right of action applies and\/or a class action may be brought, and whether types of claims\/violations present a higher risk of a private right of action or class action (e.g., are there statutory damages or presumed harm for certain violations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, a data subject has the right to file a complaint with the relevant authority (i.e., the PDPC or the Office) in the event that a Controller or Processor, including their employees or service providers, violates or fails to comply with any provision of the PDPA or any notifications issued thereunder. 
In addition, a data subject who has suffered damage may bring a civil claim against a Controller and\/or Processor that has caused such damage, seeking compensation for actual damages as well as punitive damages.<\/p>\n<p>The PDPA allows for punitive damages in addition to actual damages, to be awarded by a court as it deems fit, provided that such punitive damages shall not exceed two times the amount of actual damages.<\/p>\n<p>As for class action litigation, Thai procedural law does provide a mechanism for class action lawsuits, which could, in principle, be used in the context of PDPA violations, though there is no specific provision under the PDPA itself that addresses class actions.<br \/>\nSee our response to Question No. 43 for a more detailed explanation on class action.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, individuals are entitled to monetary damages. The PDPA also allows for punitive damages in addition to actual damages to be rendered by a court as it deems fit but shall not exceed two times the amount of actual damages.<\/p>\n<p>While it is stated under the PDPA that data subject is entitled to compensation when \u201cdamage\u201d is caused towards such data subject from non-compliance of a Controller or Processor, there is no clear precedent on what constitutes damage. 
Given courts\u2019 interpretation of \u201cdamages\u201d in similar legal concepts (i.e., tort law), it is possible that injury of feelings is sufficient to prove damage if such injury is a direct result from such non-compliance.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are three main governmental authorities enforcing the PDPA:<\/p>\n<ol>\n<li><u>The PDPC:<\/u> The PDPC is mainly responsible for enactment of regulations, notifications, and guidelines relating to Personal Data protection, along with providing interpretation and decision regarding the PDPA and its supplemental laws.<\/li>\n<li><u>The Office:<\/u> The main objectives of the Office include provision of support for development of Personal Data protection within Thailand, such as development of security technology, keeping records of development of Personal Data protection around Thailand, provision of consultation to other governmental or business entities regarding Personal Data protection, and processing of complaints from data subjects.<\/li>\n<li><u>PDPC Eagle Eye:<\/u> In addition to the above authorities, the PDPC has launched the &#8220;PDPC Eagle Eye&#8221; initiative as a proactive enforcement mechanism to monitor and inspect organisations&#8217; compliance with the PDPA. Through this initiative, the PDPC systematically reviews and audits websites, applications, and online platforms to assess compliance with key PDPA requirements, including the adequacy of privacy notices, cookie consent mechanisms, and data collection practices. 
The PDPC Eagle Eye serves as a tool for the PDPC to identify potential non-compliance issues and to take enforcement action where necessary, reflecting the PDPC&#8217;s increasingly active stance on data protection enforcement in Thailand.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are four types of penalties as prescribed under the PDPA and the relevant regulations:<\/p>\n<ol>\n<li><u>Penalties for civil breach <\/u><\/li>\n<\/ol>\n<p>A damaged data subject may bring a civil suit against a Controller and\/or Processor who has\/have wronged him\/her. 
The compensation will include actual damages as well as punitive damages as outlined above.<\/p>\n<ol start=\"2\">\n<li><u>Penalties for criminal breach<\/u><\/li>\n<\/ol>\n<p>The relevant authority under the PDPA may pursue a criminal case against a Controller for certain serious misconduct, and the maximum penalties are imprisonment not exceeding one year or a fine not exceeding THB 1,000,000, or both.<\/p>\n<p>Relevant directors or managers of a breaching Controller or Processor may be liable to the same penalties as well.<\/p>\n<ol start=\"3\">\n<li><u>Penalties for administrative breach<\/u><\/li>\n<\/ol>\n<p>The relevant authority under the PDPA may also pursue an administrative case against a Controller or Processor who has committed a wrongful act under the PDPA, and the maximum fine is THB 5,000,000.<\/p>\n<ol start=\"4\">\n<li><u>Penalties for unlawful benefit from personal data (e.g., sale)<\/u><\/li>\n<\/ol>\n<p>Under the Emergency Decree on Measures for the Prevention and Suppression of Technology Crimes (No. 2), B.E. 2568 (2025), seeking unlawful benefit from personal data (e.g., through sale) may constitute a criminal offence, punishable by imprisonment for up to five years and\/or a fine of up to THB 500,000.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no specific process under the PDPA. However, orders of the regulators (i.e., the PDPC or the Office) are considered as administrative orders which can be appealed under administrative procedures. 
The appeal process involves submitting a formal appeal to the Administrative Court of Thailand, setting out the grounds for the appeal and any supporting evidence. The court will review the case and issue a determination based on the merits of the appeal.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide an overview of these obligations and explain their scope\/applicability.  For example, are all organizations subject to the requirement or only to certain organizations (e.g., based on size, sector, critical infrastructure designation, public company)?  Are there specific and\/or additional regulations for different industries (e.g., finance, healthcare, government)?.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cybersecurity Act B.E. 2562 (2019) (\u201c<strong>Cybersecurity Act<\/strong>\u201d) is the principal legislation governing cybersecurity, aiming at protecting the country\u2019s significant information systems and information technology infrastructure. The Cybersecurity Act imposes several obligations on government agencies, regulatory organisations, and organisations designated as critical information infrastructure (\u201c<strong>CII<\/strong>\u201d) (collectively, \u201c<strong>Regulated Entities<\/strong>\u201d). 
These obligations include the following:<\/p>\n<ul>\n<li>preparing a code of practice and a standard framework for maintaining Cybersecurity in accordance with standards prescribed by relevant regulations and guidelines;<\/li>\n<li>preventing, coping with, and mitigating risks from cyber threats in accordance with such code of practice; and<\/li>\n<li>appointing executive officials and operational officials for coordinating cybersecurity efforts with the National Cybersecurity Agency (\u201c<strong>NCSA<\/strong>\u201d).<\/li>\n<\/ul>\n<p>In addition, the Cybersecurity Act designates certain institutions as supervising organisations, which are tasked with supervising and regulating the operations of those Regulated Entities (\u201c<strong>Supervising Organisation<\/strong>\u201d).<\/p>\n<p>The Regulated Entities under the Cybersecurity Act are government agencies, the Supervising Organisations and the CII organisations. The NCSA is empowered to prescribe the characteristics of the organisations that qualify as the CII.<\/p>\n<p>On 16 September 2025, the NCSA issued the Notification of the NCSA, B.E. 2568 (2025) Re: Criteria and Characteristics of Agencies Whose Missions or Services Qualify Them as Critical Information Infrastructure (CII) Organizations, and the Assignment of Oversight and Regulatory Authority (the \u201c<strong>CII Notification<\/strong>\u201d), which updated and replaced the previous criteria for the designation of CII organisations. 
Under the CII Notification, a \u201cCritical Information Infrastructure Organization\u201d is defined as any government or private sector entity whose mission or services involve critical information infrastructure.<\/p>\n<p>Pursuant to the CII Notification, the sectors and services that may qualify an entity as a CII organisation include the following:<\/p>\n<ul>\n<li><strong>National security:<\/strong> including defence, law enforcement, and intelligence functions;<\/li>\n<li><strong>Key Public Services<\/strong>: including financial systems, public finance, civil registration, and national identification systems;<\/li>\n<li><strong>Information technology and telecommunications:<\/strong> including the Domain Name System (DNS), core IT infrastructure, and international telecommunications services via terrestrial and submarine networks;<\/li>\n<li><strong>Transportation and logistics: <\/strong>including land, rail, water, and air transport systems;<\/li>\n<li><strong>Energy and public utilities: <\/strong>including electricity generation and distribution, petroleum, gas (including distribution), and water supply;<\/li>\n<li><strong>Public health:<\/strong> including medical services, pharmaceutical production, medical devices, and health data systems; and<\/li>\n<li>Others as may be prescribed by the NCSC.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose formal cybersecurity audit or certification requirements? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Thailand&#8217;s principal cybersecurity legislation, the Cybersecurity Act B.E. 
2562 (2019), imposes formal audit requirements on Critical Information Infrastructure (&#8220;CII&#8221;) organisations. CII organisations must prepare a code of practice that includes a plan for examining and assessing cybersecurity risks by an internal auditor or an independent external auditor at least once a year. Furthermore, CII organisations are required to conduct annual cybersecurity risk assessments and submit summary reports to the Office of the National Cybersecurity Committee (NCSA) within 30 days of completion.<\/p>\n<p>The NCSA also has broad powers to conduct inspections and audits of CII entities to assess compliance with applicable cybersecurity standards. While the Cybersecurity Act does not prescribe a standalone certification regime, the National Cybersecurity Committee is empowered to support the certification of cybersecurity standards for CII organisations, government agencies, and supervising organisations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding vendor and supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cybersecurity Act does not explicitly impose specific requirements regarding supply chain management. 
However, it does require the Regulated Entities to comply with the cybersecurity standards and measures prescribed by the relevant authorities, which may include aspects of supply chain management.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, please provide an overview of the requirement, including whether there are any formalities that must be observed regarding such appointment (e.g., board-approval, reporting line structure, notification to regulatory body).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cybersecurity Act imposes information sharing requirements in the context of cybersecurity incidents. The Regulated Entities are required to report any cyber threat incidents to the relevant regulating office and their Supervising Organisations without delay. The key supervising bodies under the Cybersecurity Act, CRC and the NCSA, are also authorised to request information, documents, or cooperation from any person related to or affected by a cyber threat, and to share information and resources with both the public and private sectors.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific reporting or notice obligations in the context of cybersecurity incidents?  
If so, how do such laws define a cybersecurity incident and what are the reporting and notification requirements (please also note whether these laws require reporting of certain cyber security incidents, regardless of whether there has been a \u2018breach of personal data\u2019)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cybersecurity Act defines a cybersecurity incident as any event caused by any action or unlawful undertaking committed through a computer or computer system which may damage or affect cybersecurity, or the cybersecurity of a computer, computer data, computer system, or other data related to the computer system, and defines a cyber threat as any action or unlawful undertaking using a computer, computer system, or undesirable programme with an intention to cause any harm to the computer system, computer data, or other relevant data, and posing an imminent threat of causing damage to or affecting the operation of a computer, computer system, or other relevant data. The Cybersecurity Act further classifies cyber threats into three levels: non-critical, critical, and crisis, depending on the nature, severity, and impact of the threat.<\/p>\n<p>Once a cyber threat incident occurs, the Regulated Entities are required to report the incident to the NCSA and their respective Supervising Organisations without delay. They must also cooperate and assist in preventing, coping with, and mitigating the risks posed by the cyber threat. 
The CRC and the NCSA are then authorised to:<\/p>\n<ul>\n<li>notify the public of the cyber threat incident, as deemed necessary and appropriate;<\/li>\n<li>request information, documents, or cooperation from any person related to or affected by the cyber threat; and<\/li>\n<li>access, examine, monitor, seize, or freeze any computer, computer system, or any equipment related to or affected by the cyber threat, with or without a court order, depending on the level and urgency of the threat incident, and subject to certain conditions and safeguards.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Can individuals bring a private right of action for cybersecurity incidents or other violations of cybersecurity laws?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances in which a private right of action and\/or a class action may be brought?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. In Thailand, individuals may bring a private right of action primarily under the PDPA. A data subject may file an administrative complaint and\/or bring a civil claim against a controller or processor for non-compliance that causes damage.<\/p>\n<p>Thailand also permits class actions under the Civil Procedure Code. Claimants with substantially similar facts and legal issues may bring proceedings on a representative basis, subject to court certification (e.g., commonality and adequacy of representation). 
Data breaches affecting multiple individuals may therefore be suitable for class action claims.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Cybersecurity laws in Thailand are primarily enforced through the mechanisms established under the Cybersecurity Act, which grants enforcement authority to the National Cyber Security Committee (\u201c<strong>NCSC<\/strong>\u201d) and the NCSA. For organisations designated as the CII, the NCSA has the power to conduct inspections, request information, and issue orders to implement or improve cybersecurity measures. In cases of non-compliance, the NCSA may issue corrective orders, and failure to comply may lead to administrative or criminal penalties, depending on the severity and impact of the violation. In urgent situations involving threats to national security, the law also authorises the NCSA to take immediate actions, including accessing systems or ordering the suspension of operations, subject to oversight and subsequent review by the NCSC. 
Enforcement is generally proactive in CII sectors, while for other entities it may be reactive, triggered by incidents, complaints, or regulatory investigations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the Cybersecurity Act, regulators are granted broad powers of oversight, inspection, and audit, particularly in relation to entities classified as the CII. Key authorities involved include the NCSA, the CRC, and the NCSC, each with distinct but coordinated roles:<\/p>\n<p>The NCSA has authority to:<\/p>\n<ul>\n<li>conduct inspections and audits of the CII entities to assess compliance with applicable cybersecurity standards;<\/li>\n<li>require the submission of relevant information, documents, or access to computer systems and physical premises;<\/li>\n<li>issue corrective orders in cases of non-compliance or detected vulnerabilities;<\/li>\n<li>access or seize systems and data with court approval in serious cyber threat situations; and<\/li>\n<li>take immediate action without prior court approval in urgent cases, subject to subsequent judicial review.<\/li>\n<\/ul>\n<p>The CRC plays a supporting role by:<\/p>\n<ul>\n<li>setting minimum cybersecurity standards and codes of practice; and<\/li>\n<li>issuing technical directives to prevent or mitigate cyber threats, particularly within CII sectors.<\/li>\n<\/ul>\n<p>The NCSC provides overarching policy direction by:<\/p>\n<ul>\n<li>supervising the NCSA\u2019s activities and national enforcement priorities;<\/li>\n<li>coordinating with relevant agencies; and<\/li>\n<li>authorising or directing significant 
enforcement actions in response to national-level cybersecurity threats.<\/li>\n<\/ul>\n<p>This framework ensures that cybersecurity oversight in Thailand is both proactive and responsive, particularly in protecting essential services and national interests.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction? What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Penalties under the Computer Crime Act:<\/p>\n<ul>\n<li>Fine (criminal or not): Up to THB 500,000; and\/or<\/li>\n<li>Imprisonment: Up to 20 years.<\/li>\n<\/ul>\n<p>Penalties under the Cybersecurity Act:<\/p>\n<ul>\n<li>Fine (criminal or not): Up to THB 300,000; and\/or<\/li>\n<li>Imprisonment: Up to 3 years.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no specific process under the Cybersecurity Act. Please refer to our response to Question 37 for details regarding appeal procedures. 
In any case, the Cybersecurity Act stipulates that only decisions relating to a cyber threat classified as non-severe are eligible for appeal.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n\r\n\t\t\t<\/ol>\r\n\r\n<\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/139498","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=139498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}