Skip to main content
NOPE
In Effect Law Data Protection Context Relevance

Thailand PDPA

Thailand Personal Data Protection Act B.E. 2562 (2019)

Thailand's GDPR-style law. Health data requires explicit consent. First major fine (THB 7M) August 2024. Draft Royal Decree on AI proposes EU-style risk classification.

Jurisdiction

Thailand

TH

Enacted

May 27, 2019

Effective

Jun 1, 2022

Enforcement

Personal Data Protection Committee (PDPC)

Who Must Comply

This law applies to:

  • Data controllers/processors in Thailand
  • Foreign entities processing Thai residents' data

Who bears obligations:

Data ControllerData Processor

Safety Provisions

  • Section 26: Sensitive data (health) requires explicit consent
  • Section 27: Children's data restrictions
  • Automated decision-making transparency
  • Cross-border transfer restrictions
  • 72-hour breach notification

Enforcement

Enforced by

Personal Data Protection Committee (PDPC)

Penalties

THB 5M; criminal (up to 1yr)

Max fine: $5,000,000
Criminal liability(up to 1y)

Administrative: up to THB 5M (~$140K). Criminal: up to THB 1M and/or 1 year.

Quick Facts

Binding
Yes
Mental Health Focus
Yes
Child Safety Focus
Yes
Algorithmic Scope
No

Why It Matters

Active enforcement. Draft AI Royal Decree would add EU-style risk classification.

Recent Developments

First major fine THB 7M (Aug 2024). Draft AI Royal Decree proposes prohibited AI and high-risk classification.

What You Need to Comply

You need: explicit consent for health data; children's safeguards; 72-hour breach notification; cross-border mechanisms.

NOPE can help

Cite This

APA

Thailand. (2019). Thailand Personal Data Protection Act B.E. 2562 (2019). Retrieved from https://nope.net/regs/th-pdpa

BibTeX

@misc{th_pdpa,
  title = {Thailand Personal Data Protection Act B.E. 2562 (2019)},
  author = {Thailand},
  year = {2019},
  url = {https://nope.net/regs/th-pdpa}
}

Related Regulations

In Effect BN Data Protection

Brunei PDPO

Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.

In Effect IN Data Protection

India DPDP Act

STRICTEST children's provisions in APAC. Children = under 18; verifiable parental consent MANDATORY; PROHIBITION on tracking, behavioral monitoring, targeted advertising to children.

In Effect ID Data Protection

Indonesia PP 17/2025

Indonesia's comprehensive child online protection regulation establishing age-appropriate design requirements for electronic systems accessible to children. Most granular age classification globally (5 groups). Requires risk assessments, privacy-by-default, parental consent, DPIAs, and prohibits data profiling of children. First of its kind in Asia and Global South.

In Effect NP AI Safety

Nepal AI Policy

Nepal national AI policy establishing governance framework and development priorities. Creates AI Governance Council (chaired by Minister for Communications and IT), AI Regulation Council, National AI Centre, and AI Regulatory Authority. Six pillars including ethics, human resource development, and sectoral application.

In Effect PK AI Safety

Pakistan AI Policy

Pakistan's national AI roadmap establishing six strategic pillars: AI Innovation Ecosystem, Awareness and Readiness, Research and Development, Infrastructure, Governance, and International Cooperation. Creates National AI Fund (NAIF), Centres of Excellence in 7 cities, and targets training 200,000 individuals annually.

In Effect MM Online Safety

Myanmar Cybersecurity Law

Myanmar's cybersecurity law requiring platforms with 100,000+ users to register and imposing data retention requirements. Enacted post-2021 coup with uncertain enforcement.

Back to all regulations Check if this applies to you