

A summary of the seven key points you should know about the PDPA is as follows:

(1) Personal Data. The PDPA governs any data of a living person that could identify that person directly or indirectly. For example, any personal data of an individual handled by the company, including customer data, employee data, data of directors, shareholders, contractors, suppliers, seminar and market survey participants, and data involving customer complaints and inquiries, would be subject to the PDPA.

(2) Players. The Personal Data Protection Committee will be established to set out further sub-regulations and protect the rights of the data subjects. Any entities collecting, using, disclosing and/or transferring personal data will be required to comply with the PDPA as a data controller and/or a data processor (which have different roles and obligations).

(3) Applicability. The PDPA has extraterritorial applicability. Thus, data controllers and data processors both in and outside of Thailand could be subject to the PDPA.

(4) Legal basis. In order to collect, use, disclose and/or transfer personal data, the data controller has to rely on a legal basis, which could be consent or one of the other exemptions (e.g., vital interest, public interest, legal obligations, and legitimate interest).

(5) Personnel. The data controller and the data processor could be required to appoint a data protection officer and a representative in Thailand, subject to future sub-regulations.

(6) Rights of data subjects. The data controller has to guarantee the rights of the data subjects.

(7) Penalties. The PDPA imposes penalties for non-compliance. It is punishable with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of the actual damages. Furthermore, civil damages under the PDPA can be multiplied as Thailand now allows data subjects to bring a class action lawsuit. The director of a company could also be subject to penalties under the PDPA.

Scope of Applicability

The PDPA shall not apply to personal or household activities.

In terms of territory, the PDPA will apply to:

• any Data Controller or Data Processor residing in Thailand, regardless of whether or not the acquisition, usage or disclosure of the data is carried out in Thailand;

• a Data Controller or Data Processor residing outside of Thailand, if the subject of the aforesaid activities is data belonging to a person residing in Thailand, but only where:

a: goods or services are being offered to such persons, regardless of whether any payment is involved; and

b: behavior surveillance activities of such persons take place within Thailand.


The Data Administrator shall only obtain the data directly from the data subject.

The Data Administrator must inform the data subject of the purpose of collecting the data, what data is to be collected, and to whom the data will be disclosed.

Additionally, the request for consent must be clearly separated from other messages. The message must be delivered in a format which is easily accessible and understandable, using language that is easy to understand. The message should not be misleading or cause data subjects to misunderstand the purpose of collecting the data. The Commission may require the Data Administrator to request consent from the data subject in accordance with any announcement that the board may make from time to time.

The Thailand PDPA does not provide a specific definition of “sensitive data.” However, according to the PDPA, it is prohibited to collect information related to ethnicity, political opinions, religious beliefs, sexual orientation, criminal history, health information, disability, trade union information, genetic data, biological data or any other information that affects the data subject in the same way, unless there are specific laws which stipulate otherwise, e.g. for the protection of health or physical condition of the data

The PDPA does allow, in some limited circumstances, for an exemption to the requirement to obtain consent from the data subject where the data is collected from another person who is not the data subject.

In obtaining consent from the owner of the Personal Data, the Data Administrator must take into account the absolute independence of the owner of the personal information in giving the consent. In entering into a contract, including to provide any services, there must not be any condition for consent to be granted to collect, use or disclose personal information that is not necessary or relevant to entering into such contract or services.

Common duties: Data Protection Officers (“DPO”)

Similar to the GDPR, both the Data Controller and the Data Processor are required to appoint DPOs to inspect their handling of Personal Data. The types of organizations that are required to have a DPO are:

• a governmental body designated by the Commission;

• an organization wherein the activities of the Data Controller/Data Processor consist of collecting, using and disclosing Personal Data by virtue of the organization’s nature, or it requires routine monitoring due to the large scale of Personal Data being controlled or processed. However, the threshold of such scale remains to be prescribed by subordinated regulations; and

• an organization of which the core activities involve collecting, using and disclosing sensitive Personal Data.

What qualifications does a DPO need to have? Do I need to hire them?

Their qualifications are to be announced by subordinated regulations. However, considering that their duties are, for example, to provide advice to the Data Controller and the Data Processor in matters of compliance with the PDPA and to be the “contact persons” of the organization with regard to personal data protection matters, expertise and specialization in personal data protection matters is crucial.

A DPO can be an internal member of staff of the Data Controller or the Data Processor, or they can be an outsourced person.

Other than ensuring that the Personal Data’s owners are accorded the rights discussed in the topic above, a Data Controller is also required to perform the following:

• implement suitable measures to prevent loss, unauthorized access, alteration or disclosure of Personal Data. However, what shall count as “suitable measures” will be prescribed by the subordinated regulations, which are yet to be issued;

• ensure that a third party who is not a Data Controller that acquires the Personal Data does not use or disclose the Personal Data wrongfully, or without authorization;

• maintain written records relating to processing activities that can be inspected by data owners;

• delete Personal Data when the storage period expires, or the Personal Data is no longer relevant, exceeds the scope of necessity, or consent is withdrawn; and

• notify the Commission within 72 hours in case of a data breach, except in cases where such breach will not have a detrimental effect on the rights of the individual. If the breach will adversely affect the Personal Data owner, the Personal Data owner must also be notified and be presented with compensation measures.

Specific Duties for Data Processor

Other than the Data Processor’s duty not to use Personal Data in manners that are not lawfully instructed by the Data Controller, the PDPA also requires the Data Processor to:

• implement suitable measures for preventing loss, unauthorized access, alteration or disclosure of Personal Data; and

• maintain written records of processing activities that can be inspected by the data owners.

Civil Liability

Actual damages

If the Data Controller or the Data Processor carries out any action that does not comply with the PDPA and such action damages the Personal Data owner, regardless of whether such noncompliance was carried out intentionally or negligently, the Data Controller and Data Processor shall be liable for actual damages arising therefrom, except where they can prove that (i) the damages were a result of force majeure, or of actions of the data owner; or (ii) the non-compliant act was carried out in order to comply with an official’s lawful order.

Punitive damages

Under the PDPA, the court is also empowered to order the Data Controller or the Data Processor to pay “punitive damages” in addition to actual damages. Such punitive damages shall not exceed two times the actual damages owed. Factors that the court will take into consideration when deciding whether to order punitive damages are, for example, the financial status of the Data Controller or the Data Processor, and/or the extent of participation/involvement of the Data Controller or Data Processor in the act that resulted in such damage.

Criminal Penalties

Failure to comply with the PDPA may result in penalties being imposed on both the entity and any directors who collaborate to commit the offence or do not reasonably manage to prevent such offence. Such penalties include both fines and imprisonment.

Administrative Penalties

Administrative penalties in the case of violation of the PDPA shall not exceed THB 500,000 or THB 5 million, depending on the severity and type of violation.

Relentless: Your PDPA Partner of Choice

Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity services to companies of all sizes.


Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.


We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.

With a tailor-made approach, we work with our clients in executing each project to their specific need and help maximize the long-term business value of their compliance and privacy assurance strategies ensuring their global operations remain within the law.

Relentless PDPA Service: What's Included?

Our Thailand PDPA Service includes the following:

  • PDPA Assessment
  • Dedicated DPO
  • Unlimited Support Calls
  • Unlimited Email Support
  • Data Mapping
  • Record of Processing Activities
  • Subject Access Request Service
  • Data Risk Assessments
  • Data Breach Support
  • Data Protection Policy Writing
  • PDPA Framework Design
  • PDPA Privacy Maturity Gap Analysis and Remediation Report



We asked Robert to come in and do an audit for us in the lead up to the introduction of PDPA in Thailand. He spent a week with us and was forensic in his approach. His report has left us a lot to think about and act upon. Compared to other firms offering the same thing, the price was very reasonable and they have experience in the SE Asia market, so the advice is refreshingly specific rather than generic. I wouldn’t hesitate to recommend Relentless Privacy Services.

Dr T. J. Jefferis, Second Master


At Relentless we have helped companies from startups to PLCs; our services are rich, comprehensive, and built for every budget.


Dedicated Data Mapping Tool

Data mapping is essential to achieving and maintaining GDPR compliance, making it easy for any business to track and make sense of all collected data and data processing activities. A data map can prove invaluable in outlining exactly what types of data you hold, where that data is stored and who has access to it. Used correctly, a data map can also help you manage tasks relating to data subject rights such as access requests, data rectification and the right to be forgotten. It's for this reason that we’re proud to introduce Relentless GDPR 247's data mapping tool. With just a few quick clicks of a mouse, you can create an easy-to-follow data map which gives you a comprehensive overview of your processing activities in accordance with GDPR article 30.
