GDPR vs. Thailand PDPA: Substantive Legal Comparison June 2025

Thailand’s Personal Data Protection Act (PDPA) bears a structural resemblance to the European Union’s General Data Protection Regulation (GDPR), reflecting a shared emphasis on personal data rights, lawful processing, and accountability. However, significant differences exist in scope, enforcement, and practical implementation. Notably, Thailand’s legal framework is still evolving, with limited regulatory guidance and case law, which may pose interpretive challenges for organizations navigating compliance. This situation is exacerbated by the presence of criminal penalties for certain violations under the PDPA; the GDPR itself imposes only administrative fines and leaves any criminal sanctions to member state law. This raises potential concerns for both local and international businesses operating in Thailand. The table below highlights key distinctions between the two regimes to support risk assessment and compliance planning.

Legal Aspect: Enforcement Authority
  GDPR (EU): Independent national data protection authorities
  PDPA (Thailand): Personal Data Protection Committee (PDPC) under the Ministry of Digital Economy and Society

Legal Aspect: Maximum Fines
  GDPR (EU): Up to €20 million or 4% of global annual turnover, whichever is higher
  PDPA (Thailand): Administrative fines of up to THB 5 million per offense, plus criminal penalties including imprisonment of up to 1 year

Legal Aspect: Data Subject Rights
  GDPR (EU): Comprehensive: access, rectification, erasure, restriction of processing, data portability, objection, withdrawal of consent, and protection from automated individual decision-making
  PDPA (Thailand): Broadly similar set: access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent; no explicit protection from automated individual decision-making

Legal Aspect: Right to Erasure
  GDPR (EU): Fully enforceable under Art. 17
  PDPA (Thailand): Recognized, but limited in practice

Legal Aspect: Consent Standard
  GDPR (EU): Freely given, informed, specific, unambiguous (opt-in)
  PDPA (Thailand): Similar standard, but less operational clarity, especially concerning the requirement for explicit consent for sensitive data

Legal Aspect: DPO Requirement
  GDPR (EU): Mandatory for large-scale or public-authority processing; role well-defined
  PDPA (Thailand): Similar requirement, including for large-scale processing of sensitive data; guidance is limited

Legal Aspect: Cross-Border Transfers
  GDPR (EU): Requires an adequacy decision, SCCs, BCRs, or another Chapter V transfer mechanism
  PDPA (Thailand): No adequacy list or Thai-issued SCCs yet; GDPR SCCs are recognized, and the ASEAN Model Contractual Clauses can be adopted

Legal Aspect: Profiling & Automation
  GDPR (EU): Restricted under Art. 22, with rights to object and to obtain human intervention
  PDPA (Thailand): Not clearly regulated

Legal Aspect: Legal Grounds for Processing
  GDPR (EU): 6 bases: consent, contract, legal obligation, vital interests, public task, legitimate interests
  PDPA (Thailand): Similar set: consent plus the non-consent bases in Section 24 (research and statistics, vital interests, contract, public task, legitimate interests, legal obligation)

Legal Aspect: Private Right of Action
  GDPR (EU): Yes, including class actions
  PDPA (Thailand): Yes, but limited in scope and practice

Key Takeaways for Compliance Teams

  • PDPA aligns structurally with GDPR but is less developed in enforcement and interpretation.
  • Organizations subject to the PDPA may face criminal penalties for certain violations (the GDPR itself provides none).
  • Cross-border data transfers under the PDPA lack practical guidance.
  • Rights such as objection to profiling and automated decision-making are weaker under the PDPA.
  • Companies subject to both laws should follow the higher GDPR standard as best practice, while still meeting PDPA-specific requirements such as its consent and DPO rules.