Thailand’s PDPA: Enforcement in Action and Cross-Border Data Transfers

Since June 2022, Thailand’s Personal Data Protection Act (PDPA) has shifted from an educational phase to active enforcement (see https://fosrlaw.com/2025/gdpr-vs-pdpa/).

Recent fines and administrative orders indicate that the Personal Data Protection Committee (PDPC) now expects organizations to integrate compliance into their everyday operations. Key steps include appointing Data Protection Officers, implementing robust security measures, and preparing for swift responses to potential breaches. Besides avoiding penalties, organizations that focus on compliance gain increased consumer trust and better market access. The PDPA’s clarified rules on cross-border data transfers position compliance as a strategic advantage and a catalyst for business growth. Notably, some companies have reported a 15% rise in consumer trust and a 10% increase in market access within the first year of PDPA compliance, demonstrating the tangible business benefits.

Enforcement in Practice

The PDPC has levied cumulative administrative fines exceeding THB 21.5 million across both public and private sector cases.

These penalties underscore a consistent emphasis on governance issues, weak security measures, and mishandled data breaches.

Key Illustrative Cases:

  • Cybersecurity failures: Insufficient user training on password security, inconsistent risk evaluations, and missing data processing agreements contributed to a breach impacting 200,000 citizens. Both a government agency and its IT contractor were fined due to these governance and security lapses. To lower the risk of breaches and shared liabilities, organizations should perform comprehensive risk assessments and establish clear data processing agreements.
  • Improper data disposal and breach handling: A private hospital was fined after patient records were reused as food packaging, exposing insufficient oversight of its contractor’s data destruction. A hardware retailer was fined THB 7 million for failing to appoint a Data Protection Officer, lacking adequate security measures, and not notifying authorities or customers following a breach. In a similar incident, a cosmetics retailer received a THB 2.5 million fine but alleviated some impact by supporting affected customers.
  • Shared liability with processors: A toy retailer and its software vendor were both fined after exposed system interfaces caused a significant breach. The toy retailer, as the data controller, was fined THB 500,000, while the software vendor, as the processor, was fined THB 3,000,000. The processor received a larger fine than the controller, highlighting that service providers are directly responsible for failing to implement adequate security measures to protect personal data.

Takeaway: The PDPC penalizes failures to appoint DPOs, inadequate security measures, the absence of proper contracts with processors, and delayed breach notifications. Organizations that respond transparently and support affected individuals may receive leniency, while inaction results in higher fines (see https://fosrlaw.com/2024/thailand-personal-data-protection-committee-issues-fines-for-violation-of-personal-data-protection-act/).

Cross-Border Data Transfers

The restrictions imposed by the PDPA on international data transfers were clarified in the December 2023 regulations under Sections 28 and 29. These regulations establish two compliance pathways: the Adequacy route (Section 28), referred to as the “Green Route,” and the Appropriate Safeguards route (Section 29), designated as the “Safeguard Route.”

  • Adequacy (Section 28): Transfers are allowed to jurisdictions officially recognized by the PDPC as having sufficient data protection. No list of “adequate” countries has been published yet.
  • Appropriate safeguards (Section 29): When adequacy is lacking, businesses must implement safeguards such as:
      • Binding Corporate Rules (BCRs): Internal group policies that bind affiliates worldwide and require PDPC approval.
      • Standard Contractual Clauses (SCCs): Contractual terms based on ASEAN or EU models, updated with Thai-specific obligations such as 72-hour breach reporting.
      • Other safeguards: Future certification systems or government-to-government agreements.

The PDPA’s extraterritorial scope means overseas businesses that target Thai residents or track their behavior must follow these transfer rules, usually by appointing a local representative in Thailand. This representative serves as the main contact for data protection issues, communicates with the PDPC and Thai authorities, and makes sure the organization meets its PDPA obligations. Their role is essential for managing compliance and responding to regulatory inquiries.

Practical Implications

Organizations managing Thai personal data should focus on these initiatives as part of their compliance plan, aligning them with maturity levels to support ongoing improvement (see https://fosrlaw.com/2024/pdpa-thailand-exception-to-rule-of-section-19/).

  • Governance: Begin by appointing Data Protection Officers where necessary and establishing data processing agreements with vendors. Integrate these processes into company practices and improve them through regular reviews and updates. To assess governance maturity, organizations can use KPIs such as policy adoption rate, audit closure time, and DPO training hours. These metrics create a live scorecard to monitor progress from ‘initiate’ to ‘optimize.’
  • Security: Perform risk assessments, use encryption, establish access controls, and conduct regular audits. Integrate security measures into daily operations and enhance them by adopting advanced technology and techniques for threat detection and prevention.
  • Breach Response: Develop a written incident plan that includes 72-hour reporting protocols. Integrate response plans into company culture through training and drills, then improve them by regularly reviewing protocols and applying lessons learned from past incidents.
  • Cross-Border Compliance: Map out international data transfers and update contracts with SCCs as the initial step. Consider BCRs for intra-group transfers. Incorporate these practices through cross-department collaboration and enhance them by adapting strategies based on regulatory changes and stakeholder feedback. A simple decision tree can clarify when to use SCCs versus BCRs, making compliance decisions clearer and more actionable.
  • Ongoing Oversight: Start by monitoring regulatory developments and reviewing compliance programs annually. Embed oversight into the organizational structure by appointing compliance champions, and enhance it through training programs that integrate privacy into daily operations. Subscribing to PDPC updates or industry alerts helps teams stay informed, and Regulatory Technology (RegTech) tools, such as automated monitoring platforms or audit dashboards, can reduce manual workload and provide real-time updates, supporting proactive compliance management.

Frequently Asked Questions: Practical Guidance

The following practical guidance answers common questions organizations have during PDPA implementation.

Organizations beginning PDPA compliance should first map data flows by identifying collected personal data, storage locations, access permissions, and cross-border transfers. At each data touchpoint, they should ask, “Can I minimize or pseudonymize here?” to encourage preventive thinking from the start and align with global trends toward proactive privacy engineering. The next steps include:

1. Appoint a Data Protection Officer (DPO) if your processing meets the statutory thresholds.

2. Draft and issue privacy notices for employees, customers, and third parties.

3. Review contracts with vendors and partners that handle personal data.

4. Develop internal policies covering security, data subject rights requests, and incident response.

These first steps lay the groundwork for ongoing compliance efforts.

Adequacy List – When to Expect Publication

As of 2025, the PDPC has not released a list of “adequate” jurisdictions. This means all cross-border transfers must, for now, be treated as going to non-adequate destinations and require proper safeguards. The PDPC has indicated that work is ongoing, but there is no fixed timeline.

To help organizations plan, consider these scenarios for publishing the adequacy list.

  • Best-case scenario: The adequacy list is published by Q3 2025, enabling businesses to make necessary updates without immediate resource reallocation.
  • Base-case scenario: Publication occurs by mid-2026, necessitating some renewal of SCCs or initial BCR drafting to bridge the compliance gap.
  • Worst-case scenario: No adequacy list becomes available until late 2027, forcing organizations to manage ongoing SCC renewals and expanded BCR efforts during this period.

Therefore, businesses should prepare for SCCs or BCRs until an official list is released. Organizations should recognize the uncertainty about timelines and regularly check PDPC announcements for updates. By staying informed, companies can better manage expectations and proactively adjust their compliance plans to meet changing regulations.

SCCs and BCRs – Templates and Approval

The PDPC released model Standard Contractual Clauses (SCCs) aligned with ASEAN Model Clauses and the EU’s GDPR clauses. Companies can adapt these, as long as they include Thailand-specific requirements like a 72-hour breach notification. Compliance teams can access the SCC templates from the PDPC’s official website or other authoritative sources, enabling them to quickly implement the necessary documents.

There is no official template for Binding Corporate Rules (BCRs). However, PDPC guidance clearly states that they must be legally binding across the entire corporate group, confirm data subject rights, and include technical and organizational safeguards. BCRs require formal submission and approval by the Office of the PDPC, which involves reviewing enforceability and implementation. Since approval can be resource-intensive, most businesses tend to prefer SCCs as a shorter-term solution.

Incident Response – Reportable Events

A reportable incident under the PDPA is any breach “likely to result in a risk to the rights and freedoms of data subjects.” This includes unauthorized access, disclosure, alteration, or destruction of personal data that could harm individuals. For example, if a company’s email system is compromised by a phishing attack, resulting in unauthorized access to customer information such as names, addresses, and payment details, or to sensitive personal data (e.g., health or biometric data), the incident poses a serious risk to individuals. Such incidents require prompt notification and response to reduce potential harm. The average cost of identity theft per victim can exceed USD 1,000, highlighting the importance of complying with the 72-hour reporting requirement. Failure to comply with the breach notification requirement may result in a fine of up to THB 3,000,000 (approximately USD 81,000). This tangible impact underscores the need for organizations to act quickly, both to comply with the law and to minimize potential damage to individuals and to organizational trust.

A 72-hour notice (see https://fosrlaw.com/2022/personal-data-breach-notifications/) to the PDPC must include:

  • Nature of the breach (type of data, scope, and estimated number of records affected).
  • Likely consequences for individuals, such as identity theft and financial fraud.
  • Measures already implemented to contain the breach.
  • Planned steps to reduce future risks.

When the breach presents a high risk to individuals, direct notification to those affected is also necessary.

Vendor Management – Ongoing Oversight

Vendors (data processors) remain a recurring enforcement theme. Compliance teams should:

  1. Conduct due diligence before engagement — assess the vendor’s technical security, certifications, and prior track record.
  2. Use robust Data Processing Agreements (DPAs) — ensure PDPA-required clauses are in place, covering confidentiality, instructions, and breach reporting.
  3. Monitor performance regularly — through questionnaires, audits, or compliance certifications.
  4. Establish escalation procedures — if a vendor suffers a breach or fails a compliance review, the company must be able to act quickly to protect data subjects.

The PDPC has shown that processors can be fined directly, but controllers remain accountable for vendor oversight.

The comments herein are for discussion and information purposes only and are not guaranteed to be up to date. Nothing herein should be or can be relied on as legal advice.

For any questions, you may contact Formichella & Sritawat at [email protected]

© 2025 Formichella & Sritawat Attorneys at Law


About the Authors

Naytiwut Jamallsawat is a Partner at Formichella & Sritawat Attorneys at Law, heading the firm’s Regulatory Practice. He advises both international and local clients on complex regulatory issues involving data privacy, telecommunications, and emerging technologies.

Supitchaya Akeyati is an Associate at Formichella & Sritawat Attorneys at Law, focusing on corporate law and data privacy. She advises clients on PDPA compliance, cross-border data transfers, and regulatory issues in the TMT industry, and contributes to the firm’s litigation work where data privacy overlaps with commercial disputes.