Thailand Personal Data Protection Act B.E. 2562 (2019)

Governs the collection, use, and disclosure of personal data by organisations in Thailand.

  • Rules extracted: 12
  • Obligations decomposed: 180
  • Avg obligations per rule: 15.0x
  • Jurisdiction: 🇹🇭 Thailand

About this regulation

The Thailand PDPA was enacted in 2019 (B.E. 2562) and became fully effective on 1 June 2022 after several deferrals. The Act establishes comprehensive data protection obligations including consent requirements, lawful bases for processing, protections for sensitive data, data subject rights, controller and processor obligations, DPO requirements, cross-border transfer restrictions, and enforcement through the Personal Data Protection Committee (PDPC). The PDPA prescribes civil, criminal and administrative penalties, with administrative fines up to THB 5 million. The Act applies to data controllers and processors within Thailand that collect, use or disclose personal data, regardless of whether the collection, use or disclosure occurs in Thailand.

What AuditDSS covers

  • Source: 1 regulation
  • Extracted: 12 rules
  • Decomposed: 180 obligations
  • Decomposition ratio: 15.0x

Each rule is decomposed into an average of 15.0 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 180 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in PDPA is scored across independent risk dimensions:

  • W (Obligation Weight): How critical within the regulatory framework
  • L (Violation Likelihood): How often breached in practice
  • E (Enforcement Evidence): Regulator enforcement history and penalties
  • C (Cascade Dependency): How many obligations depend on this one

Regulatory details

Full title: Thailand Personal Data Protection Act B.E. 2562 (2019)
Regulatory body: Personal Data Protection Committee (PDPC)
Jurisdiction: 🇹🇭 Thailand
Document type: act
Effective date: June 1, 2022
Issuing authority: National Legislative Assembly of Thailand

Who this applies to

data controllers, data processors, public authorities, private entities

Key requirements

  • consent and lawful bases
  • sensitive data protections
  • data subject rights (access, rectification, erasure, portability, objection)
  • DPO appointment
  • data breach notification (72 hours)
  • cross-border transfer restrictions
  • record of processing activities

Frequently asked questions about PDPA

What is PDPA?

The Thailand PDPA was enacted in 2019 (B.E. 2562) and became fully effective on 1 June 2022 after several deferrals. The Act establishes comprehensive data protection obligations including consent requirements, lawful bases for processing, protections for sensitive data, data subject rights, controller and processor obligations, DPO requirements, cross-border transfer restrictions, and enforcement through the Personal Data Protection Committee (PDPC). The PDPA prescribes civil, criminal and administrative penalties, with administrative fines up to THB 5 million. The Act applies to data controllers and processors within Thailand that collect, use or disclose personal data, regardless of whether the collection, use or disclosure occurs in Thailand.

Who does PDPA apply to?

PDPA applies to data controllers, data processors, public authorities, and private entities.

How many obligations does PDPA contain?

AuditDSS has decomposed PDPA into 180 atomic obligations from 12 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of PDPA?

The key requirements include: consent and lawful bases, sensitive data protections, data subject rights (access, rectification, erasure, portability, objection), DPO appointment, data breach notification (72 hours), cross-border transfer restrictions, and record of processing activities.

How can I assess my PDPA compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 180 PDPA obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces PDPA?

PDPA is enforced in Thailand by the Personal Data Protection Committee (PDPC).

When did PDPA come into effect?

PDPA became effective on June 1, 2022.

What industry does PDPA apply to?

PDPA is primarily relevant to the Privacy & Data Protection industry. AuditDSS covers 71 regulations in this industry sector.

Build a PDPA compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for PDPA — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering PDPA requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine PDPA with other regulations into a single unified compliance pack for your business.

Already have a policy? Assess it against PDPA

1. Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

2. AI maps against 180 obligations

Your document is scored against every obligation in PDPA. Each claim is mapped to the obligation tree and evaluated for coverage.

3. Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.

Assess your PDPA compliance

Upload your document and get a risk-scored gap analysis against 180 PDPA obligations in under 5 minutes.