
This guide has been updated to reflect the Thailand Personal Data Protection Act (PDPA) as of 2026. While the core Act was enacted in 2019, 2024-2025 marked a “Strategic Enforcement” era where the Personal Data Protection Committee (PDPC) shifted from awareness-building to imposing significant fines (up to THB 7 million) and active surveillance through tools like the PDPC Eagle Eye Crawler.

1. Carry Out Third-Party Data Protection Due Diligence

In 2026, third-party due diligence is no longer a “good practice”—it is a legal shield against high administrative fines. Recent cases have shown that Data Controllers are being held liable for the “weak security” of their vendors.

  • Vetting for 2026 Standards: Beyond basic compliance, you must verify whether the third party has a registered Data Protection Officer (DPO) and a tested Breach Notification Protocol.

  • Active Monitoring: Passive contracts are insufficient. Conduct regular security audits. The PDPC now expects “Privacy in Action,” meaning you must prove you are actively monitoring your vendor’s data destruction and storage practices.

  • Liability Allocation: Ensure contracts clearly define that the Processor is liable for its own security failures. In 2025, the PDPC began fining Data Processors (the vendors) directly—in one case, a processor was fined THB 3 million alongside the controller.

2. Ensure Data Processing Agreements (DPAs) Are in Place

Under the current regulatory maturity of 2026, a DPA is a mandatory document. The PDPC has issued several administrative orders against organizations specifically for the absence of a written agreement between Controller and Processor.

Key Clauses for your 2026 DPA:

  • 72-Hour Breach Reporting: The Processor must notify the Controller of any breach immediately so the Controller can meet the 72-hour regulatory deadline.

  • Right to Audit: Explicitly allow the Controller (or a third party) to audit the Processor’s facilities.

  • Specific Instructions: Document that the Processor must only process data according to the Controller’s written instructions.

  • Sub-Processing: Processors must obtain prior written consent before hiring their own sub-contractors (Sub-Processors).

Penalty Update: Failure to have a valid DPA or adequate security measures can lead to administrative fines of up to THB 5 million. If the breach involves sensitive data (health, criminal records, etc.) for commercial gain, criminal penalties include imprisonment for up to one year.

3. Comply with Data Transfer Mandates Out of Thailand

As of March 2024, the PDPC’s regulations on cross-border data transfers are fully enforceable. By 2026, the “whitelist” of adequate countries remains limited, making alternative legal pathways essential.

The 2026 Transfer Framework:

  1. Standard Contractual Clauses (SCCs): This is the most common tool. The PDPC accepts SCCs that align with the ASEAN Model Contractual Clauses or EU GDPR SCCs, provided they are adapted to reference Thai law.

  2. Binding Corporate Rules (BCRs): For multinational corporations, BCRs must now be submitted to the PDPC for formal certification. A new “streamlined” review exists if your BCRs are already GDPR-approved, but you must still appoint a Liable BCR Member based in Thailand.

  3. Transfer Impact Assessment (TIA): In 2026, “Privacy in Action” requires you to document a risk assessment for the destination country before the transfer begins.

Mandatory Record Keeping:

If you transfer data out of Thailand, you must maintain a Record of Processing Activities (ROPA) that specifically tracks:

  • The destination country.

  • The legal basis for the transfer (Consent, Contract, SCCs, etc.).

  • The security measures of the recipient.

Final Thoughts for 2026

The PDPC now uses automated tools like the Eagle Eye Crawler to monitor for data leaks 24/7. Compliance has moved from a “policy-level” exercise to an “operational” reality. Organizations should now aim for the Thailand Trustmark Certification to demonstrate high-level maturity and reduce regulatory scrutiny.