+44 (0) 121 582 0192 [email protected]


As the Thailand economy rebounds, the protection of personal data remains the cornerstone of trust between individuals and organisations. Thailand’s Personal Data Protection Act (PDPA), echoing global data privacy concerns, establishes stringent guidelines for the handling of personal data by Data Controllers and Processors. This article explores the obligations laid down by the PDPA for securing personal data and the repercussions of failing to comply.


Security Measures Under the PDPA

The PDPA mandates both Personal Data Controllers and Processors to ensure the safety and confidentiality of personal data through well-organised storage (both physical and electronic) and systematic deletion procedures. Despite the lack of explicit instructions on secure storage characteristics, the industry consensus leans towards adhering to prevailing standards that balance cost, utility, and the nature of data held. These standards must also consider the organisation’s size, financial status, and potential risks to data integrity.


Enhanced Data Protection Techniques

In the realm of data security, pseudonymization and anonymization emerge as crucial techniques for mitigating risks of unintended or deliberate data exposure. These methods serve to obscure the data subject’s identity, thereby bolstering data protection.

Following the enactment of the Royal Decree, the Ministry of Digital Economy and Society (MDES) issued a notification detailing minimum data security standards to be observed during the transition period ending 31 May 2022. Key requirements include:

  1. Access Control: Implementing robust access control mechanisms to personal data and associated processing devices.
  2. Permission Management: Establishing systems for the designation of access rights and permissions to personal data.
  3. User Access Management: Ensuring personal data is accessible only to authorised individuals.
  4. User Responsibility Designation: Implementing systems to prevent unauthorised data processing activities.
  5. Monitoring and Records: Keeping detailed records of data access, modification, deletion, or transfer activities.

Moreover, Data Controllers are required to communicate these security measures to their personnel, fostering a culture of data protection awareness.


Penalties for PDPA Violations

Violations of the PDPA carry significant consequences, ranging from civil suits to criminal and administrative actions:

  • Civil Breach: Individuals harmed by PDPA violations can initiate civil suits against Data Controllers or Processors. Notably, the PDPA allows for punitive damages up to twice the actual damages for severe breaches.
  • Criminal Breach: Beyond civil actions, breaches involving unauthorised use or disclosure of sensitive data without consent can lead to imprisonment (up to six months), fines (up to Baht 500,000), or both. Penalties double for breaches undertaken for commercial advantage.
  • Administrative Breach: Administrative fines can reach up to Baht 5,000,000 for serious breaches, underscoring the PDPA’s commitment to enforcing data privacy.



The introduction of the PDPA marks a significant milestone in Thailand’s commitment to personal data protection. For Data Controllers and Processors, the act necessitates a rigorous reevaluation of data handling practices, ensuring compliance with security measures and awareness of the severe penalties for non-compliance. As digital landscapes evolve, adherence to the PDPA not only mitigates legal risks but also enhances trust and confidence among consumers, paving the way for responsible and secure data management practices.

See how the Formiti Thailand PDPA Service can enhance your PDPA compliance

If you are an international company offering products and services to Thai citizens with no legal entity within Thailand Formiti has you covered with the Thailand PDPA Local Representative Service