
Thailand PDPA 2026 for foreign SMEs: lawful bases, DPO, cross-border transfers, SME exemptions, and enforcement

  • Writer: gentlelawlawfirm
  • Jan 13
  • 9 min read

Introduction

For foreign SMEs operating in Thailand, the Thailand Personal Data Protection Act B.E. 2562 (2019) (PDPA) is not only a legal requirement but also a practical operating constraint across HR, marketing, sales, customer support, and vendor management. The PDPA sets the conditions for collecting, using, and disclosing personal data, including when consent is required and when it is not.

In 2026, the compliance question is less about “whether the PDPA applies” and more about whether your SME can demonstrate a defensible lawful basis, document key decisions, and control cross-border data flows and vendors. Enforcement has also become more visible, including publicly reported administrative fines for data breach governance failures.

Legal disclaimer: This article is general information only and not legal advice for your specific case. PDPA obligations depend on your facts, including data categories, purposes, processing scale, and operational model. Always confirm your situation with qualified counsel.


Thailand PDPA 2026 for foreign SMEs: scope and who must comply

The PDPA applies to data controllers or data processors in Thailand, even if processing occurs outside Thailand. It can also apply to certain controllers or processors outside Thailand in relation to personal data of data subjects in Thailand, with representative requirements and exceptions stated in the Act.

Practical SME takeaway: if you have staff, customers, leads, members, website users, or CCTV in Thailand, assume the PDPA is in scope and then document the lawful basis and controls.


Lawful bases: how foreign SMEs should choose under Sections 24 and 26


Start with the rule: consent is the default, then check exceptions

The PDPA provides that a controller shall not collect, use, or disclose personal data without consent unless permitted by the Act or other laws.

Section 24 lists key grounds where personal data may be collected without consent, including:

  • research or statistics with appropriate safeguards

  • vital interests (danger to life, body, or health)

  • contract necessity

  • public interest or official authority

  • legitimate interests (subject to balancing against fundamental rights)

  • legal obligation


Sensitive personal data requires extra care

Section 26 governs “sensitive personal data” and generally requires explicit consent unless a specific exception applies. Plan for stricter governance if you handle health, biometric, criminal, or similar sensitive categories.


A practical lawful basis matrix for foreign SMEs

Use this approach to reduce re-consent and reduce enforcement risk:

  1. Employment and HR: often anchored on contract necessity and legal obligation for payroll, benefits, immigration support, and statutory reporting, depending on the specific dataset and purpose.

  2. Customer onboarding and billing: commonly contract necessity for core service delivery and account operations.

  3. Fraud prevention and security monitoring: often legitimate interests or vital interests depending on facts and risk, but must be documented with a balancing test and appropriate safeguards.

  4. Direct marketing: the PDPA provides a right to object to processing for direct marketing, so SMEs should separate “service messages” from “marketing messages” and maintain opt-out controls.

Caution: Do not treat “consent” as the safest option by default. Consent must be freely given and should not be bundled as a condition for unrelated services.


DPO in Thailand: when it is required and what “large scale” means


The PDPA DPO trigger

The PDPA requires controllers and processors to designate a Data Protection Officer (DPO) in cases described in Section 41(2), and the PDPC issued a notification clarifying criteria and examples for when a DPO must be appointed.


PDPC criteria you can operationalize

Under the PDPC notification, a DPO is required where core activities involve:

  • regular monitoring of personal data or systems, and

  • processing personal data on a large scale

The notification provides practical clarification, including:

  • what “regular monitoring” can include, such as tracking, monitoring, analyzing, or profiling behavior in a systematic and regular manner, including behavioral advertising

  • a “large scale” example threshold where processing involves 100,000 data subjects or more as part of core activities, plus other sector examples

SME reality check: many SMEs do not meet the DPO trigger. However, if you run large-scale consumer operations, behavioral advertising, telecom style services, or broad surveillance, you should do a DPO assessment using the PDPC criteria and keep the assessment memo.


Cross-border transfers: Section 28 adequacy and Section 29 safeguards

Cross-border data flows are one of the most common compliance gaps for foreign SMEs, especially when your tools use cloud hosting, overseas support teams, CRMs, email platforms, analytics, or group company processing.


Section 28: Adequacy plus a key definition that helps cloud-based SMEs

The PDPC Section 28 notification defines “sending or transferring personal data” and clarifies that it does not include data transit via intermediary networks or cloud storage where no external person can access the data, supported by technical measures or legal conditions.

The notification also sets adequacy factors for destination countries or international organizations, including:

  • legal measures aligned with Thai personal data protection law and enforceable rights and remedies

  • authorities with duty and power to enforce data protection rules

It further provides that the PDPC Office may support case-by-case adequacy decisions and that the Committee may establish a list of destinations considered adequate.


Section 29: Appropriate safeguards and BCR and SCC style mechanisms

The Section 29 notification provides a structured approach for transfers within a group of undertakings and also discusses safeguards and contractual approaches, including references to binding corporate rules and standard contractual clauses, with required subject matter for contractual clauses.

Practical SME takeaway: If you are using overseas vendors or group companies with real access to personal data, you should not rely on “we are a small company” as a transfer justification. You need a documented transfer pathway and appropriate safeguards.


SME exemptions: what exists and what does not


No blanket PDPA exemption for SMEs

The PDPA contains exemptions for specific activities, not a general “SME exemption.” For example, the Act does not apply to personal or household activities, certain security-related public authority functions, and certain mass media activities, among others.


A real SME relief area: RoPA recordkeeping exemption for small enterprises

The PDPA itself allows that certain recordkeeping elements may not apply to “small organizations” under Committee rules, subject to risk and data type conditions.

Separately, the PDPC issued a notification exempting small enterprise data controllers from specific Section 39 record items, where the controller fits listed categories such as SMEs under Thailand’s SME promotion law, community enterprises, social enterprises, cooperatives, foundations, and similar, subject to limitations. The notification also states exclusions and limits, including where processing involves sensitive personal data under Section 26 or likely high risk to rights and freedoms.

Plain-English interpretation: Some SMEs may have reduced RoPA recordkeeping requirements, but that does not remove core PDPA duties such as lawful basis, security measures, and breach notification readiness.


Enforcement in practice: what is being fined and why it matters to SMEs

Thailand has publicly reported administrative fines and enforcement activities related to PDPA compliance.

  • On 21 August 2024, Thailand’s digital ministry and PDPC Office communications reported a 7 million THB administrative fine against a large private entity in connection with personal data leak controls and compliance failures.

  • On 4 August 2025, Thai government communications reported that the PDPC Office imposed administrative fines across public and private entities for multiple cases, with cumulative fines reported above 21.5 million THB since full enforcement began.

SME takeaway: The most defensible risk reduction is not “perfect paperwork.” It is a small set of documented decisions and controls:

  • lawful basis mapping for each core workflow

  • vendor governance and security measures

  • an incident response and breach notification playbook

The PDPA also includes a 72-hour breach notification expectation in the Act, with conditions and procedures to follow.


Key takeaways

  • Lawful basis is the anchor: Section 24 provides key non-consent bases, while Section 26 tightens rules for sensitive personal data.

  • DPO is not automatic: PDPC criteria focus on core activities, regular monitoring, and large scale processing, with concrete examples.

  • Cross-border transfers need a pathway: the Section 28 and Section 29 notifications clarify definitions, adequacy, and safeguards that matter for cloud and group operations.

  • SME exemptions are limited: There is no blanket SME PDPA exemption, but there is a specific RoPA record exemption notification for certain small enterprise controllers, with conditions and exclusions.

  • Enforcement is real: Government communications report administrative fines and broader enforcement actions.


Common misconceptions

Misconception 1: “We are an SME, so PDPA does not apply.” Not correct. The PDPA applies broadly, with limited activity-based exemptions and a narrow RoPA record exemption for certain small enterprises under a PDPC notification.

Misconception 2: “Consent is always the safest lawful basis.” Not necessarily. Consent must be freely given and should not be bundled. Many routine SME workflows can be grounded in contract necessity, legal obligation, or legitimate interests where properly documented.

Misconception 3: “Using cloud tools means we are always making cross-border transfers.” Sometimes yes, sometimes no. The Section 28 notification clarifies that certain data transit or cloud storage setups where no external person can access the data may not be treated as “sending or transferring” under that definition. Your configuration and vendor access model matters.


Worked scenarios (illustrative and conditional)


Scenario A: US-owned SaaS SME with Thai customers, CRM hosted overseas

  • Risk drivers: overseas CRM access by vendor support and analytics processing

  • Compliance actions: map lawful basis for customer onboarding and billing, document cross-border transfer pathway, and update vendor agreements and security measures

  • DPO: usually not required unless regular monitoring and large scale triggers apply


Scenario B: EU trading SME running behavioral advertising to Thai consumers

  • Risk drivers: profiling and behavioral advertising may indicate regular monitoring

  • Compliance actions: DPO assessment under PDPC criteria, marketing opt-out design, and documented lawful basis and notice design


SME roadmap: step-by-step PDPA compliance for 2026


Step 1: Build a data map in 2 hours

List each workflow:

  • recruitment and HR

  • customer onboarding

  • payments and invoicing

  • marketing and lead capture

  • customer support

  • vendor and outsourcing


Step 2: Assign a lawful basis per workflow and document it

  • Use Section 24 bases where applicable

  • Flag any sensitive personal data under Section 26 and apply stricter governance


Step 3: Decide if you need a DPO and keep the memo

Use PDPC criteria for core activities, regular monitoring, and large scale. Keep a short memo even if the answer is “no.”


Step 4: Fix your cross-border transfer pathway

  • Identify overseas vendors and group entities with access

  • Apply Section 28 and Section 29 logic, including the data transit clarification and safeguards approach


Step 5: Check SME RoPA recordkeeping exemption eligibility

If you may qualify as a small enterprise controller, verify whether the RoPA record exemption applies and whether your processing falls into an excluded category such as Section 26 sensitive data or higher-risk processing.


Step 6: Implement minimum security measures and breach readiness

The Act includes breach notification expectations and the PDPC has publicly reported enforcement actions related to security governance and breach handling. Prepare an incident response process and responsibilities.


FAQ

  1. Does the Thailand PDPA apply to foreign SMEs in 2026? Yes, in many cases. The PDPA applies to controllers and processors in Thailand and can also apply to certain entities outside Thailand in relation to personal data of data subjects in Thailand.

  2. What are the main lawful bases under the Thailand PDPA for foreign SMEs? Consent is the default, but Section 24 lists key non-consent bases such as contract necessity, legal obligation, vital interests, public interest, and legitimate interests.

  3. When do we need a DPO in Thailand? You need a DPO when PDPC criteria are met, focusing on core activities requiring regular monitoring and large scale processing. The PDPC notification provides detailed criteria and examples.

  4. Do SMEs get exempted from PDPA obligations? Not broadly. SMEs are not generally exempt from the PDPA, but some SMEs may qualify for a specific RoPA recordkeeping exemption notification, subject to conditions and exclusions.

  5. What counts as a cross-border transfer under PDPA? The Section 28 notification defines “sending or transferring personal data” and clarifies that data transit or cloud storage without external access may be excluded. If overseas parties can access the data, you likely have a cross-border transfer to structure and safeguard.

  6. Do we need consent for cross-border transfers? Sometimes, but not always. Transfers can be structured under Section 28 adequacy or Section 29 safeguards depending on the facts and applicable mechanisms. Consent may be one route, provided the data subject is informed of any inadequate protection standards at the destination where that applies.

  7. What is the enforcement risk in 2026? Government communications have reported PDPA administrative fines and broader enforcement actions. SMEs should focus on lawful basis documentation, vendor security, and breach readiness.

  8. What is the fastest PDPA starting point for an SME? Start with a workflow data map and lawful basis matrix, then add a cross-border transfer register and vendor agreements. This creates the minimum defensible compliance posture.


Glossary

  • PDPA: Personal Data Protection Act B.E. 2562 (2019).

  • PDPC: Personal Data Protection Committee and its Office.

  • Data controller: Entity determining purposes and means of processing.

  • Data processor: Entity processing personal data on behalf of a controller.

  • Lawful basis: A legal ground to collect, use, or disclose personal data, including Section 24 exceptions.

  • Sensitive personal data: Data under Section 26 requiring stricter conditions.

  • DPO: Data Protection Officer required in certain cases under Section 41 and PDPC criteria.

  • RoPA: Record of Processing Activities and related exemptions for certain small enterprises.

  • Cross-border transfer: Sending or transferring personal data abroad under the Section 28 and Section 29 frameworks and notifications.


Decision checklist artifact: Thailand PDPA 2026 compliance checklist for foreign SMEs

A) Scope and roles

  • Identify whether you are a controller, processor, or both

  • Confirm Thailand scope and any representative considerations for offshore operations

B) Lawful basis and notices

  • Assign lawful basis for each workflow using Section 24 and consent rules

  • Flag sensitive personal data under Section 26 and apply stricter governance

C) DPO decision

  • Perform DPO assessment using PDPC criteria for regular monitoring and large scale

  • Record decision and review triggers (growth, new marketing model, new product)

D) Cross-border transfer readiness

  • Map all overseas vendors and group entities with data access

  • Classify flows under the Section 28 definition and consider whether the “data transit or non-accessible cloud storage” clarification applies

  • Implement safeguards under Section 29 where needed, and document the mechanism

E) SME RoPA exemption check

  • Check whether you qualify for the PDPC small enterprise controller RoPA exemption notification

  • Confirm you are not excluded due to high-risk processing or Section 26 sensitive data processing

F) Enforcement readiness

  • Implement minimum security governance and vendor controls

  • Implement an incident response and breach notification playbook, including decision logs and timing


Call to action (GENTLE LAW IBL)

If your foreign SME needs a practical PDPA plan that aligns lawful bases, DPO decisioning, vendor contracts, and cross-border transfers with Thailand PDPC rules, GENTLE LAW IBL can scope a compliance roadmap and produce an implementable document pack designed for SME operations.
