Thailand PDPA compliance 2025 for foreign SMEs: lawful bases, cross-border transfers, DPO, breach notifications, and fines
- gentlelawlawfirm
- Sep 20
- 4 min read

Introduction
If your business operates in Thailand or targets people in Thailand, the Personal Data Protection Act B.E. 2562 (PDPA) applies. This practical guide explains what PDPA compliance looks like in 2025 for foreign SMEs: the seven lawful bases, mandatory privacy notices, processor contracts, the cross-border transfer regime that took effect in 2024, Data Protection Officer (DPO) triggers, 72-hour breach notifications, and recent enforcement trends. All key points are tied to the PDPA text and the latest PDPC notifications and guidance.
1) Scope and lawful bases you must map
Who is in scope: PDPA applies to organizations that collect, use, or disclose personal data in Thailand and also to foreign organizations that offer goods or services to people in Thailand or monitor their behavior.
Lawful bases: Consent and the statutory alternatives such as contract, legal obligation, vital interests, public interest, and legitimate interests appear in the Act and PDPC guidance. When you rely on consent, it must be informed, specific, and freely given using clear language.
Sensitive data: Extra conditions apply to special categories such as health and biometrics. Document your basis and safeguards before processing.
Action: Build a data-processing register that lists, for each processing activity, its purpose, lawful basis, data categories, recipients, and retention period. Rely on consent only when no other lawful basis applies, and keep evidence of the basis you chose.
2) Privacy notices and processor contracts
Privacy notices must clearly set out purposes, lawful bases, data subject rights, retention, recipients, cross-border transfers, and contact points. Align the English version with a Thai version where appropriate.
Data processing agreements: Controllers must impose written instructions and adequate security on processors and supervise compliance. Build audit rights and deletion or return obligations into vendor contracts.
3) Cross-border transfers in 2025: what changed and how to comply
Two PDPC notifications published in the Royal Gazette on 25 December 2023 took effect on 24 March 2024. They set out the framework for sending personal data from Thailand to other countries.
Whitelist mechanism: A transfer may rely on the destination country having adequate personal data protection standards under the PDPC’s criteria, set out in what is often called the Whitelist Notification.
Appropriate safeguards and BCRs: Where no whitelist applies, transfers can rely on binding corporate rules or other appropriate safeguards under the Section 29 notification.
Current state of play: Commentaries note that, as of 2025, the PDPC has not yet published a public list of adequate jurisdictions, so most organizations rely on safeguards such as BCRs or transfer clauses and exceptions. Treat this as a working assumption and check for updates before filing or transferring.
Checklist for cross-border compliance
- Identify transfer flows, destinations, and recipients.
- Check whether a whitelist exists for the destination at the time of transfer. If not, implement appropriate safeguards or BCRs that meet PDPC criteria.
- Update your privacy notice and records of processing to reflect transfer bases.
- Maintain transfer assessments and technical measures proportional to the risks.
4) Do you need a Data Protection Officer in 2025
The PDPC issued a Notification on Appointment of DPO with effect from 13 December 2023. A DPO is required for controllers and processors that conduct regular monitoring or process large-scale data meeting the thresholds defined by the PDPC. Commentary on the notification highlights quantitative triggers, such as processing in excess of 100,000 data subjects for core activities. Document your trigger analysis and keep an appointment resolution if a DPO is required.
5) Security measures and data breach notifications
Security: Controllers must implement appropriate organizational and technical measures. Weak access controls and failure to supervise processors have already attracted fines.
Notify within 72 hours: Controllers must notify the PDPC without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If you cannot notify in time, the PDPC has clarified that you should notify as soon as possible and no later than 15 days, giving reasons for the delay. High-risk cases also require notification to the affected individuals.
Assessment and templates: The PDPC’s 2022 notification and guideline provide breach assessment factors and forms controllers can use.
Action: Stand up an incident response runbook that includes 72-hour internal escalation, a PDPC form pack, evidence logging, and a public communications script.
6) Fines and 2024 to 2025 enforcement signals
First administrative penalty: In August 2024 the PDPC announced its first significant administrative fine, totaling THB 7 million, against a large e-commerce platform for violations that included failure to appoint a DPO, inadequate security, and failure to notify a breach.
2025 wave of fines: On 1 August 2025 the PDPC disclosed eight new administrative fines across five public and private cases. Reports indicate totals of roughly THB 14.5 to 21.5 million, with orders covering security failings, late or missing breach notifications, and missing DPO appointments. Treat enforcement as active and sector-agnostic.
7) 2025 PDPA compliance checklist for foreign SMEs
Data inventory and lawful bases: Catalogue processing activities and pin each to a lawful basis with evidence. Avoid bundled or pre-ticked consent.
Privacy notices: Publish clear, layered notices that reflect actual purposes, recipients, retention, and cross-border flows.
Processor governance: Put DPAs in place that mirror PDPA duties and give you audit, deletion, and return rights. Supervise vendors handling personal data.
Cross-border transfers: For any offshore transfers after 24 March 2024, apply the whitelist criteria if a whitelist is available, or implement safeguards or BCRs that meet the requirements of the notifications issued under Sections 28 and 29. Keep transfer assessments.
DPO trigger test: Document whether your processing meets PDPC thresholds for appointment and, if so, appoint a qualified DPO and publish contact details.
Security and monitoring: Implement risk-based controls, penetration testing, vendor monitoring, and least-privilege access.
Breach readiness: Prepare to notify PDPC within 72 hours and individuals if high risk, with a 15-day outer limit where a delay is justified.
Training and records: Train staff and maintain records to evidence compliance during inspections.
How GENTLE LAW IBL helps
We provide one-stop PDPA programs: bilingual privacy notices, consent flows tailored to your stack, processor contracts, cross-border transfer assessments and BCR packages, DPO appointment and governance, breach readiness drills, and regulator response playbooks.
Conclusion and call to action
PDPA compliance in 2025 is manageable for foreign SMEs once you align your lawful bases, contracts, cross-border mechanisms, DPO oversight, and breach response. For an implementation sprint that produces publish-ready notices, DPAs, and a cross-border file aligned to the 2024 PDPC notifications, contact GENTLE LAW IBL.
📩 Book a consultation: https://gentlelawibl.com