
Thailand PDPA compliance 2025 for SMEs: cross-border transfers, DPO rules, and breach reporting

  • Writer: gentlelawlawfirm
  • Nov 4, 2025
  • 5 min read

Introduction

Thailand’s PDPA has been fully enforceable since 2022 and regulators have continued to clarify key obligations. For 2025, three areas drive most audit and enforcement risk for SMEs: cross-border transfers, Data Protection Officer (DPO) appointment, and personal data breach notification. Two PDPC notifications on international transfers took effect March 24, 2024, detailing when you need adequacy, when BCRs exempt you from adequacy, and how appropriate safeguards like Standard Contractual Clauses can lawfully support transfers.


The legal foundation at a glance

  • Cross-border transfers.

    • Section 28 requires an adequate protection standard in the destination country or organization, assessed against PDPC criteria.

    • Section 29 provides alternatives. Transfers within a group can rely on Binding Corporate Rules that are reviewed and certified by the PDPC. Otherwise, use appropriate safeguards such as SCCs, certifications, or state agreements, as specified in the PDPC notification.

  • DPO appointment. A 2023 PDPC notification clarifies that a DPO is required when core activities involve regular monitoring and large scale processing. The notification entered into force December 13, 2023.

  • Breach notification. Controllers must notify the PDPC without undue delay and, where feasible, within 72 hours of becoming aware of a breach. If a delay is unavoidable, a written explanation should be made within 15 days. Notify affected individuals without undue delay if there is likely high risk.

  • Controller obligations and scope. The PDPA applies to organizations processing personal data in Thailand or of Thai data subjects, including foreign entities targeting Thai residents.

Thailand PDPA compliance 2025 checklist


1) Map data and identify transfers

Catalogue systems, vendors, and any cross-border transfers. If data leaves Thailand, determine whether the destination has adequate protection under Section 28 or whether you will rely on Section 29 options. Keep documentary evidence of your legal basis.


2) Choose the right transfer mechanism

  • Binding Corporate Rules (group transfers). Use BCRs for intra-group transfers if you can secure PDPC review and certification. This exempts you from the adequacy requirement once approved.

  • Appropriate safeguards (most vendors). Use SCCs or other safeguards that meet PDPC criteria. PDPC materials accept ASEAN Model Clauses and EU SCCs if adapted within limits and aligned to the Thai notifications. Document how your clauses meet each PDPC element.

3) Assess whether you must appoint a DPO

Apply the PDPC criteria: the processing is a core activity, involves regular monitoring such as tracking or profiling, and is on a large scale. Document your analysis, name your DPO if required, and publish the DPO contact to data subjects and the Office as Section 41 expects.

4) Build a breach response that meets Thai timelines

Implement a 24x7 triage process. Notify the PDPC within 72 hours when feasible, and explain any delay within 15 days. Where a breach is likely to cause high risk to individuals, notify affected data subjects without undue delay. Keep decision logs.


5) Update privacy notices, consent, and processor contracts

Ensure privacy notices cover Thai-specific disclosures and that data processing agreements reflect PDPA duties, security, and sub-processor control consistent with PDPC guidance and the new transfer rules.


6) Maintain records and prove compliance

Maintain records of processing and training. Align security controls to your risk profile and vendor landscape because recent PDPC enforcement has targeted inadequate safeguards and weak processor oversight.

Cross-border transfer playbook for SMEs

When to use adequacy under Section 28

If the PDPC identifies countries or organizations with adequate standards, transfers can rely on Section 28. The PDPC sets factors for adequacy such as enforceable rights, remedies, and functioning supervisory bodies.

When to use Section 29 alternatives

  • BCRs for affiliated groups once reviewed and certified by the PDPC.

  • Appropriate safeguards like SCCs, certifications, or state instruments, provided they meet PDPC criteria. ASEAN Model Clauses and EU SCCs are referenced as usable standards if kept within prescribed limits.

Practical tip: For most SME vendor relationships, start with SCCs aligned to the Thai notification, add a transfer impact assessment that addresses enforcement and data subject rights, and maintain an audit trail of security and breach co-operation obligations.

DPO decision guide you can defend

  • Trigger test. Core activity + regular monitoring + large scale. Examples in PDPC materials include behavioral advertising, ongoing risk scoring, and multi-site security monitoring.

  • Timing and publication. The DPO notification took effect December 13, 2023. Publish DPO contact details to data subjects and the Office, and ensure the DPO is reachable for rights requests.

  • Outsourcing. The DPO may be internal or an external service provider, but conflicts must be managed and independence preserved.

Breach reporting in Thailand: timelines and content

  • Notify the PDPC without undue delay and where feasible within 72 hours of becoming aware. If you cannot meet 72 hours, submit reasons for the delay within 15 days.

  • Notify individuals without undue delay if there is likely high risk.

  • What to include. Nature of the breach, affected data, potential impacts, remedial actions, and DPO contact. Keep risk assessments and evidence of containment actions.


FAQs

Do Thailand PDPA compliance 2025 rules require using Thai-issued model SCCs?

No official Thai model SCCs are required. The PDPC notifications accept appropriate safeguards including SCCs, and allow ASEAN Model Clauses or EU SCCs when adapted within PDPC limits.

If my group has BCRs, do I still need adequacy?

No. PDPC-certified BCRs allow transfers within the group without relying on Section 28 adequacy.

We are a small SaaS reseller. Do we need a DPO?

Only if your core processing involves regular monitoring on a large scale. Use the PDPC criteria and examples to assess and document your decision.

What if a vendor suffers a breach?

Your contract should require the processor to notify you promptly and to cooperate. You remain responsible for PDPC notification within the Thai timeline and for notifying affected individuals when required.

How GENTLE LAW IBL implements Thailand PDPA compliance 2025

  • Transfer design. We map destinations, select SCCs or BCRs, and tailor clauses to align with PDPC notifications and ASEAN or EU standards.

  • DPO threshold and setup. We run a written DPO trigger analysis, appoint or outsource the DPO, and publish contact channels for regulators and data subjects.

  • Breach readiness. We create a minute-by-minute playbook that satisfies 72-hour reporting and the 15-day delay explanation rule, plus templates for notices to individuals.

Call to action

If you want a practical program for Thailand PDPA compliance 2025, GENTLE LAW IBL can design your transfer mechanism, set up your DPO, localize SCCs, and implement a breach protocol that meets Thai timelines.

Book a consultation: https://www.gentlelawibl.com

