Thailand’s PDPA Compliance For Foreign SMEs: A Practical 2025 Guide

  • Writer: gentlelawlawfirm
  • Aug 10
  • 4 min read

Thailand fully enforced the Personal Data Protection Act in 2022. Since then the regulator has issued detailed sub-regulations on breach notification, cross-border transfers, security measures, and record-keeping. If you are a foreign-owned SME in Thailand, PDPA compliance is mandatory. Non-compliance can bring administrative fines, civil damages, and in certain cases criminal penalties.

What is the PDPA and who does it apply to

Thailand’s PDPA governs how businesses collect, use, disclose, and retain personal data of individuals. It applies to data controllers and data processors in Thailand and to some foreign operators that target or monitor people in Thailand. The law has been fully enforceable since June 1, 2022.

Key definitions you must know

  • Personal data: information relating to an identified or identifiable person.

  • Sensitive data: for example health, biometric, trade union membership, or religious data. Processing requires a higher threshold.

  • Data controller: decides purposes and means of processing.

  • Data processor: processes data for the controller.

  • Data subject: the individual whose personal data is processed.

These terms follow Section 6 and following of the PDPA. Authoritative summaries are consistent across leading commentaries.

Lawful bases you can rely on

A controller must have a lawful basis such as consent, contract necessity, legal obligation, vital interests, public interest, or legitimate interests subject to safeguards. Sensitive data needs explicit consent or a specific legal exemption.

PDPA compliance in Thailand for foreign SMEs: core obligations

Use this checklist to structure your PDPA compliance program as a foreign SME in Thailand.

  1. Transparency and notices: Provide a clear privacy notice at or before collection. State purposes, retention period, recipients, rights, and contact details for privacy queries. For data obtained from other sources, Thai practice expects timely notice and consent in line with PDPA Section 25.

  2. Security measures: Implement appropriate technical and organizational measures under the PDPC Security Measures Notification and maintain evidence of implementation.

  3. Records of processing: Controllers must normally keep a Record of Processing Activities (ROPA). Small businesses are exempt in many cases, but Government Gazette notifications published in January 2025 clarify the scope of the exemption and the position of processors. Exemptions do not apply if a DPO must be appointed or in certain higher-risk scenarios. Verify your status before relying on an exemption.

  4. Breach notification: Notify the PDPC without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms. Notify affected data subjects without undue delay where there is a high risk. The PDPC issued detailed criteria and forms in December 2022.

  5. Data subject rights: Set up workflows for access, rectification, erasure, restriction, portability, and objection. Thai practice commonly applies a 30-day response period. Document outcomes and the reasons for any refusal.

  6. Cross-border transfers: Section 28 requires adequate protection in the recipient country or approved safeguards. On December 25, 2023 the Government Gazette published cross-border rules covering binding corporate rules and standard contractual clauses frameworks for Thailand. Map your transfers and implement the approved mechanism.

  7. Data Protection Officer where required: Appoint a DPO if you are a public authority, process data that requires regular monitoring on a large scale, or process sensitive data on a large scale. This duty applies to controllers and processors that meet the threshold.

Practical roadmap for SMEs

  1. Data mapping: inventory all personal data, systems, processors, and transfers.

  2. Gap analysis: compare your practices against PDPA and sub-regulations.

  3. Policy suite: privacy notice, consent language, retention and deletion standard, incident response plan, cross-border transfer clauses.

  4. Contracts: update vendor DPAs so processors report breaches without delay and support your 72-hour window.

  5. Rights handling: standard operating procedures to log, verify, and respond within 30 days.

  6. Security controls: access control, encryption at rest and in transit, logging, and periodic testing per PDPC Security Measures.

  7. Training and audits: train staff at least annually and run internal audits.

  8. Cross-border governance: adopt PDPC-compatible clauses or BCRs where needed.

Frequent pitfalls we fix for clients

  • Using bundled or pre-ticked consent boxes that are not valid under PDPA consent standards.

  • Missing 72-hour breach reporting and lack of incident playbooks.

  • Assuming SME status always removes ROPA duties even when a DPO is required.

  • Not updating legacy marketing lists collected before 2022 with proper notices and consent.

Penalties in brief

Administrative fines can reach up to THB 5 million depending on the violation. Civil damages may include punitive damages up to twice the actual damage, and certain unlawful disclosures can carry criminal penalties. Thai authorities have begun enforcing these rules in practice.

How GENTLE LAW IBL helps

We deliver one-stop PDPA programs for foreign-owned SMEs in Thailand: data mapping, policy drafting, consent and cookie flows, contract updates, cross-border transfer solutions, breach readiness, and ongoing compliance audits. Our approach is legal first and conversion friendly so your privacy UX supports growth.

Call to action

Ready to make PDPA compliance in Thailand for foreign SMEs smooth and strategic? Book a PDPA strategy session with GENTLE LAW IBL at gentlelawibl.com.
