
Personal Data Protection Act B.E. 2562 (2019)

Legal Principles, Conceptual Framework, and Practical Enforcement Challenges

The rapid development of information technology and the digital economy has transformed personal data into a crucial economic and social resource. At the same time, risks associated with violations of personal data rights have increased significantly.

In response, Thailand enacted the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), establishing a comprehensive legal framework for the protection of personal data and elevating Thailand’s data protection standards to align with international practices.

The PDPA was published in the Royal Gazette on 27 May 2019. Its institutional provisions took effect the following day, while the operative chapters on data protection, data subject rights, complaints, and penalties were originally scheduled to apply one year after publication and, after two postponements by Royal Decree, came fully into force on 1 June 2022. The Act establishes an institutional structure, regulatory mechanisms, data subject rights, and legal sanctions to ensure effective protection of personal data.

Personal Data

Personal Data refers to any information relating to an individual that enables the identification of that individual, whether directly or indirectly, such as name, address, or telephone number. However, it does not include data relating to deceased persons.

The underlying principle of the PDPA is the protection of individual rights and freedoms, which, under general legal doctrine, cease upon the death of the individual. Consequently, information relating to deceased persons is not protected under the PDPA.

Sensitive Personal Data

Sensitive Personal Data refers to special categories of personal data which, if collected, used, or disclosed improperly, may affect the dignity, rights, freedoms, safety, or equality of the data subject. These categories therefore receive a higher level of legal protection.

Examples include:

  • Race or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Sexual behavior or orientation
  • Criminal records
  • Health data, including disability information
  • Trade union membership
  • Genetic data
  • Biometric data (e.g., fingerprints, facial recognition, iris scans, voice recognition)

From a legal theory perspective, such data is considered sensitive because it may be used to discriminate against individuals, undermine human dignity, or negatively affect an individual’s social, economic, or employment opportunities.

Therefore, the law does not allow reliance on general or implied consent for the processing of sensitive personal data. The collection, use, or disclosure of such data is permitted only with the data subject's explicit consent, or under one of the specific exceptions provided by the Act.

Conceptual Foundations and Objectives of the PDPA

The Personal Data Protection Act B.E. 2562 is designed around three fundamental principles, reflecting structural changes in the Thai legal system to address challenges posed by the digital society:

  1. Protection of individual rights and freedoms
  2. Establishment of accountability for data users
  3. Balancing data protection with legitimate economic and public interests

Protection of Individual Rights and Freedoms

The core principle of the PDPA is the recognition that personal data is not merely technical information but is closely connected to human identity, dignity, and privacy.

Improper collection, use, or disclosure of personal data may lead to violations of fundamental rights, including:

  • the right to privacy
  • the right to reputation
  • the freedom to conduct one’s life

The PDPA therefore empowers data subjects by granting rights to access, rectify, erase, restrict, and object to the processing of their personal data, reinforcing the concept that individuals should remain at the center of data protection (data subject–centric approach).

Accountability of Data Users

The PDPA shifts the regulatory focus from reliance solely on consent toward accountability of data controllers and data processors.

Data users must demonstrate that data processing activities are:

  • lawful
  • necessary
  • supported by appropriate safeguards

The Act imposes obligations such as:

  • implementing appropriate data security measures
  • maintaining records of processing activities
  • notifying data breach incidents to the Office of the Personal Data Protection Committee without delay and, where feasible, within 72 hours of becoming aware of them
  • appointing a Data Protection Officer (DPO) where the Act requires one

This shift reflects a conceptual transformation whereby organizations move from being mere recipients of consent to becoming entities accountable for the consequences of data processing.

Balancing Data Protection with Economic and Public Interests

The PDPA does not seek to excessively restrict the flow of information or hinder economic development. Instead, it acknowledges that data processing is essential for:

  • business operations
  • public administration
  • service delivery

Accordingly, the law allows data processing based on legal grounds other than consent, such as:

  • contractual necessity
  • legal obligations
  • legitimate interests

However, such processing must not disproportionately infringe upon the rights and freedoms of data subjects.

Structure of Relationships Between Parties in Personal Data Processing

The PDPA framework is based on the relationship among three primary actors:

  1. Data Subjects
  2. Data Controllers
  3. Data Processors

Each actor holds distinct legal status, duties, and responsibilities.

Data Subject

A Data Subject is a natural person who can be identified, directly or indirectly, from personal data.

Such data may include:

  • basic information (name, address, phone number)
  • behavioral information
  • technical or digital data
  • other information that may be linked to an identifiable individual

From a legal theory perspective, the concept of the Data Subject reflects the principle that personal data forms part of an individual’s identity and dignity.

Accordingly, data subjects are not merely information providers but rights holders, possessing rights such as:

  • the right to be informed
  • the right to access and control personal data
  • the right to object or withdraw consent

Data Controller

A Data Controller refers to a person or legal entity that determines the purposes and means of collecting, using, or disclosing personal data.

Examples include:

  • private companies
  • government agencies
  • employers
  • hospitals
  • financial institutions
  • digital platform operators

The Data Controller is considered the center of legal responsibility under the PDPA.

Responsibilities include:

  • implementing security measures
  • maintaining records of processing activities
  • notifying data breaches
  • facilitating the exercise of data subject rights

Data Processor

A Data Processor refers to a person or entity that processes personal data on behalf of the Data Controller, without determining the primary purpose of data processing.

Examples include:

  • IT service providers
  • cloud service providers
  • payroll processing services
  • outsourced data processing companies

Although Data Processors act under instructions from Data Controllers, they still bear certain legal obligations, such as:

  • complying with controller instructions
  • implementing security safeguards
  • promptly notifying the Data Controller of data breaches

Scope of Application and Extraterritorial Effect

The PDPA is not limited to activities conducted solely within Thailand. Instead, it has extraterritorial application, reflecting the global nature of data flows in the digital economy.

The Act applies to:

  1. Data controllers or processors located in Thailand, regardless of whether the data processing occurs domestically or abroad.
  2. Data controllers or processors located outside Thailand, if their activities relate to data subjects located in Thailand, particularly when they:
  • offer goods or services to individuals in Thailand, whether payment is required or not, or
  • monitor the behavior of individuals in Thailand (e.g., website tracking, consumer behavior analysis, or profiling).

This extraterritorial effect reflects the global principle that data protection should follow the data subject rather than the location of the data processor.

Conclusion

The PDPA represents a paradigm shift from “free use of data” toward “responsible data governance.”

Understanding the PDPA both in terms of its legal principles and its practical enforcement mechanisms is therefore essential for protecting individual rights while ensuring lawful and responsible data processing within the digital economy.

Disclaimer

This article is prepared solely for general informational purposes and does not constitute legal advice. The information contained herein may not be comprehensive and may not reflect the most current legal developments. Readers should not rely on this article as a substitute for professional legal advice, which must be based on the specific facts and circumstances of each individual case. The publication or use of this article does not create a lawyer–client relationship. All rights reserved under the Copyright Act B.E. 2537 (1994).

Author: Pinprapus Chartikavanich
Date: 16 January 2026
