Search for:

After numerous attempts over almost two decades (please see our series of client alerts below), the Thailand Personal Data Protection Act was finally approved and endorsed by the National Legislative Assembly on 28 February 2019 (“PDPA“). The PDPA will be submitted for royal endorsement and subsequent publication in the Government Gazette.

This PDPA will change the landscape of personal data protection in Thailand. While the Thai Constitution upholds the right to privacy, Thailand did not have any consolidated law governing data protection in general before. There are only specific laws in certain business sectors, such as telecommunications, healthcare, banking, and credit bureau. The PDPA will become the very first consolidated law generally governing data protection in Thailand.

There are several key points under the PDPA that businesses should be aware of, namely extraterritorial applicability, data subject notification requirements, consent requirements, consent of minors, restrictions and exemptions for the collection, use, disclosure, and cross-border transfer of personal data, explicit consent requirements for sensitive data and exemptions related thereto, data subjects’ rights, security measures, data breach and its notification, records of processing activities, representatives of controllers or processors who are not established in Thailand, data protection officers (DPO), exemptions from cross-border transfer requirements for transfers within the same business group, prescribed criminal and administrative penalties, and actual and punitive damages for civil liability.

Although the PDPA has drawn various concepts from the EU General Data Protection Regulation (GDPR), the PDPA also reflects concepts developed from Thai perspectives. Compliance with the GDPR does not necessarily mean compliance with the PDPA. Therefore, careful examination is crucial in order for companies to fully comply with the PDPA and GDPR.

While the final version of the PDPA has not yet been published in the Government Gazette (as of the date of this client alert), it is expected to be officially announced soon. After publication on the Government Gazette, business entities will have a transition period to prepare for compliance with the PDPA. As the PDPA will apply to most entities both onshore and offshore (with limited exemptions), we urge all entities to start reviewing their personal data related activities (e.g. customer data, supplier data, employee data, billing and payment documents), conducting data classification, data mapping, preparing personal data related documents, and other necessary steps for full compliance with the PDPA once it comes into effect.

For more information, please contact our team at Baker McKenzie.

Our Previous Client Alerts on Data Protection

Date Title
September 2018 New draft Personal Data Protection Bill issued for public hearing – Substantial changes following GDPR
April 2018 New Draft Thai Personal Data Protection Bill – Extraterritorial Applicability Introduced
January 2018 Update: Public Hearing on the Thai Personal Data Protection Bill, including New Provisions
July 2015 Latest Developments on the Personal Data Protection Bill in Thailand
January 2015 Draft Laws under the Digital Economy Initiative



Dhiraphol Suwanprateep is a partner in Baker McKenzie's Bangkok office, where he is head of the IT/Communications Practice Group and co-head of the Intellectual Property Practice Group. Mr. Suwanprateep advises clients on government initiatives, particularly Thailand's Digital Economy Initiative which promotes the local ITC sector through strategies aimed at developing related infrastructure, accelerating innovation, and transforming the country's economy into one that is based on digital technologies. His work also involves advising on the amended Computer Crime Act which increases penalties for cyber crimes. He is also a regular commentator and contributor to local, regional and global media on the government's proposed initiatives and frequently participates in local community engagements throughout the country. Dhiraphol joined Baker McKenzie in 1987 and became a partner in 1992.


Pattaraphan joined Baker McKenzie in 2011 and is a Partner in the Intellectual Property and Technology practice. Before joining Baker McKenzie, she worked at the National Broadcasting and Telecommunications Commission (NBTC) as a legal officer. Pattaraphan is also one of the very few Thai lawyers that is a Certified Information Privacy Professional/Europe (CIPP/E).


Kritiyanee joined Baker McKenzie in 2013 and is a partner in the Intellectual Property and Technology practice. She has experience in data protection, cyber security, and complex technology matters.

Drafted the legal article “the Future is Now and Its Challenges Present: How to determine IP ownership and plan for regulatory compliance in the era of Artificial Intelligence (AI) and the Internet of Things (IoT) symbiosis” published in the Intellectual Property and International Trade Court Law Journal.

Drafted the legal article “Ready or not, Here It Comes - Blockchain and Its Legal Implications” published in the Intellectual Property and International Trade Court Law Journal: Special 20th Anniversary Issue.


Jenjira Yanprasart is an associate in Baker McKenzie's Bangkok office.