Who must comply with Thailand’s PDPA 2025 and what data does it cover?

Thailand’s PDPA applies to all organizations that collect, use, or disclose personal data of Thai residents, regardless of whether the business is based in Thailand or abroad. Covered entities include data controllers (who decide how and why data is processed) and data processors (who handle data on behalf of controllers). Personal data includes any information identifying an individual, while sensitive data covers areas like health, biometrics, and financial records. Cross-border data transfers are only allowed to countries with adequate protections or when explicit consent, contractual necessity, or urgent legal grounds exist.

What are the key PDPA enforcement actions and regulatory changes in 2025?

In 2025, Thailand’s PDPC significantly increased enforcement, issuing over THB 14.5 million in fines in a single month. Common violations include failure to appoint Data Protection Officers (DPOs), delayed breach notifications, and inadequate consent or security measures. Organizations are now subject to stricter compliance orders and public corrective actions. To stay compliant, businesses should review PDPC updates, follow the 10-point compliance checklist, audit their data programs, and train staff regularly.

How should businesses obtain and manage valid PDPA consent in 2025?

Valid PDPA consent must be clear, informed, and purpose-specific. Businesses should use plain language, provide granular opt-in choices, and allow easy withdrawal at any time. Consent must be recorded and securely stored. Children under 10 require parental consent. Alternatives to consent include contractual necessity, legal compliance, or protection of vital interests. Withdrawal processes should be as simple as giving consent, ensuring compliance and user trust.

What are the best practices for safe data collection under Thailand’s PDPA?

Under Thailand’s PDPA in 2025, best practices include collecting only data essential to the stated business purpose, using plain-language privacy notices, disclosing cookies clearly, and adapting policies for new technologies. Common compliance risks include over-collection of unnecessary data and vague or hidden privacy policies. Transparency, minimization, and proper documentation are critical for building trust and avoiding regulatory scrutiny.

What rights do individuals have under Thailand’s PDPA 2025?

Individuals have the right to access, rectify, erase, restrict, object to processing, request portability, and be informed about how their data is used. Organizations must respond to most requests within 30 days. Common compliance pitfalls include delays, incomplete responses, or lack of transparency. Using PDPA request templates and documented workflows helps businesses stay compliant while protecting individual rights.

What special PDPA protections apply to children and vulnerable groups?

Children under age 10 require parental or guardian consent before any data processing. Platforms and services targeting minors must validate consent, provide child-friendly privacy notices, and justify every data collection purpose. These safeguards are a priority in 2025, with regulators focusing on clear consent flows, documented protections, and transparent communication with families.

What are the breach notification requirements under Thailand’s PDPA 2025?

Organizations must notify the PDPC within 72 hours of most breaches. For serious breaches, regulators and affected individuals must be informed immediately. Notifications must describe the incident, its impact, and corrective measures. Full documentation of the response is required for regulator review, and clear communication with affected individuals is mandatory when high-risk exposure occurs.

What are the ongoing duties for DPOs and compliance under PDPA?

Data Protection Officers (DPOs) are required when organizations process large-scale or high-risk data. Their duties include overseeing compliance, training staff, preparing for audits, and maintaining updated documentation. The PDPC’s 10-point compliance checklist is essential for ongoing self-assessment. Continuous training and clear protocols help organizations remain compliant and resilient under PDPA.

What are the PDPA penalties and enforcement actions in 2025?

In 2025, penalties under Thailand’s PDPA include administrative fines, criminal charges for reckless violations, and civil lawsuits. Recent cases imposed fines exceeding THB 14.5 million for failures such as unreported data breaches and missing DPO appointments. Investigations are conducted through audits, complaint reviews, and inspections. Poor documentation, delayed breach alerts, and lack of staff training are common triggers for enforcement.

How does Thailand’s PDPA align with GDPR and other privacy laws?

Thailand’s PDPA shares key principles with the GDPR, including requirements for consent, DPO appointments, and cross-border transfer safeguards. Multinational businesses should align data transfer contracts, unify consent practices, and appoint DPOs responsible for both PDPA and GDPR compliance. Aligning PDPA with international standards helps reduce risks and ensures smooth cross-border operations.

What are the first steps businesses should take for PDPA compliance in 2025?

Businesses should start by identifying all personal data collected, mapping data flows across systems, and assigning a Data Protection Officer (DPO) where required. These foundational steps create clarity, reduce compliance risks, and prevent fines, which have already exceeded THB 14.5 million for unprepared businesses in 2025.

How does PDPA address third-party risks and sector-specific rules?

Under PDPA, data processors such as cloud providers and HR vendors must follow contractual obligations, but data controllers remain fully responsible for compliance. In regulated industries like finance, healthcare, and education, stricter data security and breach notification standards apply, with closer regulator scrutiny when sensitive data is involved.

What PDPA regulatory updates are expected in 2025?

In 2025, the PDPC is expected to release updated guidelines on cross-border data transfer adequacy and tailored compliance resources for SMEs. Organizations should act quickly in their first 30 days of PDPA preparation, establishing strong compliance foundations and scheduling regular reviews to remain aligned with evolving regulations.

Thailand’s PDPA Data Privacy Law: 2025 Guide

Thailand’s PDPA data privacy law triggered over THB 14.5 million in fines this month alone, spotlighting a new era of strict enforcement and rapid regulatory updates.

If your organization collects or uses data from Thai residents, there is no room for delay: active compliance is now monitored, with surprise audits and public corrective orders on the rise.

Thailand PDPA rules businesses data privacy

2025’s focus on sensitive data, international transfers, and the vital role of Data Protection Officers means every business owner, manager, and compliance lead must adapt quickly.

This guide will give you next-step clarity and actionable insights to protect your business and build trust under Thailand’s PDPA data privacy law.

Key Takeaways

PDPA compliance is mandatory for any organization handling personal data of Thai residents, including international businesses, with heightened protection for sensitive and children’s data.
2025 enforcement is escalating, with over THB 14.5 million in fines issued for failures like missing DPOs or delayed breach notifications, documented compliance and regular audits are now non-negotiable.
Valid consent must be clear, informed, and purpose-specific, requiring easy opt-out options and robust documentation, especially for children under 10 (parental consent required).
Data minimization and transparency are critical: collect only essential data, use simple privacy notices, and ensure mobile-friendly, accessible consent forms to limit regulatory risk.
Individuals have powerful data rights, including access, rectification, erasure, restriction, and portability; organizations must respond to most requests within 30 days using clear, tracked processes.
Effective breach response requires notifying the PDPC within 72 hours, documenting every action, and communicating promptly with affected individuals for high-risk exposures.
DPOs are essential for high-risk data activities, leading company-wide training, maintaining updated documentation, and using the PDPC’s 10-point checklist for ongoing compliance.
PDPA penalties include escalating fines, criminal liability, and civil claims; alignment with international standards (like GDPR) is vital for businesses operating across borders or handling cross-border data flows.

Thailand’s PDPA 2025: Scope and Key Updates
PDPA Consent and Data Collection
PDPA Data Subject Rights 2025
PDPA Breach Notification and Compliance Duties
PDPA Penalties and Global Alignment in 2025
FAQ: Thailand’s PDPA Data Privacy Law in 2025
Conclusion

Thailand’s PDPA 2025: Scope and Key Updates

Who must comply and what data is covered?

Thailand’s PDPA data privacy law covers any organization that collects, uses, or discloses personal data of Thai residents, whether based in Thailand or abroad.

The PDPA applies to:

Data controllers: entities that determine why and how data is processed
Data processors: entities that handle data on behalf of controllers

Personal data includes any information linked to an identifiable individual, while sensitive data spans health records, biometric data, and more.

Special rules protect children’s data, with parental consent required for anyone under 10.

For cross-border data transfers, new 2025 guidance highlights:

Transfers only allowed to countries with adequate standards
Exceptions for explicit consent, contracts, or urgent legal need

Access Thailand’s PDPC English portal for full guidance

2025 enforcement actions and regulatory changes

In 2025, enforcement has surged, with over THB 14.5 million in fines issued in August alone.

Key enforcement areas revealed by the PDPC include:

Failure to appoint Data Protection Officers (DPOs)
Missed or delayed breach notifications
Inadequate consent and security practices

The PDPC’s 10-point compliance checklist is the gold standard for organizational self-assessment. High-profile cases underscore the need for detailed breach plans and active compliance monitoring.

Organizations now face stricter orders and public corrective actions after investigations.

Businesses must stay alert: “Active enforcement and real penalties now make documented compliance non-negotiable.” The core actions: review PDPC updates, audit your data programs, and ensure all staff understand the latest requirements.

Ongoing awareness and use of the PDPC’s compliance checklist are the most effective means to minimize risk and demonstrate due diligence.

Clear, informed, and specific consent is a cornerstone of Thailand’s PDPA data privacy law in 2025.

To ensure valid consent, organizations must:

Use clear, accessible language for every request
Separate consent into granular, purpose-specific opt-in choices
Provide easy methods for withdrawal at any time
Record and securely store all consent documentation

Children’s data has additional requirements: for anyone under 10, parental or guardian consent is mandatory. Consent withdrawals must be as straightforward as initial consent, with organizations responding promptly.

Other lawful bases beyond consent include:

Contractual necessity
Compliance with a legal obligation
Protection of vital interests

Best practices for safe data collection and use

In 2025, the PDPC emphasizes data minimization and strict purpose limitation.

Effective compliance requires:

Collecting only data essential for the stated business purpose
Using plain-language privacy notices and cookie disclosures
Adapting procedures for technology-driven data collection to be transparent

Common risk points include:

Over-collecting unnecessary data
Using vague or hidden privacy notifications

A single unclear privacy notice can trigger regulatory scrutiny.

Awareness, clarity, and documentation are critical to mitigating risk and building trust under Thailand’s PDPA data privacy law.

PDPA Data Subject Rights 2025

Key rights and organizational response duties

Thailand’s PDPA data privacy law grants individuals a clear set of rights over their personal data, and organizations must respond promptly and accurately.

Key rights include:

Access: Review what data is held and how it is used
Rectification: Request corrections to inaccurate data
Erasure: Seek deletion of irrelevant or unlawfully kept data
**Restriction: **Limit processing under certain conditions
**Objection: **Oppose specific processing activities
Portability: Request transfer of data to another party
Right to be informed: Receive clear information at collection

Organizations must acknowledge or action most requests within 30 days, with common pitfalls including slow response times, lack of transparent processes, and incomplete documentation.

PDPA templates and best practices support efficient request management.

Special protections for children and vulnerable groups

Children under age 10 require documented parental or guardian consent before data processing.

Educational platforms, websites, and child-focused services must:

Validate consent mechanisms
Transparently inform children and guardians
Justify every data collection with clear processing purposes

Clear consent flows and targeted privacy policies empower families and reduce compliance risk.

This year, documentation of these safeguards will be a primary focus for inspections and audits.

Strong, prompt fulfillment of data subject rights is both an obligation and a trust-builder for any organization managing personal data in Thailand.

PDPA Breach Notification and Compliance Duties

2025 breach notification protocols

Timely breach notification is non-negotiable under Thailand’s PDPA data privacy law in 2025. Organizations must notify the PDPC within 72 hours for most breaches, but “serious” breaches require an immediate update to both the regulator and affected individuals.

Key requirements include:

Reporting the incident, impact, and corrective actions within the required timeframe
Documenting the entire response for regulator review
Communicating directly and clearly with data subjects in case of high-risk exposure

Explore practical breach guidance at Thailand Computer Emergency Response Team.

Ongoing duties for DPOs, training, and documentation

Data Protection Officers (DPOs) must be appointed whenever large-scale or high-risk data processing occurs and serve as main contacts for regulators and individuals.

Essential DPO duties now include:

Overseeing PDPA compliance across all business units
Leading staff training and awareness campaigns
Preparing for audits and updating compliance documentation regularly
Utilizing the PDPC’s 10-point checklist for ongoing self-assessment

In summary, strong protocols, an empowered DPO, and continuous training make organizations resilient and responsive under Thailand’s PDPA data privacy law.

PDPA Penalties and Global Alignment in 2025

Fines, investigations, and enforcement actions

Organizations face increasing penalties under Thailand’s PDPA data privacy law in 2025, with fines totaling over THB 14.5 million in recent months for failures like unreported data breaches and missing DPO appointments.

Key PDPA enforcement actions include:

Administrative fines (scaling with severity and intent)
Criminal charges for intentional or reckless violations
Civil liability, including personal and class action lawsuits

Recent enforcement has highlighted:

High-profile fines against public and private sector entities
Case examples: Unreported call center data leaks and negligent handling of cyber fraud led to large penalties and regulatory orders
Common triggers: Poor documentation, lack of staff training, and delayed breach alerts

The Personal Data Protection Committee (PDPC) investigates through audits, complaint reviews, and surprise inspections, emphasizing continuous organizational readiness. Timely cooperation with PDPC investigations is critical.

Thailand’s PDPA shares similarities with the GDPR on cross-border data transfers, consent standards, and DPO requirements.

For multinationals, compliance steps include:

Reviewing contracts for data transfer adequacy
Aligning consent mechanisms across jurisdictions
Appointing DPOs with responsibility for both regimes

Visit the European Data Protection Board for GDPR resources.

Effective PDPA risk management means organizations must stay alert to enforcement trends, align practices internationally, and ensure all staff can respond confidently to regulatory reviews.

FAQ: Thailand’s PDPA Data Privacy Law in 2025

Starting PDPA compliance in 2025 means acting quickly and getting the basics right. Most SMEs begin by:

Identifying all personal data collected, stored, or processed
Mapping data flows across business systems and third-party services
Assigning a PDPA lead or appointing a Data Protection Officer (DPO), where required

These steps ensure immediate clarity and help avoid fines that recently exceeded THB 14.5 million for unprepared businesses.

Third-party risks and sector-specific rules

Data processors (such as cloud providers or HR vendors) must follow contractual privacy requirements, but data controllers remain the main party responsible for compliance.

In certain sectors like finance, health, and education:

PDPC guidelines require stronger data security and detailed breach notification steps
Regulators prioritize cases where sensitive data is involved

This means regulated industries face closer scrutiny and stricter obligations.

Anticipating regulatory updates in 2025

For 2025, the PDPC is set to release:

Clarifications on cross-border adequacy for international data transfers
Enhanced compliance resources tailored to SMEs

Your first 30 days of PDPA preparation can set the foundation for long-term compliance and peace of mind. Immediate action and regular review are now essential for every organization handling personal data in Thailand.

Conclusion

Understanding Thailand’s PDPA in 2025 positions your organization for trust, resilience, and competitive advantage, turning compliance into opportunity rather than obligation.

To act now, review the PDPC’s latest compliance checklist, update all consent and breach notification processes, train every team member, and audit your cross-border data transfers. Each proactive step reduces risk and builds stakeholder confidence.

If you need tailored guidance, Themis Partner offers expert support from policy drafting to staff training, helping you meet every PDPA requirement with clarity and efficiency. Contact us today to secure your compliance and strengthen your business foundation.