Yes, the Personal Data Protection Act B.E. 2562 (2019) ("PDPA") governs data privacy in general in Thailand. Under the PDPA, a financial institution would be deemed a data controller where it has the authority and duty to make decisions regarding the collection, use or disclosure of the personal data. The cloud service provider would be deemed a data processor under the PDPA where it processes and hosts personal data on behalf of and/or under the instructions of the data controller, and does not have the power and duty to makes its own decisions regarding the collection, use or disclosure of such personal data.

According to Section 40 para. 3 of the PDPA, the data controller is required to put in place a contract with the data processor to control the activities carried out by the data processor in accordance with the latter’s duties under the PDPA.