Last review date: January 2025

☒ omnibus – all personal data
☒ sector-specific — e.g., financial institutions, governmental bodies
☒ constitutional

Omnibus

Thailand's Personal Data Protection Act B.E. 2562 (2019) (PDPA), as a consolidated/omnibus law, was approved by the National Legislative Assembly in February 2019 and published in the Government Gazette in May 2019. It is the first consolidated legislation governing the collection, use, disclosure, and cross-border transfer of personal data, with extraterritorial effect. Following three-year-long postponements by the Thai Government due to the COVID-19 pandemic, the PDPA became fully effective on 1 June 2022.

Following the PDPA’s effective date, the Personal Data Protection Committee (PDPC) published several sub-regulations and guidelines. However, a number of draft sub-regulations are still under consideration.

Sector-specific

Personal data is regulated/restricted by sector-specific laws, which include the following:

• Telecommunications – The Notification of the National Broadcasting and Telecommunications Commission Re: Measures to Protect the Rights of Telecommunications Service Users Related to Personal Data, Rights to Privacy, and Liberty to Communicate through Telecommunications prescribes requirements for telecommunications license holders to collect, process, and maintain the personal data of their telecommunications users.
• Credit Bureau – The Credit Information Business Act B.E. 2545 (2002) was enacted with the following objectives: (i) to control credit bureau companies and credit information transactions; (ii) to protect the rights of data subjects; and (iii) to ensure that reliable information is given to processors of credit information.
• Child Protection – The Child Protection Act B.E. 2546 (2003) provides protection for children, including information about children under 18 years of age and their parents.
• Public Health – The National Health Act B.E. 2550 (2007) protects personal health information. Disclosure of such information in a manner that causes damage to data subjects is prohibited unless consent is obtained or specific exceptions apply.
• Banking and E-payment – The Payment System Act B.E. 2560 (2017) authorizes the Bank of Thailand to issue notifications that establish rules for the provision of regulated payment systems and regulated payment services, particularly concerning the retention and disclosure of personal data of service users.
• Insurance – The Notification of the Office of Insurance Commission (OIC) Re: Rules, Methods for Issuing and Offering of Non-life Insurance Policy for Sale and the Performing of Duty of Non-life Insurance Agent, Broker and Bank B.E. 2563 (2020); and the Notification of OIC Re: Rules, Methods for Issuing and Offering of Life Insurance Policy for Sale and the Performing of Duty of Life Insurance Agent, Broker and Bank B.E. 2563 (2020) specify that an organization, agent and broker must have systems and procedures for managing, storing, and protecting customers' data in accordance with data protection laws. In addition, the Notification of OIC Re: Personal Data Protection Guideline for Non-life Insurance Business B.E. 2564 (2021); The Notification of OIC Re: Personal Data Protection Guideline for Life Insurance Business B.E. 2564 (2021); and The Notification of OIC Re: Personal Data Protection Guideline for Loss Adjuster Business B.E. 2564 (2021) provide guidance, recommendations, and practices for personal data protection in insurance sector to ensure compliance with the PDPA.

Government Agencies – The Official Information Act B.E. 2540 (1997) protects the personal data of individuals in the possession or control of a state agency.

Constitutional

The right to privacy has long been recognized in the Thai legal system and upheld under the Thai Constitution. Therefore, a person shall have the right to be afforded protection against undue exploitation of their personal data, as provided by law.

Theoretically, any violation of the Thai Constitution that results in damage to others may constitute a wrongful act (a tort) under the Thai Civil and Commercial Code. However, to date, no court decision that interprets the provisions of the Constitution in this light has been issued.

Last review date: January 2025

• The Personal Data Protection Act B.E. 2562 (2019)
• Royal Decree Prescribing Characteristics, Businesses, or Organizations which are Exempted from the Personal Data Protection Act B.E. 2562 (2019) B.E.2566 (2023)
• Notification of the PDPC re: Exemption from Maintenance of Records Obligation of the Data Controller Which Is a Small Organization B.E. 2565 (2022)
• Notification of the PDPC re: Rules and Methods for Preparation and Maintenance of Records of Personal Data Processing Activities for the Data Processor B.E. 2565 (2022)
• Notification of the PDPC re: Security Measures of the Data Controller B.E. 2565 (2022)
• Notification of the PDPC on Rules and Methods of Personal Data Breach Notification B.E. 2565
• Notification of the PDPC re: Rules for Issuance of Orders of Expert Committee under the Personal Data Protection Act B.E. 2562 B.E. 2566
• Notification of the PDPC Re: the Data Controller and the Data Processor that Are Public Authorities Required to Appoint a Data Protection Officer B.E. 2566 (2023)
• Notification of the Personal Data Protection Committee Re: Personal Data Protection Officers under Art.41(2) of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023)
• Notification of the Personal Data Protection Committee Re: Security Measures of Personal Data for the Data Controller exempted from the Personal Data Protection Act B.E. 2562 (2019)B.E. 2566 (2023)
• Notification of the Personal Data Protection Committee Re: Suitable Measures for Collection of Personal Data for the Achievement of the Purpose relating to Historical Documents or Archives
• Notification of the Personal Data Protection Committee Re: Criteria for Protection of Personal Data for Cross-border Transfer under Art.28 of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023)
• Notification of the Personal Data Protection Committee Re: Criteria for Protection of Personal Data for Cross-border Transfer under Art.29 of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023)
• Notification of the Personal Data Protection Committee Re: Criteria on the Protection Measures for the Collection of Personal Data relating to Criminal Records which is not carried out under Control of Authorized Official Authority under the Law B.E. 2566
• Notification of the Personal Data Protection Committee Re: Appropriate Measures for the Collection of Personal Data for the Achievement of the Purpose relating to Research or Statistics under Section 24 (1) and the Scientific, Historical, or Statistic Research Purposes, or other

  Public Interests under Section 26 (5) (d) of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023)

• Notification of the Personal Data Protection Committee Re: Criteria on the Protection Measures for the Collection of Personal Data relating to Criminal Records which is not carried out under Control of Authorized Official Authority under the Law B.E. 2566 (2023)
• Announcement of the Personal Data Protection Committee on the Master Plan for the Promotion and Protection of Personal Data in the Country B.E. 2567 – 2570 (2024 – 2027)
• Notification of the PDPC re: Criteria for Determining Administrative Fines by the Expert Committee (No. 2) B.E. 2567 (2024)
• Notification of the PDPC re: Criteria for Deletion or Destruction or De-identification of Personal Data B.E. 2567 (2024)
• Notification on the exemption to maintain the Record of Processing Activities of Data Controller who is a small organization B.E. 2567 (2024)
• Notification on the exemption to maintain Record of Processing Activities Data Processor which is a small organization B.E. 2567 (2024)
• Rules of the PDPC re: the Filing, Refusal of Acceptance, Dismissal, Consideration, and Timeframe for the Consideration of the Complaints B.E. 2565
• Operational Guideline Re: Obtaining Consent from Data Subjects under the PDPA
• Operational Guideline re: the Notification of the Purposes and Details of Collection of Personal Data from the Data Subjects under the PDPA
• Guideline for Data Controllers and Data Processors: Case Studies from Consultation Concerning Enforcement of the Personal Data Protection Act B.E. 2562
• The Notification of the National Broadcasting and Telecommunications Commission Re: Measures to Protect Telecommunications Users, Data Privacy, Privacy Rights and Freedom of Communications
• The Credit Information Business Operation Act B.E. 2545 (2002)
• The Child Protection Act B.E. 2546 (2003)
• The National Health Act B.E. 2550 (2007)
• The Payment System Act B.E. 2560 (2017)
• The Notification of the Bank of Thailand SorGorSor2. 4/2563 re: Market Conduct Rules
• The Notification of the Office of Insurance Commission Re: Rules, Methods for Issuing and Offering of Non-life Insurance Policy for Sale and the Performing of Duty of Non-life Insurance Agent, Broker and Bank B.E. 2563 (2020)
• The Notification of the Office of Insurance Commission Re: Rules, Methods for Issuing and Offering of Life Insurance Policy for Sale and the Performing of Duty of Life Insurance Agent, Broker and Bank B.E. 2563 (2020)
• The Notification of the Office of Insurance Commission Re: Personal Data Protection Guideline for Life Insurance Business B.E. 2564 (2021)
• The Notification of the Office of Insurance Commission Re: Personal Data Protection Guideline for Non-life Insurance Business B.E. 2564 (2021)
• The Notification of the Office of Insurance Commission Re: Personal Data Protection Guideline for Loss Adjuster Business B.E. 2564 (2021)
• The Official Information Act B.E. 2540 (1997)

Last review date: January 2025

• The Cybersecurity Act B.E. 2562 (2019)
• The National Cybersecurity Committee Notification re: Policy and Plan on Maintaining Cybersecurity (B.E. 2565-2570) (2022-2027)
• The Cybersecurity Regulating Committee Regulation re: Delegation of Power to Critical Cyber Threat Committee B.E. 2565 (2022)
• Office of the Prime Minister Notification re: Appointment of Competent Officials Under CSA B.E. 2566 (2023)
• The National Cybersecurity Committee Notification re: Establishment, Duties, and Authority of National Computer System Security Coordination Center B.E. 2564 (2021)
• The National Cybersecurity Committee Notification re: Characteristic, Duties, Responsibilities of the Computer System Security Coordination Center for Critical Information Infrastructure Organizations and Relevant Tasks of Services B.E. 2564 (2021)
• The National Cybersecurity Committee Notification re: Prescribing Criteria and Types of Organizations with Tasks or Services as Critical Information Infrastructure Organizations and Assigning Control and Regulation B.E. 2564 (2021)
• The Cybersecurity Regulating Committee Notification re: Code of Practice and Standard Framework for Maintaining Cybersecurity for Government Agency and CII B.E. 2564 (2021)
• The National Cyber Security Committee Notification re: Characteristics of the Cyber Threats, the Measures to Prevent, Cope with, Assess, Suppress, and Suspend the Cyber Threats in Each Level B.E. 2564 (2021)
• The Cybersecurity Regulating Committee Notification re: Rules and Procedures for Reporting Cyber Threats B.E. 2566 (2023)
• The National Cybersecurity Agency Notification re: Criteria and Rates of Fees, Maintenance Fees, Remuneration, and Service Fees for Operations B.E.2566 (2023)
• The National Cybersecurity Committee Notification re: Standard and Guideline for Promoting and Developing the Cybersecurity related Service System B.E. 2566 (2023)
• The National Cybersecurity Committee Notification re: Minimum Standard of Data or Information System B.E. 2566 (2023)
• The National Cybersecurity Committee Notification re: Standard for Determining Cybersecurity Characteristics for Data or Information Systems B.E. 2566 (2023)
• The National Cybersecurity Agency Notification re: Guideline for the Preparation of Cybersecurity Plan B.E. 2567 (2024)
• The Cybersecurity Regulating Committee Notification re: Duties of the Critical Information Infrastructure Organization and Regulator B.E. 2567 (2024)
• The National Cybersecurity Committee Notification re: Measures and Guidelines for Improving Skills, Knowledge, and Expertise in Cybersecurity B.E. 2567 (2024)
• The National Cybersecurity Committee Notification re: Cybersecurity Standards for Cloud Systems B.E. 2567 (2024)
• The National Cybersecurity Agency Notification re: Guideline for Determining Cybersecurity Characteristics for Data or Information Systems B.E. 2567 (2024)

Last review date: January 2025

In Thailand, there are some key laws and regulations relating to non-personal data per the list below:

1. The Official Information Act B.E. 2540 (1997) imposes obligations on government authorities regarding information in their possession or control. This includes information related to the operations of government authorities or the private sector, which may be both non-personal data and personal data.
2. The Credit Data Business Operation Act B.E. 2545 (2002) governs businesses related to credit information, particularly the use of information pertaining to credit data or credit scoring. This information includes non-personal data, such as approved loans, loan payment history, payment history for goods and services through credit cards, and account status.
3. The National Cybersecurity Committee Notification re: Cybersecurity Standards for Cloud Systems B.E. 2567 (2024) governs the use of cloud services by organizations subject to the Cybersecurity Act. The use of cloud services could include hosting both non-personal data and personal data of such organizations. It imposes specific obligations on both cloud users and cloud service providers, particularly concerning the security of cloud services.

Last review date: January 2025

Yes. The PDPC recently held a public hearing on additional draft sub-regulations. The comments from the public hearing will be considered before the PDPC officially publishes the new sub-regulations in the Royal Gazette. Once all sub-regulations are issued, this should give more clarity on compliance with the PDPA. Currently, the PDPC has issued more sub-regulations to supplement the PDPA and there are still some pending draft sub-regulations. On 8 January 2025, the Notification on Exemption to maintain Records of Processing Activities (RoPAs) of Data Controller and the Notification on Exemption to maintain RoPAs of Data Processor were published officially as law in the Government Gazette. The Notification on Exemption to maintain RoPAs of Data Controller will come into force on 8 April 2025 while the Notification on Exemption to maintain RoPAs of Data Processor recently came into force on 9 January 2025.

In addition, as the protection of personal data has become a focus of the new government in Thailand, the PDPC is likely to take more active enforcement measures in 2025.

Furthermore, as of December 2024, there have been no further updates on the Draft Public Information Act B.E. ("Draft Act"). The Draft Act, which has been under consideration by the Parliament since 2023, aims to allow the public to conveniently access information or news from the government sector. It is proposed as an amendment and development to replace the existing Official Information Act B.E. 2540 (1997) once it is officially issued.