Compliance with Thailand's Personal Data Protection Act

In May 2019, Thailand joined the growing list of countries adopting a comprehensive privacy law, the Personal Data Protection Act, B.E. 2562 (2019) (PDPA). Although many of the principles and obligations under the PDPA were adapted from the EU's General Data Protection Regulation (GDPR), businesses operating in Thailand or handling the personal data of data subjects in Thailand should familiarize themselves with this new law and operationalize its requirements before the compliance date of May 28, 2020.

The PDPA adopts the concepts of "data controller" and "data processor" consistent with the GDPR and other privacy regimes. It also has broad extraterritorial scope. The PDPA applies to the collection, use, or disclosure of personal data by a data controller or a data processor that is in Thailand, regardless of whether such data collection, use, or disclosure takes place in Thailand or elsewhere. Its obligations extend to businesses outside of Thailand engaged in either of the following activities:

  • Offering of goods or services to individuals in Thailand, or
  • Monitoring the behavior of individuals in Thailand.

The PDPA prescribes data subject consent requirements, addresses the collection, use, and disclosure of personal data to third parties within and outside of Thailand, and provides penalties for violations, including civil penalties, administrative fines, and criminal liability. As in other privacy regimes, the PDPA permits a data subject to request access to his or her personal data and to submit requests to delete, destroy, or anonymize his or her personal data.

How CENTRL's Privacy360 helps:

  • Data Subject Rights Management module that automates the process from data subject request to fulfillment. Using tasks, workflows and connectors to systems, Privacy360 can find and report the PII data about a particular data subject. Privacy teams can then respond to the data subject using secure portal, within the stipulated time as per the regulation. The DSRM module supports all rights that the PDPA requires a company to comply with.
  • Consent and Preference module to manage the lifecycle of granular consent- from collection to withdrawal. Companies have the ability to create the consent choices, present to the data subjects and record the consent. This consent can then be propagated to third parties and other source systems.
  • Data Inventory and Mapping module that automates data mapping process using both eDiscovery and surveys. This is not only helpful to efficiently respond to data subject requests but also to useful to understand the type of personal data collected, the
  • Assessments and Third-Party Risk Management module to assess privacy risk across internal processes and third parties. Manage gaps and issues that that are identified during the process to reduce risk
  • Comprehensive analytics and privacy dashboard for DPOs and executives to monitor overall status

By using CENTRL's Privacy360, your organization can easily manage a multitude of templates, checklists and questionnaires while providing the control to monitor, evaluate and create audit reports allowing you to focus on the results instead of the process.

Read more about Privacy360, or contact sales of CENTRL's privacy solutions.

Learn how CENTRL can help your Privacy Compliance program

Related Privacy Compliance Links

Data Sheet




Privacy Program
Management Platform



Connect & integrate with other systems

Learn more