The Personal Data Protection Act B.E. 2562 (2019), or PDPA, is a crucial law in Thailand aimed at protecting the personal data of citizens by establishing obligations for those involved in data processing, such as data controllers and data processors, to operate with responsibility, transparency, and due regard for data subjects' rights. However, in an era where data flows easily across borders through digital technology, the legislature did not intend to limit PDPA enforcement to operators with establishments within Thailand. The law extends beyond domestic boundaries so that it can effectively protect the rights of data subjects.
If any agency or operator falls under the following characteristics, such agencies or operators are obligated to comply with PDPA:
1. Data Controllers and Data Processors located in Thailand, regardless of whether they process data domestically or abroad
2. Those outside the Kingdom of Thailand who collect, use, or disclose personal data of data subjects located in Thailand, where such activities are for the purpose of:
Item 1 covers cases where data controllers or data processors are legal entities registered in Thailand or have establishments in Thailand. Even if they collect and use customer data abroad, such operators remain subject to PDPA enforcement.
Item 2, meanwhile, covers cases where Thailand's PDPA extends its jurisdiction to foreign data controllers and data processors, namely business operators located outside the Kingdom, such as e-commerce platforms (Amazon, Shein, Temu) or social media platforms (X, Facebook). If these foreign operators collect and use the personal data of persons residing in Thailand for the purposes specified by PDPA, they must comply with PDPA.
When Thailand's PDPA applies to business operators located outside the Kingdom who are data controllers or data processors, these operators must fulfill the following obligations under Section 37 (data controllers) and Section 40 (data processors) of PDPA:
Data controllers outside the Kingdom (Section 37):
1. Security Measures: Must establish appropriate security measures to prevent unauthorized access, use, alteration, or disclosure of personal data, and must review these measures when necessary or when technology changes, in accordance with minimum standards set by the Commission
2. Third-Party Data Sharing: When providing personal data to persons or legal entities other than data controllers, must have measures to prevent unauthorized or improper use or disclosure by such persons
3. Data Deletion System: Must have a monitoring system to delete or destroy personal data when the retention period expires, or when data becomes irrelevant, excessive, upon data subject request, or upon consent withdrawal, except where exemptions apply
4. Breach Reporting: Must report personal data breaches to the Personal Data Protection Committee Office within 72 hours, or notify data subjects if the breach poses high risk
5. Representative Appointment: Must appoint a representative in Thailand to serve as a contact point with data subjects and the Personal Data Protection Committee Office
Data processors outside the Kingdom (Section 40):
1. Processing Restriction: Must carry out activities related to collecting, using, or disclosing personal data only according to instructions received from the data controller, except when such instructions violate the law or the personal data protection provisions of PDPA
2. Security Measures: Must establish appropriate security measures to prevent loss, unauthorized access, use, alteration, modification, or disclosure of personal data, and notify the data controller of any personal data breaches
3. Record Keeping: Must prepare and maintain records of personal data processing activities according to criteria and methods announced by the Commission
4. Representative Appointment: Must appoint a representative in Thailand to serve as a contact point with data subjects and the Personal Data Protection Committee Office
There are no direct rules about which types of foreign business need representatives. However, foreign companies must appoint a representative when they meet all of the following conditions:
1. Must be a data controller or data processor outside the Kingdom, meaning not registered as a legal entity under Thai law and having no branch established in Thailand
2. Must process data of data subjects residing in the Kingdom of Thailand
3. Processing activities must constitute offering goods and services to data subjects in Thailand (whether payment is involved or not) or monitoring behavior of data subjects located in Thailand
4. Must not be a government agency as announced by the Personal Data Protection Committee (PDPC)
5. Must process sensitive data under Section 26 or process large amounts of data under Section 41(2)
If a corporation located outside the Kingdom falls under the above cases, it is obligated to appoint a representative in the Kingdom of Thailand by preparing an appointment document granting unlimited authority to act on behalf of the operator regarding personal data processing according to the operator's stated purposes.
1. South Korea's Personal Data Protection Commission Fines Temu
On May 15, 2025, South Korea's Personal Information Protection Commission (PIPC) decided to fine Whaleco Inc., owner of the well-known e-commerce platform Temu, approximately 1.386 billion won (32 million baht) for violating South Korea's Personal Information Protection Act (PIPA). The penalty resulted mainly from Temu transferring the personal data of South Korean users to China, Singapore, and Japan without notifying users or obtaining prior consent. Temu also failed to specify clear details in its privacy policy, neglected supervision of overseas personal data processors, and failed to appoint a domestic representative as required by law, despite having a large South Korean user base. Additionally, it established a complex seven-step account deletion process, creating barriers to the exercise of data subjects' rights.
2. Netherlands Data Protection Authority Fines Locatefamily.com
Locatefamily.com is a Canadian-based company whose website provides people search services, publishing the names, addresses, and phone numbers of many people, including EU citizens, without the data subjects ever giving consent. The company failed to appoint a representative in the European Economic Area (EEA) to handle personal data responsibilities as required by law. As a result, the Dutch Data Protection Authority (Dutch DPA) imposed a fine of 525,000 euros (20 million baht) plus additional penalties every two weeks for as long as it continues to ignore the representative appointment requirement.
Both example cases involve operators who, despite not having establishments in the countries where the laws were enacted, remain subject to those countries' personal data protection enforcement. This obligates operators to comply with established personal data protection standards, including the duty to appoint a domestic representative, similar to Thailand's PDPA, which applies not only to domestic data controllers and processors but extends its reach to those outside the Kingdom.
To ensure your business operations proceed efficiently, PDPA compliance is one factor that helps promote a good image and elevate your business reputation in the eyes of customers and service users. If you have questions about compliance with personal data protection law, Athentic Consulting is pleased to provide services that support your business operations seamlessly, with quality, and in alignment with today's data-centric business environment.
References
• South Korea fines China's Temu for user data violations
https://www.channelnewsasia.com/east-asia/south-korea-fine-china-e-commerce-temu-user-data-violation-5131996
• Dutch DPA imposes fine of €525,000 on Locatefamily.com
https://www.edpb.europa.eu/news/national-news/2021/dutch-dpa-imposes-fine-eu525000locatefamilycom_en
• Thailand’s Personal Data Protection Act