We need to face it: While often seen as a bureaucratic burden and cost factor that many would prefer to avoid, personal data protection remains a global hot topic, with growing attention from governments worldwide. As European companies expand their operations into Thailand, understanding the country’s data privacy regulations is crucial for ensuring compliance with Thailand’s Personal Data Protection Act (PDPA).

The good news is that Thailand’s PDPA complies with international standards, including the EU’s General Data Protection Regulation (GDPR). For European businesses already navigating the complexities of GDPR compliance, this presents an opportunity to leverage their existing data protection frameworks. However, while the PDPA shares many similarities with the GDPR, it also has some substantial differences, which introduce unique challenges for European businesses operating in Thailand.

In this article, I will briefly outline the common ground and key differences between the PDPA and the GDPR, while addressing the challenges that (European) companies may face when conducting business in Thailand.

Common Grounds: Aligning PDPA with the GDPR

Both Thailand’s PDPA and the EU’s GDPR aim to protect personal data and privacy, ensuring responsible handling of information. The core principles of both laws are similar, including:

  • Legal Basis: The PDPA and the GDPR both require organizations to have a legal basis for processing personal data. Without this, data processing is prohibited.
  • Consent: Where no other legal basis applies, processing is lawful if companies obtain explicit, informed, and freely given consent from the data subject before collecting or processing personal data.
  • Data Subject Rights: Both laws give individuals the right to access, correct, delete, and object to data processing. However, the nature and scope of the requests for information, and in particular the relevant time limits, differ considerably in some cases. Companies must have procedures in place to handle these requests.
  • Data Protection Principles: Both emphasize data minimization, purpose limitation, and transparency. Data should only be collected for legitimate purposes and retained no longer than necessary.
  • Security Requirements: Both impose obligations to document data processing and to secure personal data through appropriate technical and organizational measures. This includes, for example, the obligation to maintain a record of personal data processing activities, to implement appropriate technical security measures, and, typically, to appoint a Data Protection Officer (DPO).
  • Cross-Border Data Transfers: Both regulate the transfer of personal data across borders, requiring special safeguards to ensure continued protection.

Key Differences: Navigating the Divergence

As previously mentioned, the PDPA and the GDPR share many similarities—which, in my practical experience, create strong synergy effects between the two. However, there are some important differences that European companies need to be aware of when doing business in Thailand. As there are too many to list exhaustively in this context, here are a few examples to illustrate some of the major differences:

  • Anonymised and Pseudonymised Data: Even though the PDPA and the GDPR seem to use almost identical definitions (for example, for the term ‘personal data’), there are some ambiguities. While the GDPR defines both anonymized and pseudonymized data, the PDPA does not define these terms at all. As a result, their interpretation in regulatory practice in Thailand varies considerably. This can lead to significant legal risks if one is not aware of these differences and applies a GDPR-based understanding of these terms or implements corresponding data protection processes in Thailand.
  • Legitimate interest as a legal basis: The GDPR provides multiple lawful bases for processing personal data, including ‘legitimate interests,’ which is a particularly relevant legal basis in practice. Accordingly, many processing activities of European companies rely on this legal basis, especially in areas such as HR and technology-driven marketing, for example, on websites or apps. While the PDPA also uses the term ‘legitimate interests,’ it does not define this term. In practice, ‘legitimate interests’ can be used as a legal basis only in a few specific cases. European companies may therefore need to adapt their practices to the more limited grounds under the PDPA.
  • Right to access: Both the GDPR and the PDPA grant data subjects the right to access their personal data held by a data controller. While the GDPR specifies in detail the information that must be provided in response to an access request (e.g., the purpose of processing, categories of personal data, legal basis, etc.), the PDPA does not prescribe specific requirements for what must be included when responding to such requests. In practice, this has led to widely varying requirements on the type and scope of the information to be provided.
  • Fines and Penalties: The GDPR is known for its high penalties that can reach up to €20 million or 4% of a company’s global turnover. In comparison, the PDPA sets fines that are considerably lower, with a maximum of 5 million THB (approximately €140,000) for breaches, or 2% of annual turnover. While the fines under the PDPA may not be as severe as the GDPR’s, they still pose significant risks for non-compliance. Depending on the violation of the PDPA, the penalty may also be imprisonment for a term not exceeding one year.

Other areas with significant deviations are: the processing of personal data of minors; scientific research as a legal basis; the nature and scope of the investigatory and corrective powers of the authorities; and civil claims for damages by data subjects.

Challenges for European Companies

For European companies entering the Thai market, our practical experience has shown that, amongst other things, the following challenges in particular need to be considered when it comes to data privacy compliance:

  • Dual Compliance: One of the biggest challenges is the need to comply with both the GDPR and the PDPA. Companies that process personal data of individuals from both the EU and Thailand must navigate two sets of complex regulations. This requires implementing systems and processes that satisfy the requirements of both laws, particularly in areas like cross-border data transfers, consent management, and breach notifications.
  • Local Data Processing and Storage Requirements: Like the GDPR, the PDPA mandates that personal data be processed and stored securely. In some instances, the PDPA may even require data to be kept within Thai borders. Understanding these requirements and finding a way to comply with these regulations as an international company, where cross-border transfer is often necessary, is key to maintaining compliance and avoiding penalties.
  • Lack of Enforcement Precedents: While the GDPR has been in effect for several years and has seen numerous enforcement actions, the PDPA is still relatively new. This means that there are fewer legal precedents and less clear guidance on compliance in Thailand. European businesses will need to stay updated on how Thai authorities and courts of law interpret and enforce the PDPA as it evolves.
  • Language Barriers: As with any foreign market, language differences can pose a significant challenge when interpreting legal texts and communicating data privacy policies. European companies often need to invest in local legal expertise to navigate the nuances of the PDPA, ensuring that their data privacy practices are aligned with Thai law and are clearly communicated to Thai customers.

Key Takeaways

As outlined, navigating the Thai data protection landscape is not a self-explanatory task for European companies. Despite GDPR compliance, implementing the legal requirements under Thai law can be a challenge that requires a careful approach. Although both frameworks share common principles, their differences in scope, sanctions and compliance requirements must not be overlooked.

However, with the right legal guidance, companies can master these requirements and benefit from far-reaching synergies between the two frameworks if the compliance measures are implemented carefully, taking into account selective adjustments where necessary.

About the Author

Stefan Riedl

The Austrian

A German-trained lawyer with over 20 years of experience in corporate structuring, mergers & acquisitions, and foreign direct investment. He provides expert advice to U.S., European, and Chinese clients on expanding and entering the Thai market. Outside of work, Stefan is a passionate foodie who loves exploring the culinary scenes of Thailand, Southeast Asia, and especially Japan.