PDPA consulting in Thailand
Thailand's Personal Data Protection Act (PDPA) imposes consent, security, and breach notification duties on employers and websites serving Thai data subjects. Non-compliance triggers regulator fines and civil claims. A privacy policy alone is not compliance. Operational changes are required.
At Thai Visa Centre, we refer PDPA matters to licensed Thai counsel and coordinate visa impact for foreign employers. For FinTech data rules, see our FinTech lawyers guide.
Processing needs a documented lawful basis beyond a website privacy policy.
Data processing agreements with cloud and payroll vendors are standard compliance items.
Incident response plans and notification timelines apply to many controllers.
We refer PDPA counsel and coordinate employer visa and work permit compliance.
PDPA compliance checklist
PDPA rules sit alongside Thai commercial law published through the Ministry of Justice.
| Area | Requirement |
|---|---|
| Consent records | Document how and when data subjects consented, with a withdrawal mechanism. |
| Cross-border transfer | Safeguards required when sending Thai personal data to foreign servers or processors. |
| Staff training | Employees handling customer data need periodic PDPA awareness training. |
| DPO appointment | Certain controllers must appoint a data protection officer under PDPA rules. |
Administrative divorce workflow
Mutual consent divorce at amphoe requires both spouses, complete agreement, and original marriage certificate from the registering district. Verify licensing on the Lawyers Council of Thailand register before engaging any firm.
Data mapping
Inventory what personal data you collect, where it is stored, and who accesses it.
Gap assessment
Compare current practices against PDPA lawful basis and security requirements.
Policy and contract update
Revise privacy notices, vendor DPAs, and internal data handling procedures.
Staff training rollout
Train HR, marketing, and IT teams on consent, breach reporting, and subject rights.
Ongoing monitoring
Audit vendor changes, new product features, and regulator guidance updates.
When to hire PDPA counsel
Foreign employers often treat PDPA as a marketing website task. Regulators expect documented lawful basis, security measures, and breach response across HR and customer systems.
- Before launching apps or websites collecting Thai customer data
- When a regulator sends an inquiry or enforcement notice
- When processing employee payroll and HR records for Thai staff
- Before signing vendor contracts with overseas cloud providers
- Whenever immigration and employment records overlap PDPA duties
TVC coordination: We coordinate visa and work permit impact, document translation referrals, and administrative filings where they overlap immigration. We do not provide PDPA legal opinions, DPO services, or regulator representation.
Common PDPA compliance mistakes
Bangkok employers and startups repeat the same data protection gaps. Most are preventable with scoped legal review before launch.
- Publishing a privacy policy without operational consent records and data inventory.
- Using overseas servers without cross-border transfer safeguards required by PDPA.
- Assuming small businesses are fully exempt from all PDPA obligations.
- Ignoring employee HR data when focusing only on customer marketing databases.
- Mixing immigration consulting with PDPA legal opinions from unqualified agents.
Long-stay and lifestyle context
Many readers use this page while scouting Thailand for relocation, visa runs, or extended holidays. Pair your plans with immigration status that matches how long you actually stay. Tourist exemption and short tourist visas are for trips, not for building a life here.
See our Thailand lifestyle guide for visa paths, city choices, TM30, 90-day reporting, and compliance habits that keep long-stay holders out of trouble at immigration.
Court vs TVC scope
PDPA Consulting and Training in Thailand: Compliance for Employers and Apps (2026) requires licensed Thai advocates for binding legal work. TVC coordinates visa status, certified translation referrals, and stay planning. We do not substitute for bar-licensed counsel.
Stay status during cases
Family, probate, and criminal matters can run months. Plan visa extensions, 90-day reporting, and re-entry before hearings stack up; lapses block extensions even when your case is strong.
Language and evidence
Court and amphoe proceedings are in Thai. Foreign documents need certified translation and often MFA legalisation. Start authentication early; deadlines do not wait for postal delays.
Life after judgment
Winning at trial or registering divorce does not automatically resolve immigration status. Coordinate visa category changes with licensed counsel before your marriage or business visa basis ends.
Practical planning matrix
Use this matrix alongside the sections above before you confirm dates, payment, or visa paperwork tied to this stay.
| Decision | Guidance |
|---|---|
| Licensed counsel | Retain a Thai attorney before responding to summons or filing at amphoe or court |
| Document bundle | Organise IDs, contracts, and correspondence chronologically for your lawyer |
| Deadlines | Missing court dates or appeal windows forfeits rights. Calendar every official appointment |
| Visa planning | Maintain valid stay status throughout proceedings; TVC helps with extensions and reporting |
| Translation | Budget certified Thai translation for foreign-language evidence before hearing or registration dates |
TDAC reminder: Every Thailand entry requires a fresh Digital Arrival Card within 72 hours of landing, including return trips on Elite, LTR, retirement, or marriage visas. Keep your confirmation offline in case airport Wi-Fi fails.
For entry documents and first-arrival checklists, see our Thailand entry requirements.
Frequently asked questions
General answers on PDPA compliance in Thailand. Consult licensed Thai counsel for scoped review of your data processing.
Q: Does PDPA apply to small businesses?
A: Many obligations scale with size and data sensitivity. Get scoped legal review.
Q: Does TVC provide PDPA lawyers?
A: We refer to partner firms. TVC staff focus on visas and administrative coordination.
Q: Is a privacy policy enough for compliance?
A: No. Operational consent records, security, and vendor agreements are required.
Q: Do foreign companies outside Thailand need PDPA compliance?
A: Processing data of Thai data subjects while offering goods or services in Thailand triggers duties.
Q: What happens after a data breach?
A: Notification and remediation duties depend on risk level. Incident response planning is essential.
Q: Can TVC train our staff on PDPA?
A: We refer training providers and counsel. We do not deliver certified PDPA legal training ourselves.
Q: Does PDPA affect work permit applications?
A: Employer compliance may be reviewed indirectly. Coordinate HR data handling with corporate counsel.
Q: Where are official PDPA rules published?
A: The Personal Data Protection Committee and the Ministry of Justice publish primary guidance on official websites.