The Personal Data Protection Act B.E. 2562 (PDPA) was published in the Government Gazette on 27 May 2019. Part of the Act came into force the day after, but some parts did not, such as Chapters 2, 3, 5, 6 and 7 and Sections 95 and 96, which were to come into force one year after the date of publication.1

Nevertheless, the effective date was postponed twice due to the unpreparedness of government agencies and business sectors. The Act finally comes fully into force today, 1 June 2022.

The PDPA aims to protect personal data and to impose duties on business sectors to abide by the regulations protecting personal information, covering activities such as collection, processing, use and disclosure. It is also intended to be in line with the European Union’s General Data Protection Regulation, which came into force in 2016.

Under the Thai PDPA, ‘personal data’ means information concerning a person by which that person can be directly or indirectly identified, but does not include information of the deceased.2

‘Personal data controller’ means a person or juristic person having decision-making powers regarding the collection, use or disclosure of personal information.3

Note that all business sectors can be personal data controllers under this Act, for example with respect to the personal information of an employee applying for a job.

A personal data controller who, without consent, discloses the following data in a manner that is likely to damage another person's reputation or cause them to be insulted, hated or shamed shall be punished with imprisonment not exceeding six months, a fine not exceeding five hundred thousand baht, or both.4

The data concerned are ethnicity, political opinions, beliefs, religion, sexual behavior, criminal records, health information, disability, labor union information, genetic information, biological information, or any other information which affects the owner of the personal data in the same way, as prescribed by the committee, where disclosed without the express consent of the personal data subject.

In conclusion, from today this Act affects all business sectors that handle the personal information of others, and they need to pay closer attention to how they handle that information. Failure to comply with the Act could result in serious punishment.


1. Personal Data Protection Act B.E. 2562, Section 2
2. The same Act, Section 6
3. The same Act, Section 6
4. The same Act, Sections 26, 27 and 79