Thailand Personal Data Protection Act
Punitive damages up to twice actual losses and criminal penalties make Thailand PDPA non-compliance a direct personal and commercial liability for management.
The Thailand Personal Data Protection Act B.E. 2562 (2019) is Thailand's comprehensive data protection legislation, establishing a GDPR-aligned framework for the collection, use, and disclosure of personal data. Full enforcement commenced on 1 June 2022 after several deferrals.
The PDPA establishes the Personal Data Protection Committee (PDPC) as the supervisory authority and requires organisations to process personal data only on a lawful basis (explicit consent unless an exception applies), appoint a DPO where the thresholds are met, implement appropriate security safeguards, and notify the PDPC of a breach without delay and, where feasible, within 72 hours of becoming aware of it. Cross-border transfers require adequate protection in the destination country or appropriate safeguards.
For Microsoft 365 environments, PDPA compliance draws on Purview sensitivity labels for data classification, DLP policies for data protection controls, Defender XDR incident detection and response to support breach notification, and Conditional Access for access management. StremarControl engineers and operates these Microsoft-native controls for Thailand PDPA mandates, translating each obligation into an enforceable control, structured evidence, and an ongoing assurance discipline for PDPC compliance reporting.
Why This Matters Now
Thailand's PDPA is the country's first comprehensive data protection law, establishing GDPR-aligned principles for Southeast Asia's second-largest economy. It mandates DPO appointment, consent-based processing, cross-border transfer safeguards, and 72-hour breach notification. For M365 environments, compliance requires Purview data classification, DLP policies for data protection, and Defender XDR incident workflows for breach notification. Thailand's growing role as an ASEAN data hub makes PDPA compliance essential.
Framework Metadata
Scope & Applicability
Applies to data controllers and processors collecting, using, or disclosing personal data in Thailand, or offering goods/services to individuals in Thailand, or monitoring behaviour of individuals in Thailand. The PDPA has extraterritorial reach. Exemptions for personal/household activities, public interest activities, and media. M365 tenants processing Thai personal data must comply.
Core Obligations
Consent and Lawful Basis
Collect, use, or disclose personal data only with explicit consent or another lawful basis. Consent must be freely given, specific, and informed.
Data Protection Officer
Appoint a DPO where the organisation's core activities involve regular monitoring of personal data or systems at a large scale, or the processing of sensitive personal data, or where the organisation is a public authority.
Breach Notification
Notify the PDPC of a personal data breach without delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the rights and freedoms of individuals. Notify affected individuals as well if the breach is likely to pose a high risk to their rights and freedoms. The clock starts at awareness, so the time at which the organisation first recognised the incident as a breach must itself be evidenced.
Cross-Border Transfers
Transfer personal data to foreign countries only where adequate protection standards exist or with appropriate safeguards.
Security Measures
Implement appropriate security measures to prevent unauthorised access, use, disclosure, alteration, or destruction of personal data.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
Security Measures
Controls: Conditional Access requiring MFA and a compliant device. Intune endpoint security baselines. Defender XDR for threat protection. Purview sensitivity labels and label-based encryption for personal data.
Evidence: Entra sign-in logs showing Conditional Access results, Intune device compliance reports, Defender XDR analytics, sensitivity label usage reports.
72-Hour Breach Notification
Controls: Defender XDR incident detection feeding Microsoft Sentinel, with Sentinel playbooks that open and track a PDPC notification workflow. Automated severity classification, with the incident creation time and the time the incident was confirmed as a personal data breach recorded so the 72-hour window can be demonstrated.
Evidence: Incident timeline reports, playbook execution logs, PDPC notification records.
Cross-Border Transfers
Controls: Purview DLP policies that block or audit sharing of labelled personal data with external domains. Conditional Access named locations that restrict sign-ins to approved countries. Tenant data residency settings, and Multi-Geo where licensed. Note that named locations govern where users sign in from, not where data is stored; residency is determined by the tenant's geography and Multi-Geo configuration, and the DLP and residency controls together, not Conditional Access alone, address transfers.
Evidence: DLP policy match reports for external sharing, Conditional Access sign-in reports by location, exported data residency and Multi-Geo configuration.
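The following is an added example of the Conditional Access portion of the cross-border mapping above, written for this page and not StremarControl's or Microsoft's own code. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the Policy.ReadWrite.ConditionalAccess and Application.Read.All permissions, and that the group, application and break-glass account object IDs in angle brackets are replaced with real values. It creates a country named location for Thailand, deploys a report-only policy so that the blocked sign-ins can be reviewed before enforcement, and exports the resulting configuration as evidence.

```powershell
# Added example (not the page's or StremarControl's own code). Placeholder IDs
# in angle brackets are assumptions to be replaced with the tenant's real values.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# 1. Country named location for Thailand (ISO 3166-1 alpha-2 code "TH").
#    Sign-ins whose country cannot be resolved are NOT treated as Thai.
$thailand = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'PDPA - Thailand'
    countriesAndRegions               = @('TH')
    includeUnknownCountriesAndRegions = $false
}

# 2. Report-only policy: block the apps that hold Thai personal data from any
#    location other than Thailand. Report-only records what WOULD be blocked in
#    the sign-in logs without denying access, so the impact can be reviewed first.
#    A break-glass account is excluded so a misconfiguration cannot lock out admins.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'PDPA - Thai personal data apps outside Thailand (report-only)'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions  = @{
        users = @{
            includeGroups = @('<pdpa-data-users-group-object-id>')   # assumption
            excludeUsers  = @('<break-glass-account-object-id>')     # assumption
        }
        applications   = @{ includeApplications = @('<pdpa-app-object-id>') }  # assumption
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($thailand.Id)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# 3. Evidence: export the named locations and every Conditional Access policy as
#    JSON. These files are the "configuration export" referenced in the mapping.
Get-MgIdentityConditionalAccessNamedLocation -All |
    ConvertTo-Json -Depth 10 | Set-Content -Path '.\evidence-named-locations.json'
Get-MgIdentityConditionalAccessPolicy -All |
    ConvertTo-Json -Depth 20 | Set-Content -Path '.\evidence-ca-policies.json'

Write-Host "Created named location $($thailand.Id) and report-only policy $($policy.Id)"
```

Run it once in report-only mode, review the affected sign-ins in the Entra sign-in logs, and only then switch `state` to `enabled`. This policy constrains where users may sign in from; it does not move or pin data, so it belongs alongside the DLP and residency controls in the mapping rather than in place of them.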
Related Frameworks
With individual fines as high as EUR 1.2 billion for major infractions, GDPR non-compliance is a material financial risk that demands board-level ownership.
With penalties of up to 10% of annual turnover and a 3-day breach notification deadline, Singapore's PDPA places direct commercial consequence on management for data protection failures.
Criminal penalties against responsible individuals and strengthened cross-border transfer rules make APPI compliance a personal liability matter for management in Japan's market.
Ready to get Thailand PDPA-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against Thailand PDPA requirements, close gaps, and produce audit-ready evidence.