We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:


Research and Briefings

Personal Data Protection Act (PDPA) in Thailand


The Personal Data Protection Act (PDPA) 2019 was published in Thailand on May 27, 2019, followed by the provisions relating to the establishment of the Personal Data Protection committee (PDPC) the day after. Other provisions of the PDPA, which include those on collecting consent, use, and disclosure of personal data, rights of data subjects, liabilities, and penalties, will become effective on May 27, 2020.

In the attached Client Alert document, Marsh has partnered with Tilleke & Gibbins, a leading regional law firm in Southeast Asia, to outline the key points in this Act. We also offer a quick snapshot of measures that businesses can take to address the changes and concerns.

Some of the points covered in the Client Alert include:

  • To whom the PDPA applies.
  • What constitutes personal data.
  • Differences between a data collector and a data processor.
  • Responsibilities in managing personal data.
  • Civil and criminal penalties for failing to comply.
  • The Act’s extraterritorial jurisdiction.
  • Risks to businesses, and how these can be managed.
  • Individual and personal liabilities to Board Directors and Senior Executives.

Download a copy of the Risk Alert to find out more. Please also feel free to contact your Marsh representative if you have further questions.