Personal Data Protection Committee (PDPC)
Personal Data Protection Committee (PDPC) is the structural Thai PDPA enforcement body under the Ministry of Digital Economy and Society. Administers the Personal Data Protection Act 2019, the Thai equivalent of GDPR. Enforces consent, data-subject rights, breach notification, and cross-border-transfer rules. Coordinates with sector regulators (BOT, OIC, NBTC) on sector-specific data-protection enforcement.
Snapshot
Headline numbers a buyer checks first.
Established (PDPA enacted)
2019
2019
Fully effective June 2022
Mandate
PDPA enforcement (Thai GDPR equivalent)
2024
Max penalty (administrative)
THB 5M per violation
2024
Reports to
Ministry of Digital Economy and Society (MDES)
2024
Profile overview
Personal Data Protection Committee (PDPC) is the structural Thai PDPA enforcement body under the Ministry of Digital Economy and Society. Administers the Personal Data Protection Act 2019, the Thai equivalent of GDPR. Enforces consent, data-subject rights, breach notification, and cross-border-transfer rules. Coordinates with sector regulators (BOT, OIC, NBTC) on sector-specific data-protection enforcement.
Mandate and enforcement tools
Consent rules
Lawful basis for data processing
PDPC enforces the PDPA's six lawful bases for personal data processing: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interest. Thai businesses must ensure all personal data processing has a documented lawful basis; consent-only reliance (a common compliance error) creates compliance risk when consent is later withdrawn.
Data subjects
Rights enforcement β access, erasure, portability
PDPC administers data-subject rights under PDPA including right of access, right to erasure (right to be forgotten), right of rectification, and data portability. PDPC handles complaints from data subjects against organizations that fail to respond to rights requests within 30 days. Complaint volumes have grown year-on-year since full enforcement began 2022.
Breach notification
72-hour breach notification requirement
Data controllers must notify PDPC of personal data breaches within 72 hours when the breach is likely to result in a risk to data subjects. High-risk breaches also require notification to affected individuals. PDPC tracks breach notifications across sectors; banking and healthcare account for the largest notification volumes.
Cross-border
International data transfer restrictions
PDPA restricts transfers of personal data to countries without adequate data protection standards unless specific safeguards (standard contractual clauses, binding corporate rules) are in place. PDPC maintains a list of adequate-protection countries; cross-border data transfer is a compliance issue for multinational companies with Thai data flows.
PDPA enforcement comparison β ASEAN
Personal data protection regulatory frameworks in key ASEAN markets
Thailand
Primary law
PDPA 2019
Regulator
PDPC under MDES
Max administrative fine
$144,928 per violation (~USD 140K)
Singapore
Primary law
PDPA 2012 (amended 2020)
Regulator
Personal Data Protection Commission (PDPC SG)
Max administrative fine
SGD 1M or 10% of annual turnover
Indonesia
Primary law
Personal Data Protection Law 2022
Regulator
BSSN (National Cyber and Crypto Agency)
Max administrative fine
IDR 35B (~USD 2.2M)
Philippines
Primary law
Data Privacy Act 2012
Regulator
National Privacy Commission
Max administrative fine
PHP 5M (~USD 90K)
| Country | Primary law | Regulator | Max administrative fine |
|---|---|---|---|
| Thailand | PDPA 2019 | PDPC under MDES | $144,928 per violation (~USD 140K) |
| Singapore | PDPA 2012 (amended 2020) | Personal Data Protection Commission (PDPC SG) | SGD 1M or 10% of annual turnover |
| Indonesia | Personal Data Protection Law 2022 | BSSN (National Cyber and Crypto Agency) | IDR 35B (~USD 2.2M) |
| Philippines | Data Privacy Act 2012 | National Privacy Commission | PHP 5M (~USD 90K) |
Key drivers 2025-2026
Enforcement
PDPC enforcement escalation trajectory
PDPC issued its first formal administrative fines in 2023. Enforcement intensity is expected to increase in 2025-2026 as PDPC builds its investigation capacity and prioritises high-profile non-compliance cases. Thai banks, hospitals, and e-commerce platforms are the highest-scrutiny sectors for PDPC enforcement.
Compliance market
PDPA compliance consulting and DPO market
Thai enterprises are investing in Data Protection Officer (DPO) hiring, PDPA compliance audits, and data-mapping technology. The PDPA compliance consulting market is estimated at $0.058-5 billion annually, driven by PDPC enforcement escalation and international buyer requirements for Thai supply-chain PDPA compliance.
AI regulation
AI and automated decision-making scope expansion
PDPC is developing guidance on AI-based profiling and automated decision-making under PDPA. Thailand's AI Act (in development) may create additional requirements beyond PDPA for algorithmic accountability. The intersection of PDPA and AI regulation is the highest-complexity emerging compliance area for Thai digital enterprises.
Where this profile is featured
Reports that reference this entity in their operator concentration or analysis.
Featured in
Thai Cyber Security: Public-Private Build-Out and PDPA Enforcement
PDPA enforcement counterpart; coordinates with NCSA on data-breach incident response and disclosure.
Featured in
Thailand PDPA: Enforcement Trajectory and Compliance Cost
PDPA enforcement counterpart; coordinates with NCSA on data-breach incident response and disclosure.
Related Market profiles
Peers, parents, partners, agencies, and other Data Protection actors.
Reports featuring this profile
Thai Cyber Security: Public-Private Build-Out and PDPA Enforcement
PDPA enforcement counterpart; coordinates with NCSA on data-breach incident response and disclosure.
Open report β
Sits alongside 2 other Atlas profilesThailand PDPA: Enforcement Trajectory and Compliance Cost
PDPA enforcement counterpart; coordinates with NCSA on data-breach incident response and disclosure.
Open report β
Sits alongside 5 other Atlas profiles