Thai Data Controllers (PDPA Corporate Aggregate)
Thai data controllers are the estimated 500,000+ corporate and public-sector entities obligated under the Personal Data Protection Act BE 2562 (2019) to register purposes, obtain consent, and manage data-subject rights for personal data collected in Thailand. The category spans banks, hospitals, retailers, telecoms, and government agencies, all of which must appoint a data-protection officer if processing at scale. The PDPC administers enforcement with civil fines up to THB 5M per violation and criminal liability for intentional breach. Corporate compliance spend on PDPA readiness has generated a THB 2-3B advisory and technology market, including consent-management platforms, data-mapping tools, and DPO-as-a-service offerings. Compliance maturity varies sharply between SET-listed multinationals and SMEs.
Sector segments and compliance obligations
Financial services
Banks, insurers, and securities firms
Banks (KBank, SCB, BBL) and insurers are among Thailand's most compliance-mature data controllers. BOT and OIC supervisory data-handling requirements overlap with PDPA, accelerating compliance investment. Estimated PDPA spend per large bank: $2.9–300M over 2022–2025.
Healthcare
Hospitals and medical record controllers
BDMS, Bumrungrad, Bangkok Dusit, and public hospitals under MoPH are data controllers of sensitive health data (special category under PDPA). Consent requirements for medical-record sharing, insurance claims, and telemedicine are most stringent.
Retail and e-commerce
Lazada, Shopee, Central, TCC
Retail and e-commerce platforms hold consumer purchase history, location data, and behavioral profiles. Cookie consent, marketing opt-out, and data-subject access request (DSAR) processes are mandatory. Non-compliance risk is high given consumer-complaint volume.
PDPA enforcement comparison – selected Asian jurisdictions
Data protection regulatory framework comparison by penalty, enforcement authority, and maturity (2024).
| Country | Data protection law | Max fine | Regulator | Enforcement maturity |
|---|---|---|---|---|
| Thailand | PDPA (BE 2562, 2019) | $144,928 (USD ~135K) | PDPC | Early-stage enforcement; 2024+ escalation |
| Singapore | PDPA 2012 / 2021 amendment | SGD 1M or 10% turnover | PDPC Singapore | Mature; regular enforcement |
| Philippines | Data Privacy Act 2012 | PHP 5M (USD ~87K) | NPC | Active enforcement; criminal liability |
| Indonesia | PDP Law 2022 | 2% of annual revenue | BSSN (transitional) | Nascent; implementing regulations pending |
| EU (reference) | GDPR 2018 | EUR 20M or 4% turnover | DPAs (national) | Fully mature; billions in fines issued |
Watchpoints 2025–2026
PDPC enforcement ramp
First-wave corporate fines in 2024–2025
PDPC has commenced enforcement actions targeting visible consumer-facing violations. The first substantial corporate fines (expected $0.029–5M range) will set precedent and trigger a secondary compliance-spend wave across SME controllers.
DPO mandate
Data Protection Officer requirement enforcement
Controllers processing data at scale must appoint a DPO. PDPC is expected to begin auditing DPO appointment compliance in 2025. Non-appointment carries fines; many SME controllers have not yet complied.
AI governance
Automated profiling and AI-decision rules
PDPA Article 37 restricts solely-automated decisions that produce legal effects. Thai data controllers deploying credit-scoring, marketing-segmentation, and content-recommendation AI face increasing PDPC scrutiny.
Where this profile is featured
Reports that reference this entity in their operator concentration or analysis.
Featured in
Thailand PDPA: Enforcement Trajectory and Compliance Cost
Entities determining the purposes and means of personal-data processing; primary PDPA-compliance duty holder; subject to administrative fines for violations.
Related Market profiles
Peers, parents, partners, agencies, and other Cybersecurity actors.
Competitor
National Cyber Security Agency (NCSA Thailand)
Thai national cybersecurity regulator under Cybersecurity Act 2019; oversees critical-information-infrastructure protection and national cyber-threat response.
Competitor
Data Protection Officer (DPO) – Thai PDPA Role
The mandatory DPO role under Thailand's PDPA 2019, required for large-scale data processors and sensitive-data controllers.
Competitor
Foreign Digital Service VAT Framework (Thailand RD)
Thailand's VAT-on-foreign-digital-services regime (Section 83/6 bis), requiring non-resident digital providers to register and remit 7% VAT on B2C revenue.
Sector peer
Thai PDPA Advisory Firm Cluster
Cluster of law firms and Big 4 advisory practices providing PDPA compliance, DPO services, and data-governance advisory in Thailand.