Thai Data Processors (PDPA Corporate Aggregate)
Thai data processors are entities that process personal data on behalf of data controllers under written agreement, as defined under the Personal Data Protection Act BE 2562 (2019). Examples include cloud-service providers, payroll processors, marketing-analytics vendors, call centres, and BPO firms operating in Thailand. The PDPA imposes direct obligations on processors including security-measure compliance, sub-processor notification, and breach-notification duties to the controller. Thailand’s outsourcing and shared-service-centre sector is a significant processor cluster, particularly in Bangna, Lad Krabang, and the EEC. Processor classification affects contract structuring for IT service firms, SaaS providers, and data-infrastructure operators with Thai corporate clients.
Profile overview
Thai data processors are entities that process personal data on behalf of data controllers under written agreement, as defined under the Personal Data Protection Act BE 2562 (2019). Examples include cloud-service providers, payroll processors, marketing-analytics vendors, call centres, and BPO firms operating in Thailand. The PDPA imposes direct obligations on processors including security-measure compliance, sub-processor notification, and breach-notification duties to the controller. Thailand’s outsourcing and shared-service-centre sector is a significant processor cluster, particularly in Bangna, Lad Krabang, and the EEC. Processor classification affects contract structuring for IT service firms, SaaS providers, and data-infrastructure operators with Thai corporate clients.
Processor segments and service types
Cloud and SaaS
AWS, Google Cloud, Microsoft Azure Thailand
International cloud providers operating data centres in or serving Thai clients are data processors under PDPA. Data Processing Agreements (DPAs) are required. Standard contractual clauses and local data-residency requirements are evolving.
BPO and shared services
EEC shared-service centres
Thailand's Eastern Economic Corridor hosts shared-service operations for regional corporates. BPO firms processing Thai payroll, HR data, and customer-care records are processors under PDPA. Concentration in Bangna, Lad Krabang, Chonburi.
Marketing and analytics
Data analytics and CRM vendors
Marketing-analytics firms, customer-data platforms (CDPs), and CRM-implementation vendors processing Thai consumer data must execute DPAs with controller clients. Sub-processor notification obligations are frequently overlooked.
Payroll processors
Payroll software and outsourcing
Payroll-outsourcing firms (ADP Thailand, SAP Payroll implementers, local vendors) process sensitive employee personal data for thousands of Thai corporate clients. Processor obligations include security measures and breach notification to the controller within 72 hours.
PDPA processor vs controller obligations — comparison
Key obligations under Thailand PDPA BE 2562 for data controllers versus data processors.
Consent management
Data controller
Must obtain and record consent
Data processor
Process only per controller instruction
Data subject rights
Data controller
Must respond within 30 days
Data processor
Must assist controller with DSAR fulfilment
Breach notification
Data controller
Report to PDPC within 72 hours
Data processor
Report to controller without undue delay
DPO appointment
Data controller
Required if processing at scale
Data processor
Required if processing at scale on controller behalf
Cross-border transfer
Data controller
Must ensure adequate protection
Data processor
May transfer only per controller authorisation
Maximum fine
Data controller
$144,928 civil, criminal liability
Data processor
$86,957 civil (direct processor violations)
| Obligation | Data controller | Data processor |
|---|---|---|
| Consent management | Must obtain and record consent | Process only per controller instruction |
| Data subject rights | Must respond within 30 days | Must assist controller with DSAR fulfilment |
| Breach notification | Report to PDPC within 72 hours | Report to controller without undue delay |
| DPO appointment | Required if processing at scale | Required if processing at scale on controller behalf |
| Cross-border transfer | Must ensure adequate protection | May transfer only per controller authorisation |
| Maximum fine | $144,928 civil, criminal liability | $86,957 civil (direct processor violations) |
Watchpoints 2025–2026
Sub-processor chains
PDPC audit of processor networks
Many Thai corporates have processors who engage sub-processors without controller notification — a PDPA violation. PDPC enforcement actions on sub-processor chains (modelled on the 2025 toy-seller case) are expanding.
Cloud residency
Data localisation pressure
PDPC and sectoral regulators (BOT, OIC) are signalling preference for Thai data residency for sensitive financial and health data. Cloud providers are expanding Thai data-centre capacity in response.
AI processing
Generative AI as data processor
Thai corporates using OpenAI, Microsoft Copilot, and Google Gemini APIs for document processing are likely engaging these platforms as PDPA data processors. DPA execution with hyperscalers is a compliance gap for many organisations.
Where this profile is featured
Reports that reference this entity in their operator concentration or analysis.
Featured in
Thailand PDPA: Enforcement Trajectory and Compliance Cost
Entities processing personal data on behalf of controllers; PDPC has extended enforcement to processors not just controllers (Aug 2025 toy-seller case set $0.087
Related Market profiles
Peers, parents, partners, agencies, and other Cybersecurity actors.
Competitor
National Cyber Security Agency (NCSA Thailand)
Thai national cybersecurity regulator under Cybersecurity Act 2019; oversees critical-information-infrastructure protection and national cyber-threat response.
Open Market profile →
Competitor
Data Protection Officer (DPO) — Thai PDPA Role
The mandatory DPO role under Thailand’s PDPA 2019, required for large-scale data processors and sensitive-data controllers.
Open Market profile →
Competitor
Foreign Digital Service VAT Framework (Thailand RD)
Thailand’s VAT-on-foreign-digital-services regime (Section 83/6 bis), requiring non-resident digital providers to register and remit 7% VAT on B2C revenue.
Open Market profile →
Sector peer
Thai PDPA Advisory Firm Cluster
Cluster of law firms and Big 4 advisory practices providing PDPA compliance, DPO services, and data-governance advisory in Thailand.
Open Market profile →
Reports featuring this profile
Related Market profiles
competitor
National Cyber Security Agency (NCSA Thailand)
Thai national cybersecurity regulator under Cybersecurity Act 2019; oversees critical-information-infrastructure protection and national cyber-threat response.
competitor
Data Protection Officer (DPO) — Thai PDPA Role
The mandatory DPO role under Thailand’s PDPA 2019, required for large-scale data processors and sensitive-data controllers.
competitor
Foreign Digital Service VAT Framework (Thailand RD)
Thailand’s VAT-on-foreign-digital-services regime (Section 83/6 bis), requiring non-resident digital providers to register and remit 7% VAT on B2C revenue.