Securiti Named a 2022 Cool Vendor in Data Security by Gartner

Download Now

Thailand PDPA Compliance

Operationalize PDPA compliance with the most comprehensive PrivacyOps platform.

Download the book today!

PrivacyOps - Automation & Orchestration for Privacy Compliance
Download Book
Available in PDF

The Personal Data Protection Act, B.E. 2562 (2019) ('PDPA') is Thailand's first consolidated data protection law, which was published in the Thai Government Gazette on 27 May 2019. This law was said to go into effect on 27 May 2020. However, in May 2020, the Thai Cabinet through a Royal Decree has deferred the enforcement of certain data protection provisions of the PDPA until 31 May 2021.

The PDPA aims to guarantee protection of individuals' personal data, and impose obligations on businesses that deal with the collection, usage, and disclosure of personal data. The PDPA is largely based on the GDPR, and therefore, there are several similarities between the two, such as the legal provisions for processing of personal data, data subject requests, and other security measures requirements.

The solution enables organizations to comply with the Thai PDPA regulations through AI-driven PI data discovery, DSR automation, documented accountability, enhanced visibility into data processing activities and AI-driven process automation.

securiti dashboard supports enterprises in their journey toward compliance with the Thai PDPA through automation, enhanced data visibility and identity linking.

See how our comprehensive PrivacyOps platform helps you comply with various sections of PDPA.


Customize a data subject rights request portal for seamless customer care

Simplify your DSR request format by building web forms customized for your brand image to accept verified data subject rights requests. Automate the initiation of fulfillment workflows when verified requests are received.

dsr portal
dsr handling

Automate data subject access request handling

PDPA Section: 23, 30

Data subjects need to be notified about their data privacy rights and organizations are required to simplify the initiation of verified DSR requests. The automation of the delivery and generation of secure data access reports will greatly reduce the risk of compliance violations and reduce the workforce required to comply with all the requests.

Secure fulfillment of data access and port requests

PDPA Sections: 23, 30, 31

Organizations are required to disclose the information to the data subjects within a limited time frame of receiving a verifiable data request. This will be free of charge, and delivered through a secure centralized portal.

data access request
data rectify request

Automate processing of rectification requests

PDPA Sections: 35, 36

Seamlessly fulfill data rectification requests with the help of automated data subject verification workflows across all appearances of a subject’s personal data.

Automate erasure requests

PDPA Section: 33

Quickly fulfill data subject’s’ erasure requests through automated and flexible workflows.

data erasure request
processing request

Automate objection and restriction of processing requests

PDPA Sections: 23, 32, 34

Build a framework for objection and restriction of processing handling based on business requirements, with the help of collaborative workflows.

Continuous monitoring and tracking

PDPA Sections: 37(1)(3), 39, 40

Keep track of risks involved by continuously monitoring and scanning data against non-compliance to subject rights, security controls or data residency. Surface new Personal Data categories, types and data flow risks on a continuous basis.

personal data monitoring tracking
personal information data linking

Automate People Data Graph

PDPA Sections: 39, 40(3) 

Discover personal information stored across all your systems within the organization and link them back to a unique data subject. Visualize personal data sprawl and identify compliance risks.

Meet cookie compliance

PDPA Sections: 19, 20, 25, 26

Automatically scan the organization’s web properties and categorize tags and cookies.Also build customizable cookie banners, collect consent and provide a preference center.

cookie consent
consent preference management

Monitor and track consent

PDPA Sections: 19, 20, 24, 25, 26, 27

Track consent revocation of the data subjects  to prevent the processing or transfer of data without their consent. Demonstrate consent compliance to regulators and data subjects.

Assess PDPA readiness

PDPA Sections: 37, 39, 40

With the help of our multi-regulation, collaborative, readiness and privacy impact assessment system you can measure your organization's posture against PDPA requirements, identify the gaps and address the risks. Seamlessly being able to expand assessment capabilities across your vendor ecosystem to maintain compliance against PDPA requirements.

Assess GDPR readiness
map data flows

Map data flows

PDPA Sections: 39, 40(3)

Keep track of data flows in your organizations, trace this data , catalog the collection of data and transfer data and document business process flows internally and to service providers or 3rd parties. 

Manage vendor risk

PDPA Sections: 37(2), 39

Track, manage and monitor privacy and security readiness for all your service providers from a single interface. Collaborate instantly, automate data requests and deletions, and manage all vendor contracts and compliance documents.

manage vendor risk
breach response notification

Breach Response Notification

PDPA Section: 37(4)

Automates compliance actions and breach notifications to concerned stakeholders in relation to security incidents by leveraging a knowledge database on security incident diagnosis and response.

5 key data subject rights encoded within PDPA

Access: Data subjects have the right to know what data has been collected about them and how that data is being processed. They can request to access and obtain a copy of their personal data from controllers and processors

Port: Data subjects have the right to request the transfer of personal data from one electronic processing system to another in a readable format and the transmitted can be used or disclosed by automatic means.

Rectification: Data subjects have the right to make changes to inaccurate data. Data subjects have a right to request the rectification of their inaccurate data and have incomplete data stored about themselves completed.

Erasure: Data subjects have a right to erasure available where the controller or processor must delete the data of the data subjects if the data subjects withdraw their consent, or where data is no longer necessary for the purpose it was collected or processed for, or where data was collected unlawfully.

Consent: Personal data cannot be processed without obtaining explicit consent from the data subject.

Quick facts about PDPA


Under the PDPA, the data controller will have to guarantee the rights of the data subjects.


A violation of the PDPA may result in civil liability, criminal liability, and administrative fines.


Under the PDPA, the maximum penalty that can be awarded is a fine of Baht five million and imprisonment for a term not exceeding one year depending on the violation type.


PDPA contains no detailed rules regarding the use of automated processing of individuals’ personal data for decision making.


PDPA does not apply to foreign public authorities, international organizations and public entities including those that are engaged in duties with respect to the prevention and suppression of money laundering, forensic sciences, or cybersecurity.




Securiti PrivacyOps Named a Leader in The Forrester WaveTM