Data Protection & PDPA in Thailand

At pimaccounting, our Data Privacy, Data Protection, and PDPA consultants offer cutting-edge, practical and effective solutions for all your PDPA, privacy and cyber security challenges – no matter how small or large your organisation.

Audit / PDPA expertise / Cyber Security / DPO / Data Breaches


We aim to embed data, security and technology as part of the standard business process.

Ensuring the value of data is recognized and protected throughout its life-cycle



As a certified Data Protection Officer and Legal firm, our knowledge of Thai markets allows us to provide tailor-made solutions for transactions, risk, and executive services to clients.



We reinvent the rules of business by implementing the right technology, redefining industry business models and changing human behaviours and customer expectations.



We utilise our local, technical and legal expertise in a rapidly evolving business and regulatory environment and guide our clients through all relevant data protection processes.

Get a free consultation & evaluate the risk

With so many laws and regulations surrounding data security and usage, it’s not surprising that most people find it overwhelming. Collecting, sharing, and using data can feel like a minefield.

We know how complex regulations such as the EU General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the Privacy and Personal Data Protection Act (PDPA) can seem. 


Data protection and PDPA in a few steps

Preparation phase

Pre-audit with our PDPA consultant (FREE)
Assessing current data collection practices
Gaining consent
Be ready for data breaches
Make a plan and seek support if needed

Define & Measure

Review processes, procedures & policies
Detailed Project Action Plan and Schedule
Communication Kick-Off material
High-Level PDPA Gap Analysis & Advisory
Data Classification and Mapping
Conduct interviews with key staff impacted

Improve to future state

Process Flows for Data Subject Rights Execution, Data Breach Management, Data Retention Monitoring and Outsourced Vendors Review
Amendment of Process flows related to PDPA integrated into existing Processes/SOP
Data Subject Rights Request Form
Vendor Due Diligence Checklist
DPO and Committee Establishment Plan
PDPA IT Compliance Report

Implementation Support

Legal Policy Amendment/Development
Cookie Policy Management for website
Data Collection management for website
Database Privacy & Data Protection
Consent Forms
Data Retention Policy template
Record of data processing template (ROP)
PDPA Training

Cyber Security

IT & Security Audit & Assessments
Website & Ecommerce Audit
Cyber Security Strategy
Verified Secure Architecture
Technical Security Testing
Cyber Attack Simulation
Legal and Regulatory Compliance

Best practice for PDPA

The Electronic Transactions Development Agency (ETDA) has issued guidelines on best practices to protect personal data as follows:


Identify Personal Data

Establish an understanding of the overall strategy for personal data protection, covering both the company's sensitive data and personal data as defined by the PDPA. Thereafter, identify the scope of data to be protected, develop a model data structure and categorize the data.


Identify how data is being used

Search, analyze and categorize data into different types on a regular basis. Establish an understanding of the data environment, structure and lifecycle in order to determine the most effective data protection measures.


Identify the baseline of sensitive data protection

Set up a baseline for protecting the company's sensitive data and personal data in accordance with the PDPA. Evaluate the control processes and measures required, and perform a risk assessment and gap analysis to identify solutions and risk mitigation.


Plan, design, and implement data protection

Plan and prioritize measures, both technical and strategic, to protect the company's sensitive data and personal data. Thereafter, design and implement preventive measures for such data securely. Most importantly, the protective measures must be aligned with business growth targets.


Monitor and protect sensitive data

Develop a data governance framework, risk metrics and monitoring processes to ensure that practice guidelines and control measures are working properly and achieving their objectives. In addition, review the strategy and data protection measures regularly.


Smart PDPA Solutions
for Smart Companies

For any questions, queries or advice about our data protection and PDPA services, please do not hesitate to contact us in English, French, German or Thai.

Call us at (+66) 094-3655697 / (+66) 092-8899046

Have Questions? We Have Answers.

What is the deadline?

With Thailand’s Personal Data Protection Act set to come into effect on May 27th, organisations across the country must ready themselves to comply with the new regulations. Being adequately prepared entails understanding the PDPA and effectively communicating its implications to everyone in the organisation who has access to personal data. However, due to the pandemic, the effective date of Thailand’s PDPA was postponed until 1 June 2021.

What are the penalties?

The PDPA imposes penalties for non-compliance. It is punishable with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of the actual damages. Furthermore, civil damages under the PDPA can be multiplied as Thailand now allows data subjects to bring a class-action lawsuit. The director of a company could also be subject to penalties under the PDPA.

What is considered personal data and sensitive data?

The PDPA provides stringent requirements for the collection and storage of sensitive personal data. Personal data refers to any information relating to a person that enables that person to be identified; sensitive personal data includes personal data pertaining to:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Criminal records
  • Trade union memberships
  • Genetic data
  • Biometric data
  • Health records
  • Sexual orientation or preferences

The collection of sensitive personal data without the express consent of the data owner is prohibited, except in certain circumstances, such as medical emergencies or as required by law.

What is a cross border data transfer?

In the event that a data controller sends or transfers Personal Data to a foreign country, the destination country that receives such Personal Data shall have adequate data protection standards, unless an exemption is met (e.g. consent from the data subject is obtained for the transfer of the Personal Data to a country whose data protection standard is not adequate, or the transfer is for compliance with the law). The guideline on what constitutes an adequate data protection standard is yet to be issued.

What is a Data Processor?

A person or entity that collects, uses, or discloses personal data in accordance with the orders of the data controller.

What is a Data Controller?

A person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.

What is a Data Protection Officer?

The Data Protection Officer (DPO) ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data. The designation, position and tasks of a DPO within an organization are described in Sections 5, 6 and 30-41 of the Thai Personal Data Protection Act (PDPA). Many other countries require the appointment of a DPO, and it is becoming more prevalent in privacy legislation.

About our PDPA expert

Our experienced and certified DPO, GDPR and PDPA consultants help you to make the transition process to Pimaccounting extremely easy. With your consent, our liaison team will deal directly with your previous service provider during the transition to Pimaccounting. All you need to do is contact us so that we can take care of the rest.

Any questions or specific requests?
Please contact us.

We provide outsourced data protection, PDPA consultation, statutory auditing, bookkeeping, payroll and BOI consulting.