Reconix
PDPA Section 37

Prove Your Data Is Protected Under PDPA

Section 37(1) requires every data controller in Thailand to put appropriate security measures in place for the personal data it holds. Our penetration testing verifies that those controls actually work and delivers audit-ready evidence you can present to the PDPC.

฿3M–฿5M
Maximum administrative fine per violation
Tiered by data type: up to ฿3M under Section 83, up to ฿5M where sensitive personal data is involved under Section 84
72 hrs
Breach notification to the PDPC
Without delay and, where feasible, within 72 hours of becoming aware of the breach (Section 37(4))
6 months–1 year
Imprisonment
Up to 6 months, rising to 1 year where the offender acts for unlawful gain (Sections 79–80)
Up to 2×
Punitive damages
Awarded on top of compensation for actual damages (Section 78)

What is the PDPA?

The Personal Data Protection Act B.E. 2562 (2019) is Thailand's comprehensive data protection law. Fully enforced since June 2022, it governs how organizations collect, use, and disclose personal data within the country.

  • Enacted in 2019, fully enforced since June 1, 2022
  • Governs collection, use, disclosure, and transfer of personal data
  • Applies to ALL organizations handling personal data of individuals in Thailand, including controllers and processors located outside Thailand that offer goods or services to, or monitor the behaviour of, data subjects in Thailand (Section 5)
  • Enforced by the Personal Data Protection Committee (PDPC)
  • Modeled after GDPR with Thailand-specific provisions

Reference: Personal Data Protection Act B.E. 2562 (2019), published in the Royal Gazette on 27 May 2019

Who Must Comply with PDPA?

Any organization that collects, uses, discloses, or stores personal data of individuals in Thailand falls under the PDPA, whether it acts as a data controller (deciding why and how data is processed) or as a data processor (processing on a controller's instructions).

Financial Institutions

Banks, insurers, and payment processors handling customer financial data

Healthcare Providers

Hospitals, clinics, and health-tech companies processing patient records

E-Commerce & Retail

Online platforms and retailers collecting customer information

Technology Companies

SaaS providers, app developers, and IT service companies

Any Company with Customer Data

Any business collecting names, emails, phone numbers, or IDs

Government Agencies

Public sector organizations processing citizen data


Key PDPA Compliance Requirements

PDPA places clear obligations on data controllers to safeguard personal data through technical and organizational measures.

Technical Safeguards

Section 37(1) requires "appropriate security measures" that preserve the confidentiality, integrity, and availability of personal data and that are reviewed as technology and risk change. In practice this means encrypting personal data at rest and in transit, enforcing least-privilege access controls, and requiring multi-factor authentication (MFA) for every system and account that can reach personal data.

Regular Security Assessments

Conduct penetration testing and vulnerability assessments of the systems that process personal data, remediate the weaknesses found, and retain the reports and retest results. Section 37 requires that security measures be reviewed periodically; a dated test-and-retest record is the most direct evidence that this review actually happened.

Breach Notification within 72 Hours

Under Section 37(4), notify the Office of the PDPC of a personal data breach without delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the rights and freedoms of individuals. Where the breach is likely to pose a high risk, the affected data subjects must also be notified without delay, together with the remedial measures taken. The clock starts at awareness, so detection and escalation have to be fast enough to leave time for assessment and reporting.

Data Protection Impact Assessments

Assess the impact of data processing activities on the rights and freedoms of data subjects, especially for high-risk processing operations. The PDPA does not prescribe a GDPR-style DPIA procedure in the same detail, but a documented risk assessment is the practical basis for choosing the "appropriate" security measures Section 37 demands and for defending that choice to the PDPC.

Records of Processing Activities

Maintain detailed records of all personal data processing activities (Section 39), including purposes, data categories, recipients, retention periods, and the security measures applied, so that the PDPC and data subjects can inspect them.

Data Protection Officer (DPO)

Appointing a DPO is mandatory under Section 41 for public authorities, for organizations whose core activities require regular, large-scale monitoring of personal data or of the systems that process it, and for those whose core activities involve processing sensitive personal data.

Penalties for Non-Compliance

PDPA carries severe consequences spanning criminal, administrative, and civil liability.

Criminal
Chapter 7, Part 2

Disclosing sensitive personal data without authorization in a manner likely to cause damage carries a fine of up to ฿500,000, imprisonment of up to 6 months, or both (Section 79). Where the offender acts to obtain an unlawful benefit for themselves or another person, the penalty rises to a fine of up to ฿1,000,000, imprisonment of up to 1 year, or both. Anyone who learns personal data while performing duties under the Act and discloses it without authorization faces the same 6-month / ฿500,000 penalty (Section 80).

Administrative
Sections 83–84

Administrative fines of up to ฿3,000,000 per violation for breaches of the general obligations on controllers, including failure to implement Section 37 security measures (Section 83), and up to ฿5,000,000 for violations involving sensitive personal data such as biometric, health, or racial data (Section 84). Fines are assessed per violation and can be imposed alongside criminal and civil liability.

Civil
Section 78

Data controllers and processors are liable to compensate data subjects for actual damages (Section 77). On top of that compensation, courts may award punitive damages of up to twice the actual damages (Section 78), so total civil exposure can reach three times the actual loss.


PDPA Compliance Checklist

Key security measures to demonstrate PDPA Section 37 compliance.

Conduct regular penetration testing on systems processing personal data
Implement encryption for personal data at rest and in transit
Deploy multi-factor authentication (MFA) for systems accessing personal data
Maintain access control logs and audit trails for personal data access
Establish and test a 72-hour breach notification procedure
Document all data processing activities and maintain records
Conduct Data Protection Impact Assessments for high-risk processing
Train all employees handling personal data on security practices
Review and update security policies at least annually
Implement network segmentation to isolate personal data systems
Establish vendor security assessment processes for third-party data processors
Maintain dated, documented evidence of every security measure (test reports, retest results, configuration baselines, training records) for PDPC inspections


Get PDPA-Ready Today

Protect personal data, satisfy Section 37, and receive audit-ready reports you can present to the PDPC.

Reconix is a leading cybersecurity company in Thailand, providing world-class services to businesses of all sizes.