How Thailand's PDPA Stacks Up Against Europe's GDPR 

Explore how Thailand's PDPA compares to Europe’s GDPR, examining similarities in data protection principles and differences in enforcement. Discover how both frameworks address privacy rights and cross-border data handling.

Territorial scope 

GDPR 

The GDPR applies to organisations that have a presence in the EU, in particular entities that have an 'establishment' in the EU. Thus, the GDPR applies to the processing of data by organisations established in the EU, regardless of whether the processing takes place in the EU or not.

PDPA 

The PDPA applies to the collection, use, or disclosure of personal data by organisations that are in Thailand, regardless of whether the collection, use, or disclosure of personal data takes place in Thailand or not.


Personal scope 

GDPR 

The GDPR applies to data controllers and data processors, which may be public bodies.

PDPA 

The PDPA does not apply to public authorities tasked with state security, including financial security and public safety, or to their responsibilities in preventing and addressing money laundering, forensic science, or cybersecurity.


Personal data 

GDPR 

The GDPR defines 'personal data' as 'any information relating to an identified or identifiable natural person', whether collected directly or indirectly from the data subject.

PDPA 

The PDPA defines 'personal data' as any information related to an individual that can identify that person, either directly or indirectly, but it excludes information about deceased individuals. 

Pseudonymisation 

GDPR 

The GDPR defines pseudonymisation as the processing of personal data in such a way that it can no longer be linked to a specific individual without the use of additional information.

PDPA 

The PDPA does not define pseudonymized data. 


Legal basis 

GDPR

The GDPR stipulates that data controllers may only process personal data if there is a legal basis for doing so. The legal grounds include consent, performance of a contract, legal obligation, the vital interests of the data subject, public interest, and legitimate interest.

PDPA 

The PDPA states that data controllers must not collect, use, or disclose personal data unless the data subject has given consent or another legal ground applies: necessity for the performance of a contract, compliance with the law, suppressing danger to a data subject's life, public interest, or legitimate interest.


Data transfers 

GDPR 

The GDPR permits the transfer of personal data to a third country or international organization that the EU Commission has deemed to provide an adequate level of protection. 

The GDPR specifies that a cross-border transfer is allowed based on international agreements for judicial cooperation. 

PDPA 

Under the PDPA, the transfer of personal data is allowed only to destination countries or international organizations that provide an adequate level of protection as determined by the PDPC. 

The PDPA does not specifically cover the transfer of personal data for the purpose of complying with a court judgment or any decision made by an authority in a third country. 


Data processing records 

GDPR 

Data controllers and data processors are required to keep a record of the processing activities under their management.

The GDPR outlines a list of information that a data processor must record.

PDPA 

Data controllers and data processors must keep a record of their personal data processing activities. 

The PDPA does not specify a list of processing information that a data processor must record.


Data Protection Impact Assessment

GDPR

The GDPR stipulates that a DPIA must be conducted in the following situations: 

- When the processing could pose a high risk to an individual's rights and freedoms. 

- When there is a systematic and extensive evaluation of personal aspects concerning individuals, based on automated processing or profiling. 

- When there is large-scale processing of special categories of data.

PDPA 

To meet the minimum standards set by the PDPC, an assessment of security measures for processing operations should be conducted only when necessary or when there is a change in technology. The PDPA states that the PDPC will specify these minimum standards. 


Data protection officer

GDPR  

Under the GDPR, data controllers and data processors, including their representatives, are required to appoint a DPO, and the GDPR recognises the independence of DPOs.

PDPA

Similarly, under the PDPA, data controllers and data processors, including their representatives, are required to appoint a DPO. The PDPA does not explicitly comment on the independence of DPOs.


Data security and data breaches 

GDPR

The GDPR acknowledges integrity and confidentiality as key principles of protection, stating that personal data must be processed in a way that guarantees appropriate security for that data. 

PDPA

The PDPA identifies security measures as a fundamental principle for protecting the rights and freedoms of data subjects. 

Data subject rights 

GDPR

Under the GDPR, data subjects have several rights, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing. Requests must be responded to without 'undue delay' and within one month of receipt. This deadline may be extended by a further two months, depending on the complexity and number of the requests.

PDPA

The PDPA provides similar rights, but it does not specify a timeline for data controllers to respond to requests; instead, it grants data subjects the right to file a complaint with the relevant authority if the data controller fails to respond to a deletion request.