PDPA Risk After Market Entry: What Foreign Investors Overlook in Thailand
- Osaris Chaichit
- 4 days ago
- 4 min read
Key Takeaways:
- PDPA compliance risks often arise after market entry, particularly in vendor management and data disposal practices.
- Recent enforcement actions demonstrate that data controllers remain responsible for third-party processors.
- Data protection failures may affect enterprise value and due diligence outcomes in M&A transactions.
- Foreign investors should integrate PDPA compliance into corporate governance and risk management frameworks.
PDPA Compliance Before and After Market Entry
For many foreign investors entering Thailand, compliance with the Personal Data Protection Act (PDPA) is often treated as a box-ticking exercise during market entry. Privacy policies are adopted, consent forms prepared, and companies assume that the issue has been adequately addressed. However, recent enforcement actions demonstrate that PDPA compliance risks do not end after market entry. Weak data governance, improper data disposal, and poorly managed vendor relationships can expose companies to regulatory penalties, reputational damage, and operational disruption, which are risks that may ultimately affect enterprise value and corporate transactions.
Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) came fully into force on 1 June 2022, establishing a comprehensive legal framework governing the collection, use, disclosure, and cross-border transfer of personal data. Prior to the enforcement date, many companies were engaged in a rapid search for compliant privacy policies for their websites or sought in-house specialists in PDPA or the EU’s General Data Protection Regulation (GDPR). Templates available on online platforms ranged from two pages to fourteen pages, leaving many companies uncertain whether their policies met the statutory requirements. In the years following its implementation, however, PDPA compliance efforts in many organizations appear to have shifted from initial implementation to routine operational management. This is partly because some businesses do not rely heavily on website cookies or cross-border transfer of personal data, while others, particularly in sectors such as insurance, require sensitive personal data from clients in order to provide their services. In these cases, obtaining consent from customers is often integrated into normal business operations. This may also reflect the fact that some multinational companies are already compliant with the EU’s regime under the GDPR. Despite this perceived relaxation, the statutory regime is gradually developing an enforcement culture.
Recent Enforcement: Lessons from the Healthcare Sector
Recent PDPA enforcement actions demonstrate that data protection compliance can have significant implications for enterprise value, director exposure, and operational stability. In August 2025, a private hospital in Ubon Ratchathani, acting as the data controller, was fined THB 1.21 million, while its data processor was fined THB 16,940. The Office of the Personal Data Protection Commission (PDPC) imposed these penalties after the improper disposal of more than one thousand medical records. In one widely reported incident, a medical record revealing a patient’s diagnosis of Hepatitis B was reportedly used as packaging paper for a Thai street snack known as Khanom Tokiao. The case illustrates how inadequate data destruction practices can result in serious privacy breaches. From a transaction perspective, incidents of this nature may also raise questions during legal due diligence, particularly where data governance practices form part of operational risk assessments.
Vendor Risk and the Role of Data Processors
Although the hospital had engaged a third-party data processor, a small family business, to destroy the medical records containing sensitive personal data, the data controller remains legally responsible for ensuring that the destruction or erasure of personal data complies with statutory standards and retention requirements. Data processors, in turn, must process and destroy personal data strictly in accordance with contractual agreements and must notify the data controller of any data breach or public disclosure incident. Failing to comply may constitute a breach of contractual obligations and expose both parties to regulatory penalties. The incident highlights that PDPA enforcement is not limited to large technology companies but can arise from routine operational practices such as document disposal and vendor outsourcing.
Why PDPA Matters in M&A Transactions
For foreign investors entering the Thai market, whether through greenfield investments, joint ventures, or acquisitions, PDPA compliance is often viewed as a secondary operational issue rather than a strategic legal risk. However, data protection failures can create liabilities that extend beyond regulatory fines. Non-compliance may affect a company’s valuation during mergers and acquisitions, expose directors to regulatory scrutiny, and disrupt business operations if regulators impose corrective measures. In addition, reputational damage resulting from data breaches can undermine consumer trust and commercial relationships. In cross-border acquisitions, buyers may inherit undisclosed data protection risks after completion. Because PDPA liability can arise from historical data processing practices, buyers may be exposed to regulatory risks even where the underlying conduct occurred prior to the acquisition. If historical PDPA non-compliance later comes to light, the acquiring company may face regulatory scrutiny or contractual disputes under representations and warranties. For these reasons, data protection compliance has become an increasingly relevant due diligence issue, and buyers are now more attentive to whether target companies have proper data governance policies, vendor management procedures, and data breach response mechanisms in place.
Practical Compliance Considerations for Investors
Foreign investors and multinational companies operating in Thailand should consider implementing several practical measures. In addition to customer-facing data practices, PDPA compliance should also extend to internal processes such as recruitment, employee data management, and HR record retention, where companies frequently collect sensitive personal data during hiring and employment administration.
- Conducting PDPA compliance audits after market entry
- Reviewing data processing agreements with third-party vendors
- Ensuring proper data retention and destruction procedures
- Implementing internal training and governance policies
- Integrating data protection considerations into corporate risk management frameworks
These measures help reduce regulatory exposure while protecting the long-term enterprise value of the business.
Conclusion: PDPA as a Strategic Risk
Although PDPA enforcement in Thailand is still evolving, recent regulatory actions suggest that authorities are increasingly willing to impose penalties for improper data management practices. For foreign investors and multinational companies, PDPA compliance should therefore be viewed not merely as a formal requirement for website policies but as an integral component of corporate governance, operational resilience, and transaction risk management.
Disclaimer & Contact
This article is provided for general information purposes only and does not constitute legal advice. While I strive to keep my legal analysis accurate and practical, changes in law or other circumstances may affect its application. If you wish to discuss PDPA compliance, or data protection considerations in corporate transactions, you are welcome to contact me to arrange an initial discussion.
📩 Contact: osa.chaichit@gmail.com
Osaris Chaichit
Attorney-at-Law (Thailand)
Notarial Services Attorney