PDPA. Othello’s home data-protection regime.
The Personal Data Protection Act B.E. 2562 is Thailand’s comprehensive data-protection law — gazetted 2019, fully effective 1 June 2022, and enforced by the Personal Data Protection Committee (PDPC). As a Bangkok-domiciled firm, this is Othello’s primary regime: every document Othello processes that contains personal data falls under it. The grace period is over. In August 2025 the PDPC issued eight fines across five cases totalling ฿21.5M — and crucially, it fined data processors, not only controllers. Vendors can no longer hide behind their clients. Othello operates as a processor on the client-controller’s documented instruction, under a discipline calibrated to the stricter of PDPA and GDPR. DPA on request · NDA from first email · audit-trail retained Bangkok-side.
- RegimePDPA B.E. 2562 · home
- RegulatorPDPC · actively enforcing
- RoleProcessor · on instruction
- ProcessorsFined too · §40 duties
- Cross-border§§28–29 · documented
- EU alignmentGDPR-modelled
- ConfidentialityNDA from first email
The posture, substantively. Six points under Thailand’s home regime.
PDPA compliance is now a business-critical obligation, not a future consideration. Since the PDPC began issuing multi-million-baht fines — including against processors — the questions that matter are concrete: what role does Othello hold, on what lawful basis, who is accountable, and how is cross-border transfer handled. The six points below document the substantive posture under PDPA B.E. 2562.
PDPA B.E. 2562 — fully effective since 2022.
The Personal Data Protection Act B.E. 2562 was published in the Royal Thai Government Gazette in 2019 and became fully effective on 1 June 2022 after pandemic-related postponements. It governs how organisations collect, use, and disclose the personal data of individuals in Thailand — and is similar in scope and spirit to the EU’s GDPR, on which it was modelled.
The PDPC — and the grace period is over.
The Personal Data Protection Committee (PDPC) enforces the Act. In August 2025 it issued eight administrative fines across five cases — public and private, healthcare to retail — totalling around ฿21.5M, signalling the end of the “warning” era. The recurring failures it flags: no DPO, no breach reporting, weak security, processing without lawful basis. Othello’s posture is built directly against those failure modes.
Processor, with its own liability.
Othello acts as a data processor on the client-controller’s documented instruction. Critically, the PDPC’s enforcement has extended to processors, not only controllers — a vendor cannot hide behind its client. Othello accepts the Section 40 processor duties directly: process only on instruction, maintain security, keep records, and support the controller’s obligations.
Six lawful bases — consent is only one.
PDPA recognises six lawful bases for processing — consent, contract, legal obligation, vital interests, public task, and legitimate interest. For Othello’s work, processing is grounded in the contract with the controller and the controller’s documented instruction, not blanket consent. The basis is identified per engagement and recorded — “collection without lawful basis” is one of the most-complained-of failures.
Sections 28–29 govern transfer abroad.
Sections 28 and 29 regulate transfer of personal data to foreign countries — relevant whenever a document moves between Thailand and an overseas client or partner. Othello documents the cross-border basis rather than assuming free flow: where data leaves Thailand, the receiving country’s adequacy or appropriate safeguards are assessed and recorded — mirroring the SCC discipline applied on the GDPR side.
DPO, records, and breach reporting.
The failures the PDPC fines most are accountability gaps — no DPO, no breach reporting, no records. Othello maintains a data-protection point of accountability, records of processing, and a breach-response procedure that notifies the controller without undue delay so the controller can meet its PDPC reporting duty. Accountability is documented, not assumed.
★ WHY PROCESSOR LIABILITY MATTERS · The PDPC has fined data processors, not just controllers — in one 2025 case a controller and processor were penalised together. For an institutional client, that means choosing a vendor whose own PDPA posture is sound is a way to reduce their exposure, not just the vendor’s. Othello carries its processor duties as its own, documented in the DPA. See GDPR Compliance for the EU-facing counterpart.
Eight data-subject rights. Othello supports the controller in honouring each.
PDPA grants individuals eight enforceable rights over their personal data. As a processor, Othello does not field these requests directly — it supports the client-controller’s response from Othello-controlled infrastructure. The flagship rights in practice are access and erasure, the two most frequently exercised.
Right to access
The flagship right. A data subject may request access to their personal data and a copy of it, and ask how it was obtained. On the controller’s instruction, Othello promptly retrieves the relevant material from its infrastructure and provides it for the controller’s response. Logged in the audit-trail.
Right to erasure
A data subject may request deletion or de-identification of their personal data where the basis for holding it no longer applies. On instruction, Othello securely deletes the relevant material from its infrastructure and confirms deletion in writing, recorded in the audit-trail. Aligns with the scheduled-deletion discipline applied at engagement close.
Right to rectification
A data subject may have inaccurate personal data corrected and incomplete data completed. Where a document Othello holds contains an error the controller asks to correct, Othello applies the correction in its copy and records the change. Accuracy is a PDPA principle, not just a right.
Right to object
A data subject may object to certain processing — including direct marketing and processing on legitimate-interest or public-task grounds. As processor, Othello halts the objected-to processing of the relevant material on the controller’s instruction and records the objection and the action taken.
Right to data portability
A data subject may obtain their data in a machine-readable format and have it transmitted to another controller where technically feasible. Othello supports the controller by extracting the relevant material in a structured format suitable for portability. Format-fidelity discipline carries over.
Right to restrict processing
A data subject may request that processing be suspended in defined circumstances — for instance, while accuracy is contested or an objection is assessed. Othello suspends processing of the relevant material on instruction, holding it without further use until the controller resolves the request.
Right to withdraw consent
Where processing rests on consent, a data subject may withdraw it at any time, as easily as it was given. As Othello’s work rests on the contract and the controller’s instruction rather than direct consent, withdrawal is actioned through the controller — Othello ceases the relevant processing once instructed.
Right to lodge a complaint
A data subject may complain to the PDPC where they believe their data has been mishandled. The PDPC’s complaint centre recorded thousands of complaints by early 2026 — the most common concerning minimisation, lawful basis, and unlawful disclosure. Othello’s posture is built to keep engagements clear of exactly those failure patterns.
★ RIGHTS RUN THROUGH THE CONTROLLER · As a processor, Othello does not receive data-subject requests directly — it supports the controller’s response. What Othello guarantees is that the relevant material can be located, corrected, extracted, or deleted promptly from its infrastructure, with every action recorded. The controller stays in control; Othello makes the response executable. See Our Process for the bench workflow.
PDPA was modelled on GDPR — close, but not identical.
Thailand’s PDPA was drafted with the GDPR as its template, so the two map closely — same controller/processor split, similar rights, similar accountability. But they attach to different data subjects and have their own cross-border rules. Othello runs one handling discipline that satisfies both, and names which regime governs which engagement.
One handling standard. Two regimes it answers to.
Where the data subject is in Thailand, PDPA governs directly — it is Othello’s home regime. Where the data subject is in the EU/EEA, GDPR governs and the EU → Thailand transfer runs on SCCs + TIA. Many engagements touch both. Othello’s bench operates a single discipline — in-house processing, encryption, minimisation, retention control, breach response — calibrated to the stricter of the two on any point. See GDPR Compliance for the EU-facing detail.
★ PLAIN LANGUAGE · PDPA is Othello’s home regime; GDPR applies to EU-facing work. Because PDPA was built on GDPR, one well-run discipline covers both — calibrated to the stricter requirement on any given point. One handling discipline, two regimes, named per engagement.
Six stages. Each with a documented gate. Data is controlled end to end.
How personal data inside a client document is handled under PDPA from arrival to deletion. The lawful-basis gate is first — the basis and any cross-border mechanism are recorded before processing begins. Nothing runs on an undocumented basis. See Our Process for the bench workflow this sits inside.
From intake to confirmed deletion. Bangkok-controlled throughout.
Every engagement carrying personal data progresses through the six stages below under the firm’s data-protection discipline. The lawful basis and cross-border mechanism are set before intake — DPA executed, §§28–29 basis recorded for any transfer abroad. The data is then controlled inside Othello infrastructure to confirmed deletion.
Data protection sits inside the engagement. Not bolted on.
PDPA discipline runs through every service Othello delivers — translation, certified work, ESG advisory. The pages below document the adjacent compliance frame and the services it protects, all under one engagement letter, one NDA, one audit-trail.
GDPR Compliance · EU-facing work
The EU General Data Protection Regulation counterpart — applied to EU-facing engagements via SCCs and an Article 28 DPA, since Thailand holds no EU adequacy decision. The other half of the one-discipline-two-regimes posture.
Open GDPR ComplianceTechnical Translation · ISO 17100
ISO 17100 + ISO 9001 technical translation — the service most often carrying personal data inside documents. In-house processing, encryption, and minimisation apply to every engagement. PDPA/GDPR discipline built into the workflow.
Open Technical TranslationData Processing Agreement
Request a processor Data Processing Agreement aligned to PDPA Section 40 (and GDPR Article 28 for EU work) — issued under mutual NDA. The contract that records role, lawful basis, transfer mechanism, and Othello’s obligations before any data moves.
Request a DPAData-protection questions answered up front.
Substantive answers to what Thai corporates, privacy officers, and procurement teams routinely ask about how Othello handles personal data under the PDPA. Click to expand each.
Q.01What is the PDPA, and when did it take effect?
The Personal Data Protection Act B.E. 2562 is Thailand’s comprehensive data-protection law, similar in scope and spirit to the EU’s GDPR, on which it was modelled. It was published in the Royal Thai Government Gazette in 2019 and became fully effective on 1 June 2022 after pandemic-related postponements. It governs how organisations collect, use, and disclose the personal data of individuals in Thailand, and is enforced by the Personal Data Protection Committee (PDPC).
Q.02Is the PDPA actually being enforced, or is it still a grace period?
It is being actively enforced — the grace period is over. The PDPC issued its first administrative penalty in 2024, and in August 2025 issued eight fines across five cases — public and private, spanning healthcare, retail, and state services — totalling around ฿21.5M. The regulator has made clear the era of warnings is finished. Recurring failures it flags: no DPO, no breach reporting, weak security, and processing without lawful basis.
Q.03Is Othello a controller or a processor under the PDPA?
A data processor. Othello processes personal data inside documents on the documented instruction of the client, who is the controller and determines the purposes. This is recorded in the engagement and the Data Processing Agreement. Importantly, PDPA imposes direct duties on processors (Section 40) — process only on instruction, maintain security, keep records, and support the controller — and the PDPC has fined processors, so Othello carries these duties as its own.
Q.04Can a data processor really be fined under the PDPA?
Yes — and the PDPC has done so. Enforcement in 2025 extended to data processors, not only controllers; in one case a controller and processor were penalised together. The practical takeaway for an institutional client: choosing a vendor whose own PDPA posture is sound reduces your exposure, not just the vendor’s. A vendor cannot hide behind its client, and a client should not have to absorb a vendor’s compliance gap.
Q.05What is the maximum penalty for a PDPA violation?
Administrative fines of up to ฿5 million per violation, plus potential criminal penalties and civil liability — and businesses can be ordered to cease processing. Affected data subjects may also bring civil claims, including collective actions. The separate Emergency Decree on Technology Crimes (2025) adds criminal offences for the misuse of personal data in connection with tech crimes. The financial and operational risk is real and current.
Q.06What lawful basis does Othello rely on to process our documents?
PDPA recognises six lawful bases — consent, contract, legal obligation, vital interests, public task, and legitimate interest. Othello’s processing is grounded in the contract with the controller and the controller’s documented instruction, not blanket consent. The basis is identified per engagement and recorded — “collection without a lawful basis” is one of the most-complained-of failures at the PDPC, so Othello documents the basis rather than assuming it.
Q.07How does the PDPA handle cross-border transfers?
Sections 28 and 29 regulate transfer of personal data to foreign countries — relevant whenever a document moves between Thailand and an overseas client or partner. Othello documents the cross-border basis rather than assuming free flow: where data leaves Thailand, the destination’s adequacy or appropriate safeguards are assessed and recorded. This mirrors the SCC + Transfer Impact Assessment discipline applied on the GDPR side for EU → Thailand flows.
Q.08What data-subject rights does the PDPA grant, and how do you support them?
PDPA grants eight rights — access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right to complain to the PDPC. As a processor, Othello does not receive these requests directly; it supports the controller’s response by promptly locating, correcting, extracting, or deleting the relevant material from Othello-controlled infrastructure, with every action recorded in the audit-trail.
Q.09Do you use machine translation or consumer AI tools on our documents?
No — not for substantive client content. Othello does not route personal data inside client documents through consumer LLM endpoints or unscreened third-party machine-translation services. Content is processed within Othello-controlled infrastructure by the named bench, encrypted in transit and at rest, under least-privilege access. Silent data egress to free translation tools is exactly the kind of weak-security failure the PDPC penalises — and the one Othello is built to avoid.
Q.10How does PDPA relate to GDPR, and to Othello’s wider framework?
PDPA is Othello’s home regime; GDPR applies to EU-facing work. Because PDPA was modelled on GDPR, the two map closely — Othello runs one handling discipline (in-house processing, encryption, minimisation, retention control, breach response) calibrated to satisfy the stricter of the two on any point. This sits inside the firm’s founding standard — established 2020 on US government contracts under FAR-grade verification and NDA-from-first-email confidentiality. See GDPR Compliance. Email [email protected] or call +66 02-859-2145.
Thai personal data, handled lawfully.
Othello operates under the PDPA as its home regime — processor role with direct §40 duties, lawful basis recorded per engagement, in-house processing, encryption, minimisation, breach discipline, confirmed deletion — and runs EU-facing work to GDPR standard via SCCs and a DPA. The lawful basis is documented before processing begins; the audit-trail is retained Bangkok-side for PDPC accountability. ≤1 BH acknowledgement · DPA on request under mutual NDA.
Unit 12-03, Chartered Square · 152 N Sathon Rd · Si Lom · Bangkok 10500