Bench active · EN ↔ TH · TEL +66 02-859-2145 · NDA from first email · 1-hour quote SLA
EN TH
Request RFP
COMPLIANCE · PDPA · THAI HOME REGIME · PDPC-ENFORCED SINCE 2022
DPO duty · breach notice · NDA from first email
★ PDPA B.E. 2562 · PDPC-ENFORCED · 6 LAWFUL BASES · 8 RIGHTS · GDPR-ALIGNED · NDA-FIRST

PDPA. Othello’s home data-protection regime.

The Personal Data Protection Act B.E. 2562 is Thailand’s comprehensive data-protection law — gazetted 2019, fully effective 1 June 2022, and enforced by the Personal Data Protection Committee (PDPC). As a Bangkok-domiciled firm, this is Othello’s primary regime: every document Othello processes that contains personal data falls under it. The grace period is over. In August 2025 the PDPC issued eight fines across five cases totalling ฿21.5M — and crucially, it fined data processors, not only controllers. Vendors can no longer hide behind their clients. Othello operates as a processor on the client-controller’s documented instruction, under a discipline calibrated to the stricter of PDPA and GDPR. DPA on request · NDA from first email · audit-trail retained Bangkok-side.

Fully Effective
2022
B.E. 2562 · 1 June
Lawful Bases
6
For lawful processing
Data-Subject Rights
8
Access · erasure · objection
Max Admin Fine
฿5M
Per violation + criminal
★ DATA-PROTECTION POSTURE · TRANSPARENT
Home regime. Processor role. One DPA, one audit-trail.
  • RegimePDPA B.E. 2562 · home
  • RegulatorPDPC · actively enforcing
  • RoleProcessor · on instruction
  • ProcessorsFined too · §40 duties
  • Cross-border§§28–29 · documented
  • EU alignmentGDPR-modelled
  • ConfidentialityNDA from first email
★ The PDPA Posture · How A Thai Processor Stays Lawful

The posture, substantively. Six points under Thailand’s home regime.

PDPA compliance is now a business-critical obligation, not a future consideration. Since the PDPC began issuing multi-million-baht fines — including against processors — the questions that matter are concrete: what role does Othello hold, on what lawful basis, who is accountable, and how is cross-border transfer handled. The six points below document the substantive posture under PDPA B.E. 2562.

POINT 01 · THE LAW

PDPA B.E. 2562 — fully effective since 2022.

The Personal Data Protection Act B.E. 2562 was published in the Royal Thai Government Gazette in 2019 and became fully effective on 1 June 2022 after pandemic-related postponements. It governs how organisations collect, use, and disclose the personal data of individuals in Thailand — and is similar in scope and spirit to the EU’s GDPR, on which it was modelled.

StatutePDPA B.E. 2562
Effective1 June 2022
ModelGDPR-aligned
POINT 02 · THE REGULATOR

The PDPC — and the grace period is over.

The Personal Data Protection Committee (PDPC) enforces the Act. In August 2025 it issued eight administrative fines across five cases — public and private, healthcare to retail — totalling around ฿21.5M, signalling the end of the “warning” era. The recurring failures it flags: no DPO, no breach reporting, weak security, processing without lawful basis. Othello’s posture is built directly against those failure modes.

RegulatorPDPC
Aug 20258 fines / 5 cases
Total to date~฿21.5M
POINT 03 · ROLE

Processor, with its own liability.

Othello acts as a data processor on the client-controller’s documented instruction. Critically, the PDPC’s enforcement has extended to processors, not only controllers — a vendor cannot hide behind its client. Othello accepts the Section 40 processor duties directly: process only on instruction, maintain security, keep records, and support the controller’s obligations.

OthelloProcessor
Duties§40
LiabilityDirect
POINT 04 · LAWFUL BASIS

Six lawful bases — consent is only one.

PDPA recognises six lawful bases for processing — consent, contract, legal obligation, vital interests, public task, and legitimate interest. For Othello’s work, processing is grounded in the contract with the controller and the controller’s documented instruction, not blanket consent. The basis is identified per engagement and recorded — “collection without lawful basis” is one of the most-complained-of failures.

Bases6 lawful
Othello’sContract + instruction
RecordedPer engagement
POINT 05 · CROSS-BORDER

Sections 28–29 govern transfer abroad.

Sections 28 and 29 regulate transfer of personal data to foreign countries — relevant whenever a document moves between Thailand and an overseas client or partner. Othello documents the cross-border basis rather than assuming free flow: where data leaves Thailand, the receiving country’s adequacy or appropriate safeguards are assessed and recorded — mirroring the SCC discipline applied on the GDPR side.

Sections§§28–29
ApproachDocumented
MirrorsGDPR SCC
POINT 06 · ACCOUNTABILITY

DPO, records, and breach reporting.

The failures the PDPC fines most are accountability gaps — no DPO, no breach reporting, no records. Othello maintains a data-protection point of accountability, records of processing, and a breach-response procedure that notifies the controller without undue delay so the controller can meet its PDPC reporting duty. Accountability is documented, not assumed.

DPO duty§41 (where applicable)
RecordsMaintained
BreachNotify controller

WHY PROCESSOR LIABILITY MATTERS · The PDPC has fined data processors, not just controllers — in one 2025 case a controller and processor were penalised together. For an institutional client, that means choosing a vendor whose own PDPA posture is sound is a way to reduce their exposure, not just the vendor’s. Othello carries its processor duties as its own, documented in the DPA. See GDPR Compliance for the EU-facing counterpart.

★ The Eight Rights · What PDPA Grants Data Subjects

Eight data-subject rights. Othello supports the controller in honouring each.

PDPA grants individuals eight enforceable rights over their personal data. As a processor, Othello does not field these requests directly — it supports the client-controller’s response from Othello-controlled infrastructure. The flagship rights in practice are access and erasure, the two most frequently exercised.

RIGHT 01 · FLAGSHIP

Right to access

The flagship right. A data subject may request access to their personal data and a copy of it, and ask how it was obtained. On the controller’s instruction, Othello promptly retrieves the relevant material from its infrastructure and provides it for the controller’s response. Logged in the audit-trail.

AccessCopyProvenance
RIGHT 02 · FLAGSHIP

Right to erasure

A data subject may request deletion or de-identification of their personal data where the basis for holding it no longer applies. On instruction, Othello securely deletes the relevant material from its infrastructure and confirms deletion in writing, recorded in the audit-trail. Aligns with the scheduled-deletion discipline applied at engagement close.

ErasureDe-identifyConfirmed
RIGHT 03 · RECTIFICATION

Right to rectification

A data subject may have inaccurate personal data corrected and incomplete data completed. Where a document Othello holds contains an error the controller asks to correct, Othello applies the correction in its copy and records the change. Accuracy is a PDPA principle, not just a right.

CorrectCompleteAccurate
RIGHT 04 · OBJECTION

Right to object

A data subject may object to certain processing — including direct marketing and processing on legitimate-interest or public-task grounds. As processor, Othello halts the objected-to processing of the relevant material on the controller’s instruction and records the objection and the action taken.

ObjectHaltRecorded
RIGHT 05 · PORTABILITY

Right to data portability

A data subject may obtain their data in a machine-readable format and have it transmitted to another controller where technically feasible. Othello supports the controller by extracting the relevant material in a structured format suitable for portability. Format-fidelity discipline carries over.

PortableMachine-readableTransmit
RIGHT 06 · RESTRICTION

Right to restrict processing

A data subject may request that processing be suspended in defined circumstances — for instance, while accuracy is contested or an objection is assessed. Othello suspends processing of the relevant material on instruction, holding it without further use until the controller resolves the request.

SuspendHoldPending
RIGHT 07 · WITHDRAW CONSENT

Right to withdraw consent

Where processing rests on consent, a data subject may withdraw it at any time, as easily as it was given. As Othello’s work rests on the contract and the controller’s instruction rather than direct consent, withdrawal is actioned through the controller — Othello ceases the relevant processing once instructed.

WithdrawAnytimeCease
RIGHT 08 · COMPLAINT

Right to lodge a complaint

A data subject may complain to the PDPC where they believe their data has been mishandled. The PDPC’s complaint centre recorded thousands of complaints by early 2026 — the most common concerning minimisation, lawful basis, and unlawful disclosure. Othello’s posture is built to keep engagements clear of exactly those failure patterns.

PDPCComplaintInvestigated

RIGHTS RUN THROUGH THE CONTROLLER · As a processor, Othello does not receive data-subject requests directly — it supports the controller’s response. What Othello guarantees is that the relevant material can be located, corrected, extracted, or deleted promptly from its infrastructure, with every action recorded. The controller stays in control; Othello makes the response executable. See Our Process for the bench workflow.

★ PDPA + GDPR · Two Regimes · One Discipline

PDPA was modelled on GDPR — close, but not identical.

Thailand’s PDPA was drafted with the GDPR as its template, so the two map closely — same controller/processor split, similar rights, similar accountability. But they attach to different data subjects and have their own cross-border rules. Othello runs one handling discipline that satisfies both, and names which regime governs which engagement.

★ THE TWO REGIMES · SIDE BY SIDE

One handling standard. Two regimes it answers to.

Where the data subject is in Thailand, PDPA governs directly — it is Othello’s home regime. Where the data subject is in the EU/EEA, GDPR governs and the EU → Thailand transfer runs on SCCs + TIA. Many engagements touch both. Othello’s bench operates a single discipline — in-house processing, encryption, minimisation, retention control, breach response — calibrated to the stricter of the two on any point. See GDPR Compliance for the EU-facing detail.

DIM 01
Origin.PDPA: B.E. 2562, gazetted 2019, fully effective 2022, modelled on GDPR. GDPR: Regulation (EU) 2016/679, effective 2018.
DIM 02
When it governs.PDPA: personal data of individuals in Thailand. GDPR: EU/EEA data subjects (Art 3). Othello names which applies per engagement.
DIM 03
Roles.Both split controller and processor with near-identical duties — and both now fine processors. Othello is the processor under either, on documented instruction.
DIM 04
Cross-border transfer.PDPA: §§28–29 govern transfer abroad. GDPR: EU→TH needs SCCs + TIA. Othello documents the mechanism either way.
DIM 05
Penalties.PDPA: up to ฿5M administrative per violation, plus criminal and civil. GDPR: up to €20M / 4% of global turnover. Both now actively enforced.
DIM 06
Othello’s standing.PDPA: home regime, directly applicable. GDPR: applied to EU-facing work via SCCs + DPA. Both run honestly — neither overclaimed.

PLAIN LANGUAGE · PDPA is Othello’s home regime; GDPR applies to EU-facing work. Because PDPA was built on GDPR, one well-run discipline covers both — calibrated to the stricter requirement on any given point. One handling discipline, two regimes, named per engagement.

★ Data Lifecycle · Intake to Confirmed Deletion

Six stages. Each with a documented gate. Data is controlled end to end.

How personal data inside a client document is handled under PDPA from arrival to deletion. The lawful-basis gate is first — the basis and any cross-border mechanism are recorded before processing begins. Nothing runs on an undocumented basis. See Our Process for the bench workflow this sits inside.

★ LAWFUL-BASIS-FIRST · AUDIT-TRAIL RETAINED

From intake to confirmed deletion. Bangkok-controlled throughout.

Every engagement carrying personal data progresses through the six stages below under the firm’s data-protection discipline. The lawful basis and cross-border mechanism are set before intake — DPA executed, §§28–29 basis recorded for any transfer abroad. The data is then controlled inside Othello infrastructure to confirmed deletion.

STAGE 01
Basis & transfer gate.Regime identified (PDPA / GDPR / both). Lawful basis recorded — contract + instruction; cross-border basis under §§28–29 where data moves abroad. DPA executed, NDA from first email already in force. No processing on an undocumented basis.
STAGE 02
Secure intake.Documents received over encrypted transfer channels, not default email. Logged on receipt. Scope and data categories confirmed against the DPA. Minimisation applied — only what the engagement needs.
STAGE 03
Controlled processing.Processed in-house by the named bench under least-privilege access — no consumer LLM endpoints, no unscreened tools. Encrypted at rest. Access logged; need-to-know enforced.
STAGE 04
Editorial & QA.Independent editor reviews within the same controlled environment (ISO 17100 stage two). No data leaves the perimeter for QA. Any sub-processor is screened and bound back-to-back. Disclosed to the controller.
STAGE 05
Delivery & rights.Deliverable returned over secure channel. Data-subject-rights requests (via the controller) actioned promptly — access, rectification, erasure, restriction, portability. Every action recorded in the audit-trail.
STAGE 06
Retention & deletion.Held only for the DPA-agreed window, then securely deleted or returned, with written confirmation. Audit-trail of the lifecycle — basis, transfer, processing, deletion, any incident — retained Bangkok-side for PDPC accountability.
★ PDPA FAQ · Ten Common Asks

Data-protection questions answered up front.

Substantive answers to what Thai corporates, privacy officers, and procurement teams routinely ask about how Othello handles personal data under the PDPA. Click to expand each.

Q.01What is the PDPA, and when did it take effect?

The Personal Data Protection Act B.E. 2562 is Thailand’s comprehensive data-protection law, similar in scope and spirit to the EU’s GDPR, on which it was modelled. It was published in the Royal Thai Government Gazette in 2019 and became fully effective on 1 June 2022 after pandemic-related postponements. It governs how organisations collect, use, and disclose the personal data of individuals in Thailand, and is enforced by the Personal Data Protection Committee (PDPC).

Q.02Is the PDPA actually being enforced, or is it still a grace period?

It is being actively enforced — the grace period is over. The PDPC issued its first administrative penalty in 2024, and in August 2025 issued eight fines across five cases — public and private, spanning healthcare, retail, and state services — totalling around ฿21.5M. The regulator has made clear the era of warnings is finished. Recurring failures it flags: no DPO, no breach reporting, weak security, and processing without lawful basis.

Q.03Is Othello a controller or a processor under the PDPA?

A data processor. Othello processes personal data inside documents on the documented instruction of the client, who is the controller and determines the purposes. This is recorded in the engagement and the Data Processing Agreement. Importantly, PDPA imposes direct duties on processors (Section 40) — process only on instruction, maintain security, keep records, and support the controller — and the PDPC has fined processors, so Othello carries these duties as its own.

Q.04Can a data processor really be fined under the PDPA?

Yes — and the PDPC has done so. Enforcement in 2025 extended to data processors, not only controllers; in one case a controller and processor were penalised together. The practical takeaway for an institutional client: choosing a vendor whose own PDPA posture is sound reduces your exposure, not just the vendor’s. A vendor cannot hide behind its client, and a client should not have to absorb a vendor’s compliance gap.

Q.05What is the maximum penalty for a PDPA violation?

Administrative fines of up to ฿5 million per violation, plus potential criminal penalties and civil liability — and businesses can be ordered to cease processing. Affected data subjects may also bring civil claims, including collective actions. The separate Emergency Decree on Technology Crimes (2025) adds criminal offences for the misuse of personal data in connection with tech crimes. The financial and operational risk is real and current.

Q.06What lawful basis does Othello rely on to process our documents?

PDPA recognises six lawful bases — consent, contract, legal obligation, vital interests, public task, and legitimate interest. Othello’s processing is grounded in the contract with the controller and the controller’s documented instruction, not blanket consent. The basis is identified per engagement and recorded — “collection without a lawful basis” is one of the most-complained-of failures at the PDPC, so Othello documents the basis rather than assuming it.

Q.07How does the PDPA handle cross-border transfers?

Sections 28 and 29 regulate transfer of personal data to foreign countries — relevant whenever a document moves between Thailand and an overseas client or partner. Othello documents the cross-border basis rather than assuming free flow: where data leaves Thailand, the destination’s adequacy or appropriate safeguards are assessed and recorded. This mirrors the SCC + Transfer Impact Assessment discipline applied on the GDPR side for EU → Thailand flows.

Q.08What data-subject rights does the PDPA grant, and how do you support them?

PDPA grants eight rights — access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right to complain to the PDPC. As a processor, Othello does not receive these requests directly; it supports the controller’s response by promptly locating, correcting, extracting, or deleting the relevant material from Othello-controlled infrastructure, with every action recorded in the audit-trail.

Q.09Do you use machine translation or consumer AI tools on our documents?

No — not for substantive client content. Othello does not route personal data inside client documents through consumer LLM endpoints or unscreened third-party machine-translation services. Content is processed within Othello-controlled infrastructure by the named bench, encrypted in transit and at rest, under least-privilege access. Silent data egress to free translation tools is exactly the kind of weak-security failure the PDPC penalises — and the one Othello is built to avoid.

Q.10How does PDPA relate to GDPR, and to Othello’s wider framework?

PDPA is Othello’s home regime; GDPR applies to EU-facing work. Because PDPA was modelled on GDPR, the two map closely — Othello runs one handling discipline (in-house processing, encryption, minimisation, retention control, breach response) calibrated to satisfy the stricter of the two on any point. This sits inside the firm’s founding standard — established 2020 on US government contracts under FAR-grade verification and NDA-from-first-email confidentiality. See GDPR Compliance. Email [email protected] or call +66 02-859-2145.

Thai personal data, handled lawfully.

Othello operates under the PDPA as its home regime — processor role with direct §40 duties, lawful basis recorded per engagement, in-house processing, encryption, minimisation, breach discipline, confirmed deletion — and runs EU-facing work to GDPR standard via SCCs and a DPA. The lawful basis is documented before processing begins; the audit-trail is retained Bangkok-side for PDPC accountability. ≤1 BH acknowledgement · DPA on request under mutual NDA.

+66 02-859-2145 · [email protected]
Unit 12-03, Chartered Square · 152 N Sathon Rd · Si Lom · Bangkok 10500
PDPA Compliance · Personal Data Protection Act B.E. 2562 · PDPC-Enforced · Data Processor · §40 Duties · 6 Lawful Bases · 8 Rights · §§28–29 Cross-Border · In-House · Encrypted · Minimised · GDPR-Aligned · NDA From First Email Othello International