TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. PDPA Guide: Personal Data Protection Act Explained
Legal Compliance

PDPA Guide: Personal Data Protection Act Explained

Understand the PDPA (Personal Data Protection Act), its requirements, and how to comply. Covers Thailand PDPA, Singapore PDPA, and Malaysia PDPA.

TermsBox Team|April 2, 202612 min read

The PDPA, or Personal Data Protection Act, is the cornerstone data privacy legislation in several Southeast Asian countries. If your website or application serves users in Thailand, Singapore, or Malaysia, understanding PDPA compliance is not optional.

This guide covers what the Personal Data Protection Act requires, how each country's version differs, and the practical steps you need to take. This is educational content, not legal advice. Consult a qualified attorney for guidance specific to your situation.

What Is the PDPA?

The Personal Data Protection Act is a category of national privacy law adopted independently by Thailand, Singapore, and Malaysia. Each country enacted its own PDPA to regulate how organizations collect, use, store, and disclose personal data belonging to individuals within their jurisdiction.

At its core, every PDPA establishes:

  • Consent requirements for collecting and processing personal data
  • Purpose limitation so data can only be used for stated reasons
  • Individual rights allowing people to access, correct, and in some cases delete their data
  • Security obligations requiring organizations to protect personal data from unauthorized access
  • Enforcement mechanisms with fines and, in some cases, criminal penalties

The concept is similar to the EU's General Data Protection Regulation (GDPR), but each PDPA reflects its country's legal tradition and enforcement priorities.

Thailand PDPA: Key Requirements

Thailand's PDPA (formally the Personal Data Protection Act B.E. 2562) was enacted in 2019 and became fully enforceable on June 1, 2022. It is the most GDPR-aligned of the three laws discussed here.

Scope and Applicability

Thailand's PDPA applies to any organization that collects, uses, or discloses personal data of individuals in Thailand, regardless of where the organization is based. This extraterritorial scope means a company in Europe or North America that targets Thai consumers must comply.

Lawful Bases for Processing

Section 24 of Thailand's PDPA establishes six lawful bases for processing personal data:

  1. Consent of the data subject
  2. Research or statistical purposes (with safeguards)
  3. Vital interests of the data subject
  4. Performance of a contract
  5. Public interest or exercise of official authority
  6. Legitimate interests (balanced against the data subject's rights)

Data Subject Rights

Under Sections 30 through 36, individuals in Thailand have the right to:

  • Access their personal data and obtain a copy
  • Request correction of inaccurate data
  • Request deletion or destruction of data
  • Object to the collection, use, or disclosure of their data
  • Withdraw consent at any time
  • Request data portability in a structured format

Penalties

Thailand's PDPA allows administrative fines up to 5 million THB (approximately $140,000 USD). Criminal penalties can include imprisonment of up to one year and fines up to 1 million THB. Civil liability allows courts to award punitive damages up to twice the actual damages.

Singapore PDPA: Key Requirements

Singapore's Personal Data Protection Act (No. 26 of 2012) has been in force since July 2, 2014, with significant amendments in 2020 and 2021. It is administered by the Personal Data Protection Commission (PDPC).

Scope and Applicability

Singapore's PDPA applies to all private sector organizations in Singapore that collect, use, or disclose personal data. Government agencies are covered under separate public sector rules. The law applies to organizations based in Singapore and to those outside Singapore that collect personal data within the country.

The Consent Framework

Singapore's PDPA uses a distinctive consent model with three tiers:

  • Express consent: Explicitly given by the individual, either orally or in writing
  • Deemed consent: When the individual voluntarily provides data for a purpose that is reasonable, or when the organization has given notice and the individual has not opted out
  • Deemed consent by contractual necessity: Added in 2021 amendments, allowing data disclosure to third parties when necessary to fulfill a contract

Obligations on Organizations

The PDPA imposes nine main obligations:

  1. Consent: Obtain valid consent before collecting or using personal data
  2. Purpose limitation: Collect data only for purposes a reasonable person would consider appropriate
  3. Notification: Inform individuals of the purposes for data collection
  4. Access and correction: Allow individuals to access and correct their data
  5. Accuracy: Make reasonable efforts to keep data accurate
  6. Protection: Protect data with reasonable security arrangements
  7. Retention limitation: Stop retaining data when it is no longer needed
  8. Transfer limitation: Ensure adequate protection when transferring data overseas
  9. Data breach notification: Notify the PDPC and affected individuals of significant breaches

Penalties

Following the 2020 amendments, Singapore's PDPA allows fines of up to 10% of an organization's annual turnover in Singapore or SGD 1 million, whichever is higher. This was a significant increase from the previous cap of SGD 1 million.

Malaysia PDPA: Key Requirements

Malaysia's Personal Data Protection Act 2010 (Act 709) came into force on November 15, 2013. It was the first comprehensive data protection law in Southeast Asia.

Scope and Applicability

Malaysia's PDPA applies to any person who processes personal data in commercial transactions within Malaysia. Notably, it does not apply to the federal and state governments. Unlike Thailand's PDPA, Malaysia's law currently has limited extraterritorial reach, applying primarily to data processing that occurs within Malaysia.

Seven Data Protection Principles

The law is built around seven principles under Part II:

  1. General Principle: Personal data must be processed lawfully and for a directly related purpose
  2. Notice and Choice Principle: Data subjects must be informed of the purpose and given the right to choose
  3. Disclosure Principle: Data cannot be disclosed for purposes other than those stated at collection
  4. Security Principle: Organizations must take practical steps to protect personal data
  5. Retention Principle: Data must not be kept longer than necessary
  6. Data Integrity Principle: Data must be accurate, complete, and up to date
  7. Access Principle: Data subjects have the right to access and correct their personal data

Penalties

Non-compliance with the Malaysia PDPA carries fines of up to MYR 500,000 (approximately $107,000 USD) and imprisonment of up to three years, or both. Each principle carries its own penalty provisions under the Act.

How PDPA Requirements Compare Across Countries

Understanding the differences helps you build a compliance strategy that covers all three jurisdictions.

Requirement Thailand Singapore Malaysia
Enacted 2019 (enforced 2022) 2012 (enforced 2014) 2010 (enforced 2013)
Extraterritorial scope Yes Limited Limited
Consent model Opt-in (GDPR-style) Deemed consent model Opt-in with notice
Data portability right Yes No No
Right to erasure Yes No (retention limitation only) No
Breach notification Required Mandatory (2021) Not mandatory
Maximum fine 5 million THB 10% turnover or SGD 1M MYR 500,000
Criminal penalties Yes (up to 1 year) No Yes (up to 3 years)
DPO requirement Required for certain organizations Not required (recommended) Not required

Thailand's PDPA is the strictest, with broader individual rights and extraterritorial reach. Singapore's is the most commercially pragmatic with its deemed consent model. Malaysia's is the oldest but is currently undergoing proposed amendments that would bring it closer to modern standards.

PDPA Compliance Checklist for Websites

Whether you are subject to one or all three PDPAs, these steps will help you build a solid compliance foundation.

1. Audit Your Data Collection

Map every point where your website collects personal data. This includes:

  • Contact forms and registration pages
  • Analytics tools (Google Analytics, Mixpanel, etc.)
  • Cookies and tracking technologies
  • Payment processing
  • Newsletter signups
  • Third-party integrations and embedded content

2. Publish a Privacy Policy

Every PDPA requires a clear, accessible privacy policy that explains what data you collect, why, and how individuals can exercise their rights. Your policy must be specific to the data you actually process, not a generic template.

Use a privacy policy generator to create a policy that covers PDPA-specific requirements like lawful bases (Thailand), deemed consent explanations (Singapore), and the seven principles (Malaysia).

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

3. Implement Consent Mechanisms

For Thailand and Malaysia, you need opt-in consent before collecting non-essential data. For Singapore, you need at minimum a clear notice with an opt-out mechanism for deemed consent scenarios. A cookie consent banner is essential if you serve visitors from these countries, and your consent mechanism must record when and how consent was given.

4. Establish Data Subject Rights Processes

Set up a documented process for handling access, correction, and deletion requests. Thailand's PDPA requires responses within 30 days under Section 31. Singapore requires access requests to be fulfilled "as soon as reasonably possible." Malaysia requires responses within 21 days.

5. Implement Security Measures

All three PDPAs require "reasonable" or "appropriate" security measures. At minimum this means:

  • Encryption of personal data in transit and at rest
  • Access controls limiting who can view personal data
  • Regular security assessments
  • Incident response procedures

6. Review Cross-Border Transfers

If you transfer personal data outside the country of origin, each PDPA has specific requirements. Thailand requires adequate protection standards in the receiving country. Singapore requires comparable protection through contracts or binding corporate rules. Malaysia requires approval from the Minister, with certain exceptions.

PDPA and Your Cookie Policy

Cookies are a critical compliance area under all three PDPAs because they involve automatic collection of personal data. Analytics cookies, advertising pixels, and social media widgets all fall under PDPA regulation.

Thailand's PDPA requires explicit consent before placing non-essential cookies, following the same opt-in model as the GDPR. Singapore allows deemed consent for functional cookies but requires notice and opt-out for analytics and marketing cookies. Malaysia's PDPA requires notice of cookie usage under the Notice and Choice Principle.

A comprehensive cookie policy generator can help you create documentation that covers the specific requirements for each jurisdiction. Tools like TermsBox provide cookie consent banners that can be configured to meet different regional consent requirements, scanning your site to identify which cookies and trackers are actually in use.

Common PDPA Compliance Mistakes

Businesses frequently stumble on these issues when trying to meet PDPA requirements.

Copying a GDPR policy and assuming it covers PDPA. While Thailand's PDPA is similar to the GDPR, Singapore and Malaysia have different consent models and obligations. A GDPR-compliant policy may not address deemed consent (Singapore) or the seven principles framework (Malaysia).

Ignoring extraterritorial reach. If your website attracts visitors from Thailand and you collect their personal data, Thailand's PDPA applies to you regardless of where your business is located. Website analytics alone can constitute data collection.

Failing to maintain consent records. All three PDPAs place the burden of proof on the organization. You must be able to demonstrate that valid consent was obtained. Verbal claims or implied consent through continued website use are not sufficient under Thailand's PDPA.

Treating all three PDPAs as identical. Each law has distinct requirements around consent models, data subject rights, transfer restrictions, and penalties. A single compliance approach rarely covers all three without country-specific adjustments.

Not appointing a Data Protection Officer when required. Thailand's PDPA requires certain organizations to appoint a DPO, particularly those that process large volumes of sensitive data. Failing to do so is itself a violation.

Preparing for PDPA Changes

Data protection law in Southeast Asia is evolving rapidly. Malaysia has proposed significant amendments to its PDPA that would introduce mandatory breach notification, a right to data portability, and increased penalties. Singapore continues to issue enforcement decisions and updated guidance through the PDPC. Thailand's Personal Data Protection Committee regularly publishes subordinate regulations clarifying how the law applies to specific sectors.

Staying compliant means building flexible privacy practices, not just checking a box once. Regular audits of your data processing activities, up-to-date privacy documentation, and adaptive consent mechanisms will serve you well as these laws mature.

For website owners managing compliance across multiple jurisdictions, an automated compliance platform like TermsBox can help keep your privacy policy aligned with current requirements. Subscriber documents update automatically when your compliance scanner detects changes in your site's data collection practices.

Frequently Asked Questions

What does PDPA stand for?

PDPA stands for Personal Data Protection Act. It is the primary data privacy law in several Southeast Asian countries, including Singapore (enacted 2012), Thailand (enacted 2019, enforced 2022), and Malaysia (enacted 2010). Each country's PDPA establishes rules for collecting, using, and disclosing personal data.

Does the PDPA apply to businesses outside Southeast Asia?

Yes, each PDPA has some form of extraterritorial reach. Thailand's PDPA applies to any organization that collects or uses data of individuals in Thailand, regardless of where the business is located. Singapore's PDPA applies to organizations that collect data in Singapore. If your website serves visitors from these countries, you may be subject to their requirements.

What are the penalties for PDPA non-compliance?

Penalties vary by country. Thailand's PDPA allows fines up to 5 million THB (approximately $140,000 USD) and criminal penalties including up to one year imprisonment. Singapore's PDPA allows fines up to 10% of annual turnover or SGD 1 million, whichever is higher. Malaysia's PDPA carries fines up to MYR 500,000 and imprisonment up to three years.

How is the PDPA different from the GDPR?

While all PDPAs share core principles with the GDPR, such as consent, purpose limitation, and data subject rights, there are differences. The GDPR grants a broader set of individual rights, including data portability and the right to erasure. Thailand's PDPA closely mirrors the GDPR, while Singapore's PDPA uses a deemed consent model and has a Do Not Call Registry that the GDPR lacks.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is the PDPA?
  • Thailand PDPA: Key Requirements
  • Scope and Applicability
  • Lawful Bases for Processing
  • Data Subject Rights
  • Penalties
  • Singapore PDPA: Key Requirements
  • Scope and Applicability
  • The Consent Framework
  • Obligations on Organizations
  • Penalties
  • Malaysia PDPA: Key Requirements
  • Scope and Applicability
  • Seven Data Protection Principles
  • Penalties
  • How PDPA Requirements Compare Across Countries
  • PDPA Compliance Checklist for Websites
  • 1. Audit Your Data Collection
  • 2. Publish a Privacy Policy
  • 3. Implement Consent Mechanisms
  • 4. Establish Data Subject Rights Processes
  • 5. Implement Security Measures
  • 6. Review Cross-Border Transfers
  • PDPA and Your Cookie Policy
  • Common PDPA Compliance Mistakes
  • Preparing for PDPA Changes
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.