October 9, 2024

How Limina Helps Organizations Comply With Thailand's PDPA

Thailand's Personal Data Protection Act (PDPA) sets strict rules around data minimization, cross-border transfers, and breach reporting. Here is how Limina helps organizations achieve compliance.

Thailand's Personal Data Protection Act (PDPA) was signed into law in 2019 and came into full force in mid-2022. In many ways it is inspired by Europe's General Data Protection Regulation (GDPR), but it comes with some notable differences: certain violations carry criminal penalties, including imprisonment, in addition to administrative fines, and there is a broader social-good carve-out from the consent requirement when processing sensitive personal information.

The structural parallels to the GDPR are nonetheless clear. Both frameworks establish a distinction between data controllers and data processors, recognize multiple legal bases for data processing such as consent and legitimate interest, set breach notification requirements, and mandate robust security measures. For any organization operating in or doing business with Thailand, the PDPA represents a serious compliance obligation that demands a thoughtful, technically sound approach to how personal data is handled.

This article walks through the key data protection requirements under the PDPA and its supplemental legislation, with a focus on the areas where Limina's privacy-enhancing technology can play a direct role: data minimization, cross-border data transfers, and security and breach reporting obligations.

What is Thailand's PDPC and why does its guidance matter?

The PDPA establishes a Personal Data Protection Committee (PDPC), which is tasked with issuing detailed guidance across a range of practical concerns. Its mandate includes specifying the data protection standards that controllers and processors must meet, establishing criteria for cross-border data transfers, setting out rules for risk assessment and breach notification, and clarifying how personal data should be deleted or anonymized.

At the time of writing, the PDPC has announced 18 distinct pieces of secondary legislation and four guidelines that clarify different aspects of the Act. Notably absent from this body of guidance is any direction on the deletion and anonymization of personal data — a gap that leaves organizations without a clear benchmark, even as the underlying obligation remains firmly in place.

Understanding the evolving guidance landscape is important because compliance under the PDPA is not static. Organizations need to monitor PDPC announcements and ensure their practices keep pace with new requirements as they are issued.

What does the PDPA require for data minimization?

Section 22 of the PDPA requires that the collection of personal data be limited to what is necessary in relation to the lawful purpose identified by the data controller. This means a controller must first determine what it needs personal data for, communicate that purpose to the individual prior to collection, and then collect only the data that is genuinely required to fulfill that purpose. Nothing more.

What the PDPA and its supplemental legislation do not do is specify precisely how data minimization must be achieved in practice. The concept of pseudonymization is not mentioned in the Act. De-identification is likewise absent from the operative provisions, and anonymization appears only briefly in the context of being an alternative to deletion, without any guidance on what a sufficient anonymization process looks like.

This creates a compliance challenge. The obligation is clear; the method is not. In the absence of PDPC guidance, organizations can look to established global standards. The National Institute of Standards and Technology, for example, defines de-identification as "a general term for any process of removing the association between a set of identifying data and the data subject." ISO/IEC 27559:2022(E), the Privacy Enhancing Data De-identification Framework, provides structured guidance on how to achieve this in a principled, auditable way.

Limina's machine learning models are trained to recognize over 50 types of personal data entities across 53 languages, including the sensitive information categories listed in Section 26 of the PDPA such as ethnic origin and health information. This allows organizations to accurately identify the personal data they hold, whether it exists in structured, semi-structured, or unstructured formats. Limina can then replace those data points with placeholders or synthetic data that preserves the utility of the underlying content without retaining the identifiers themselves.

Because Limina's solution was built by linguists, it is context-aware in a way that pattern-matching systems simply are not. It understands the relationships between entities within documents, which makes it far more accurate at identifying personal information across varied and complex data environments. For organizations navigating the data minimization requirements of the PDPA, this granularity matters. Fine-grained selection of only the data points required for a given use case is precisely what compliance demands.

Even where the PDPC has yet to define what constitutes adequate anonymization, removing direct identifiers is a logical and defensible first step — and it is exactly what Limina's data de-identification platform is built to do.

If your organization is working through what data minimization looks like in practice, talk to our team to understand how Limina can fit into your compliance program.

How does the PDPA regulate cross-border data transfers?

Cross-border data transfers are one area where the PDPA is noticeably stricter than the GDPR. Section 28 establishes that personal data may be transferred to a foreign country only if that country has adequate data protection standards, subject to a short list of exceptions such as the data subject's informed consent or the necessity of the transfer for a contract. Under the GDPR, transfers to countries without an adequacy finding can fall back on a broad menu of mechanisms such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs); the PDPA's alternatives are narrower and sit in Section 29 and in PDPC secondary legislation rather than in the Act's main transfer rule.

If a controller is uncertain whether the destination country provides adequate protection, it must notify the PDPC, which then has the authority to determine whether the transfer should be permitted or blocked entirely. Critically, the PDPC can prohibit the transfer even if the organization has strong internal safeguards in place, such as contractual obligations or internal data governance policies. The PDPC holds the final say, and controllers must comply with that decision without the GDPR-style safety valves they may be accustomed to using.

Section 29 provides the PDPA's own alternatives. Cross-border transfers within affiliated businesses or groups of undertakings can proceed without the Section 28 adequacy test, provided the data controller or processor in Thailand has implemented a personal data protection policy covering such transfers and that policy has been reviewed and certified by the Office of the Personal Data Protection Committee, the regulatory authority under the Act. This allows intra-group transfers to continue as long as the certified policy is in place and followed. Where there is neither a PDPC adequacy decision nor a certified policy, Section 29 also permits a transfer if the sender provides suitable safeguards that let data subjects enforce their rights, under criteria the PDPC prescribes; this is the closest the PDPA comes to the GDPR's SCCs, and it depends on secondary legislation rather than on the Act alone.

For organizations that need to share data internationally, Limina's technology can significantly simplify cross-border compliance. Where personal identifiers in a dataset are not required by the recipient, removing them may render the data no longer capable of identifying an individual. Under the PDPA's definition, personal data is "any information relating to a Person, which enables the identification of such Person, whether directly or indirectly." Data that no longer enables such identification, directly or indirectly, may fall outside the scope of the Act altogether.

This is a highly context-specific determination, and organizations should consult legal counsel to assess whether re-identification remains possible after de-identification. But Limina's data de-identification platform provides the technical foundation for that analysis, enabling organizations to strip identifying information from documents, records, and unstructured data before it crosses a border.

What security measures does the PDPA require?

Personal data controllers under the PDPA are required to implement strict technical and organizational security measures to protect personal data from unauthorized access, use, alteration, modification, or disclosure. The 2022 announcements from the PDPC outlined key security requirements that controllers and processors must meet, covering personal data in all formats, whether held in documents, electronic systems, or other forms.

The required measures span the full data lifecycle. Organizations must identify risks, implement controls to mitigate them, respond to and recover from incidents, and conduct ongoing monitoring and review as technology and threat landscapes evolve. Required controls include access management, identity proofing, and data integrity management, all calibrated to the risk level associated with the type and purpose of the data being processed.

Controllers are also responsible for ensuring their processors implement comparable security measures. Processors must maintain detailed processing records for each activity they conduct on behalf of the controller, and those records must be available for review by the PDPC on request. This creates a chain of accountability that extends beyond the controller's own internal operations.

Limina's technology helps organizations meet these requirements in a practical way. By identifying and redacting sensitive information in real time across unstructured data formats such as text documents, emails, and images, Limina reduces the volume of sensitive personal data that is stored and processed in the first place. Fewer records containing identifiable information means a smaller attack surface and reduced exposure in the event of a security incident.

Limina also improves the precision of data access controls by enabling organizations to redact specific data points that are not required for day-to-day business operations. Where many organizations rely on regex-based data loss prevention tools that generate high rates of false positives or miss contextual identifiers entirely, Limina's linguist-built, context-aware detection significantly improves accuracy. This matters both for routine data governance and for demonstrating to regulators that appropriate technical measures are in place.

Industries with particularly high concentrations of sensitive personal data, including healthcare, financial services, insurance, pharma and life sciences, and contact centers, face some of the most complex obligations under the PDPA's security framework. Limina has built its platform with these regulated environments in mind.

What are the PDPA's breach reporting requirements?

When a personal data breach does occur, Section 37(4) of the PDPA requires the controller to notify the Office of the PDPC without delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification must include the nature of the incident, the categories and approximate number of individuals affected, the types of data compromised, and the remedial actions taken or planned. Where the breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also notify the affected data subjects without delay, together with the remedial measures.

Getting this right under time pressure is genuinely difficult. Organizations that lack a clear picture of what personal data they hold, where it is stored, and what categories it falls into will struggle to produce accurate, complete reports within 72 hours. Inaccurate reports can compound regulatory exposure.

Limina can play a meaningful role in breach response. By detecting and documenting over 50 types of personal information across multiple languages and formats, Limina gives organizations a clear and comprehensive inventory of the personal data in their systems. In the event of an incident, this capability allows compliance and legal teams to quickly identify the types of data affected and assess the severity of the breach accurately. That assessment is what determines whether notification to the PDPC and to data subjects is required, and how the notification itself should be framed.

More broadly, because Limina reduces the volume of personal data stored to begin with, the potential blast radius of any breach is smaller. Organizations that have applied systematic de-identification to data that does not require retention of identifiers have fewer identifiable records at risk and a more defensible compliance posture.
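The de-identification described under data minimization above (replacing detected identifiers with placeholders) and the data inventory used for breach triage can be illustrated with one small piece of code. The example below is added here and is not Limina's code or any part of its platform: it uses hand-written patterns for three identifier types (email, Thai mobile number, 13-digit Thai national ID), validates the national ID's mod-11 check digit so that an arbitrary 13-digit number is not redacted by mistake, replaces each distinct value with a consistent typed placeholder, and returns counts of occurrences and of unique values. The ticket text and the patterns are constructed for illustration; note that the person's name is not caught, which is exactly the gap the article attributes to pattern-only detection.

```python
"""Added example (not Limina's code): minimal de-identification of unstructured
text with a consistent placeholder per distinct value and an inventory report.
Detector patterns and the sample ticket are constructed for illustration."""
import re
from collections import Counter

# Assumed patterns; a real system needs NER for names and many more formats.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"\+66[ -]?\d{1,2}[ -]?\d{3}[ -]?\d{4}\b"),
    "THAI_ID": re.compile(r"\b\d{13}\b"),
}


def thai_id_is_valid(digits: str) -> bool:
    """Mod-11 check digit of the 13-digit Thai national ID number."""
    if len(digits) != 13 or not digits.isdigit():
        return False
    total = sum(int(d) * (13 - i) for i, d in enumerate(digits[:12]))
    return (11 - total % 11) % 10 == int(digits[12])


def deidentify(text: str):
    """Return (redacted_text, report, mapping).

    Each distinct (kind, value) pair gets one placeholder, so repeated
    mentions of the same email become the same token and the document
    stays readable. `mapping` is the re-identification table: it is itself
    personal data and must be stored separately under access control, or
    discarded when re-identification is never needed."""
    mapping: dict = {}
    occurrences: Counter = Counter()
    per_kind_count: Counter = Counter()

    def replace(kind: str, match) -> str:
        value = match.group(0)
        if kind == "THAI_ID" and not thai_id_is_valid(value):
            return value  # 13 digits with a bad checksum: likely an order ref
        occurrences[kind] += 1
        key = (kind, value)
        if key not in mapping:
            per_kind_count[kind] += 1
            mapping[key] = f"[{kind}_{per_kind_count[kind]}]"
        return mapping[key]

    out = text
    for kind, pattern in PATTERNS.items():
        out = pattern.sub(lambda m, k=kind: replace(k, m), out)

    report = {
        "occurrences": dict(occurrences),      # how many mentions were removed
        "unique_values": dict(per_kind_count),  # how many distinct identifiers
    }
    return out, report, mapping


# Constructed sample: a contact-centre ticket with mixed identifiers.
SAMPLE_TICKET = (
    "Ticket 4471: Somchai Jaidee <somchai.j@example.co.th> called from "
    "+66 81 234 5678 about a refund. ID card 1101700230457 verified. "
    "Follow-up email sent to somchai.j@example.co.th. "
    "Order ref 1234567890123 quoted by agent."
)

if __name__ == "__main__":
    redacted, report, table = deidentify(SAMPLE_TICKET)
    print(redacted)
    print(report)
```

Run against the sample, the two mentions of the email collapse to `[EMAIL_1]`, the phone and the valid national ID are replaced, and the order reference survives because its check digit fails. The `report` dictionary is the kind of artefact a breach response needs: distinct-value counts approximate the number of affected individuals per data category, while the occurrence counts show how widely the data was copied. The `mapping` table turns this into pseudonymization rather than anonymization; whether the output is still "personal data" under the Act depends on who can reach that table and on what indirect identifiers remain in the free text.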

Ready to build a stronger data protection program? Contact Limina to learn how our platform can support your PDPA compliance from data minimization through breach response.

Frequently Asked Questions

What is Thailand's PDPA?

Thailand's Personal Data Protection Act (PDPA) is a data privacy law signed in 2019 and effective from mid-2022. It governs how organizations collect, use, store, and transfer personal data relating to individuals in Thailand. The law is modeled in part on the GDPR but includes distinct provisions, including the possibility of criminal penalties such as prison time for certain violations.

Who does the Thailand PDPA apply to?

The PDPA applies to data controllers and data processors in Thailand, regardless of where the collection, use, or disclosure of personal data actually takes place. It also reaches controllers and processors outside Thailand that offer goods or services to, or monitor the behavior of, data subjects in Thailand.

What counts as personal data under the PDPA?

The PDPA defines personal data as any information relating to a person that enables the identification of that person, whether directly or indirectly. This excludes information about deceased persons. Sensitive personal data, which is subject to heightened protections, includes data relating to racial or ethnic origin, political opinions, religious beliefs, sexual behavior, criminal records, health data, disability status, trade union membership, genetic data, and biometric data.

What are the penalties for PDPA violations?

Violations of the PDPA can result in administrative fines of up to 5 million Thai Baht, civil liability for damages (with punitive damages of up to twice the actual damages available to the court), and criminal penalties including imprisonment of up to one year for certain violations, such as unlawful disclosure of sensitive personal data. The combination of criminal and civil exposure makes the PDPA one of the stricter personal data laws in the Asia-Pacific region.

How does data de-identification help with PDPA compliance?

De-identification reduces or eliminates the personal identifiers in a dataset, which can bring data outside the scope of the PDPA's definition of personal data altogether, or significantly reduce compliance obligations associated with storing and transferring it. For data minimization, de-identification helps organizations retain only what is necessary. For cross-border transfers, it can remove the need to navigate the PDPA's strict transfer requirements when the recipient does not need identifiable data. For breach risk, it reduces the volume of sensitive records that could be exposed.

What is the breach notification timeline under the PDPA?

Controllers must notify the Office of the PDPC without delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, affected individuals must also be notified without delay. The notification must describe the nature of the breach, the data and individuals affected, and the steps being taken in response.

How is the Thailand PDPA different from the GDPR?

The PDPA shares many foundational concepts with the GDPR, including the controller and processor distinction, consent as a legal basis, breach notification obligations, and data subject rights. However, the PDPA itself includes criminal penalties, including potential imprisonment for certain violations, which the GDPR does not. The PDPA's cross-border transfer regime is also stricter: its fallback mechanisms under Section 29 (a certified intra-group policy, or suitable safeguards meeting PDPC criteria) are narrower than the GDPR's SCCs and BCRs, and the PDPC has broad authority to block transfers to jurisdictions it deems inadequate.