PDPA Section 37

PDPA Penetration Testing & Compliance Requirements

Thailand's Personal Data Protection Act (PDPA) Section 37 mandates that data controllers implement appropriate technical safeguards to protect personal data. Ensure compliance and avoid severe penalties with expert security assessments.

  • ฿5M: maximum administrative fine per violation (Section 84)
  • 72 hrs: mandatory breach notification window
  • 1 year: imprisonment under the criminal liability provisions
  • Unlimited: civil liability, including punitive damages (Section 78)

What is the PDPA?

The Personal Data Protection Act B.E. 2562 (2019), commonly known as PDPA, is Thailand's comprehensive data protection law. Enacted in 2019 and fully enforced since June 2022, it governs the collection, use, and disclosure of personal data by organizations operating in Thailand.

  • Enacted in 2019, fully enforced since June 1, 2022
  • Governs collection, use, disclosure, and transfer of personal data
  • Applies to ALL organizations handling personal data of individuals in Thailand
  • Enforced by the Personal Data Protection Committee (PDPC)
  • Modeled after GDPR with Thailand-specific provisions

Reference: Personal Data Protection Act B.E. 2562 (2019), published in Royal Gazette

Who Must Comply with PDPA?

If you collect, use, or store personal data of people in Thailand, PDPA applies to your organization.

Financial Institutions

Banks, insurers, and payment processors handling customer financial data

Healthcare Providers

Hospitals, clinics, and health-tech companies processing patient records

E-Commerce & Retail

Online platforms and retailers collecting customer information

Technology Companies

SaaS providers, app developers, and IT service companies

Any Company with Customer Data

Any business collecting names, emails, phone numbers, or IDs

Government Agencies

Public sector organizations processing citizen data

Key PDPA Compliance Requirements

The PDPA imposes specific obligations on data controllers to ensure the security and protection of personal data.

Technical Safeguards

Implement encryption for data at rest and in transit, enforce access controls, and deploy multi-factor authentication (MFA) for systems accessing personal data.

Regular Security Assessments

Conduct penetration testing and vulnerability assessments to identify and remediate security weaknesses in systems processing personal data.

Breach Notification within 72 Hours

Under Section 37(4), notify the PDPC within 72 hours of becoming aware of a personal data breach. Notify affected individuals if the breach poses high risk.

Data Protection Impact Assessments

Assess the impact of data processing activities on the rights and freedoms of data subjects, especially for high-risk processing operations.

Records of Processing Activities

Maintain detailed records of all personal data processing activities including purposes, data categories, recipients, and retention periods.

Data Protection Officer (DPO)

Appointing a DPO is mandatory for state agencies, organizations processing large volumes of personal data, or those handling sensitive personal data as a core activity.

PDPA Non-Compliance Penalties

PDPA enforcement carries severe consequences across criminal, administrative, and civil domains.

Criminal (Chapter 7, Part 2)

Fines up to ฿1,000,000 or imprisonment up to 1 year, or both, for those who unlawfully use or disclose personal data causing damage to data subjects.

Administrative (Section 84)

Administrative fines of up to ฿5,000,000 per violation, imposed by the Personal Data Protection Committee (PDPC). Fines for multiple violations are cumulative.

Civil (Section 78)

Courts may award punitive damages up to twice the actual damages suffered by data subjects. There is no cap on total civil liability.

PDPA Compliance Checklist

Key security measures to demonstrate PDPA Section 37 compliance.

  • Conduct annual penetration testing on systems processing personal data
  • Implement encryption for personal data at rest and in transit
  • Deploy multi-factor authentication (MFA) for systems accessing personal data
  • Maintain access control logs and audit trails for personal data access
  • Establish and test a 72-hour breach notification procedure
  • Document all data processing activities and maintain records
  • Conduct Data Protection Impact Assessments for high-risk processing
  • Train all employees handling personal data on security practices
  • Review and update security policies at least annually
  • Implement network segmentation to isolate personal data systems
  • Establish vendor security assessment processes for third-party data processors
  • Maintain documented evidence of all security measures for PDPC audits

Achieve PDPA Compliance Today

Protect personal data and meet Section 37 requirements with expert PDPA-focused security assessments. Get audit-ready reports accepted by the PDPC.

Reconix is a leading cybersecurity company in Thailand, providing world-class services to businesses of all sizes.