Thailand Data Privacy


The Personal Data Protection Act B.E. 2562 (2019) (PDPA) in Thailand imposes requirements for collecting, securing, using, disclosing, transferring and otherwise handling personal data. The PDPA distinguishes between data controller and a data processor. A data controller is the person who makes decisions regarding collection, use and disclosure of personal data. A data processor is the person who processes data on behalf of, or at the instruction of a data controller. At a high level, some of the key obligations of data controllers include:

  • Collecting personal data only with consent from the data subject, and notifying the data subject of the collection of their data (unless an exception applies)
  • Implementing appropriate security measures to protect the personal data from unauthorized disclosure
  • Using and disclosing personal data only for the purposes to which the data subject has consented
  • Responding to the rights of data subjects including rights to access & correct their personal data, and requests to delete their personal data
  • Transferring personal data outside of Thailand only with the consent of the data subject unless an alternative lawful basis for that transfer exists

AWS is vigilant about your privacy and data security. Security at AWS starts with our core infrastructure. Custom-built for the cloud and designed to meet the most stringent security requirements in the world, our infrastructure is monitored 24x7 to ensure the confidentiality, integrity, and availability of our customer's data. The same world-class security experts who monitor this infrastructure also build and maintain our broad selection of innovative security services, which can help you simplify meeting your own security and regulatory requirements. As an AWS customer, regardless of your size or location, you inherit all the benefits of our experience, tested against the strictest of third-party assurance frameworks.

AWS implements and maintains technical and organizational security measures applicable to AWS cloud infrastructure services under globally recognized security assurance frameworks and certifications, including ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and SOC 1, 2 and 3. These technical and organizational security measures are validated by independent third-party assessors, and are designed to prevent unauthorized access to or disclosure of customer content.

For example, ISO 27018 is the first International code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that AWS has a system of controls in place that specifically address the privacy protection of their content.

These comprehensive AWS technical and organizational measures are consistent with typical regulatory goals to protect personal data. Customers using AWS services maintain control over their content and are responsible for implementing additional security measures based on their specific needs, including content classification, encryption, access management and security credentials.

As AWS does not have visibility into or knowledge of what customers are uploading onto its network, including whether or not that data is deemed subject to the PDPA, customers are ultimately responsible for their own compliance with the PDPA and related regulations. The content on this page supplements the existing Data Privacy resources to help you align your requirements with the AWS Shared Responsibility Model when you store and process personal data using AWS services.

Have Questions? Connect with an AWS Business Representative
Exploring compliance roles?
Apply today »
Want AWS Compliance updates?
Follow us on Twitter »