WordPress hosting with PDPA (Thailand) plugin built into the platform.
Explicit consent, privacy portal, data subject request workflow, and signed DPA — handled by Yovale's compliance MU-plugin. The PDPA reaches every business that offers goods, services, or monitoring to people in Thailand, no matter where the site is hosted. Yovale handles that for you on every plan.
Six obligations you have to meet.
The Personal Data Protection Act B.E. 2562 (2019), in force across Thailand since June 1, 2022 and enforced by the PDPC Thailand, gives Thai data subjects enforceable rights over their personal data. It applies extraterritorially: if you offer goods or services to people in Thailand, or monitor their behavior, you are in scope even if your business sits outside the country. It is heavily influenced by the GDPR but has stricter consent rules for sensitive data.
- 01 Explicit consent
  Visitors must opt in BEFORE you fire analytics, ad pixels, or any non-essential script. Consent must be freely given, specific, informed, and recorded. Sensitive data (health, biometrics, religion, criminal records) needs a separate explicit consent.
- 02 Lawful basis & purpose limitation
  Every processing activity needs a documented lawful basis under sections 24 and 26 of the PDPA. You disclose the purpose at collection and you do not reuse the data for unrelated purposes later.
- 03 Data subject rights
  Access, rectification, erasure, restriction of processing, portability, objection, and withdrawal of consent. Thai data subjects can exercise these rights in writing or electronically; you have 30 days to respond.
- 04 72-hour breach notification
  Notify the PDPC Thailand within 72 hours of becoming aware of a personal data breach. If the breach is likely to result in high risk to the data subject, you must also notify the affected individuals without undue delay.
- 05 DPO appointment for large processors
  A Data Protection Officer is mandatory when core activities involve large-scale processing of personal data, regular and systematic monitoring, or sensitive data processing. The DPO is the contact point for the PDPC Thailand and for data subjects.
- 06 Cross-border transfer rules
  Transfers of personal data outside Thailand require an adequate data protection standard, explicit consent, standard contractual clauses, binding corporate rules, or another lawful mechanism under the PDPA cross-border transfer notification.
Built into the platform. Not a plugin you install.
Yovale ships PDPA (Thailand) compliance as a signed must-use plugin — part of the hosting itself, not something you install from the WordPress repository. It's version-pinned, fetched from R2 with SHA-256 verification, and dropped into a per-site bind-mounted mu-plugins directory at provision time. Updates ship through the same channel your hosting updates do.
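The delivery model described above (pinned digest, SHA-256 check, drop into mu-plugins) can be illustrated with a verify-then-install routine. This is an added example, not Yovale's code: the function name, file names and sample plugin bytes are hypothetical, and it assumes the pinned digest comes from a provisioning manifest kept separately from the artifact store.

```python
import hashlib
import hmac
import os
import tempfile


def verify_and_install(src_path, pinned_sha256, mu_plugins_dir, name):
    """Install src_path as mu_plugins_dir/name only if it matches the pin.

    Returns the installed path; raises ValueError and installs nothing otherwise.
    """
    if os.path.basename(name) != name or not name.endswith(".php"):
        raise ValueError("plugin name must be a bare .php file name")
    digest = hashlib.sha256()
    # Stage in the destination directory so os.replace() is an atomic rename.
    # The ".staged" suffix matters: WordPress only loads *.php from mu-plugins,
    # so unverified bytes are never executable while they sit there.
    fd, staged = tempfile.mkstemp(dir=mu_plugins_dir, suffix=".staged")
    try:
        with os.fdopen(fd, "wb") as out, open(src_path, "rb") as src:
            for chunk in iter(lambda: src.read(65536), b""):
                digest.update(chunk)  # hash exactly the bytes being staged
                out.write(chunk)
            out.flush()
            os.fsync(out.fileno())
        if not hmac.compare_digest(digest.hexdigest(), pinned_sha256.lower()):
            raise ValueError("SHA-256 mismatch, refusing to install " + name)
        os.chmod(staged, 0o444)  # read-only: the site must not rewrite it
        final = os.path.join(mu_plugins_dir, name)
        os.replace(staged, final)
        return final
    except BaseException:
        if os.path.exists(staged):
            os.unlink(staged)  # fail closed: leave no partial artifact behind
        raise


if __name__ == "__main__":
    # Constructed sample artifact and pin, for demonstration only.
    with tempfile.TemporaryDirectory() as root:
        mu = os.path.join(root, "mu-plugins")
        os.mkdir(mu)
        artifact = os.path.join(root, "download.bin")
        with open(artifact, "wb") as fh:
            fh.write(b"<?php // constructed sample plugin\n")
        pin = hashlib.sha256(b"<?php // constructed sample plugin\n").hexdigest()
        print(verify_and_install(artifact, pin, mu, "compliance.php"))
```

A mismatch leaves any previously installed version in place, because the rename happens only after the digest check passes.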
Explicit-consent banner
Geo-aware. Visitors from Thailand see explicit opt-in flows that match PDPA standards, with a separate prompt for sensitive categories. GDPR, CCPA, DPDPA, and PIPL visitors see their own variant. Renders in 8 locales. Configurable in the dashboard.
Privacy portal
/.well-known/privacy on every Yovale site. Thai data subjects view, export, restrict, or delete their data without filing a support ticket. Every request lands in the Compliance dashboard tab with a 30-day SLA timer.
Audit log
Every consent given, withdrawn, or modified is logged at the Cloudflare edge worker layer. Tamper-proof, queryable, retained for the PDPA statute of limitations so you can produce records if the PDPC Thailand asks.
Signed DPA
Pre-signed Data Processing Agreement aligned with the PDPA controller-processor model. Lists every sub-processor (Cloudflare, Anexia, R2), data flows, security measures, and 72-hour breach notification commitments. PDF download for your records.
Why infrastructure beats a plugin.
Typical WordPress PDPA plugin
- Adds 200-500ms to every page load (banner JS, cookie scan, DB writes)
- Stores consent records in wp_options — slow, untyped, breaks with object caching
- Updates through wp-admin — you maintain it, you break it, you debug conflicts
- Costs $49-119/year per site (Complianz, CookieBot, regional Thai vendors)
- Breaks when you migrate hosts; consent history lost
Yovale's built-in approach
- 0ms latency — consent state computed at the edge worker, cached in the CDN
- Audit log in a dedicated database, queryable, never blocks page render
- Updates ship through the platform — you don't see them, you don't break them
- Included on every plan ($149 / $249 / $499 per year), no per-site compliance fees
- Travels with your site forever — consent history is yours to export
14 regulations. One toggle each. All automatic.
- Explicit consent for processing
- Lawful basis under sections 24 and 26
- 72-hour breach notification to the PDPC Thailand
- Right to erasure and withdrawal of consent
- Cross-border transfer mechanism
PDPA (Thailand) + Yovale, answered.
My business isn't in Thailand — does the PDPA still apply?
If you offer goods or services to people in Thailand, or monitor their behavior (analytics, ad targeting, retargeting), yes. Section 5 of the PDPA gives it extraterritorial reach, just like GDPR Article 3. You're in scope whether your company, server, or team sits in Thailand or not.
How is the PDPA different from the GDPR?
The PDPA is heavily modelled on the GDPR — controller and processor roles, data subject rights, breach notification, DPO appointment — so most of the muscle memory carries over. Key differences: explicit consent is required for a wider range of cases, sensitive data needs a separate explicit consent, and penalties are administrative fines up to THB 5 million plus criminal sanctions including imprisonment up to one year.
Do I need a Data Protection Officer?
A DPO is mandatory if your core activities involve large-scale processing, regular systematic monitoring of data subjects, or sensitive personal data (health, biometrics, religion, race, criminal records). For most small WordPress sites you do not need one, but if you run a Thai e-commerce or health platform, you do.
Does this work for non-Thai visitors?
Yes. The compliance system is geo-aware. Thai visitors see PDPA explicit-consent flows. EU visitors see GDPR opt-in flows. US visitors see CCPA opt-out flows. The same hosting handles every regulation automatically — no extra config per region.
What if I get a data subject request from Thailand?
Visitors handle most requests themselves through the privacy portal at /.well-known/privacy on your domain. For requests that need human review (custom deletion, complex access requests, restriction of processing), you see them in your dashboard Compliance tab with a 30-day SLA timer that matches the PDPA response window.
Is the DPA aligned with the PDPA controller-processor model?
Yes. The pre-signed Data Processing Agreement is available as a PDF download in the dashboard. We are listed as the data processor, you are the controller. It covers every sub-processor (Cloudflare, Anexia, R2), the 72-hour breach notification commitment to the PDPC Thailand, and the security measures applied to your data.
Ship a PDPA-compliant WordPress site in 60 seconds.
Every Yovale site is PDPA-ready from the moment you deploy. No plugin to install. No DPA to chase. No banner to configure. Start the free Growth trial and see your first compliance dashboard.