Home / Knowledge base / Web Design & Development
Knowledge Base

What is the GDPR and does it apply to businesses in Thailand?

What the GDPR is and whether it applies to businesses in Thailand, what it requires, who it covers, how it relates to the PDPA, and how to prepare.

Web Design & Development What is / explanation 5 min read

The General Data Protection Regulation (GDPR) is a European Union law governing how organisations collect, store, and process personal data belonging to EU residents. It came into force in May 2018 and has extraterritorial reach, meaning it applies to any organisation that processes EU residents' data regardless of where that organisation is based. Businesses in Thailand that receive website visits, leads, or customers from the EU may be within scope.

What does the GDPR require?

The GDPR sets out several core obligations for organisations that process personal data. Key requirements include:

  • A lawful basis for every type of data processing, whether consent, legitimate interest, contractual necessity, or legal obligation
  • Clear, plain-language privacy notices explaining what data is collected and why
  • Respect for individual rights, including the right to access their data, correct it, or request erasure
  • Data breach notification to supervisory authorities within 72 hours of discovery
  • Appointment of a Data Protection Officer (DPO) for certain types of organisations, including those carrying out large-scale processing of sensitive data
Website showing a cookie consent banner asking the visitor to accept cookies
GDPR requires a lawful basis and clear consent for data processing — a cookie-consent banner is the most visible example on a website.

Does the GDPR apply to businesses in Thailand?

A business based in Thailand falls under GDPR if it offers goods or services to individuals in the EU, or monitors the behaviour of individuals in the EU. Running a website that EU visitors can access and providing a contact form does not automatically trigger GDPR obligations. However, actively marketing to EU residents, accepting EU customers, or tracking their behaviour through analytics or advertising tools is more likely to bring a Thai business within scope. Organisations unsure of their obligations should seek legal advice from a professional with GDPR expertise.

How does the GDPR relate to Thailand's PDPA?

Thailand's Personal Data Protection Act (PDPA), which has been enforced since June 2022, draws heavily on the GDPR and shares many of the same core principles: lawful basis for processing, consent requirements, data subject rights, and breach notification obligations. A business operating in Thailand and serving EU customers may need to comply with both simultaneously. Where requirements overlap, the stricter standard generally takes precedence. At Phoenix Media, implementing consent management solutions that satisfy both GDPR and PDPA requirements is a standard part of analytics and tracking setup for clients with international audiences.

What should businesses do to prepare?

The starting point is understanding what personal data you collect, where it comes from, and what you use it for. From there, businesses should audit their privacy policy, review cookie consent mechanisms on their website, and check how third-party tools such as Google Analytics and Meta Pixel handle data from EU users. GDPR compliance is not a one-time exercise: data practices, vendor agreements, and consent configurations need to be reviewed whenever the business or its tools change. Legal advice from a qualified professional is essential for organisations that process EU personal data at any meaningful scale.