PDPA Thailand and PDPA Singapore: What SaaS Founders Need to Know
Southeast Asia is one of the fastest-growing markets for SaaS. Both Thailand and Singapore now have comprehensive data protection laws modelled closely on GDPR, and both have extraterritorial reach. If your SaaS has users or processes data about people in Thailand or Singapore, these laws apply to you.
This guide explains what each law requires, how they compare to GDPR, and what practical steps a global SaaS company needs to take.
Thailand's Personal Data Protection Act (PDPA)
Thailand's PDPA (พ.ร.บ. คุ้มครองข้อมูลส่วนบุคคล) became fully effective on 1 June 2022. It's Thailand's first comprehensive privacy law and was clearly inspired by GDPR.
Extraterritorial Scope
Thailand's PDPA applies to:
- Any entity established in Thailand that collects, uses, or discloses personal data
- Any entity outside Thailand that offers goods or services to data subjects in Thailand
- Any entity outside Thailand that monitors the behaviour of data subjects in Thailand
If you have Thai users, Thai PDPA applies to you regardless of where your company is incorporated.
Key Definitions
| Term | Thai PDPA Definition | GDPR Equivalent |
|---|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person | Personal data (Art. 4(1)) |
| Sensitive Data | Racial/ethnic origin, political opinion, religion/belief, sexual behaviour, criminal records, health data, disability, union membership, genetic data, biometric data, and any other data that affects the data subject in a similar way | Special categories (Art. 9) |
| Data Controller | Person/entity deciding purpose and means of processing | Controller (Art. 4(7)) |
| Data Processor | Person/entity processing on behalf of controller | Processor (Art. 4(8)) |
Lawful Bases
Thailand's PDPA provides 6 lawful bases, mirroring GDPR Art. 6:
- Consent (freely given, specific, informed, unambiguous)
- Contract performance
- Legal obligation compliance
- Vital interests
- Public interest / official authority
- Legitimate interests (controller/third party, unless overridden by data subject's interests)
Consent under Thai PDPA must be explicit and given in writing (or an electronic equivalent). Pre-ticked boxes and bundled consent are prohibited, and withdrawing consent must be as easy as giving it. For sensitive data, explicit consent is always required.
Data Subject Rights
| Right | Thai PDPA | GDPR Equivalent |
|---|---|---|
| Access | Section 30 — 30 days to respond | Art. 15 — 1 month |
| Correction | Section 34 | Art. 16 |
| Erasure | Section 33 — conditional | Art. 17 |
| Restriction | Section 35 | Art. 18 |
| Portability | Section 31 — machine-readable format | Art. 20 |
| Objection | Section 32 | Art. 21 |
| Automated decision-making | Section 40 | Art. 22 |
Breach Notification
Under Thai PDPA Section 37(4):
- Notify the Personal Data Protection Committee (PDPC) within 72 hours of becoming aware of a breach
- Notify affected data subjects if the breach is likely to result in high risk to their rights and freedoms
- No mandatory format yet established
International Transfers
Thailand's PDPA Section 28 restricts transfers to countries with adequate protection standards. Thailand has not yet published a list of adequate countries, so the standard approach is one of the following:
- Put contractual safeguards in place (a Thai DPA equivalent)
- Obtain the data subject's explicit consent to the international transfer
- Rely on the transfer being necessary to perform a contract with the data subject
Fines
| Violation Type | Fine |
|---|---|
| Civil penalty | Actual damages + punitive damages up to 2x actual loss |
| Criminal — sensitive data violations | Up to THB 1M (~USD 28,000) and/or 1 year imprisonment |
| Criminal — general violations | Up to THB 3M (~USD 84,000) and/or 3 years imprisonment |
| Administrative fines | Up to THB 5M (~USD 140,000) |
Singapore's Personal Data Protection Act (PDPA)
Singapore's PDPA (Cap. 26G) has been in force since 2014 and was significantly amended in 2020/2021 to add mandatory breach notification, increased fines, and data portability rights.
Extraterritorial Scope
Singapore's PDPA applies to organisations that collect, use, or disclose personal data of individuals in Singapore. Unlike Thailand's PDPA and GDPR, the Singapore PDPA has no explicit extraterritorial language covering organisations that offer services to people in Singapore, but in practice the PDPC has taken enforcement action against overseas organisations.
Key Differences from GDPR
| Feature | Singapore PDPA | GDPR |
|---|---|---|
| Lawful basis | Consent or deemed consent (5 categories) + legitimate interests + 12 exceptions to consent | 6 lawful bases |
| DPO requirement | Data Protection Officer mandatory for all organisations | DPO mandatory only for public authorities, large-scale monitoring, or large-scale special category processing |
| Anonymised data | Excluded from PDPA scope | Excluded from GDPR scope |
| Business Contact Info | Explicitly excluded (name, job title, business email, business phone at work) | No equivalent exclusion |
| Data portability | Yes — mandatory data porting in certain sectors | Yes — Art. 20 (contract/consent basis) |
| Breach notification | Mandatory — 3 calendar days to PDPC if significant harm | 72 hours to DPA |
| Maximum fines | SGD 1M or 10% of annual Singapore turnover (whichever higher) | €20M or 4% global turnover |
Mandatory DPO Requirement
Unlike GDPR's narrow DPO requirement, Singapore's PDPA requires every organisation to designate a Data Protection Officer. The DPO doesn't need to be a full-time role — it can be a part-time designation, an external consultant, or an existing employee. The DPO's contact information must be publicly available.
Consent under Singapore PDPA
Singapore's consent framework is more flexible than GDPR's. Key points:
- Express consent: the individual is notified of the purpose and agrees to it
- Deemed consent: in certain contexts, notification without objection; voluntary provision of data for an obvious purpose; or contractual necessity
- Legitimate interests and other exceptions: 12 exceptions to the consent requirement, including fraud prevention, business asset transactions, employment purposes, safety, and research
Breach Notification
Singapore PDPA breach notification is stricter than GDPR in one key way — the timeline for notifying affected individuals:
- Notify the PDPC: within 3 calendar days of assessing that the breach is notifiable
- Notify affected individuals: as soon as practicable (same 3-day window recommended)
- Notifiable threshold: breach affects 500+ individuals OR is likely to cause significant harm to individuals
International Transfers
Singapore PDPA Section 26 restricts international transfers to countries providing comparable protection. The PDPC published the Third Schedule listing comparable countries (includes EEA, UK, Japan, Switzerland, South Korea, New Zealand, Australia). For other countries, use a contractual arrangement (Singapore PDPA-compliant DPA).
Practical Compliance Checklist: Thailand + Singapore PDPA
- Identify your exposure: Do you have Thai or Singaporean users? Do you process data about people in these countries? If yes, both laws apply.
- Update your privacy policy: Add references to the Thai PDPC and the Singapore PDPC. Disclose data transfers. Describe data subject rights in both jurisdictions.
- Consent mechanisms: Review your signup flow. Is consent obtained in a way that satisfies both laws? Pre-ticked boxes are prohibited, and marketing needs separate consent.
- Appoint a DPO (Singapore): Required for all organisations. Publish the DPO's contact details. The role does not need to be full-time.
- Data processing agreements: Ensure your vendor agreements comply with both laws.
- International transfer safeguards: Review sub-processors for transfers from Thailand or Singapore to non-adequate countries.
- Breach response: Update your incident response plan to include the 72-hour (Thailand) and 3-calendar-day (Singapore) notification triggers.
- Data subject rights workflow: Ensure you can respond to access, correction, erasure, and portability requests within 30 days (Thailand) / 30 business days (Singapore).
Thailand + Singapore PDPA vs GDPR: Quick Comparison
| Feature | Thailand PDPA | Singapore PDPA | GDPR |
|---|---|---|---|
| Effective | June 2022 | 2014 (amended 2021) | May 2018 |
| Extraterritorial | Yes — explicit | Yes — in practice | Yes — explicit |
| Lawful bases | 6 (GDPR-aligned) | Consent + deemed consent + 12 exceptions | 6 |
| DPO required | No (recommended) | Yes — all organisations | Conditional |
| Breach notification | 72 hours to PDPC | 3 calendar days to PDPC | 72 hours to DPA |
| Rights | 6 rights (GDPR-aligned) | Access, correction, portability + others | 8 rights |
| Max fine | THB 5M (~USD 140K) | SGD 1M or 10% Singapore turnover | €20M or 4% global turnover |
| Sensitive data | Explicit consent always required | Stricter consent for sensitive data | Art. 9 explicit consent |
The Bottom Line for Global SaaS Founders
Both Thailand and Singapore PDPA are GDPR-adjacent. If you've built GDPR compliance into your product, you're 70–80% of the way there for both laws. The key gaps to close:
- Singapore: Appoint a named DPO, publish contact details, update breach notification timelines to 3 calendar days
- Thailand: Review consent flows for Thai users (stricter than GDPR in practice), update privacy policy to reference the Thai PDPC (สำนักงานคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล)
- Both: Update international transfer provisions in DPAs and privacy policy for SEA context
Related guides: CCPA vs GDPR · GDPR vs LGPD (Brazil) · PIPEDA vs GDPR (Canada) · APPI vs GDPR (Japan)
⚠️ This guide is for informational purposes and does not constitute legal advice. PDPA compliance in Thailand and Singapore is evolving rapidly — verify current regulatory guidance with qualified local counsel.