Data protection in the digital age: What you need to know!

Data protection in the digital age: What you need to know!

On November 22, 2025, experts will discuss how companies should deal with the new data protection regulations. The focus here is particularly on the regulations of the General Data Protection Regulation (GDPR), which are also anchored in the positioning framework of the publisher Der Tagesspiegel. The processing of personal data takes place in accordance with the GDPR and the Federal Data Protection Act (BDSG), based on legal bases such as consent and contract fulfillment. This information is recorded in the publisher's data protection declaration.

A central concern here is that data is only stored for as long as necessary to achieve the processing purpose. A retention period of ten years applies to accounting data. The declaration also regulates the transfer to third parties, such as processors for hosting or marketing. Data will only be transferred to third countries if an adequate level of data protection is guaranteed.

New challenges due to international regulations

In a broader context, the Personal Data Protection Act (PDPA) is becoming increasingly important in Thailand. As the country's first data protection law, published on May 27, 2019, it regulates the collection, processing and sharing of personal data and provides for sanctions for violations. The principles of the GDPR were incorporated into the PDPA. The full applicability of the PDPA has been postponed several times, but has been in force since June 1, 2022.

If you take international standards into account, the issue becomes even more complex. Since March 2024, new regulations for cross-border data transfer have been in force in Thailand. Thailand is a member of the Asia Pacific Economic Forum (APEC) and adheres to the Cross Border Privacy Rules, further strengthening data security. For companies operating internationally, this could have a significant impact on their data strategies.

Cybersecurity and artificial intelligence at a glance

Another key issue is cybersecurity. The Cybersecurity Act, which came into force at the end of May 2019, expands the authorities' powers and provides for penalties for violations. This is particularly relevant for companies that have an online presence and are therefore exposed to the risks of the digital space. Threats are divided into three levels: uncritical, critical and crisis scenarios, with the state having corresponding powers to intervene.

In addition to these aspects, there are efforts to promote and support artificial intelligence. A draft presented in 2023 lays the foundation for a law to promote AI, and guidelines already exist that contain ethical principles and governance requirements for generative AI.

This shows that developments in data protection are of great importance both nationally and internationally. It is essential for companies to adapt to changing laws and regulations to ensure compliance and respect the rights of data subjects. This will be crucial not only for protection from legal consequences, but also for consumer trust.