
Data Privacy & Protection

a. Audits

Data privacy audits are a core instrument for ensuring sustainable compliance with the Thai Personal Data Protection Act (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR). For companies operating between Thailand and Germany, audits serve not only as a regulatory safeguard but also as a governance and risk-management tool. Our data privacy audit practice is designed to provide management, boards, and stakeholders with a clear, defensible understanding of the organization’s data protection maturity and exposure.

We conduct both onsite and offsite data privacy audits, depending on the client's operational structure, industry, and risk profile. Our audits follow a structured PDCA cycle (Plan–Do–Check–Act) so that they drive continuous improvement rather than one-off compliance. We assess the client's business processes with respect to data protection, including governance structures, internal responsibilities, technical and organizational measures (TOMs), and escalation procedures. A central focus lies on the review and validation of Records of Processing Activities (RoPA), data flow mappings, privacy notices, consent mechanisms, data processing agreements, and cross-border data transfer frameworks. Where required, we benchmark existing processes against regulatory expectations and enforcement practice in both Thailand and the EU.

Beyond legal compliance, our data privacy audits are aligned with financial reporting and corporate governance requirements. We support year-end closing processes by identifying data protection risks that may require disclosure or the recognition of provisions. Our audit results can be structured to facilitate reporting to CPAs and auditors, including assessments of potential administrative fines, penalty exposure, and contingent liabilities arising from PDPA or GDPR non-compliance. Where relevant, we assist management in integrating data protection findings into risk assessments for financial statements, internal control systems, and compliance reports, ensuring consistency between the legal, operational, and financial perspectives.

b. Compliance Advice (GDPR, PDPA)

Effective data protection compliance requires more than policies—it requires a legally sound and operationally embedded compliance framework aligned with both GDPR and PDPA requirements. We advise companies operating between Thailand and Germany on building, implementing, and maintaining data protection programs that withstand regulatory scrutiny and enforcement. Our compliance advice is tailored to the client’s business model, industry, data processing activities, and cross-border exposure.

A core element of our advisory work relates to data subject rights, including access, rectification, erasure, restriction, objection, and data portability. We assist clients in designing compliant internal procedures for handling data subject requests within statutory timelines, ensuring proper documentation and escalation mechanisms. In addition, we advise on data breach notification obligations, including incident response planning, breach assessments, notification thresholds, and reporting timelines to supervisory authorities and affected individuals under both GDPR and PDPA. Our guidance is aligned with enforcement practice and focuses on minimizing regulatory exposure while preserving transparency and credibility.

Cross-border data transfers between German headquarters and Thai subsidiaries represent a critical compliance risk. We advise on international data transfers pursuant to Article 44 GDPR, emphasizing that Thailand is currently not the subject of an adequacy decision under Article 45 GDPR. Our services include the implementation and maintenance of Standard Contractual Clauses (SCCs, Article 46 GDPR) between group entities, support in developing Binding Corporate Rules (BCRs) for multinational corporate groups, and structured reliance on the Article 49 GDPR derogations where appropriate. We further advise German headquarters on the appointment and oversight of Data Protection Officers (DPOs) at group and local levels, including reporting lines, independence requirements, and subsidiary-level responsibilities. Our advice includes assessments of potential administrative penalties and fines, enabling German parent companies to quantify risk, satisfy internal audit requirements, and demonstrate effective group-wide compliance governance.

Under the German Corporate Governance Code (DCGK), the management board is responsible for establishing an effective compliance and risk management system, while the supervisory board must oversee its adequacy and effectiveness. Data protection risks under GDPR and PDPA therefore constitute a reportable compliance risk with potential relevance for both bodies. Failure to adequately identify, assess, and mitigate such risks may expose board members to personal liability, the very risk that D&O insurance is intended to cover, particularly where known deficiencies remain unaddressed. A documented, risk-based penalty exposure assessment supports informed decision-making, defensible risk acceptance, and demonstrable compliance with DCGK oversight obligations.

Potential Data Protection Penalty Exposure

Low Risk
Typical compliance deficiency: Minor documentation gaps (e.g. incomplete RoPA, outdated privacy notices)
Potential regulatory consequences: Corrective orders, remediation deadlines, warnings
Penalty exposure level: Low administrative fines

Medium Risk
Typical compliance deficiency: Delayed data subject rights handling, insufficient TOM implementation, DPO role deficiencies
Potential regulatory consequences: Administrative fines, mandatory process changes, audit follow-ups
Penalty exposure level: Moderate fines, increased scrutiny

High Risk
Typical compliance deficiency: Data breach notification failures, unlawful cross-border transfers (Art. 44 GDPR), invalid SCCs
Potential regulatory consequences: Significant administrative fines, processing bans, reputational damage
Penalty exposure level: High fines, material financial impact

Critical Risk
Typical compliance deficiency: Systemic non-compliance, ignored regulator orders, repeated violations
Potential regulatory consequences: Maximum statutory fines, suspension of processing, civil claims
Penalty exposure level: Severe penalties, D&O exposure