The European Union initially enacted Data Protection Directive 95/46/EC in 1995, which later developed into the General Data Protection Regulation (GDPR), coming into force in 2018. The GDPR is well known for its efficiency in personal data protection, aiming to ensure fair and transparent data processing; thus, it has been a model law for data protection in several countries, including Thailand. Although Thailand is under no obligation to enact data protection law, the Personal Data Protection Act B.E. 2562 (PDPA) has now been enacted and took effect on 1 June 2022. However, some provisions of the PDPA are drafted differently from the GDPR. For example, Section 24 of the PDPA prohibits collecting or processing personal data without the consent of the data subject, unless the collection or processing falls under other legal grounds prescribed by law. Since personal data protection entails special characteristics, the law itself extends the scope of application to govern activities carried out outside the territory, or done by any data controller or processor outside the territory, provided that the conditions prescribed by law are satisfied. Another interesting issue with regard to the distinct characteristics of data protection claims is that all evidence is usually within the exclusive knowledge of the data controller or processor. If the burden of proof in data breach claims is on the data subject, it would be almost impossible for the data subject to succeed in the legal proceeding. The need to guarantee that the data subject can enjoy full protection under the PDPA then leads to the question of whether the burden of proof in this type of claim should be shifted to the data controller or processor, who already has all related evidence in hand.