You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

June 25, 2026

Thailand Introduces Certification Framework for Personal Data Protection Standards

Subscribe to Updates

On June 18, 2026, Thailand’s Office of the Personal Data Protection Committee (PDPC) published two notifications in the Government Gazette establishing Thailand’s first formal certification framework for personal data protection standards under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The notifications, which took immediate effect, introduce a voluntary certification framework aimed at promoting accountability, strengthening organizational data protection governance, and aligning Thailand more closely with international frameworks that recognize certification as a key compliance tool.

Certification Criteria

The first notification sets out the assessment criteria for organizations seeking certification. Applicants must undergo an evaluation against a framework comprising four assessment categories, 10 focus areas, and 128 assessment criteria covering key elements of a privacy management program. These include:

  • Organizational oversight and internal policies and procedures.
  • Human resource development, including staff training and awareness programs.
  • Clearly defined operational processes and procedures covering data subject rights, transparency obligations, records of processing activities, and lawful basis management, as well as contractual safeguards such as data-processing and data-sharing agreements and risk assessments, including Data Protection Impact Assessments.
  • Technical measures encompassing data security controls and breach response capabilities

Based on the assessment results, organizations may be awarded either a PDPA Compliance Certificate or a higher-level PDPA Certificate accompanied by a certification mark.

Application and Assessment Process

The second notification establishes the application and assessment process for obtaining certification. Eligible applicants include government agencies and private-sector entities that demonstrate sufficient privacy governance maturity and meet the prescribed eligibility requirements.

Applicants must submit their applications along with supporting documentation for review. Upon receiving an application, the Office of the PDPC will conduct a detailed evaluation, which may include both documentary review and on-site inspections. Incomplete applications may be rejected, though applicants are typically given a limited period to correct deficiencies before a final decision is made.

Once granted, certification is valid for three years from the date of issuance unless there are any changes or the certificate is revoked by the Office of the PDPC. Organizations seeking to maintain their certified status must apply for renewal before expiration and continue to comply with all applicable standards.

Applicants are also responsible for certification and assessment fees.

Implications for Organizations

Although certification remains voluntary, the framework signals the PDPC’s increasing emphasis on demonstrable accountability and structured privacy governance. Organizations pursuing certification will likely need to maintain a mature and well-documented privacy compliance program. The certification framework may also serve as a benchmark for regulatory expectations and could influence future enforcement priorities.

Organizations interested in pursuing certification should consider conducting a gap assessment against PDPA requirements, strengthening internal governance frameworks, and preparing the necessary documentation in advance. Beyond compliance, certification may also offer strategic value by enhancing stakeholder trust and demonstrating adherence to recognized data protection standards.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

April 9, 2026
As part of its ongoing public consultation process for the development of new practical guidelines under the Personal Data Protection Act B.E. 2562 (2019) (PDPA), Thailand’s Personal Data Protection Committee (PDPC) held a two‑day public hearing on April 1–2, 2026. The hearing followed an online questionnaire and stakeholder engagement activities conducted in March 2026 and reflects the PDPC’s continued efforts to develop guidance that aligns international regulatory standards with Thai operational realities. The public hearing provided a forum for participants from both the public and private sectors to exchange views with the PDPC on the proposed guidance so that it responds to the needs of the business community while supporting effective and balanced enforcement of the PDPA. The PDPC emphasized that the consultation process is part of a wider policy objective to build trust in the convenient, secure, and internationally aligned exchange of data. Structure of the Consultation Process According to the PDPC, the initiative to develop the draft PDPA guidelines is being implemented through three core phases: Review of international best practices. The PDPC has conducted a comparative review of data protection guidance and regulatory approaches in jurisdictions with internationally recognized standards, including Singapore, the United Kingdom, the European Union (EU), and Japan. These materials are intended to serve as a reference point for developing practical recommendations across key subject areas under the PDPA. Identification of practical issues and challenges. To ensure that the guidelines respond to real‑world compliance challenges in Thailand, the PDPC has gathered views from a broad range of stakeholders across the public sector, the private sector, and the general public. This phase included focus group discussions and questionnaires aimed at identifying areas to provide organizations with greater clarity and consistency on regulatory expectations. Preparation of draft guidelines. Insights from the comparative study and stakeholder
Read More
April 3, 2026
On March 16, 2026, Vietnam’s Ministry of Public Security released a draft version of a new Decree on the Prevention and Combating of Cybercrime and High-Tech Crime to replace the currently effective Decree 25/2014/ND-CP. In the draft, the ministry has proposed a comprehensive regulatory framework aimed at addressing violations occurring within the cybersecurity domain, including measures related to intellectual property. Acts of Online IP Infringement Article 9 of the draft decree notably introduces specific provisions addressing online intellectual property infringement, with detailed lists of acts considered to constitute infringement in the online environment. Copyright and related rights infringement includes: Uploading or sharing works, performances, sound recordings, video recordings, broadcasts, computer programs, software, research, documents, theses, or other intellectual creations on digital platforms without the consent of the rights holder. Unauthorized livestreaming of copyrighted television programs, sporting events, or artistic performances. Uploading, sharing, storing, transmitting, or providing links to infringing works or digital content via websites, social networks, applications, or digital platforms. Providing or using software, tools, devices, or access codes to circumvent technological protection measures or evade lawful control mechanisms implemented by rights holders. Using artificial intelligence (AI) tools to replicate the ideas or structure of another person’s work without significant new creativity or without proper attribution, thereby causing damage to the original author. Industrial property infringement includes: Manufacturing, trading, advertising, or distributing counterfeit goods bearing counterfeit trademarks, geographical indications, or industrial designs, as well as goods infringing industrial property rights through online platforms. Unauthorized registration, appropriation, or use of domain names, account names, or digital identifiers that create confusion regarding the rights holder or the origin of goods or services. Producing, using, or offering for sale products containing all or part of a patented invention via online platforms. Advertising or introducing products with technical features or characteristics identical
Read More
April 3, 2026
Thailand’s Securities and Exchange Commission (SEC) has established a comprehensive governance framework for the use of artificial intelligence and machine learning (AI/ML) in the capital markets. The framework provides guidance to capital market business operators on understanding the risks associated with AI/ML implementation and adopting appropriate practices to build public confidence in Thailand’s capital markets. While the guidelines are principle-based rather than prescriptive, they reflect the SEC’s expectations for responsible AI/ML governance and are likely to inform supervisory activities and industry standards going forward. Scope The framework applies to capital market business operators supervised by the SEC. This includes, for example, securities and derivatives firms, asset management companies, mutual fund and private fund managers, investment advisors and investment consultants (including robo-advisory service providers), derivatives intermediaries, and other licensed intermediaries and market operators in the Thai capital markets that deploy AI/ML in their operations. Core Principles of the Guidelines The framework is presented as a best-practice manual rather than prescriptive regulation, providing guidance that regulated entities may apply to their AI/ML governance and risk management as appropriate. While currently nonbinding, the guidelines signal the SEC’s expectations for the sector, particularly in relation to other binding SEC regulations such as those covering IT risk management and market conduct. The guidelines name four core principles for AI/ML deployment: Fairness: Design and develop AI/ML with consideration for fairness, equality, and social diversity to prevent discrimination against individuals or groups. Legal and ethical compliance: Ensure AI/ML use aligns with applicable laws, ethical standards, and organizational values and policies. Accountability: Establish clear responsibility—both internally and externally—for AI/ML activities and outcomes. Transparency: Provide adequate disclosure to users about AI/ML use, including explainability of decisions and traceability of activities. AI/ML Best Practices The guidelines prescribe best practices across four stages of the AI/ML lifecycle, as described below.
Read More
April 2, 2026
Thailand’s Personal Data Protection Act (PDPA) enforcement has entered a new phase, and the insurance industry is squarely in the regulatory spotlight. The Personal Data Protection Committee (PDPC) considers insurers “large-scale” processors of sensitive data—including health records, financial information, and biometric data—making the sector a focal point for enforcement action. In August 2025 alone, the PDPC issued administrative fines totaling THB 21.5 million, and fines for individual violations have ranged from THB 50,000 to THB 2 million. The PDPC has also deployed its “Eagle Eye Crawler,” an AI-driven surveillance tool that monitors websites around the clock for data leaks and noncompliant privacy notices. This article highlights the key regulatory developments directly affecting insurers and outlines practical steps toward compliance. What Has Changed: OIC and PDPC Alignment The Office of Insurance Commission (OIC) has synchronized its sector-specific rules with the PDPA through the Notification on Customer Personal Data Protection (No. 2) B.E. 2568 (2025). The combined effect of the PDPC’s general enforcement push and the OIC’s sectoral guidance creates four critical compliance areas for insurers. Consent unbundling. Consent for marketing must be strictly separated from the core insurance contract; bundling marketing consent into the policy application is no longer permissible. Agent and intermediary oversight. Insurance intermediaries are generally classified as data processors, meaning that insurers—as data controllers—must provide specific written instructions and security protocols to all agents and brokers. A 2026 enforcement trend shows controllers being held liable for the “weak security” of their vendors and downstream processors. Enhanced privacy notices. Insurers must provide a summary privacy notice alongside the full policy, plainly stating categories of data, purposes, lawful bases, disclosure recipients, cross-border transfers, retention periods, data subject rights, and easy marketing opt-out channels. DPO registration and ROPA. All organizations involved in “regular or systematic monitoring of data subjects on
Read More