
June 29, 2026

Thailand Introduces Certification Framework for Personal Data Protection Standards

On June 18, 2026, Thailand’s Office of the Personal Data Protection Committee (PDPC) published two notifications in the Government Gazette establishing Thailand’s first formal certification framework for personal data protection standards under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The notifications, which took immediate effect, introduce a voluntary certification framework aimed at promoting accountability, strengthening organizational data protection governance, and aligning Thailand more closely with international frameworks that recognize certification as a key compliance tool.

Certification Criteria

The first notification sets out the assessment criteria for organizations seeking certification. Applicants must undergo an evaluation against a framework comprising four assessment categories, 10 focus areas, and 128 assessment criteria covering key elements of a privacy management program. These include:

  • Organizational oversight and internal policies and procedures.
  • Human resource development, including staff training and awareness programs.
  • Clearly defined operational processes and procedures covering data subject rights, transparency obligations, records of processing activities, and lawful basis management, as well as contractual safeguards such as data-processing and data-sharing agreements and risk assessments, including Data Protection Impact Assessments.
  • Technical measures encompassing data security controls and breach response capabilities.

Based on the assessment results, organizations may be awarded either a PDPA Compliance Certificate or a higher-level PDPA Certificate accompanied by a certification mark.

Application and Assessment Process

The second notification establishes the application and assessment process for obtaining certification. Eligible applicants include government agencies and private-sector entities that demonstrate sufficient privacy governance maturity and meet the prescribed eligibility requirements.

Applicants must submit their applications along with supporting documentation for review. Upon receiving an application, the Office of the PDPC will conduct a detailed evaluation, which may include both documentary review and on-site inspections. Incomplete applications may be rejected, though applicants are typically given a limited period to correct deficiencies before a final decision is made.

Once granted, certification is valid for three years from the date of issuance unless there are any changes or the certificate is revoked by the Office of the PDPC. Organizations seeking to maintain their certified status must apply for renewal before expiration and continue to comply with all applicable standards.

Applicants are also responsible for certification and assessment fees.

Implications for Organizations

Although certification remains voluntary, the framework signals the PDPC’s increasing emphasis on demonstrable accountability and structured privacy governance. Organizations pursuing certification will likely need to maintain a mature and well-documented privacy compliance program. The certification framework may also serve as a benchmark for regulatory expectations and could influence future enforcement priorities.

Organizations interested in pursuing certification should consider conducting a gap assessment against PDPA requirements, strengthening internal governance frameworks, and preparing the necessary documentation in advance. Beyond compliance, certification may also offer strategic value by enhancing stakeholder trust and demonstrating adherence to recognized data protection standards.
