June 29, 2026

Thailand Introduces Certification Framework for Personal Data Protection Standards

On June 18, 2026, Thailand’s Office of the Personal Data Protection Committee (PDPC) published two notifications in the Government Gazette establishing Thailand’s first formal certification framework for personal data protection standards under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The notifications, which took immediate effect, introduce a voluntary certification framework aimed at promoting accountability, strengthening organizational data protection governance, and aligning Thailand more closely with international frameworks that recognize certification as a key compliance tool.

Certification Criteria

The first notification sets out the assessment criteria for organizations seeking certification. Applicants must undergo an evaluation against a framework comprising four assessment categories, 10 focus areas, and 128 assessment criteria covering key elements of a privacy management program. These include:

  • Organizational oversight and internal policies and procedures.
  • Human resource development, including staff training and awareness programs.
  • Clearly defined operational processes and procedures covering data subject rights, transparency obligations, records of processing activities, and lawful basis management, as well as contractual safeguards such as data-processing and data-sharing agreements and risk assessments, including Data Protection Impact Assessments.
  • Technical measures encompassing data security controls and breach response capabilities.

Based on the assessment results, organizations may be awarded either a PDPA Compliance Certificate or a higher-level PDPA Certificate accompanied by a certification mark.

Application and Assessment Process

The second notification establishes the application and assessment process for obtaining certification. Eligible applicants include government agencies and private-sector entities that demonstrate sufficient privacy governance maturity and meet the prescribed eligibility requirements.

Applicants must submit their applications along with supporting documentation for review. Upon receiving an application, the Office of the PDPC will conduct a detailed evaluation, which may include both documentary review and on-site inspections. Incomplete applications may be rejected, though applicants are typically given a limited period to correct deficiencies before a final decision is made.

Once granted, certification is valid for three years from the date of issuance unless there are any changes or the certificate is revoked by the Office of the PDPC. Organizations seeking to maintain their certified status must apply for renewal before expiration and continue to comply with all applicable standards.

Applicants are also responsible for certification and assessment fees.

Implications for Organizations

Although certification remains voluntary, the framework signals the PDPC’s increasing emphasis on demonstrable accountability and structured privacy governance. Organizations pursuing certification will likely need to maintain a mature and well-documented privacy compliance program. The certification framework may also serve as a benchmark for regulatory expectations and could influence future enforcement priorities.

Organizations interested in pursuing certification should consider conducting a gap assessment against PDPA requirements, strengthening internal governance frameworks, and preparing the necessary documentation in advance. Beyond compliance, certification may also offer strategic value by enhancing stakeholder trust and demonstrating adherence to recognized data protection standards.
