
June 29, 2026

Thailand Introduces Certification Framework for Personal Data Protection Standards

On June 18, 2026, Thailand’s Office of the Personal Data Protection Committee (PDPC) published two notifications in the Government Gazette establishing Thailand’s first formal certification framework for personal data protection standards under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The notifications, which took immediate effect, introduce a voluntary certification framework aimed at promoting accountability, strengthening organizational data protection governance, and aligning Thailand more closely with international frameworks that recognize certification as a key compliance tool.

Certification Criteria

The first notification sets out the assessment criteria for organizations seeking certification. Applicants must undergo an evaluation against a framework comprising four assessment categories, 10 focus areas, and 128 assessment criteria covering key elements of a privacy management program. These include:

  • Organizational oversight and internal policies and procedures.
  • Human resource development, including staff training and awareness programs.
  • Clearly defined operational processes and procedures covering data subject rights, transparency obligations, records of processing activities, and lawful basis management, as well as contractual safeguards such as data-processing and data-sharing agreements and risk assessments, including Data Protection Impact Assessments.
  • Technical measures encompassing data security controls and breach response capabilities.

Based on the assessment results, organizations may be awarded either a PDPA Compliance Certificate or a higher-level PDPA Certificate accompanied by a certification mark.

Application and Assessment Process

The second notification establishes the application and assessment process for obtaining certification. Eligible applicants include government agencies and private-sector entities that demonstrate sufficient privacy governance maturity and meet the prescribed eligibility requirements.

Applicants must submit their applications along with supporting documentation for review. Upon receiving an application, the Office of the PDPC will conduct a detailed evaluation, which may include both documentary review and on-site inspections. Incomplete applications may be rejected, though applicants are typically given a limited period to correct deficiencies before a final decision is made.

Once granted, certification is valid for three years from the date of issuance unless there are any changes or the certificate is revoked by the Office of the PDPC. Organizations seeking to maintain their certified status must apply for renewal before expiration and continue to comply with all applicable standards.

Applicants are also responsible for certification and assessment fees.

Implications for Organizations

Although certification remains voluntary, the framework signals the PDPC’s increasing emphasis on demonstrable accountability and structured privacy governance. Organizations pursuing certification will likely need to maintain a mature and well-documented privacy compliance program. The certification framework may also serve as a benchmark for regulatory expectations and could influence future enforcement priorities.

Organizations interested in pursuing certification should consider conducting a gap assessment against PDPA requirements, strengthening internal governance frameworks, and preparing the necessary documentation in advance. Beyond compliance, certification may also offer strategic value by enhancing stakeholder trust and demonstrating adherence to recognized data protection standards.
