You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

March 19, 2026

Thailand Opens Public Consultation on New PDPA Guidelines

Subscribe to Updates

Thailand’s Personal Data Protection Committee (PDPC) has launched a public consultation period to gather input for a forthcoming set of guidelines under the country’s Personal Data Protection Act (PDPA). This initiative follows the PDPC’s issuance of guidelines on consent and notification requirements in September 2022.

The main consultation period, using an online questionnaire to gather feedback, runs until March 23, 2026. In addition, an interview-style online session for private-sector participants was held on March 17, and a two-day in-person event will be held on April 1–2—this is already fully booked and  walk-ins will not be accepted, but the session will be livestreamed on the PDPC’s Facebook page.

The PDPC will use the public feedback to design draft guidelines that accurately reflect the operational realities of both public and private organizations, after which the guidelines will be shared with the public.

Consultation Scope

The PDPC has identified six priority areas for which upcoming guidance may be issued:

  • Legal bases for processing: The online questionnaire assesses respondents’ understanding of consent requirements and seeks views on priority issues, such as explanations of the legal bases and considerations for selecting an appropriate legal basis depending on the nature of the processing activity.
  • Security measures and data breach notification: The questionnaire examines respondents’ understanding of data breach reporting and security measure obligations. Topics proposed for inclusion in the guidelines include data breach prevention measures, incident response plans, risk assessment methods, and reporting procedures.
  • Data protection officers: Respondents are invited to share their expectations regarding the DPO’s role and their experiences in contacting a DPO. The survey also asks respondents to identify priority issues, such as response timeframes for data subject requests and complaint procedures.
  • Marketing and direct marketing: The online questionnaire seeks input on preferred topics for guidance, including individuals’ rights to refuse marketing communications, mechanisms for withdrawing consent, and methods for individuals to verify how organizations use their personal data for marketing purposes.
  • Records of processing activities: Proposed topics include the concept and importance of ROPAs and how individuals may exercise their right to request information regarding the processing of their personal data.
  • National ID cards and CCTV for access control: Some questions concern the collection of personal data through CCTV and other data capture methods. Proposed topics for guidance include data minimization, retention practices, and security measures.

The PDPC is also seeking feedback on the preferred format of the guidelines, which may include summary handbooks, infographics, case studies, FAQs, or comparative tables.

Practical Implications

Although the guidelines will be nonbinding, they are expected to have a significant influence on regulatory expectations and enforcement practices. Organizations may find it difficult to deviate from the recommended approaches once issued, as the PDPC is likely to rely on the guidelines when reviewing PDPA compliance. The guidelines are also expected to shape industry norms and may prompt organizations to revisit existing compliance frameworks.

Action Items

Interested organizations should aim to submit feedback through the online questionnaire by March 23, 2026, to ensure the guidelines reflect operational realities and sector-specific challenges.

Upon issuance of the final guidelines, which current indications suggest will be developed over approximately eight months, organizations should review their data protection framework to assess whether updates are required.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

May 28, 2025
Thailand’s Food and Drug Administration (FDA) has launched a strategic collaboration with leading e-commerce platforms Lazada and Shopee to strengthen regulatory oversight of health-related products sold online. This partnership is part of a broader initiative to enhance consumer protection, enforce compliance with Thai health regulations, and foster a safer digital marketplace for health products. As part of this initiative, the Thai FDA is urging all sellers—particularly cross-border vendors—to secure proper FDA registration for their products before market entry. The objective is to ensure that only legally authorized, safe, and quality-assured healthcare products are available to Thai consumers. In pursuit of this goal, the FDA has been working closely with Lazada and Shopee to implement proactive surveillance mechanisms aimed at identifying and removing noncompliant, substandard, or unregistered products. This collaboration has already yielded measurable results. Between September 2023 and 2024, Lazada supported regulatory enforcement by removing 9,454 noncompliant listings and delisting 30 vendors. In addition, 134 sellers were subjected to legal proceedings for regulatory violations. Shopee has taken a similarly rigorous stance, committing to the immediate removal of products found to be in breach of FDA regulations. The platform has also provided educational materials for merchants and implemented consumer complaint mechanisms to enhance accountability. Looking ahead, the Thai FDA plans to roll out a data integration system utilizing API technology, enabling seamless and secure exchange of regulatory data between the agency and e-commerce platforms. This system will be supported by comprehensive training for both Thai FDA officials and e-commerce staff, with a particular focus on the use of the Thai government’s Law Enforcement Request Portal, a secure communication channel for coordinating enforcement actions between government agencies and platform operators. Additionally, a joint product inspection framework is currently under development in partnership with Lazada and Shopee. This framework will incorporate strict
Read More
May 26, 2025
On May 21, 2025, the Trade Competition Commission of Thailand (TCCT) published a press release signaling heightened regulation of digital platforms in response to the influx of products from foreign countries being sold in Thailand via e-commerce platforms. In recent years, the rapid expansion of cross-border multi-sided e-commerce platforms has unlocked unprecedented growth, but it has also flooded Thailand’s digital marketplaces with low-cost imports sold by unregulated foreign vendors via these platforms, unfairly undercutting local merchants’ market share and exposing consumers to uneven product quality. According to the press release, the TCCT announced progress on drafting new guidelines on unfair trade practices, monopolistic conduct, and competition restraint by multi-sided e-commerce platforms at a recent meeting of the Management Committee for Addressing Issues of Foreign Goods and Businesses Violating Laws. This regulatory push is part of a broader governmental effort to tackle issues stemming from the foregoing that create uneven playing fields and undermine consumer welfare. The draft guidelines are designed to regulate platform operators and their complex and multidimensional trade relations that cause network effects and distort competition. The forthcoming guidelines, to be issued under the Trade Competition Act B.E. 2560 (2017), will undergo public consultation to ensure platform operators, the public, and other stakeholders will have an opportunity to provide input before they are finalized and enforced. The guidelines are seen as an important priority, with the minister of commerce urging swift implementation of the measures to achieve the government’s objectives. In addition to the legislative advancement, one of the TCCT commissioners has been appointed to advise a subcommittee on preventing nominee arrangements by foreign investors and a subcommittee dedicated to promoting Thai SMEs and eliminating poor-quality imports. The appointee will also support the nationwide task force against illegal foreign products in overseeing proactive field operations and comprehensive
Read More
May 22, 2025
While digital technologies have significantly enhanced communication and information sharing, they have also created new opportunities for misuse, particularly for children, who are especially vulnerable to online abuse and exploitation. These risks are often difficult for parents and guardians to detect or prevent in a timely manner. To address these concerns, Thailand has drafted an amendment to the Criminal Code to introduce new provisions targeting offenses against children committed via online platforms. The objective is to close existing legal gaps and to provide more robust protections for children in the digital environment. The draft amendment focuses primarily on addressing online offenses against children and enhancing legal protections for children. The draft amendment proposed changes regarding the following issues: Jurisdiction and media misuse Expanding Thailand’s jurisdiction to cover sexual and liberty-related offenses committed against children outside the country. Adding offenses for misuse of media, including recording, publishing, or transmitting text, images, or sounds for unlawful or exploitative purposes. Offenses involving child exploitation Adding penalties for persuading, luring, or enticing children to engage in sexual or indecent conduct. Imposing harsher penalties for aggravated cases relating to child exploitation that result in serious harm or death. Adding penalties for sending or forwarding inappropriate sexual content to children with exploitative intent. Adding penalties for using threats involving sexual conduct to pressure or coerce victims. Removing ignorance of a child’s age as a possible defense for certain offenses (e.g., luring children or sending inappropriate content) when the child is under 13 years old. Special protections for vulnerable individuals Imposing harsher penalties for offenses committed against parents, persons under legal guardianship or parental authority, or individuals unable to protect themselves. Adding penalties to offenses such as luring children, sending inappropriate content, and cases involving serious harm or death. Child pornography Increasing liability for possession and
Read More
May 15, 2025
Thailand’s Electronic Transactions Development Agency (ETDA) held an explanatory session on the draft principles and regulatory approaches of the country’s planned artificial intelligence (AI) law on May 2, 2025. This came after a lull of two years following the initial release of draft legislation on AI. In the session, the ETDA explained that the earlier drafts were modeled after the EU’s legal framework for AI, but given the evolving Thai legal and technological landscape, it is now necessary to revisit and refine the drafts to ensure they remain relevant and effective in the local context. To aid in this process, the ETDA will accept public comments on the draft principles of the AI law until June 9, 2025. Based on gap analysis and a comparative study of how different countries have addressed AI issues, the ETDA’s draft AI law principles are structured into five key areas. These are described below. 1. Risk-Based Requirements The draft principles outline a set of approaches that the legislation will take toward mitigating risk: Delegation of powers to enforcement agency or sectoral regulators The primary legislation will not directly specify a list of prohibited risks or high-risk types of AI. Instead, it will empower an enforcement agency or relevant sectoral regulators to determine and issue such lists. This approach allows regulators in each specific industry to assess the necessity of risk classifications within their respective sectors, based on the principle that sectoral regulators are best positioned to understand the specific risks in their domains. These regulators are expected to issue subordinate legislation in alignment with the overall framework. Meanwhile, the central enforcement agency will coordinate oversight across sectors and cover areas not under the jurisdiction of any specific regulator. Duties of high-risk AI providers Providers of AI deemed by the enforcement agency or sectoral
Read More