You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

April 9, 2026

Thailand’s Public Consultation on Proposed PDPA Guidelines: Key Updates

Subscribe to Updates

As part of its ongoing public consultation process for the development of new practical guidelines under the Personal Data Protection Act B.E. 2562 (2019) (PDPA), Thailand’s Personal Data Protection Committee (PDPC) held a two‑day public hearing on April 1–2, 2026. The hearing followed an online questionnaire and stakeholder engagement activities conducted in March 2026 and reflects the PDPC’s continued efforts to develop guidance that aligns international regulatory standards with Thai operational realities.

The public hearing provided a forum for participants from both the public and private sectors to exchange views with the PDPC on the proposed guidance so that it responds to the needs of the business community while supporting effective and balanced enforcement of the PDPA. The PDPC emphasized that the consultation process is part of a wider policy objective to build trust in the convenient, secure, and internationally aligned exchange of data.

Structure of the Consultation Process

According to the PDPC, the initiative to develop the draft PDPA guidelines is being implemented through three core phases:

  • Review of international best practices. The PDPC has conducted a comparative review of data protection guidance and regulatory approaches in jurisdictions with internationally recognized standards, including Singapore, the United Kingdom, the European Union (EU), and Japan. These materials are intended to serve as a reference point for developing practical recommendations across key subject areas under the PDPA.
  • Identification of practical issues and challenges. To ensure that the guidelines respond to real‑world compliance challenges in Thailand, the PDPC has gathered views from a broad range of stakeholders across the public sector, the private sector, and the general public. This phase included focus group discussions and questionnaires aimed at identifying areas to provide organizations with greater clarity and consistency on regulatory expectations.
  • Preparation of draft guidelines. Insights from the comparative study and stakeholder feedback are being consolidated to prepare draft guidance covering six core thematic areas (see the following section), intended to reflect both international standards and the practical realities of PDPA implementation in Thailand. The input gathered will be used to inform a draft set of guidelines.

Overview of Draft Guidelines

The consultation process has now advanced beyond open‑ended issue identification, with the PDPC presenting substantive draft guidelines that provide clearer insight into the regulatory focus of the six core thematic areas:

  • Lawful basis for processing personal data. The draft guidelines clarify the importance of lawful basis and lay out how organizations should identify, assess, and document lawful bases for the collection, use, and disclosure of personal data. They emphasize necessity, proportionality, and accountability and address both general and sensitive personal data, supported by practical examples, checklists, and FAQs.
  • Security measures and personal data breach notification. To address this area, the draft guidelines set out a structured framework for security measures, covering technical, administrative, and physical measures, as well as consideration for conducting data protection impact assessments (DPIAs) and managing risks arising from third parties and data transfers. They further provide detailed operational guidance on identifying and assessing personal data breaches, determining notification obligations, incident response procedures, documentation, and timelines for notifying the Office of the PDPC and affected data subjects.
  • Data protection officers (DPOs). The draft guidance clarifies when an organization is required to appoint a DPO and sets out expectations regarding the DPO’s role, professional qualifications, independence, reporting lines, and avoidance of conflicts of interest. It also includes checklists for key compliance concerns, such as the appointment process, the DPO’s position within the organization, and accessibility to data subjects and the Office of the PDPC.
  • Marketing and direct marketing. These guidelines also set out relevant data protection principles for the use of personal data for marketing and direct marketing purposes, such as purpose limitation, data minimization, lawful bases for processing, and applicable data subject rights. They categorize different types of marketing activities (including direct marketing, online tracking, profiling, and platform‑based targeting), provide practical organizational procedures on transparency, opt‑out mechanisms, and consent withdrawal, and provide illustrative case studies and FAQs on common marketing scenarios.
  • Records of processing activities (ROPAs). The draft ROPA guidelines position ROPAs as a core accountability and compliance tool, highlighting mandatory content, the roles of controllers and processors, and a structured approach to preparation, review, and updating ROPAs. This includes practical examples (e.g., HR, customer management, IT vendors, CCTV), templates, and a questionnaire for gathering information within the organization for filling in the ROPA.
  • Use of CCTV and access control systems. The guidelines address personal data processing involving CCTV and related surveillance technologies in housing estates and condominiums, with the objective of promoting PDPA‑compliant, industry‑consistent practices. Also covered are common risk areas, such as visitor management, biometrics, license plate recognition, and resident portals, as well as practical guidance and FAQs for typical operational scenarios.

Regulatory Signals

The April 1–2 public hearing indicates that the PDPC is moving into a more mature, internationally informed phase of PDPA guidance development while remaining attentive to domestic operational challenges. Although the forthcoming guidelines will not have the force of law, they are expected to influence regulatory expectations, compliance assessments, and enforcement decisions.

Organizations should therefore anticipate greater clarity but not a relaxation of PDPA obligations, and may wish to begin reviewing current compliance frameworks, particularly in higher‑risk processing areas, internal documentation practices, and governance arrangements, in preparation for the final guidance.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

December 4, 2025
Thailand has expanded the circumstances under which state agencies may bypass competitive bidding procedures to address urgent security challenges. On November 28, 2025, Thailand’s Ministry of Finance published the Ministerial Regulation Determining Cases of Procurement by Specific Method (No. 6) B.E. 2568 in the Royal Gazette, introducing a new pathway for procuring supplies and services needed to address cyber and military threats that may affect the stability of government agencies or the nation. For technology vendors, cybersecurity firms, and defense contractors, this regulatory change creates immediate opportunities to engage directly with government buyers facing urgent security challenges. New Fast-Track Category for Security Threats The regulation amends Thailand’s Public Procurement and Supplies Management Act B.E. 2560 (2017) to add a new category of procurement that qualifies for the “specific method”—a noncompetitive, direct selection process. Previously, agencies could use this expedited method only in limited circumstances, such as emergencies, cases with proprietary technology requirements, or national security operations. The new provision explicitly covers procurement of supplies related to preventing or resolving cyber or military threats that could impact the stability of a state agency or the country. This addition recognizes the urgent nature of modern security challenges, where competitive bidding timelines may leave agencies vulnerable during critical threat windows. State agencies dealing with active cyberattacks, preparing defensive measures against anticipated threats, or responding to military security concerns can now move directly to negotiate with qualified vendors rather than conducting lengthy public tender processes. Vendor Considerations Vendors offering cybersecurity solutions now have a regulatory avenue to work directly with government clients when stability concerns are present. These solutions include threat detection systems, anti-ransomware tools, incident response services, firewalls, and security consulting. Similarly, defense contractors providing military equipment or specialized security supplies can pursue direct engagement channels where traditional procurement methods would create
Read More
December 3, 2025
Thailand’s Civil Court has issued a regulation targeting the use of artificial intelligence (AI) in the preparation of pleadings and other documents submitted to the court. Effective November 17, 2025, the regulation aligns with September 2025 guidance from the president of the Supreme Court, and aims to safeguard accuracy, transparency, and public confidence in civil adjudication. The regulation applies to all parties submitting pleadings or any documents to the Civil Court that are prepared using AI tools or contain AI-generated content. It subjects AI used for these purposes to strict requirements on verification, disclosure, and accountability. Core Obligations The regulation imposes four principal obligations: Lawyers who use AI remain subject to duties of honesty, responsibility to the court, professional standards, and legal ethics, including the duty to assess the appropriateness of the AI tool for the work. Parties and lawyers must verify the accuracy and completeness of all facts, legal provisions, and citations in AI-generated content before submission. Parties and lawyers must disclose to the court any AI-generated content by clearly marking the beginning and end of the AI-generated portion with prescribed statements (see below). Additionally, a certification confirming the use of AI must be provided at the end of the pleading or document, stating that AI was used for certain portions and that the party has reviewed and certifies the accuracy of factual and legal content. Parties and lawyers bear the same full legal and ethical responsibility for AI-generated content as they do for personally authored documents; they cannot evade responsibility or avoid liability by citing AI-related errors. Likewise, parties must ensure that any AI-generated content is truthful, accurate, and unbiased. Prescribed Disclosure Language Each instance of AI-generated content must be preceded by the statement “[The following content was prepared using artificial intelligence]” and must end with “[End
Read More
November 24, 2025
A recent warning from the Central Bank of Myanmar (CBM) against cryptocurrency use upholds the country’s ongoing strategy of enforcing strict prohibitions on unauthorized cryptocurrency activities while also promoting the controlled development of a central bank digital currency (CBDC). The CBM’s warning, issued November 16, 2025, reminded the public of announcements in May 2019 and a notification in May 2020 confirming that all online and offline cryptocurrency transactions are strictly prohibited. The CBM also clarified that no financial institution in Myanmar is authorized to deal with digital currencies. The warning highlighted global risks, such as money laundering, scams, tax evasion, hacking, and severe financial losses caused by price volatility and insufficient regulation. The CBM urged the public to use only legitimate banking channels and avoid illegal cryptocurrency activities. The warning comes five months after the CBM issued a notification announcing the formation of the Central Committee for the Issuance of a Central Bank Digital Currency. This committee includes senior CBM officials, representatives from relevant ministries and the banking sector, and technology experts. Its main role is to research CBDC models, test secure digital payment systems, and ensure that any future implementation aligns with Myanmar’s monetary policy and financial stability objectives. Taken together, these two actions illustrate the CBM’s continued pursuit of its dual strategy to promote innovation through CBDC development while prohibiting cryptocurrency use. Businesses should note that while CBDC pilot programs may appear in the future, cryptocurrencies remain off-limits.
Read More
November 14, 2025
Interest in data center land acquisition has increased significantly over the past year, with a notable rise in inquiries from investors seeking to establish digital infrastructure in Thailand. Although the sector is still in its early stages, this emerging wave of development represents a significant shift in Thailand’s technology infrastructure landscape, driven primarily by multinational technology companies and operators looking to expand their regional presence. Project Development The data center sector in Thailand is attracting a diverse range of international investors, though with clear geographic patterns. Most investors are from China, Singapore, and Japan, with some additional interest from countries outside Asia, including the United States and Europe. This investor base consists primarily of multinational tech companies and operators seeking to establish new facilities rather than acquire existing assets. Data center business activities are also a sector promoted by Thailand’s Board of Investment (BOI), which offers investors both tax and nontax privileges as well as exemptions to foreign investment and land-ownership restrictions. Projects currently underway are still largely in the land acquisition and construction phase. Unlike more mature markets where many facilities are operational and generating revenue, the predominant focus in Thailand remains on securing suitable land and beginning the building process. This means that while interest is high and land assembly is accelerating, the sector as a whole has not yet reached the operational phase that will ultimately drive licensing applications and full regulatory compliance. The licensing process itself remains at an early stage, as most projects must first complete their facilities before applying for the specific licenses required from the telecommunications authority. Once the facilities are built, the next critical step will be obtaining these telecommunications licenses, which are mandatory for data center operations. Legal and Regulatory Considerations The complexity of data center development in Thailand requires
Read More