Thailand’s Personal Data Protection Committee (PDPC) has launched a public consultation period to gather input for a forthcoming set of guidelines under the country’s Personal Data Protection Act (PDPA). This initiative follows the PDPC’s issuance of guidelines on consent and notification requirements in September 2022.

The main consultation period, using an online questionnaire to gather feedback, runs until March 23, 2026. In addition, an interview-style online session for private-sector participants was held on March 17, and a two-day in-person event will be held on April 1–2—this is already fully booked and  walk-ins will not be accepted, but the session will be livestreamed on the PDPC’s Facebook page.

The PDPC will use the public feedback to design draft guidelines that accurately reflect the operational realities of both public and private organizations, after which the guidelines will be shared with the public.

Consultation Scope

The PDPC has identified six priority areas for which upcoming guidance may be issued:

• Legal bases for processing: The online questionnaire assesses respondents’ understanding of consent requirements and seeks views on priority issues, such as explanations of the legal bases and considerations for selecting an appropriate legal basis depending on the nature of the processing activity.
• Security measures and data breach notification: The questionnaire examines respondents’ understanding of data breach reporting and security measure obligations. Topics proposed for inclusion in the guidelines include data breach prevention measures, incident response plans, risk assessment methods, and reporting procedures.
• Data protection officers: Respondents are invited to share their expectations regarding the DPO’s role and their experiences in contacting a DPO. The survey also asks respondents to identify priority issues, such as response timeframes for data subject requests and complaint procedures.
• Marketing and direct marketing: The online questionnaire seeks input on preferred topics for guidance, including individuals’ rights to refuse marketing communications, mechanisms for withdrawing consent, and methods for individuals to verify how organizations use their personal data for marketing purposes.
• Records of processing activities: Proposed topics include the concept and importance of ROPAs and how individuals may exercise their right to request information regarding the processing of their personal data.
• National ID cards and CCTV for access control: Some questions concern the collection of personal data through CCTV and other data capture methods. Proposed topics for guidance include data minimization, retention practices, and security measures.

The PDPC is also seeking feedback on the preferred format of the guidelines, which may include summary handbooks, infographics, case studies, FAQs, or comparative tables.

Practical Implications

Although the guidelines will be nonbinding, they are expected to have a significant influence on regulatory expectations and enforcement practices. Organizations may find it difficult to deviate from the recommended approaches once issued, as the PDPC is likely to rely on the guidelines when reviewing PDPA compliance. The guidelines are also expected to shape industry norms and may prompt organizations to revisit existing compliance frameworks.

Action Items

Interested organizations should aim to submit feedback through the online questionnaire by March 23, 2026, to ensure the guidelines reflect operational realities and sector-specific challenges.

Upon issuance of the final guidelines, which current indications suggest will be developed over approximately eight months, organizations should review their data protection framework to assess whether updates are required.