Thailand’s Personal Data Protection Committee (PDPC) has launched a public consultation period on a draft notification setting out criteria for data subject access requests (DSARs). The draft notification addresses practical uncertainties in handling DSARs by introducing standardized procedural requirements for data controllers. The consultation period runs from April 16 to May 15, 2026. The notification will enter into force 30 days from the date of its publication in the Government Gazette.

Key Features of the Draft Notification

The draft notification covers the following key areas:

• Scope of information subject to access. Data controllers must enable data subjects to access at least the following upon request: (1) personal data collected directly from them; (2) personal data obtained from other sources; and (3) the source of personal data obtained from other sources without consent. Information required under section 23 of the PDPA and information that must be recorded pursuant to section 39 of the PDPA—such as the categories of personal data collected and purposes of processing—must also be made available.
• Submission channels and formal requirements. Data controllers must provide at least in-person and postal channels for DSARs, while electronic or other channels are optional. Requests may be made either directly by the data subject or through an authorized representative, and must be signed and include sufficient identifying information, a preferred response method, and DSAR details. Identity verification documents (and proof of authority if the request is through a representative) are required, and additional documentation may be requested for verification or communication purposes. Data controllers may use different verification methods for DSARs submitted via electronic or other channels, provided this does not create undue obstacles to the exercise of data subject rights.
• Verification and response timelines. Data controllers must complete preliminary verification within seven business days of receiving a request. If a request is incomplete or inaccurate, or the requestor’s identity cannot be verified, the data controller must request rectification or additional documentation to be provided within a specified timeframe, which must not be set at less than 10 days. Failure to respond within this timeframe will result in the request being deemed abandoned, without prejudice to the data subject’s right to submit a new request. If the data subject does provide the requested information or documents, the request will be deemed received on the date correct and complete information or documents are provided. Responses must be provided within 30 days of receipt, extendable by a maximum of 30 days for large-volume requests or due to other necessities, provided the requestor is notified.
• Access methods. Access may be provided through inspection of personal data, copies of documents, or data in electronic or other requested formats, where technically feasible.
• Refusal of DSARs. Requests may be refused where compliance is prohibited by law or court order or would adversely affect third-party rights (including fundamental rights, trade secrets, or intellectual property). Where possible, redaction or other measures should be applied for partial compliance. Refusals must be communicated with reasons and recorded in the record of processing activities.
• Fees. Electronic access or copies that do not require recording media or involve direct transmission costs must be provided free of charge. Reasonable fees may be charged for copies or labor-intensive requests, subject to actual costs and capped rates set out in the draft notification’s schedule. Data subjects must be informed of applicable fees prior to or at the time of exercising their rights.
• Recordkeeping. Data controllers must retain DSAR records, along with any documentary evidence, for at least two years.

Next Steps

Stakeholders may submit comments until May 15, 2026. Once the rules are finalized, organizations will be expected to reassess their DSAR workflows, particularly verification and response timelines.