Thailand’s Data Privacy Day 2026, hosted by the Office of the Personal Data Protection Committee (PDPC), underscored the country’s commitment to strengthening personal data protection, advancing regulatory maturity, and preparing organizations for the next phase of PDPA enforcement. The event marked a clear shift from policy-level compliance toward “Privacy in Action,” signaling that operational readiness and real-world implementation are now priorities. The Office of the PDPC also emphasized that data protection is now a national economic enabler that supports digital trust, competitiveness, and sustainable growth, not just a compliance obligation. The following insights summarize the key takeaways from the Data Privacy Day 2026 event. PDPA in Real Life: What Happens to Your Data Today The Office of the PDPC provided concrete data on enforcement trends and real-world compliance issues facing organizations across Thailand. Complaints and trends. The Office of the PDPC’s Personal Data Protection Act (PDPA) Center recorded 2,672 PDPA-related complaints as of January 2026, with the highest volumes involving failure to comply with the data minimization principle, collection without lawful basis, and use and disclosure without lawful basis. Administrative penalties. Several administrative penalties have been imposed on data controllers and data processors across various sectors, including government, healthcare, retail, SMEs and e-commerce, ranging from tens of thousands to several million baht. Most violations stemmed from weak security measures, failure to notify data breaches within the required timeline, absence of a data protection officer (DPO) when required, and noncompliance with governance requirements such as the Record of Processing Activities (ROPA) and data processing agreements with data processors. Case studies. The Office of the PDPC highlighted specific examples of violations: Hospitals misused personal data for purposes beyond their intended scope (e.g., using personal data collected for providing medical services to send birthday cards) Vendors compromised systems due to inadequate password

Thailand continues to advance its legal and regulatory framework for the technology sector, with several key laws undergoing review and proposed amendments. These developments reflect Thailand’s broader efforts to ensure that its regulatory landscape keeps pace with rapid technological change and aligns more closely with international standards and best practices. The following are key legal developments and proposed legislative reforms in 2026 that are expected to impact businesses operating in the technology sector and the broader Thai business landscape. Data Privacy and Cybersecurity Personal Data Protection Act B.E. 2562 (2019) Following the full enforcement of Thailand’s Personal Data Protection Act (PDPA) in June 2022, businesses and practitioners have identified practical implementation challenges and interpretative issues. These challenges were reflected in an effectiveness assessment conducted by the Personal Data Protection Committee (PDPC) in late 2024. The PDPC published a set of principles for public consultation to identify issues and directions for potential amendments to the PDPA. Key issues: Emerging issues include clarifying the definitions of “data controller,” “data processor,” and “criminal record”; revisiting the scope of sensitive personal data to better reflect Thailand’s context; proposing amendments to the hierarchy of legal bases to avoid misconceptions of consent as the default legal basis; and clarifying the required level of expressiveness for explicit consent, as well as rules for collecting personal data from other sources. Current status: The first round of public consultation has concluded. Next steps: The proposed amendments are proceeding to a revised draft following the consultation outcomes. Cybersecurity Act B.E. 2562 (2019) Thailand is moving forward with proposed amendments to enhance the effectiveness of its national cybersecurity framework, as evolving digital technologies bring new risks such as misinformation, system intrusions, and attacks on critical infrastructure, making cybersecurity a national priority. Key issues: The amendments aim to clarify and strengthen

Tilleke & Gibbins has updated the Cambodia, Myanmar, Thailand, and Vietnam chapters in Multilaw’s Global Data Protection Guide, which collects expert advice from Multilaw member firms in 90 jurisdictions around the world (including a Laos chapter, which is also authored by Tilleke & Gibbins). The guide provides answers to key issues concerning the fast-developing data protection and privacy laws around the world, and helps data protection officers and in-house counsel understand how the regulatory regime for data protection can affect their organizations in various jurisdictions. Each section of the guide identifies the main laws that govern data protection in that jurisdiction, and gives a detailed overview of the legal principles in place as well as the enforcement authorities responsible for overseeing compliance. The guide also covers issues related to data subject rights, data protection officers, impact assessments, data breach notification requirements, and cross border data transfers. The use of personal data in marketing is also considered, with specific information on electronic marketing rules, cookies, and marketing to businesses and consumers. Multilaw, of which Tilleke & Gibbins is a longtime member, is a global network of carefully selected independent law firms able to provide expert legal advice in complex environments around the globe. The full guide is available for free on the Multilaw website.

On September 29, 2025, Thailand’s Office of the Personal Data Protection Committee (PDPC Office) published its Regulations on the Review and Certification of Binding Corporate Rules B.E. 2568 (2025) (the Regulations). The Regulations provide clarity on the PDPC Office’s approach to reviewing and certifying binding corporate rules (BCRs) under Section 29 of the Personal Data Protection Act B.E. 2562 (2019) (PDPA), and aim to facilitate international data transfers within a group of undertakings or enterprises (a “corporate group”). In conjunction with this development, the PDPC Office also approved BCRs for two companies operating in Thailand on September 30, 2025. This milestone represents the first concrete progress since the PDPC’s Notification on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country pursuant to Section 29 of the PDPA B.E. 2566 (2023) came into effect in March 2024. Some key features of the Regulations are set out below. Categorization of BCRs BCRs are classified into two types: (1) BCRs for Controllers (BCR-C) and (2) BCRs for Processors (BCR-P). The category must be clearly specified when submitting the BCRs to the PDPC Office. Documentation Requirement The applicant must prepare and submit the application (a standard template may be provided by the PDPC Office in the future) along with supporting documents for review and certification in the Thai language. If the supporting documents are in a foreign language, a certified Thai translation should be provided. The translation must be notarized by a notary public or qualified person. Supporting documents may include, among others, a binding instrument such as an intra-group agreement, or a list of entities subject to the BCRs. Expedited Process Requirement Organizations with existing BCR approvals under the EU or UK GDPR, or from countries announced by the PDPC under Section 28, may apply through an