Thailand Thailand PDPA digital economy

Thailand's New PDPA Certification Mark Bets on Incentives, Not Just Bigger Fines

The PDPC's June 18 gazette notifications create a voluntary, 128-criteria certification scheme as an alternative to Thailand's escalating PDPA enforcement fines.

Thailand's PDPA Certification Scheme by the Numbers People of Internet Research · Thailand 128 Certification assessment criteria Applicants are assessed across fou… 3 years Certificate validity period Renewal must be sought before expi… ฿14.4M 2025 PDPA enforcement fines Six cases fined in 2025, mostly fo… peopleofinternet.com

Key Takeaways

On June 18, 2026, Thailand's Office of the Personal Data Protection Committee (PDPC) published two notifications in the Government Gazette — Criteria for PDPA Certification and Certification Marks B.E. 2569 and Methods and Conditions for Personal Data Protection Standards Certification B.E. 2569 — creating the country's first formal certification framework under the Personal Data Protection Act B.E. 2562 (2019). Both took immediate effect.

The timing is not incidental. Thailand's PDPA has existed since 2019, but the PDPC only found its enforcement footing in 2024 and 2025, issuing its first administrative fine (฿7 million, July 2024) and then a wave of penalties in 2025 — six cases totaling roughly ฿14.4 million (~$442,000) against a state hospital, a technology retailer, a cosmetics company, and a collectibles seller, almost all for failing to report breaches within the statutory window. Against that backdrop of rising punitive enforcement, the PDPC has now built a parallel, voluntary track: a trust mark, not a citation.

The Mechanics: Four Categories, 128 Criteria, Three Years

Applicants — government agencies at department level or above, or registered private entities — are assessed against four categories and 10 focus areas comprising 128 criteria, spanning governance and DPO oversight, staff training, data-subject-rights procedures, Records of Processing Activities, Data Protection Impact Assessments, data-sharing agreements, information security, and breach-response capability. Assessment includes document review, interviews, and on-site inspection, with a decision window of up to 180 days (extendable by 30). Successful applicants receive either a base PDPA Compliance Certificate or a higher PDPA Certificate carrying an official certification mark, valid for three years with a one-year follow-up review and a renewal window opening six months before expiry. Entry itself has a floor: applicants must already sit at Level 5 of the PDPC's Privacy Maturity Model, have no rejected application in the prior 45 days, no revoked certificate within a year, and no outstanding non-compliance with a PDPA judgment for at least two years.

The Case For It

The strongest argument for this scheme is straightforward: Thailand's enforcement data shows real, recurring harm — breach notifications missed, security controls absent, data processors left unsupervised — and a punitive-only regime does little to reward the companies already doing this well. A certification mark gives compliant organizations something GDPR's Article 42 certification mechanism and Singapore's Data Protection Trustmark have offered elsewhere: a way to signal governance maturity to regulators, investors, and counterparties without waiting to be sued or fined into visibility. For SMEs competing for contracts with multinationals that increasingly demand vendor due diligence on data handling, a government-backed mark is more portable and credible than a self-attested compliance memo. The PDPC's own framing — building a "Trust Economy" and positioning Thailand as a "Digital Trusted Nation" for cross-border data flows — is a legitimate policy goal, not marketing. Proportionate regulation should include exactly this kind of positive-sum instrument alongside deterrence.

Why It Has to Stay Voluntary

The risk is that a technically voluntary scheme becomes a de facto requirement through market pressure rather than legal mandate — the same dynamic that turned SOC 2 attestation from optional to table-stakes in enterprise software procurement. With a Privacy Maturity Model Level 5 prerequisite, mandatory on-site inspections, and a processing timeline that can stretch to seven months, this certification is realistically reachable only by organizations that already have dedicated compliance functions — banks, telcos, large platforms, government ministries. A small e-commerce operator or a regional hospital network, the exact profile fined most often in 2025, is unlikely to clear that bar even if it wants to. If large customers or foreign partners start treating the certification mark as a prerequisite for doing business — plausible, given the PDPC's own cross-border framing — Thailand risks building a two-tier compliance market where only well-capitalized firms can prove what they're already doing, while smaller controllers are pushed toward opacity rather than toward better practice.

The PDPC has, to its credit, kept this scheme legally optional and separate from baseline PDPA obligations — certification is additive, not a substitute for the underlying law's Section 37 breach-notification duty or Section 27 security requirements, which apply regardless. That design choice matters. Regulators elsewhere have sometimes let voluntary certification schemes quietly calcify into supervisory expectations, at which point the compliance cost of the "optional" program falls hardest on the businesses least equipped to absorb it.

The Verdict

Thailand deserves credit for reaching for an incentive-based tool rather than only tightening the punitive screws that produced ฿14.4 million in fines last year alone. A certification mark that rewards demonstrable governance is a sounder long-run strategy than enforcement-by-headline. But its success should be measured by whether smaller controllers ever find it worth pursuing — and whether the PDPC resists the temptation, three years from now, to fold certification into mandatory supervisory expectations by the back door.

Sources & Citations

  1. Personal Data Protection Act B.E. 2562 (2019), Royal Gazette
  2. Ministry of Digital Economy and Society — PDPA legal framework
  3. Tilleke & Gibbins — PDPA Certification Framework
  4. Dailynews — PDPC certification announcement
  5. DLA Piper Privacy Matters — Thailand PDPA enforcement 2025