Thailand Thailand PDPA digital economy

Thailand's New PDPA Certification Trades Mandates for Market Signals

Two Government Gazette notices create Thailand's first PDPA certification — a voluntary, 128-criteria seal rather than a new compliance mandate.

Thailand's First PDPA Certification Framework People of Internet Research · Thailand 128 Assessment criteria Spread across 10 focus areas group… 3 years Certificate validity Renewable in the 6 months before o… 90% Top-tier certification bar Score needed for the PDPA Certific… ~THB 21.5M PDPC fines since Aug 2025 Eight penalties across five cases,… peopleofinternet.com
Thailand's First PDPA Certification Fr… People of Internet Research · Thailand 128 Assessment criteria 3 years Certificate validity 90% Top-tier certification bar ~THB 21.5M PDPC fines since Aug 2025 peopleofinternet.com

Key Takeaways

On June 18, 2026, Thailand's Office of the Personal Data Protection Committee (PDPC) published two notifications in the Government Gazette — "Criteria for Issuing a Certificate and Certification Mark for Personal Data Protection Standards, B.E. 2569" and "Methods and Conditions for Certifying Personal Data Protection Standards, B.E. 2569" — creating the country's first formal certification regime under the Personal Data Protection Act B.E. 2562 (2019).

This is a notable regulatory choice. Rather than writing new mandatory obligations into the PDPA, the PDPC built a voluntary credentialing scheme organizations can opt into to prove, with a government stamp, that their privacy program works.

What Certification Actually Requires

Applicants are assessed against 128 criteria spanning 10 focus areas, grouped into four categories covering governance and DPO oversight, personnel development, operational processes such as records of processing and data protection impact assessments, and technical security and breach-response controls. The PDPC reviews documentation and may conduct on-site inspections, with a decision window of up to 180 days plus a possible 30-day extension.

Two outcomes are available: organizations scoring 80–89.9% of assessed items receive a PDPA Compliance Certificate, while those scoring 90% or above — and meeting every mandatory legal requirement — earn a PDPA Certificate with an official Certification Mark. Before even filing, applicants must have already passed the PDPC's own Privacy Maturity Model self-assessment at Level 5, its highest tier. Certificates run three years, with a compliance check at year one and a renewal window opening six months before expiry.

Eligible applicants include Thai-incorporated entities or foreign companies with a branch or authorized representative in Thailand, and government agencies required to appoint a data protection officer. Applicants that had a certification application rejected in the prior 45 days, had one revoked in the past year, or have unresolved PDPA court judgments within the last two years are barred from applying.

The Case For a Trust Mark

The strongest argument for this framework is straightforward: self-attested privacy compliance is cheap to claim and expensive for counterparties to verify. Investors, business partners, and government procurement officers currently have no efficient way to distinguish a company with a genuinely mature data protection program from one that has simply posted a privacy policy. A government-audited certificate — backed by 128 concrete criteria rather than a vague promise — lowers due-diligence costs across the economy and gives Thai firms a credential that can travel into cross-border deals where partners expect demonstrable governance. PDPC Secretary-General Lt. Gen. Surapong Plengkham framed the goal explicitly around this trust dividend, stating that confidence in personal data handling "will be one of the key factors investors and business partners use in decision-making." That is a defensible bet: in markets where enforcement has teeth, a credible signal is worth more than another unread policy document.

Where Proportionality Gets Tested

Voluntary in name can become mandatory in practice once large buyers start requiring the mark from vendors.

The framework's design is genuinely restrained — it adds no new statutory duty, and PDPC materials are explicit that certification confers no legal immunity from enforcement. But three features deserve scrutiny. First, the prerequisite of a Level 5 Privacy Maturity Model self-assessment plus 128 criteria plus potential on-site inspection is a serious lift; smaller compliant firms without dedicated privacy staff may simply be priced out of a scheme meant to reward good practice, not budget. Second, the PDPC has said fees will be set separately and collected through designated banking channels — until those figures are public, it is hard to judge whether the scheme is accessible or a moat that favors firms that can already afford full-time DPOs and consultants. Third, a decision window stretching to 210 days (180 plus a 30-day extension) is long relative to the pace of commercial deals; if procurement teams start treating the mark as a de facto requirement, that timeline becomes a real cost even for a nominally optional program.

The Enforcement Backdrop Makes This Consequential

The certification launch lands months after the PDPC demonstrated it will use its existing powers aggressively. On August 1, 2025, the regulator announced roughly THB 21.5 million in administrative fines across five cases and eight penalties — including a THB 7 million fine against a computer-accessories retailer no larger than an average SME. That case matters here: it shows the PDPC will penalize ordinary mid-sized businesses, not just multinationals, which raises the practical value of a credential that lets smaller firms demonstrate rigor without waiting to be investigated.

A Reasonable Bet, If PDPC Keeps It Genuinely Optional

A voluntary, fee-funded certification scheme is a better regulatory instrument than a blanket mandate — it lets the market decide how much assurance is worth paying for, while keeping the PDPA's actual legal floor unchanged for everyone else. The PDPC should be pressed to publish fee schedules quickly, keep processing times predictable, and resist any move — through procurement rules or sector-specific guidance — that would convert this optional mark into a hidden cost of doing business for Thailand's smaller data controllers.

Sources & Citations

  1. Ministry of Digital Economy and Society — Personal Data Protection Act B.E. 2562 (2019)
  2. Public Relations Department (Thailand) — PDPA statute host
  3. Thai Post — PDPC certification framework announcement
  4. Tilleke & Gibbins — Thailand Introduces Certification Framework
  5. Tilleke & Gibbins — Eight Serious Fines Imposed in Thai Data Protection Cases