DSAR standardization in Thailand. The 2026 notification and its implications for business

April 28, 2026

Thailand's digital transformation is steadily shifting from declarative regulation to practical enforcement. While the Personal Data Protection Act, B.E. 2562 (พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562)—commonly referred to as the PDPA—was previously perceived by many businesses as a broad framework, in 2026, the regulator has focused on the procedural detailing of its application.

In this context, the Personal Data Protection Committee (PDPC) is conducting public consultations from April 16 to May 15, 2026, on a draft subordinate act to standardize the processing of Data Subject Access Requests (DSARs).

Foundations of data protection in Thailand

Before analyzing the details of the 2026 procedural changes, it is essential to examine the primary source—the country's fundamental law in this field. The core regulatory act governing this area is the Personal Data Protection Act, B.E. 2562 (hereinafter referred to as PDPA / พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562). Although the Law was officially published in May 2019, its full implementation was postponed twice due to the COVID-19 pandemic and insufficient business readiness. It was not until June 1, 2022, that the Law came into full effect. Since that day, all companies operating in Thailand have been legally mandated to comply with its provisions.

The PDPA is built upon the principles of transparency and accountability. It distinguishes two primary roles for market participants:

  • Data Controller (ผู้ควบคุมข้อมูลส่วนบุคคล): A natural or legal person with the authority to make decisions regarding the collection, use, or disclosure of personal data.
  • Data Processor (ผู้ประมวลผลข้อมูลส่วนบุคคล): A person or entity that performs data processing activities following the instructions of, or on behalf of, the Data Controller.

The PDPA grants individuals (data subjects) an extensive list of rights that allow them to maintain control over their privacy:

  • Right of Access: The ability to obtain a copy of one’s data and inquire about the methods of its collection (this specific right is exercised through the DSAR mechanism).
  • Right to Data Portability: The right to receive data in a format suitable for automated processing and for transmission to another controller.
  • Right to Object: The possibility to prohibit the processing of data for marketing or statistical purposes.
  • Right to Erasure (Right to be Forgotten): The demand to destroy data if it is stored longer than necessary or held without proper consent.
  • Right to Restrict Processing: The temporary "freezing" of data usage in specific legal situations.

This list of subjective rights under the PDPA is mirrored by corresponding obligations for businesses. These obligations are not merely declarative; they entail a specific set of operational requirements. Every entity falling under the scope of the law is mandated to comply with the following imperative requirements:

  • Existence of a Lawful Basis for Processing — Pursuant to Sections 24 and 26 of the PDPA, the collection and processing of personal data are prohibited unless the Data Controller establishes at least one lawful basis.

This requirement entails obtaining consent that is voluntary, specific, informed, and unambiguous. Processing may also be justified by contractual necessity, meaning such processing is required to fulfill a contract to which the data subject is a party. Furthermore, processing may be necessary to comply with a legal obligation under other statutes (e.g., tax or banking laws) or to pursue a legitimate interest, provided that the company's interests do not override the fundamental rights of the data subject.

  • Ensuring Adequate Security Measures — Under Section 37 (1), the Data Controller is mandated to implement organizational and technical safeguards proportional to the level of risk.

Such measures must prevent unauthorized modification, access, or disclosure of data. They should include encryption, multi-factor authentication, and regular vulnerability audits. The Regulator (PDPC) specifically emphasizes the need to review these measures whenever there is a change in the technology stack.

  • Notification of Data Security Breaches — Section 37 (4) establishes a strict procedural obligation in the event of security incidents (data leaks). The Data Controller must notify the Office of the Personal Data Protection Committee within 72 hours of becoming aware of the breach. If the incident poses a high risk to the rights of data subjects, the Controller is also obligated to immediately notify the subjects themselves and provide recommendations on how to mitigate potential consequences.
  • Appointment of a Data Protection Officer (DPO) — The requirement under Section 41 mandates the compulsory appointment of a DPO (เจ้าหน้าที่คุ้มครองข้อมูลส่วนบุคคล) if the processing is carried out by a public authority, if the company's activities require regular and systematic monitoring of data subjects on a large scale, or if the core activities involve the processing of sensitive data, such as medical records, biometrics, or criminal history. The DPO serves as an intermediary between the company, the data subjects, and the Regulator.
  • Maintenance of a Record of Processing Activities (ROPA) — Pursuant to Section 39, the Data Controller (and, in certain cases, the Processor) is obliged to maintain and keep an up-to-date record of all processing activities.

The mandatory elements of such a register include the purpose of processing, categories of data subjects, categories of data, retention periods, methods for exercising data subject rights, and a description of security measures. Providing this register upon the Regulator's request is the first step of any audit. The absence of an ROPA constitutes formal grounds for administrative liability.

Public consultations on the reform

If the PDPA laid the foundation, the new notification being discussed this spring is intended to improve and standardize the procedure for businesses.

The primary initiator and moderator of these changes is the Personal Data Protection Committee (PDPC / คณะกรรมการคุ้มครองข้อมูลส่วนบุคคล) of Thailand.

The process is being conducted in the format of Public Consultations. This is a formal procedure during which the Regulator publishes the draft text on a specialized government portal to collect comments from legal professionals, business representatives, and the public. The discussion primarily takes place through the official PDPC portal and specialized digital platforms for gathering feedback.

The process follows an approximate timeline:

  1. April 16, 2026: Official launch of public consultations.
  2. May 15, 2026: Deadline for submitting comments and proposals from interested parties.
  3. June – July 2026 (Expected): Finalization of the text, signing by the Chairman of the Committee, and publication in the Government Gazette (ราชกิจจานุเบกษา).
  4. Entry into Force: The Notification becomes effective 30 days after its official publication.

The official title of the working document is the Draft Notification of the Personal Data Protection Committee re: Criteria and Procedures for Data Subject Access Requests.

Unlike the Personal Data Protection Act (PDPA) of Thailand, which establishes general rights (specifically the right of access under Section 30), the new notification is aimed at addressing a major gap—the lack of clear procedures for processing DSARs. It was this very ambiguity that previously allowed businesses to delay requests or to fulfill them only formally.

The notification is expected to establish basic rules for submitting requests, including the use of both electronic and traditional channels. At the same time, the mandatory use of a specific channel is not envisioned—the emphasis is placed on unification and accessibility.

A separate section will address verification of the applicant's identity. The Regulator is likely to formalize the controller's right to request additional information for identification, though without setting fixed timelines. The core guideline remains the principle of "without undue delay."

The content of the DSAR response is being significantly refined. A requirement is expected to provide structured information: categories of data, purposes of processing, sources of collection, and categories of recipients, rather than just a formal confirmation of processing.

The notification also details the procedural framework. Although the Personal Data Protection Act (PDPA) of Thailand does not set strict deadlines, the notification is expected to specify approaches to timeliness, including the handling of complex requests and the possibility of extending deadlines.

Furthermore, grounds for refusal or restriction of access will be specifically defined—particularly in cases where disclosure of data might infringe upon the rights of third parties, commercial secrets, or other legislative restrictions.

Practical implications for business, risks, and liability

The introduction of the Personal Data Protection Committee notification regarding DSAR signifies a shift from formal compliance to an operational model. Companies will no longer be able to process requests manually or haphazardly—a structured system is now required.

In practice, this necessitates:

  • Implementation of a dedicated DSAR process (policy + workflow);
  • Appointment of a responsible person (DPO or compliance officer);
  • Data integration across systems (CRM, payments, logs);
  • Implementation of tracking for requests and deadlines;
  • Preparation of standardized response templates.

Effectively, a DSAR becomes an internal audit: every request verifies whether a lawful basis for processing exists, whether retention periods are observed, and whether processes are correctly organized.

Regarding liability, the Personal Data Protection Act (PDPA) of Thailand already provides for substantial sanctions:

  • Administrative fines — up to 5 million THB for violations;
  • Typical fines for incidents (leaks, inadequate security) — up to 3 million THB;
  • In regulatory practice, cumulative fines can exceed 7 million THB;
  • Civil claims — with compensation exceeding actual damages.

Reputational risk often outweighs the financial burden. A data leak or an incorrect response to a DSAR can lead to the loss of clients and the blocking of partnerships with banks and payment providers.

A separate risk involves regulatory audits. The practice of the Personal Data Protection Committee demonstrates a move toward active enforcement: a DSAR complaint often serves as the entry point for a full audit of the company. In specific cases, total fines have already exceeded 20 million THB, indicating a systemic approach to oversight.

Conclusion

The Draft Notification of the Personal Data Protection Committee: Criteria and Procedures for DSAR does not alter the substance of the rights established in the Personal Data Protection Act (PDPA) of Thailand, but rather makes them practically applicable.

Its primary objective is to eliminate procedural uncertainty and transform DSAR into a standardized process with clear requirements for submission, verification, and the content of the response.

For business, this signifies a transition from formal compliance to operational readiness, necessitating the implementation of internal procedures, deadline monitoring, and the technical integration of data.

Connect with TUCC

Stay updated with the latest market insights, legal guides, and networking opportunities within the Thai-Ukrainian business corridor.

Website: thaiukraine.org

Email: info@thaiukraine.org

LinkedIn: Thai-Ukrainian Chamber of Commerce
