pdpa thailand


We will comply with PDPA THAILAND REGULATIONS but will smaller firms, one man bands or online only anonymous legal services providers comply? your date is paramount, ask your lawyer for their policy before you commit to being represented.

Thailand Releases Notification on Data Protection Officer Appointment

Topic: Personal Data Protection Act B.E. 2562 (PDPA)



  • Personal Data Protection Act B.E. 2562 (PDPA)


  • The Personal Data Protection Committee (PDPC) of Thailand has published a notification on the requirements for the appointment of a data protection officer (DPO) in the Government Gazette. The notification took effect on December 13, 2023.
  • The notification lays out the criteria for what constitutes processing of personal data requiring “regular monitoring of the personal data or the system” by reason of “having large-scale personal data,” which requires data controllers and data processors to appoint a DPO under the PDPA.

Criteria for Appointment:


  • Core activity: When determining whether processing of personal data requires regular monitoring due to having large-scale personal data, only the “core activity” of the data controller or data processor is to be taken into consideration. The term “core activity” denotes an essential and integral activity directly related to the primary operations of the data controller or data processor and does not include any supplementary business activities (e.g., human resources and information technology activities).
  • Processing activities that require regular monitoring of personal data: This refers to activities relating to tracking, monitoring, analyzing, or predicting the behavior, attitude, or profile of individuals, and generally involves the processing of personal data in a systemic manner on a usual or regular basis. Examples include membership card programs, credit scoring, insurance premium consideration, fraud prevention, processing of personal data by computer network system service providers or telecommunications operators, behavioral advertising, and so on.
  • Large-scale processing of personal data: To determine whether processing activities constitute “large-scale processing of personal data,” various factors are considered:
    • Volume, type, or nature of personal data processed;
    • Duration or permanence of the processing of personal data;
    • Number or proportion of data subjects whose personal data is processed, compared to the total number of potential data subjects; and
    • Scope or areas of the processing of the personal data.
  • Processing personal data of 100,000 data subjects or more is considered “large-scale processing of personal data.” 

DPO Duties:

  • The DPO appointment notification also emphasizes that the DPO can carry out other duties if the data controller or data processor warrants that these duties do not conflict with the DPO duties prescribed in the PDPA.

Impact on Isan Lawyers:

Isaan lawyers will be aware of the new DPO appointment requirements and take steps to comply with the law if they are required to appoint a DPO. This may involve reviewing their data processing activities and assessing whether they meet the criteria for regular monitoring or large-scale processing of personal data. If a DPO is required, Isan lawyers should identify a qualified individual to fill the role and ensure that they have the necessary training and resources to carry out their duties.

contact us

In Pattaya you may want to contact our sister company

Recent Posts
Post categories

Enquiry form

Fill out the form below and we will
contact you as soon as possible!

Dropdown Example

    Schedule an Appointment