What are the key data privacy laws and regulations?
Last review date: 31 December 2025
- The Personal Data Protection Act B.E. 2562 (2019)
- Royal Decree Prescribing Characteristics, Businesses, or Organizations which are Exempted from the Personal Data Protection Act B.E. 2562 (2019) B.E.2566 (2023)
- Notification of the PDPC re: Exemption from Maintenance of Records Obligation of the Data Controller Which Is a Small Organization B.E. 2565 (2022)
- Notification of the PDPC re: Rules and Methods for Preparation and Maintenance of Records of Personal Data Processing Activities for the Data Processor B.E. 2565 (2022)
- Notification of the PDPC re: Security Measures of the Data Controller B.E. 2565 (2022)
- Notification of the PDPC on Rules and Methods of Personal Data Breach Notification B.E. 2565
- Notification of the PDPC re: Rules for Issuance of Orders of Expert Committee under the Personal Data Protection Act B.E. 2562 B.E. 2566
- Notification of the PDPC re: the Criteria for Determining Administrative Fines by the Expert Committee B.E. 2568 (2025)
- Notification of the PDPC re: the Data Controller and the Data Processor that Are Public Authorities Required to Appoint a Data Protection Officer B.E. 2566 (2023)
- Notification of the PDPC re: the Data Controller and the Data Processor that are Public Authorities Required to Appoint a Data Protection Officer (No. 2) B.E. 2568 (2025)
- Notification of the Personal Data Protection Committee re: Personal Data Protection Officers under Art.41(2) of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023)
- Notification of the Personal Data Protection Committee re: Security Measures of Personal Data for the Data Controller exempted from the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023)
- Notification of the Personal Data Protection Committee re: Suitable Measures for Collection of Personal Data for the Achievement of the Purpose relating to Historical Documents or Archives
- Notification of the Personal Data Protection Committee re: Criteria for Protection of Personal Data for Cross-border Transfer under Art.28 of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023)
- Notification of the Personal Data Protection Committee re: Criteria for Protection of Personal Data for Cross-border Transfer under Art.29 of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023)
- Notification of the Personal Data Protection Committee re: Appropriate Measures for the Collection of Personal Data for the Achievement of the Purpose relating to Research or Statistics under Section 24 (1) and the Scientific, Historical, or Statistic Research Purposes, or other Public Interests under Section 26 (5) (d) of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023)
- Notification of the Personal Data Protection Committee re: Criteria on the Protection Measures for the Collection of Personal Data relating to Criminal Records which is not carried out under Control of Authorized Official Authority under the Law B.E. 2566 (2023)
- Announcement of the Personal Data Protection Committee on the Master Plan for the Promotion and Protection of Personal Data in the Country B.E. 2567 – 2570 (2024 – 2027)
- Notification of the PDPC re: Criteria for Deletion or Destruction or De-identification of Personal Data B.E. 2567 (2024)
- Notification on the exemption to maintain the Record of Processing Activities of Data Controller who is a small organization B.E. 2567 (2024)
- Notification on the exemption to maintain Record of Processing Activities Data Processor which is a small organization B.E. 2567 (2024)
- Rules of the PDPC re: the Filing, Refusal of Acceptance, Dismissal, Consideration, and Timeframe for the Consideration of the Complaints B.E. 2565
- Operational Guideline re: Obtaining Consent from Data Subjects under the PDPA
- Operational Guideline re: the Notification of the Purposes and Details of Collection of Personal Data from the Data Subjects under the PDPA
- Guideline for Data Controllers and Data Processors: Case Studies from Consultation Concerning Enforcement of the Personal Data Protection Act B.E. 2562
- The Notification of the National Broadcasting and Telecommunications Commission re: Measures to Protect Telecommunications Users, Data Privacy, Privacy Rights and Freedom of Communications
- The Credit Information Business Operation Act B.E. 2545 (2002)
- The Child Protection Act B.E. 2546 (2003)
- The National Health Act B.E. 2550 (2007)
- The Payment System Act B.E. 2560 (2017)
- The Notification of the Bank of Thailand SorGorSor2. 4/2563 re: Market Conduct Rules
- The Notification of the Office of Insurance Commission re: Rules, Methods for Issuing and Offering of Non-life Insurance Policy for Sale and the Performing of Duty of Non-life Insurance Agent, Broker and Bank B.E. 2563 (2020)
- The Notification of the Office of Insurance Commission re: Rules, Methods for Issuing and Offering of Life Insurance Policy for Sale and the Performing of Duty of Life Insurance Agent, Broker and Bank B.E. 2563 (2020)
- The Notification of the Office of Insurance Commission re: Personal Data Protection Guideline for Life Insurance Business B.E. 2564 (2021)
- The Notification of the Office of Insurance Commission re: Personal Data Protection Guideline for Non-life Insurance Business B.E. 2564 (2021)
- The Notification of the Office of Insurance Commission re: Personal Data Protection Guideline for Loss Adjuster Business B.E. 2564 (2021)
- The Official Information Act B.E. 2540 (1997)
What are the key cybersecurity laws and regulations?
Last review date: 31 December 2025
- The Cybersecurity Act B.E. 2562 (2019)
- The National Cybersecurity Committee Notification re: Policy and Plan on Maintaining Cybersecurity (B.E. 2565-2570) (2022-2027)
- The Cybersecurity Regulating Committee Regulation re: Delegation of Power to Critical Cyber Threat Committee B.E. 2565 (2022)
- Office of the Prime Minister Notification re: Appointment of Competent Officials Under CSA B.E. 2566 (2023)
- The National Cybersecurity Committee Notification re: Establishment, Duties, and Authority of National Computer System Security Coordination Center B.E. 2564 (2021)
- The National Cybersecurity Committee Notification re: Characteristic, Duties, Responsibilities of the Computer System Security Coordination Center for Critical Information Infrastructure Organizations and Relevant Tasks of Services B.E. 2564 (2021)
- The National Cybersecurity Committee Notification re: Prescribing Criteria and Types of Organizations with Tasks or Services as Critical Information Infrastructure Organizations and Assigning Control and Regulation B.E. 2564 (2021)
- The Cybersecurity Regulating Committee Notification re: Code of Practice and Standard Framework for Maintaining Cybersecurity for Government Agency and CII B.E. 2564 (2021)
- The National Cyber Security Committee Notification re: Characteristics of the Cyber Threats, the Measures to Prevent, Cope with, Assess, Suppress, and Suspend the Cyber Threats in Each Level B.E. 2564 (2021)
- The Cybersecurity Regulating Committee Notification re: Rules and Procedures for Reporting Cyber Threats B.E. 2566 (2023)
- The National Cybersecurity Agency Notification re: Criteria and Rates of Fees, Maintenance Fees, Remuneration, and Service Fees for Operations B.E.2566 (2023)
- The National Cybersecurity Committee Notification re: Standard and Guideline for Promoting and Developing the Cybersecurity related Service System B.E. 2566 (2023)
- The National Cybersecurity Committee Notification re: Minimum Standard of Data or Information System B.E. 2566 (2023)
- The National Cybersecurity Committee Notification re: Standard for Determining Cybersecurity Characteristics for Data or Information Systems B.E. 2566 (2023)
- The National Cybersecurity Agency Notification re: Guideline for the Preparation of Cybersecurity Plan B.E. 2567 (2024)
- The Cybersecurity Regulating Committee Notification re: Duties of the Critical Information Infrastructure Organization and Regulator B.E. 2567 (2024)
- The National Cybersecurity Committee Notification re: Measures and Guidelines for Improving Skills, Knowledge, and Expertise in Cybersecurity B.E. 2567 (2024)
- The National Cybersecurity Committee Notification re: Cybersecurity Standards for Cloud Systems B.E. 2567 (2024)
- The National Cybersecurity Agency Notification re: Guideline for Determining Cybersecurity Characteristics for Data or Information Systems B.E. 2567 (2024)
- The National Cybersecurity Committee Notification re: Criteria and Characteristics of Agencies Whose Missions or Services Qualify as Critical Information Infrastructure Agencies and on the Assignment of Control and Supervision B.E. 2568 (2025)
- The National Cybersecurity Committee Notification re: Security Standards for Websites B.E. 2568 (2025)
- The National Cybersecurity Committee Notification re: the Criteria, Procedures, and Conditions for the Certification of the Quality of Cybersecurity Service Providers, B.E. 2568 (2025).
- The National Cybersecurity Committee Notification re: the Types and Scope of Services Eligible for Quality Certification of Cybersecurity Service Providers, B.E. 2568 (2025)
- The National Cybersecurity Committee Notification re: the Requirements for Documentation Certifying Personnel Skills and Competencies and Work Processes in Accordance with International Standards, B.E. 2568 (2025).
- The National Cybersecurity Committee Notification re: Audit and Assessment Requirements for the Certification of the Quality of Cybersecurity Service Providers, B.E. 2568 (2025).
What are the key laws and regulations relating to non-personal data?
Last review date: 31 December 2025
In Thailand, there are some key laws and regulations relating to non-personal data per the list below:
- The Official Information Act B.E. 2540 (1997) imposes obligations on government authorities regarding information in their possession or control. This includes information related to the operations of government authorities or the private sector, which may be both non-personal data and personal data.
- The Credit Data Business Operation Act B.E. 2545 (2002) governs businesses related to credit information, particularly the use of information pertaining to credit data or credit scoring. This information includes non-personal data, such as approved loans, loan payment history, payment history for goods and services through credit cards, and account status.
- The National Cybersecurity Committee Notification re: Cybersecurity Standards for Cloud Systems B.E. 2567 (2024) governs the use of cloud services by organizations subject to the Cybersecurity Act. The use of cloud services could include hosting both non-personal data and personal data of such organizations. It imposes specific obligations on both cloud users and cloud service providers, particularly concerning the security of cloud services.