IAS Advisory joins consultation hosted by the Office of the PDPC

IAS Advisory co-founding partner Mr Anuwat Ngamprasertkul and senior associate Mr Piniti Chomsavas, both PDPA specialists, recently joined a consultation hosted by Thailand’s Office of the Personal Data Protection Committee (PDPC). The consultation brought together lawyers and representatives from leading law firms and consulting organisations to provide feedback on the draft sector-specific guidelines and to discuss ways to raise PDPA compliance standards through cooperation between consultants and the PDPC Office.

Anuwat and Piniti shared their views on stakeholder collaboration and the draft sector-specific guidelines for 11 target industry groups, consisting of:

• National Security;
• Essential Public Services;
• ICT & Telecommunications;
• Transportation & Logistics;
• Energy & Public Utilities;
• Public Health;
• Education;
• Finance, Investment & Insurance;
• Tourism;
• Wholesale, Retail & E-Commerce; and
• Real Estate.

The consultation, which took place on 8th July 2026, focused on ensuring that the guidelines provide clear, practical, and sector-appropriate guidance on compliance with Thailand’s Personal Data Protection Act (PDPA). Once finalised, the guidelines are expected to reflect the PDPC’s expectations and serve as a key reference for businesses, while promoting consistent privacy practices and strengthening confidence in Thailand’s digital economy.

We are grateful to the PDPC for the invitation to share practical insights and support the development of helpful industry-specific guidance that will assist businesses in meeting their PDPA obligations more effectively. More importantly, this dialogue reflects the shared commitment of the PDPC and PDPA consultants to supporting and uplifting PDPA compliance standards in Thailand.

PDPA enforcement update & implications for your business

Yesterday, on 21st August 2024, the Office of the Personal Data Protection Committee (the “PDPC”) and the Ministry of Digital Economy & Society announced a significant enforcement action. The Expert Committee on Technology & Related Issues (Committee 2) imposed a fine of up to THB 7,000,000 (Seven Million Thai Baht) on a major private company engaged in online trade.

The fine was levied due to the company’s failure to adequately protect personal data, leading to a breach that exposed sensitive information to call centre gangs.

The company had collected personal data from over 100,000 customers but did not appoint a Data Protection Officer, as mandated by Section 41 of the Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”). From the PDPC’s investigation, the Company was found to have insufficient security measures in place to protect customer data as required by Section 31(1). They also failed to identify the breach and notify the affected customers and the PDPC of the breach in a timely manner, in violation of Section 37(4).

This is the first administrative fine to be issued under the PDPA. Such enforcement action reflects the PDPA’s alignment with the European Union’s General Data Protection Regulation (the “GDPR”).

Mr Prasert Jantarawongthong, Minister of Digital Economy & Society, emphasised that this decision underscores the importance of compliance with data breach reporting requirements and serves as a cautionary message to all organisations. A further release of the full directive is expected and should benefit other operators in implementing their own compliance practices. It will also provide a clearer picture of the PDPC’s enforcement approach.

For guidance on navigating the PDPA and ensuring the compliance of your organisation, please contact us. Our team of lawyers is here to help you implement effective data protection strategies and avoid regulatory pitfalls.

This article was researched and prepared by Ms Lavanya Dev-Kauffmann.