PDPA compliance reinforced: DPOs mandatory for all state agencies
All state agencies are now required to appoint Data Protection Officers (DPOs) under a new regulation. DPOs will advise, monitor, and coordinate compliance with Thailand’s PDPA, which takes effect on December 9, 2025.
The Royal Gazette has published a new regulation titled “Announcement of the Personal Data Protection Committee on State Agencies Required to Appoint Data Protection Officers (No. 2) 2025”, issued on October 9, to expand and update the previous regulation under Thailand’s Personal Data Protection Act (PDPA) (2019).
The new announcement broadens the scope of state agencies that must appoint Data Protection Officers (DPOs), covering entities that handle large volumes of citizens’ personal data or conduct operations deemed to pose a high risk to the rights and freedoms of data subjects.
Under the regulation, government bodies in sectors such as national security, finance, education, public health, and personnel administration are now required to designate DPOs. These officers will be responsible for advising, monitoring, and ensuring compliance with the PDPA within their respective organisations.
The DPOs will also serve as the primary liaison between their agencies and the Office of the Personal Data Protection Committee (PDPC), as well as act as a point of contact for citizens seeking to exercise their data rights, including requests for data deletion, correction, or processing restrictions, to ensure transparency and effective protection.
The regulation will take effect on December 9, 2025, giving all affected government agencies time to prepare personnel, management systems, and internal practices to comply fully with the PDPA’s legal requirements.
