Protection file

Thailand details procedures for data protection complaints – Data Protection

To print this article, all you need to do is be registered or log in to

Thailand’s Personal Data Protection Committee (PDPC) has issued regulations establishing procedures for filing and handling data subject complaints under the Personal Data Protection Act (PDPA) BE 2562 (2019). The Complaint Filing, Dismissal, Termination, Review and Review Period Rules BE 2565 (2022) were published in July 2022 and entered into force on July 12, 2022.

The PDPA permits data subjects to file complaints against data controllers, processors, and employees or service providers of either whose operations do not comply with the PDPA. This article sets out the various requirements and procedures for filing and handling such a complaint.

Filing complaint

The body designated by the PDPA to be responsible for handling complaints and imposing administrative penalties is called the “panel of experts”. Data subjects who wish to file a complaint can submit it to the Expert Panel directly at the PDPC office, send it to the office by post, or submit the complaint electronically.

The written or electronic complaint must use clear, simple, polite and appropriate language, and must not appear to be directly or indirectly extortionate or intimidating. The complaint must include at least the following information:

  • Name, address and telephone number or e-mail address of the complainant (or an authorized representative), together with an identity card, passport or other official identification document (plus a power of attorney if submitted by a representative);

  • Details and facts of the non-compliance or violation of the PDPA;

  • Details of the resulting damage or impact;

  • Supporting evidence (e.g. documentary evidence, physical evidence, witness statements); and

  • Desired action of the offender.

The complaint must include a statement attesting to its veracity and must be signed by the complainant or authorized representative.

Consideration of complaints

When a complaint is submitted, the official receiving the complaint verifies that the complaint is complete and then issues a receipt to the complainant. The official will then carry out a preliminary examination of the complaint within 15 days before proposing it to the committee of experts through the Secretary General of the PDPC for examination. In its review, the committee aims to determine:

  • whether the act stated in the complaint constitutes a breach or violation of the PDPA;

  • whether there are grounds for filing the complaint and whether the complaint is well-founded and reasonable;

  • whether the complaint falls within the competence of the committee of experts; and

  • if the duties and power to investigate the complaint are subject to any other law or authority.

The Panel may dismiss a complaint, for example, if it does not relate to non-compliance or violation of the PDPA, if it has complete information or supporting documentation, if it duplicates a complaint already settled, etc. If the panel considers the complaint to be negotiable, it may ask the complainant and the offender to consider doing so.

Generally, the Expert Panel will complete its review of the complaint within 90 days of its first meeting. With the approval of the PDPC, this period can be extended twice, up to 60 days each time.


After concluding its examination, the panel of experts will inform the complainant of the result as well as the relevant reasoning. If the complaint is dismissed or dismissed because it falls within the jurisdiction of another law or authority, the complainant may submit the complaint to that authority, who will then consider the date of receipt of the complaint to be the date on which the Committee of Experts received the complaint.

If the complaint is not negotiable, or is negotiable but the parties fail to reach a settlement, the Panel will review the complaint and may impose administrative penalties on the controller or processor in accordance with the PDPA.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

POPULAR ARTICLES ON: Privacy from Thailand

Data Protection Laws in India – All You Need to Know

Vaish Associates Lawyers

Data protection refers to the set of privacy laws, policies and procedures that aim to minimize the intrusion into an individual’s privacy caused by the collection, storage and dissemination of personal data. Personal Data generally refers to information or data relating to an individual who can be identified from that information or data, whether collected by a government or private organization or agency.

Draft National Data Governance Framework Policy, 2022

LCT law firms

The Ministry of Electronics and Information Technology (“MeitY”) released the draft National Data Governance Framework Policy (the “Policy”) on May 26, 2022, inviting the public to provide comments and comments on this.

The era of open borders for data is coming to an end

FTI Council

The idea of ​​“data sovereignty” has taken over the world of data privacy and, indeed, how organizations do business with each other. This is certainly the case for the problems that we accompany our customers.