+44 (0) 121 582 0192 [email protected]


The landscape of data privacy is continuously evolving, and with it, the regulations governing personal data protection. In a significant development, under Section 41 (2) of the Personal Data Protection Act (PDPA), it has been mandated that data controllers and processors appoint a Data Protection Officer (DPO). This directive comes as part of the latest announcement of new guidance on DPO Appointment Requirements from 13th December 2023 by the Personal Data Protection Committee (PDPC), significantly impacting businesses and their data handling practices.


Key Details of the PDPC Notification re: DPO Designation

The PDPC Notification re: DPO Designation, published in the Government Gazette on 14 September 2023, outlines the criteria for designating a DPO. This regulation will come into force from 13 December 2023, marking a crucial shift in how businesses must approach data privacy and protection.


Understanding the Criteria for DPO Designation

  1. Core Activities Criteria: The PDPC defines ‘core activities’ as operations essential and significant to a business’s primary objectives. These do not include ancillary activities, which merely support business operations.
  2. Regular Monitoring Criteria: Activities that involve systematic tracking, monitoring, analysing, or profiling of personal data fall under the ambit of regular monitoring, necessitating the appointment of a DPO.
  3. Large-Scale Criteria: Factors such as the number of data subjects (100,000 or more) and the nature of activities like behavioral advertising, insurance, and telecommunications operations determine if the data handling is on a ‘large scale’.


Next Steps for Businesses

Despite the PDPC Notification re: DPO Designation not specifying the forms and qualifications of the DPO, businesses are advised to prepare for this transition. Flexibility in designating a DPO is currently available, but further regulations regarding qualifications may be introduced in the future. With the  complexity of the PDPA it is best to select a service that includes a dedicated DPO, Full Legal Support and Full PDPA operational suport.


Actionable Steps for Compliance

Businesses falling under the PDPA should assess whether they meet the criteria for appointing a DPO. If applicable, they must complete the designation process and notify both the data subjects and the Office of the PDPC by the deadline of 13 December 2023.



The appointment of a DPO is not just a regulatory requirement; it’s a strategic move towards strengthening data privacy and trust within your organisation. As the deadline approaches, businesses must take proactive steps to ensure compliance and safeguard their operations against potential data privacy risks.

Formiti is your trusted partner in navigating this complex landscape. With our service, you gain the peace of mind that comes from knowing your business is not only PDPA-compliant but also at the forefront of data privacy excellence. Discover more about how we can help you with Thailand’s PDPA at Formiti’s Thailand PDPA Service.