The Royal Gazette of Thailand published, on 20 June 2022, four laws that accompany the Personal Data Protection Act 2019 ('PDPA'). In particular, the four laws constitute the supplementary laws anticipated by the Ministry of Digital Economy and Society ('MDES'), namely:

• the requirements to maintain appropriate security measures for the personal data controller ('the Appropriate Security Measures Law');
• the criteria and methods for organising, making, and keeping records of processing activities ('the Criteria for ROPA');
• the exemption from the requirement of organising, making, and keeping records of processing activities for small and medium-sized enterprises ('SMEs') ('the Exemption from ROPA'); and
• the criteria for issuing administrative fines and orders of the expert committee ('the Administrative Fines Law').

You can view the Appropriate Security Measures Law here, the Criteria for ROPA here, the Exemption from ROPA here, and the Administrative Fines Law here, all only available in Thai.