The Royal Gazette of Thailand published, on 20 June 2022, four laws that accompany the Personal Data Protection Act 2019 ('PDPA'). In particular, the four laws constitute the supplementary laws anticipated by the Ministry of Digital Economy and Society ('MDES'), namely:

• the requirements to maintain appropriate security measures for the personal data controller ('the Appropriate Security Measures Law');
• the criteria and methods for organising, making, and keeping records of processing activities ('the Criteria for ROPA');
• the exemption from the requirement of organising, making, and keeping records of processing activities for small and medium-sized enterprises ('SMEs') ('the Exemption from ROPA'); and
• the criteria for issuing administrative fines and orders of the expert committee ('the Administrative Fines Law').

You can view the Appropriate Security Measures Law here, the Criteria for ROPA here, the Exemption from ROPA here, and the Administrative Fines Law here, all only available in Thai. 

UPDATE (31 October 2022)

Supplementary legislation enters into force

OneTrust DataGuidance Research confirmed, on 31 October 2022, with Kritiyanee Buranatrevedhya and Thananya Chaikamonsuk, Partner and Associate at Baker McKenzie respectively, that the Appropriate Security Measures Law, the Exemption from ROPA, and the Administrative Fines Law became effective as of 21 June 2022, whereas the Criteria for ROPA will be effective and thus enter into force on 17 December 2022.