Thailand PDPA Compliance Checklist: Balancing Regulatory Requirements with AI Utilization

Lead
For companies operating in Thailand and implementing AI, compliance with the Personal Data Protection Act (PDPA) is unavoidable. PDPA violations can result in fines of up to 5 million baht and imprisonment, and regulatory enforcement continues to intensify. This article provides a checklist for achieving both AI utilization and compliance across each stage of data collection, processing, and storage. It is intended as a practical guide for IT managers, legal officers, and executives when reviewing their organization's AI initiatives.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific compliance measures, please consult a lawyer or law firm well-versed in Thai law.
Thailand's Personal Data Protection Act (PDPA: Personal Data Protection Act B.E. 2562) is a law that establishes comprehensive rules governing the collection, use, and disclosure of personal data in Thailand. Since AI systems process large volumes of personal data, they frequently intersect directly with the provisions of the PDPA. The following outlines the scope of application and the key obligations that should be particularly noted in AI operations.
Scope and Penalties of the PDPA
The PDPA applies to all organizations that collect, use, or disclose personal data within Thailand. Even businesses operating outside Thailand are subject to the PDPA if they offer goods or services to data subjects in Thailand, or monitor the behavior of individuals within Thailand.
Checklist for Determining Applicability:
- Do you have a base of operations in Thailand (branch office, local subsidiary, or representative office)?
- Are you collecting personal data from users located in Thailand?
- Are you providing services in Thai, or accepting payments in Thai Baht?
- Are you tracking or analyzing the behavior of users located in Thailand?
If any of the above apply, there is a high likelihood that you are subject to the PDPA.
Overview of Penalties:
| Type | Maximum |
|---|---|
| Administrative fine | Up to 5 million Baht |
| Criminal fine | Up to 1 million Baht (for the most serious offences, e.g. unlawful disclosure of sensitive data) |
| Imprisonment | Up to 1 year, or both fine and imprisonment |
| Civil damages | Actual damages plus punitive damages of up to 2x the actual damages |
The PDPC (Personal Data Protection Committee) is stepping up its enforcement efforts, with the primary grounds for action being inadequate security measures, failure to appoint a DPO (Data Protection Officer), deficiencies in contracts with data processors, and delays in reporting data breaches. The assumption that "we probably won't get caught" is no longer a viable position to hold.
Six Obligations Affecting AI Systems
There are six key PDPA obligations that require particular attention when operating AI systems.
1. Ensuring a Lawful Basis for Collection
Collecting personal data requires either consent or a statutory exception (such as contract performance, legitimate interests, or legal obligations). Even when using data for AI training, it must be confirmed that such use aligns with the purpose stated at the time of collection.
2. Purpose Specification and Use Limitation
Collected personal data may only be used within the scope of the purposes previously notified. If "AI model training" was not included in the original collection purpose, additional consent must be obtained.
3. Notification Obligations to Data Subjects
Data controllers must notify data subjects in advance of the purpose of collection, the retention period, and the rights of data subjects. Where AI-based processing is involved, this should be explicitly stated in the privacy policy.
4. Strict Management of Sensitive Data
Sensitive data — including race, ethnicity, political opinions, religion, biometric data, and health information — may not be collected without explicit consent. The use of facial recognition or voice recognition in AI systems may directly conflict with this provision.
5. Contractual Obligations with Data Processors (Section 40)
When outsourcing data processing to an external AI service provider, a written contract incorporating PDPA requirements is necessary. The scope of processing, security measures, and data breach reporting obligations (the processor must notify the controller, who in turn owes the PDPC a notification within 72 hours) must be clearly defined.
6. Implementation of Security Measures
Technical and organizational measures are required to prevent the leakage, loss, or unauthorized access of personal data. Where an AI pipeline holds large volumes of personal data (training datasets, prompt and output logs, vector indexes), encryption at rest and in transit, role-based access controls, and audit logging are essential.
Checklist: Data Collection Phase

The starting point of any AI project is data collection. Under PDPA, "lawfulness at the time of collection" forms the foundation for all subsequent processing — meaning that any deficiencies at this stage will leave legal risks lingering no matter how many measures are taken in later steps.
Consent Acquisition and Privacy Policy Development
Checklist:
- Clarity of Consent: Is the consent form clearly separated from other documents (e.g., Terms of Service)?
- Specificity of Purpose: Is "analysis and processing by AI" explicitly stated as a purpose of data collection?
- Ease of Withdrawal: Is there a mechanism allowing data subjects to easily withdraw consent (the ease of withdrawal must be equivalent to that of the original consent)?
- Record Retention: Are records maintained of who consented, when, and to what scope?
- Explicit Consent for Sensitive Data: When processing biometric data, health information, or similar data with AI, is explicit consent obtained separately from standard consent?
- Handling of Minors: When processing data of minors (the age of majority under Thai law is 20), is consent obtained from the holder of parental responsibility? For children under 10 this is always required; for older minors it is required unless the act is one a minor may lawfully perform alone.
Example of Non-Compliance: Embedding a checkbox stating "I consent to data analysis including AI processing" at the end of the Terms of Service. Under the PDPA, consent must be obtained in a "clearly distinguishable form," and mixing consent clauses with other clauses risks invalidating the consent.
Items to Include in the Privacy Policy:
The Privacy Policy must include, at a minimum, the following:
- Name and contact information of the data controller
- Types of personal data collected
- Purposes of collection, use, and disclosure (explicitly stating when AI processing is involved)
- Data retention period
- Rights of data subjects (access, rectification, erasure, portability, and objection)
- In the event of cross-border transfers, the destination and safeguards in place
Verification of Legality of AI Training Data
When using personal data to train AI models, the central question is whether such use falls within the scope of the purpose declared at the time of collection.
Checklist:
- Purpose consistency: Does the purpose notified at the time of collection include "AI model training and improvement"?
- Consent for secondary use: If not included in the original purpose, has additional consent been obtained?
- Consideration of anonymization: If training data is anonymized (rendered into a state where individuals cannot be identified), it may fall outside the scope of PDPA. Has the technical feasibility of complete anonymization been assessed?
- Verification of publicly available data: Even publicly available data collected via web scraping or similar means is subject to the PDPA if it constitutes personal data
- Lawfulness of third-party data: Has the basis for collecting data obtained from data brokers or partner companies been verified?
The difference between anonymization and pseudonymization:
In the context of the PDPA, a clear distinction must be drawn between "anonymization" and "pseudonymization."
- Anonymization: A state in which identification of an individual has become irreversibly impossible. Falls outside the scope of the PDPA.
- Pseudonymization: A state in which an individual can be identified when combined with additional information. Falls within the scope of the PDPA.
When using pseudonymized data for AI training, continued compliance with the provisions of the PDPA is required. The assumption that "hashing makes it safe" is dangerous. A hash of an identifier drawn from a small or enumerable value space (e-mail addresses, phone numbers, national ID numbers) can be reversed simply by hashing candidate values and looking for matches, and even where the original value cannot be recovered, records can often be re-identified by cross-referencing with other data. Hashing is therefore pseudonymization at best. The sufficiency of anonymization should be carefully evaluated taking into account available technologies and the accessibility of additional information.
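The following is an added illustration of the point above, not code from the original article: a dataset whose e-mail column has been replaced by SHA-256 hashes is re-identified by anyone holding a candidate list of e-mail addresses, and a keyed hash (HMAC) merely moves the linking ability to whoever holds the key, which is still pseudonymization under the PDPA. The customer e-mails and the attacker's list are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample: customer e-mails as they sit in the source system
# before a "hashed" export is handed to an AI training pipeline.
CUSTOMER_EMAILS = [
    "somchai@example.com",
    "nattaporn@example.co.th",
    "p.suwan@example.org",
]

# Constructed sample: a list an outsider might hold (marketing list,
# breach dump, partner CRM). It overlaps with two of the three customers.
ATTACKER_LIST = [
    "somchai@example.com",
    "unknown@example.net",
    "p.suwan@example.org",
]


def pseudonymise(email: str) -> str:
    """Unkeyed SHA-256: what 'just hash it' usually means in practice.
    Normalising case first is what makes the export joinable at all."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonymise_keyed(email: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). Without the key an outsider cannot rebuild
    the lookup table, but the key holder can still link every record to a
    person, so the data remains pseudonymised personal data, not anonymised."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def reidentify(exported_hashes, candidate_emails):
    """Dictionary attack: recompute the hash for every candidate e-mail and
    join it against the 'anonymous' export. Returns {hash: email} for hits."""
    lookup = {pseudonymise(e): e for e in candidate_emails}
    return {h: lookup[h] for h in exported_hashes if h in lookup}


def export_unkeyed(emails):
    return [pseudonymise(e) for e in emails]


def export_keyed(emails, key: bytes):
    return [pseudonymise_keyed(e, key) for e in emails]


if __name__ == "__main__":
    export = export_unkeyed(CUSTOMER_EMAILS)
    hits = reidentify(export, ATTACKER_LIST)
    print(f"unkeyed export: re-identified {len(hits)} of {len(export)} records")
    for h, email in hits.items():
        print(f"  {h[:16]}... -> {email}")

    keyed = export_keyed(CUSTOMER_EMAILS, b"secret-key-held-by-controller")
    print(f"keyed export: outsider re-identifies {len(reidentify(keyed, ATTACKER_LIST))} records")
```

The keyed variant defeats the outsider's dictionary attack, but the controller (or anyone who obtains the key) can still single out individuals, which is exactly the "identifiable when combined with additional information" condition that keeps the data inside the PDPA.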
Checklist: Data Processing and Analysis Phase

After collecting data, the process moves into the AI processing and analysis phase. Here, the focus is on whether the scope of processing deviates from the purpose at the time of collection, and whether the rights of data subjects are being violated.
Restrictions on Profiling and Automated Decision-Making
The PDPA does not contain an explicit provision equivalent to Article 22 of the EU's GDPR, which establishes the "right not to be subject to a decision based solely on automated processing, including profiling." However, this does not mean that profiling is entirely unregulated.
Checklist:
- Notification of profiling purposes: If AI-based profiling (behavioral analysis, scoring, etc.) is conducted, have data subjects been notified accordingly?
- Inference of sensitive data: If non-sensitive data is being used to infer health conditions, political opinions, or similar attributes, this may constitute the "collection" of sensitive data. Has this been considered?
- Handling objections: Are procedures in place to handle objections raised by data subjects regarding the processing of their data?
- Human oversight: Where AI makes decisions that significantly affect individuals (credit assessments, hiring decisions, etc.), is there a mechanism for human review?
While not an explicit obligation under the PDPA, a mechanism for final human judgment is strongly recommended as a practical risk mitigation measure from an Accountability standpoint. Since the GDPR explicitly enshrines the right to object to automated decision-making, the possibility that Thailand will introduce a similar provision in the future cannot be ruled out. Proactively designing a human oversight framework also serves as a safeguard against the risk of regulatory change.
It should also be noted that the PDPC's notification on DPO appointment requires a DPO where an organisation's core activities involve regular, large-scale monitoring of data subjects, which AI-based profiling typically is. Organizations conducting AI-based profiling should give serious consideration to appointing a DPO.
How to Adhere to the Principle of Data Minimization
PDPA stipulates that the collection of personal data should be "limited to what is necessary." This principle can easily come into conflict with AI, which tends to improve in accuracy the more data it is fed.
Checklist:
- Necessity assessment: Have you evaluated whether each data item fed into the AI model is truly necessary to achieve its purpose?
- Exclusion of unnecessary fields: Are fields that do not contribute to model accuracy—such as name, address, and phone number—being excluded before processing?
- Consideration of aggregation and statistical processing: Have you considered whether the objective can be achieved using aggregated data rather than individual-level data?
- Periodic data inventory: Are you periodically reviewing the datasets held by the AI model and deleting any unnecessary data?
Approaches to balancing data minimization with AI accuracy:
The notion that "more data is better" remains deeply ingrained in AI development, yet not every data item contributes equally to predictive accuracy. By combining the following technical methods, it is possible to maintain model utility while limiting the use of personal information.
- Feature Selection: Select only the features that contribute to the model's predictions, and exclude unnecessary features that contain personal information. Implement this as an allow-list of approved features rather than a block-list of known identifiers, so that a new column added to the source system later does not silently flow into the model.
- Differential Privacy: Add calibrated noise to released statistics, or to the gradients during training (DP-SGD), so that the presence or absence of any single individual has a bounded effect on the output. The noise is added to what leaves the system, not simply to the raw records, and every release spends part of a finite privacy budget.
- Federated Learning: Perform training locally on each device rather than aggregating data on a central server. This minimizes the transfer of raw personal data, though model updates can still leak information about the training data and usually need to be combined with secure aggregation or differential privacy.
Each of these approaches involves technical trade-offs. The balance between accuracy requirements and compliance requirements must be assessed individually for each use case.
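As an added worked example (not code from the original article), the two cheapest of the techniques above applied to a small constructed CRM extract: feature allow-listing strips the direct identifiers before records reach the model, and an aggregate count is released through the Laplace mechanism so that any one customer's record changes the published figure only within the noise. The records, the feature list and the epsilon value are assumptions chosen for illustration.

```python
import random

# Constructed sample records as they might sit in a CRM before being handed
# to a churn model. name, phone and national_id are direct identifiers that
# add nothing to the prediction task.
RECORDS = [
    {"name": "Somchai", "phone": "0812345678", "national_id": "1234567890121",
     "province": "Bangkok", "plan": "premium", "tenure_months": 14, "churned": False},
    {"name": "Nattaporn", "phone": "0898765432", "national_id": "1100000000001",
     "province": "Chiang Mai", "plan": "basic", "tenure_months": 3, "churned": True},
    {"name": "Preecha", "phone": "0861112222", "national_id": "3200000000002",
     "province": "Khon Kaen", "plan": "basic", "tenure_months": 25, "churned": False},
    {"name": "Anong", "phone": "0899998888", "national_id": "5300000000003",
     "province": "Bangkok", "plan": "premium", "tenure_months": 2, "churned": True},
]

# Allow-list agreed with the model owner (assumed for this example).
MODEL_FEATURES = ("province", "plan", "tenure_months")
LABEL = "churned"


def minimise(records, allowed=MODEL_FEATURES, label=LABEL):
    """Keep only the approved features plus the label. Anything not on the
    allow-list (including columns added to the CRM later) is dropped."""
    keep = (*allowed, label)
    return [{k: r[k] for k in keep if k in r} for r in records]


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) sample: the difference of two i.i.d. exponentials
    with mean `scale` is Laplace-distributed, and avoids the log(0) edge case
    of the inverse-CDF method."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_count(records, predicate, epsilon: float, rng: random.Random) -> float:
    """Differentially private count. Adding or removing one record changes a
    count by at most 1 (sensitivity 1), so Laplace noise with scale
    1/epsilon makes this single release epsilon-DP. Each further release
    against the same data spends additional budget."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


if __name__ == "__main__":
    for row in minimise(RECORDS):
        print(row)
    rng = random.Random(2024)  # seeded only so the demo is reproducible
    noisy = dp_count(minimise(RECORDS), lambda r: r["churned"], epsilon=1.0, rng=rng)
    print(f"noisy churn count (epsilon=1.0): {noisy:.2f}")
```

In production the seed must come from a cryptographic source, the privacy budget must be tracked across every query, and the minimised view, not the raw table, is what the model (or the external AI service) is ever allowed to read.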
Checklist: Data Storage and Deletion Phase

After AI model operations have commenced, ongoing management of retention periods and responses to the exercise of data subject rights continue to be required. In particular, since regulations surrounding cross-border data transfers remain fluid, the latest developments must be closely monitored.
Storage Period and Cross-Border Transfer Considerations
Retention Period Checklist:
- Retention period configuration: Have retention periods been established for each data category based on the purpose of use?
- Deletion of overdue data: Is there a mechanism in place to regularly delete or anonymize data that has exceeded its retention period?
- Data within AI models: If personal data remains in trained models, is it included within the scope of retention period management?
- Backup data: Are retention period policies also applied to backups?
Cross-Border Transfer Checklist:
When using overseas AI services (cloud APIs, SaaS-based AI tools, etc.), personal data is transferred outside the country. Compliance measures based on PDPA Sections 28 and 29 are required.
- Identification of transfer destinations: Have you confirmed which country's servers the data is stored and processed on?
- Adequacy decision verification: Have you confirmed whether the transfer destination is listed on the PDPC's adequacy decision list (Section 28)?
- Appropriate safeguards: Where no adequacy decision exists, have appropriate safeguards under Section 29 been implemented, such as Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCC)?
- Contractual provisions: Do contracts with AI service providers include data protection clauses covering the scope of processing, security measures, and obligations such as data breach notification within 72 hours?
- Consent-based transfer: Where none of the above measures are available, has explicit consent been obtained from data subjects after explaining the associated risks?
The PDPC has not yet published an adequacy decision list (as of the time of writing). Therefore, establishing SCCs or BCRs currently represents the standard practical approach. For SCCs, the common practice is to use the ASEAN Model Contractual Clauses or the EU Standard Contractual Clauses as a base, supplemented with Thailand-specific requirements (such as data breach notification within 72 hours).
Responding to the Exercise of Data Subject Rights
The PDPA grants data subjects multiple rights. When operating AI systems, it is necessary to design in advance how to handle the exercise of these rights.
Checklist:
- Right of Access: If a data subject requests access to their personal data, can you provide it, including data processed by the AI?
- Right of Rectification: Can rectification requests from data subjects be reflected in the AI model's input data and training data?
- Right of Erasure: When a data subject requests erasure, the removal of data from a trained model (Machine Unlearning) may be technically challenging. Have you considered alternative measures?
- Right to Data Portability: Can you accommodate requests from data subjects to receive their data in a structured, electronic format?
- Right to Object: Is there a procedure in place for handling cases where a data subject objects to processing by the AI?
- Response Deadline: Is a system in place to respond to rights exercise requests within 30 days of receipt?
AI-Specific Challenges — The Right of Erasure and Trained Models:
"Machine Unlearning" — the complete removal of a specific individual's data from a trained AI model — is a technically evolving field. The following are practical approaches to consider:
- Delete the relevant data from the training dataset and reflect the change at the next retraining
- Build models using only anonymized data, placing them outside the scope of erasure requests
- Define in advance alternative measures for when an erasure request is received (e.g., suspending the use of inference results)
In all cases, it is important to honestly explain to the data subject both the measures taken and any technical limitations. Rather than simply responding with "it cannot be done," the appropriate approach is to present alternative solutions and proceed in a manner that the data subject can accept.
Easily Overlooked Points

In addition to the key items on the checklist, there are points that tend to be overlooked in practice. In particular, the use of external AI services and the auditing of internal AI tools are prone to becoming blind spots.
Data Processor Responsibilities When Using External AI Services
When introducing generative AI services or image/speech recognition APIs into business operations, your organization will often act as the Data Controller, while the service provider acts as the Data Processor.
Checklist:
- Role clarification: Have the roles of Data Controller and Data Processor been clearly defined between your organization and the service provider?
- Data Processing Agreement (DPA): Has a written contract compliant with PDPA Section 40 been executed?
- Limitation of processing scope: Is the service provider configured to not use your data for training their own models (e.g., via opt-out settings)?
- Sub-processor awareness: If the service provider uses sub-processors, have you obtained a list of them?
- Data location: Have you confirmed in which countries the service provider processes and stores data?
- Incident reporting: Has the contract established an agreed-upon reporting flow for data breaches, with the processor notifying you promptly enough that you, as controller, can meet your own obligation to notify the PDPC within 72 hours?
One aspect that tends to be overlooked is employees' day-to-day use of generative AI. Cases where customers' personal data is entered into prompts are more common than one might expect. It is essential to establish internal usage guidelines and explicitly document rules around the input of personal data (e.g., prohibition or mandatory anonymization). Continuing to use these tools unconsciously because they are "convenient" — only for the issue to surface during a PDPC investigation — is a situation you cannot afford to find yourself in.
Internal AI Tool Audit Log
The PDPA imposes record-keeping obligations on data controllers regarding data processing activities. When operating AI tools in-house, fulfilling these obligations in practice presents a real operational challenge.
Checklist:
- Records of processing activities: Are logs maintained of which personal data the AI tool processed, when, and for what purpose?
- Access logs: Are records kept of who accessed the AI tool and what data was viewed or processed?
- Model version control: Can changes to training data and model update history be tracked?
- Output records: Are the results of AI-driven decisions—particularly those affecting individuals—recorded and traceable?
- Regular audits: Is there a mechanism in place to periodically audit AI tool usage and compliance?
Audit logs also serve as evidence when responding to investigation requests from the PDPC or to rights exercise requests from data subjects. It is advisable to set the log retention period to at least the equivalent of the data retention period.
In practice, manually managing all usage logs for AI tools is not realistic. It is recommended to build in a mechanism at the API gateway or proxy layer to automatically record request/response metadata (timestamps, user IDs, processing purposes, and a hash of the prompt rather than the prompt itself, so that the audit log does not become a second copy of the personal data it is meant to protect). The same choke point is the natural place to detect and block or redact personal data before it leaves the organization.
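Added example, not part of the original article, covering both the employee-prompt problem described earlier and the proxy-layer audit log: a wrapper that every call to an external AI service passes through. It detects e-mail addresses and Thai national ID numbers (validating the ID check digit so that arbitrary 13-digit order numbers are not flagged), redacts or blocks according to policy, and appends a metadata-only audit record. The `fake_backend` function, the in-memory `AUDIT_LOG`, the sample prompt and the ID numbers in it are constructed stand-ins for the real API client and log sink.

```python
import hashlib
import re
from datetime import datetime, timezone

# Two kinds of personal data that routinely end up in prompts.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# 13 digits, optional space/dash separators, not embedded in a longer number.
THAI_ID_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12}(?!\d)")


def thai_id_checksum_ok(candidate: str) -> bool:
    """Thai national ID check digit: weighted sum of the first 12 digits
    (weights 13 down to 2) mod 11; check digit = (11 - remainder) mod 10.
    Cuts false positives from unrelated 13-digit numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 13:
        return False
    total = sum(d * w for d, w in zip(digits[:12], range(13, 1, -1)))
    return (11 - total % 11) % 10 == digits[12]


def find_pii(text: str):
    """Return [(type, matched_text), ...] for every hit in the prompt."""
    hits = [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    hits += [("thai_id", m.group()) for m in THAI_ID_RE.finditer(text)
             if thai_id_checksum_ok(m.group())]
    return hits


def redact(text: str, hits) -> str:
    for _, value in hits:
        text = text.replace(value, "[REDACTED]")
    return text


AUDIT_LOG = []  # constructed stand-in for an append-only log sink


def guarded_call(user_id: str, purpose: str, prompt: str, backend, policy: str = "redact"):
    """Proxy-layer wrapper around an external AI API call.
    policy="redact" strips detected personal data before sending;
    policy="block" refuses the call entirely. Either way only metadata
    and a hash of the prompt are logged, never the prompt text."""
    hits = find_pii(prompt)
    if hits and policy == "block":
        decision, outbound = "blocked", None
    elif hits:
        decision, outbound = "redacted", redact(prompt, hits)
    else:
        decision, outbound = "allowed", prompt
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "purpose": purpose,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "pii_types": sorted({t for t, _ in hits}),
        "decision": decision,
    })
    return backend(outbound) if outbound is not None else None


def fake_backend(prompt: str) -> str:
    """Constructed stand-in for the real AI service client."""
    return f"echo: {prompt}"


# Constructed sample prompt: one e-mail, one syntactically valid Thai ID
# (1234567890121 passes the check digit), one 13-digit order number that does not.
SAMPLE_PROMPT = ("Summarise the complaint from somchai@example.com, "
                 "ID 1234567890121, about order 1234567890123")

if __name__ == "__main__":
    print(guarded_call("u-0042", "customer-support", SAMPLE_PROMPT, fake_backend))
    print(guarded_call("u-0042", "customer-support", SAMPLE_PROMPT, fake_backend, policy="block"))
    for entry in AUDIT_LOG:
        print(entry)
```

Regex detection is a floor, not a ceiling: names, addresses and free-text health details will pass through it, which is why the internal usage policy and the contractual no-training / no-retention settings remain necessary alongside the technical control.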
Frequently Asked Questions (FAQ)

Q1: What are the differences between PDPA and GDPR? What should be noted from an AI utilization perspective?
The PDPA was enacted with reference to the GDPR, but there are several important differences. The most significant distinction is that the PDPA does not contain an explicit provision equivalent to Article 22 of the GDPR, which establishes the "right not to be subject to a decision based solely on automated processing." However, this does not mean that automated processing by AI is permitted without restriction. Since the PDPA does include the right to object and the right to oppose processing based on legitimate interests, careful consideration is still required when designing AI operational frameworks.
Q2: If an employee inputs personal data into a generative AI tool for work purposes, does this constitute a PDPA violation?
It depends on the circumstances. If personal data entered into a prompt is transmitted to the service provider's servers, this may constitute "disclosure" of personal data. If the purpose stated at the time of collection did not include "processing by external AI services," there is a risk of a PDPA violation as a use beyond the original purpose. Countermeasures include establishing an internal policy prohibiting the input of personal data, anonymizing data when using APIs, and enabling data non-retention settings under enterprise plans.
Q3: Does anonymization place data outside the scope of the PDPA?
If true "anonymization"—a state in which individuals can no longer be identified—is achieved, the data falls outside the scope of the PDPA. However, "pseudonymization" (a state in which identification remains possible when combined with additional information) remains within the scope of the PDPA. Simple hashing alone may be insufficient to qualify as anonymization. The adequacy of anonymization must be assessed on a case-by-case basis, taking into account available technologies and the accessibility of additional information.
Q4: What measures are required when using cloud-based AI services located outside Thailand?
Compliance measures based on Section 28 (adequacy decisions) or Section 29 (appropriate safeguards) of the PDPA are required. Since the PDPC has not yet published an adequacy decision list, the practical recommendation is to establish Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). It is important to incorporate data protection clauses into contracts with AI service providers, and to clearly define the location of data processing, security measures, and data breach reporting procedures.
Summary

Thailand's PDPA does not prohibit the use of AI. By securing an appropriate legal basis, clarifying purposes, protecting data subjects' rights, and implementing security measures, compliance and AI utilization can be fully reconciled.
The key points of the checklist introduced in this article are summarized below.
- Data Collection: Meet the formal requirements for obtaining consent and explicitly state the purposes of AI processing
- Data Processing: Establish mechanisms for profiling notifications, data minimization, and human oversight
- Data Storage: Establish retention period management, legal bases for cross-border transfers, and procedures for responding to data subjects' rights requests
- Preventing Oversights: Do not forget to execute DPAs with external AI services and maintain audit logs for internal AI tools
Enforcement by the PDPC is intensifying year by year. Use this checklist to regularly review your organization's compliance status, and build a framework that enables rapid adaptation to legislative amendments and new guidelines. For specific implementation measures, it is strongly recommended to consult a law firm well-versed in Thai law and receive advice tailored to your organization's circumstances.
Author & Supervisor
Yusuke Ishihara
Started programming at age 13 with MSX. After graduating from Musashi University, worked on large-scale system development including airline core systems and Japan's first Windows server hosting/VPS infrastructure. Co-founded Site Engine Inc. in 2008. Founded Unimon Inc. in 2010 and Enison Inc. in 2025, leading development of business systems, NLP, and platform solutions. Currently focuses on product development and AI/DX initiatives leveraging generative AI and large language models (LLMs).


