PDPA (Thailand Personal Data Protection Act)

PDPA (Personal Data Protection Act) is Thailand's law regulating the collection, use, disclosure, storage, and cross-border transfer of personal data. It serves as Thailand's counterpart to the EU's GDPR in the field of data protection legislation.

For companies operating in Thailand, PDPA compliance is unavoidable. The law has been fully in force since 1 June 2022 and applies to all organizations handling personal data within Thailand: not only Thai legal entities, but also foreign companies outside Thailand that offer goods or services to individuals in Thailand or monitor their behavior.

Similar to the GDPR, it requires a lawful basis for processing (consent in the typical case, although the Act also recognizes other bases such as contractual necessity, legal obligation, and legitimate interest), prohibits use beyond the stated purpose, and requires notification of data breaches to the Personal Data Protection Committee within 72 hours of becoming aware of them. At the same time, the PDPA differs from the GDPR in how the lawful bases are defined and interpreted and in its enforcement framework, meaning that "GDPR compliance does not automatically equal PDPA compliance."

In the context of AI adoption, the handling of personal data contained in training data becomes a key issue. When training models on customer data, the purpose must be stated clearly and a lawful basis (typically consent) secured for that purpose, and the choice between anonymization (which takes the data outside the Act's scope, since it can no longer identify an individual) and pseudonymization (which does not, because the data remains personal data) becomes a governance-level decision.

Administrative fines for violations can reach a maximum of 5 million baht (approximately 20 million yen), and the Act also provides for criminal liability (up to one year of imprisonment and/or a fine of up to 1 million baht for certain offences) and for punitive damages of up to twice the actual damages in civil claims. While these figures are not as substantial as GDPR fines, they cannot be taken lightly given the associated reputational risk. Japanese companies with operations in Thailand should coordinate with local legal counsel to ensure appropriate compliance.