Thailand Personal Data Protection Act (PDPA) — AI Provisions: AI Compliance Requirements
Thailand's Personal Data Protection Act B.E. 2562 (2019) became fully effective June 1, 2022. In February 2026, the Personal Data Protection Committee (PDPC) released draft Guidelines on Personal Data Protection in AI Development and Use — creating de facto mandatory standards for AI deployments. Key AI obligations: (1) DPIAs are mandatory for high-risk AI processing. (2) Automated decisions with legal effects require human-in-the-loop capability and a mechanism for individuals to contest decisions. (3) AI model training contracts must include model training prohibitions (preventing vendors from using your data to train third-party models). (4) Data processing agreements with AI vendors must specifically address model training restrictions. Applies to any organization processing personal data of Thai residents.
Key Facts
Effective date: June 1, 2022
Maximum penalty: Administrative fine up to THB 5,000,000 (~$135K USD) per violation; criminal penalties up to THB 1,000,000 + imprisonment for intentional violations
What Your Business Must Do
3 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.
Data Protection Impact Assessment for AI (Thailand PDPA)
High Priority
Under PDPC 2026 AI guidelines, DPIAs are mandatory for AI systems that: (1) Make automated decisions with legal effects. (2) Involve large-scale processing of personal data. (3) Use sensitive categories (health, biometric, financial). (4) Are deployed using new or experimental technology. Conduct a DPIA before deployment and review it annually or on material change.
Human-in-the-Loop for Automated Decisions
High Priority
Thailand PDPA + PDPC AI guidelines: AI systems making significant automated decisions affecting Thai residents must provide a mechanism for individuals to: (1) Be informed that a decision was automated. (2) Request human review of the decision. (3) Contest or provide their viewpoint on the decision. Implement a documented escalation path for automated decision challenges.
AI Vendor Contract — Model Training Prohibition
Medium Priority
PDPC 2026 guidelines specifically require that contracts with AI service providers (OpenAI, Google, Anthropic, etc.) include explicit provisions prohibiting the vendor from using your customers' personal data to train third-party AI models. Review and update all AI vendor DPAs/ToS to include this restriction. Document evidence of vendor compliance.
Frequently Asked Questions
Does Thailand Personal Data Protection Act (PDPA) — AI Provisions apply to my business?
Thailand's Personal Data Protection Act B.E. 2562 (2019) became fully effective June 1, 2022. In February 2026, the Personal Data Protection Committee (PDPC) released draft Guidelines on Personal Data Protection in AI Development and Use — creating de facto mandatory standards for AI deployments. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.
What is the penalty for non-compliance?
The maximum penalty under Thailand Personal Data Protection Act (PDPA) — AI Provisions is: Administrative fine up to THB 5,000,000 (~$135K USD) per violation; criminal penalties up to THB 1,000,000 + imprisonment for intentional violations. Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.
How do I comply with Thailand Personal Data Protection Act (PDPA) — AI Provisions?
The 3 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.
Official Source
https://fosrlaw.com/2025/ai-machine-learning-big-data-thailand-legal-regulatory-2025/
Last updated: 2026-04-12 — verify at source before relying on this information.