Thailand PDPA AI Compliance: Automated Decisions, Consent Under Section 26, and PDPC Enforcement
Thailand's Personal Data Protection Act (PDPA, พ.ร.บ. คุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562) came into full enforcement on June 1, 2022, after two postponements. Section 26 prohibits collecting, using, or disclosing sensitive personal data (racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health, disability, trade union information, genetic and biometric data, plus any further category the Committee prescribes) without explicit consent unless a narrow statutory exemption applies. For AI teams, this means any health model processing Thai clinical records, any biometric authentication system, and any scoring model whose features include a Section 26 category must obtain explicit, per-purpose consent before processing. Financial data is not on the Section 26 list: it is ordinary personal data governed by Section 24, so a credit-scoring model needs a lawful basis but not necessarily explicit consent, unless its inputs pull in a sensitive category such as health or criminal-record data. The PDPC (Personal Data Protection Committee) enforces with administrative fines of up to THB 5 million (roughly USD 140K) per violation; criminal penalties for unlawful use or disclosure of sensitive data reach one year's imprisonment and/or a THB 1 million fine for responsible individuals. Section 5 gives the Act extraterritorial reach: it applies to controllers and processors outside Thailand that offer goods or services to data subjects in Thailand or monitor their behavior there, regardless of where the entity is established.
Section 26: Sensitive Data Prohibition and Its AI Implications
Section 26 is the provision that creates the most immediate AI compliance obligations under the Thai PDPA. Where GDPR Article 9 permits processing special-category data on ten grounds, Section 26 permits it only with explicit consent or under a short list of exemptions: preventing danger to life, body or health where the data subject cannot consent; legitimate activities of foundations, associations or nonprofit bodies with political, religious, philosophical or trade-union purposes, with appropriate safeguards and limited to their members or contacts; data the data subject has made public with explicit consent; establishing, exercising or defending legal claims; and processing necessary to comply with a law in areas such as preventive or occupational medicine, public health, employment and social protection, or scientific, historical or statistical research in the public interest, with appropriate safeguards.

Scope of the sensitive list: Section 26 enumerates racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data and biometric data, and allows the Committee to prescribe further categories that affect the data subject in the same way. Financial data (banking records, credit history) is not on that list; as under GDPR it is ordinary personal data, so a fintech model can rely on a Section 24 basis such as contract necessity or legitimate interests for it. The trap is indirect inclusion: a credit model that ingests medical bills, a disability flag or a criminal-record field has pulled in Section 26 data and needs explicit consent for that purpose.

Biometric AI: face recognition, voice authentication and fingerprint-based access control all process biometric data and require Section 26 explicit consent from Thai data subjects. Health AI: clinical notes, diagnoses, medication data and wellness-app data require explicit consent before any processing, including secondary uses such as model improvement, unless one of the exemptions above applies.

Explicit consent standard: Section 19 requires consent to be specific to each purpose, freely given, informed, presented clearly and separately from other terms in plain language, and as easy to withdraw as to give; the controller must be able to evidence it. Blanket consent buried in T&Cs does not satisfy Section 26 for sensitive data.
Section 24 Lawful Bases for Non-Sensitive AI Processing
For non-sensitive personal data (names, contact details, behavioral data, purchase history), consent under Section 19 is the default, and Section 24 lists six situations in which data may be collected without consent: (1) preparation of historical documents or archives in the public interest, or research and statistics with appropriate safeguards; (2) vital interests, that is, preventing or suppressing danger to a person's life, body or health; (3) contract necessity, that is, processing necessary to perform a contract with the data subject or to take steps at their request before entering one; (4) public task, that is, processing necessary for the public interest or the exercise of official authority vested in the controller; (5) legitimate interests of the controller or a third party, except where overridden by the data subject's fundamental rights and freedoms; (6) compliance with a legal obligation. For commercial AI systems the practical bases are consent (most explicit, and revocable at any time), contract necessity (limits processing to what the specific contract actually requires) and legitimate interests (requires a proportionality analysis and is unavailable for sensitive data). Legitimate interests analysis for AI: the PDPC expects controllers relying on legitimate interests to document a three-step test: identify the interest pursued; show the processing is necessary and cannot be achieved by less intrusive means; and balance that interest against the data subject's rights. Behavioral profiling, AI personalization and cross-device tracking based on legitimate interests need a documented LIA, must honor Section 32 objections, and must not touch sensitive personal data.
Data Subject Rights: Access, Objection, Erasure, and Portability
Thailand PDPA provides a comprehensive set of data subject rights with a 30-day response deadline for most requests. Right to access (Section 30): request access to all personal data held, the purposes, the retention period, and information about automated processing involving their data; controllers must respond within 30 days with meaningful information; for AI systems, this means the access response should include which AI-driven decisions were made about the individual and what data was used. Right to data portability (Section 31): receive personal data in a structured, machine-readable format when processing is based on consent or contract; this applies to AI inference inputs and outputs where the individual provided the source data — credit application data, health profile data, behavioral data collected with consent. Right to erasure (Section 33): request deletion when data is no longer necessary, consent is withdrawn, processing is unlawful, or objection to processing is sustained; AI systems must implement erasure propagation — deleting source data and ensuring derived AI records referencing the individual are also addressed. Right to object (Section 32): object to processing based on legitimate interests or for direct marketing/profiling; controller must cease unless compelling legitimate grounds exist; AI behavioral profiling systems must support per-individual objection at the inference layer, not just at campaign scheduling. Right to restriction (Section 34): suspend processing pending accuracy disputes or necessity review.
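The obligations in the Section 26, Section 24 and data-subject-rights passages above translate into three controls that have to sit in the inference path rather than in a campaign scheduler: a per-purpose consent record, a basis check that refuses legitimate interests for sensitive categories and honors Section 32 objections, and erasure that propagates from source data into feature rows and inference logs. The block below is an added example written for this page, not code from any PDPC publication or real library; the purpose names, record shapes, exemption labels and the sample ledger are constructed assumptions.

```python
"""Per-purpose consent/objection gate for AI inference, plus erasure propagation.

Added example for this page, not PDPC material or a real library. Purpose
names, record shapes, exemption labels and the sample ledger are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Categories enumerated in Section 26 (the Committee may prescribe more; not modelled).
SENSITIVE_CATEGORIES = {
    "racial", "ethnic", "political", "cult", "religious", "philosophical", "sexual",
    "criminal", "health", "disability", "trade_union", "genetic", "biometric",
}
# Assumed labels for the Section 26 statutory exemptions that replace explicit consent.
SENSITIVE_EXEMPTIONS = {"vital_interest", "nonprofit_activity", "public_disclosure",
                        "legal_claims", "legal_duty"}
# Section 24 bases for non-sensitive data; "consent" itself is governed by Section 19.
NON_SENSITIVE_BASES = {"consent", "research", "vital_interest", "contract",
                       "public_task", "legitimate_interest", "legal_obligation"}


@dataclass
class Consent:
    purpose: str                      # one purpose per record (Section 19: specific)
    explicit: bool                    # presented separately from T&Cs
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class Ledger:
    consents: dict = field(default_factory=dict)    # subject -> [Consent]
    objections: dict = field(default_factory=dict)  # subject -> {purpose} (Section 32)
    source: dict = field(default_factory=dict)      # subject -> raw personal data
    derived: list = field(default_factory=list)     # feature rows and inference logs

    def has_explicit_consent(self, subject: str, purpose: str) -> bool:
        return any(c.purpose == purpose and c.explicit and c.withdrawn_at is None
                   for c in self.consents.get(subject, []))


def authorize(ledger, subject, purpose, categories, basis, exemption=None):
    """Return (allowed, reason) for one inference over `categories` for `purpose`.

    Sensitive categories short-circuit: only explicit consent or a Section 26
    exemption will do, whatever basis the caller claims. For non-sensitive data
    the claimed Section 24 basis is checked, and a standing Section 32 objection
    blocks legitimate-interest processing at this layer.
    """
    if set(categories) & SENSITIVE_CATEGORIES:
        if exemption in SENSITIVE_EXEMPTIONS:
            return True, f"s.26 exemption: {exemption}"
        if ledger.has_explicit_consent(subject, purpose):
            return True, "s.26 explicit consent"
        return False, "s.26: sensitive data without explicit consent"
    if basis not in NON_SENSITIVE_BASES:
        return False, f"unknown basis: {basis}"
    if basis == "consent" and not ledger.has_explicit_consent(subject, purpose):
        return False, "s.19: no valid consent for this purpose"
    if basis == "legitimate_interest" and purpose in ledger.objections.get(subject, set()):
        return False, "s.32: subject objected; legitimate interest does not override"
    return True, f"s.24 basis: {basis}"


def withdraw_consent(ledger, subject, purpose, when):
    """Section 19: withdrawal must be as easy as granting; mark every active record."""
    for c in ledger.consents.get(subject, []):
        if c.purpose == purpose and c.withdrawn_at is None:
            c.withdrawn_at = when


def erase_subject(ledger, subject):
    """Section 33: drop source data and tombstone derived records naming the subject."""
    removed_source = 1 if ledger.source.pop(subject, None) is not None else 0
    tombstoned = 0
    for rec in ledger.derived:
        if rec.get("subject") == subject:
            rec.clear()              # remove features, scores, prompts, outputs
            rec["erased"] = True     # keep a marker so audit counts stay stable
            tombstoned += 1
    ledger.consents.pop(subject, None)
    ledger.objections.pop(subject, None)
    return {"source": removed_source, "derived": tombstoned}


def build_demo_ledger():
    """Constructed sample data: two subjects, one with a consent and an objection."""
    t0 = datetime(2026, 5, 1, tzinfo=timezone.utc)
    return Ledger(
        consents={"s-001": [Consent("health_risk_score", True, t0)]},
        objections={"s-001": {"ad_profiling"}},
        source={"s-001": {"hba1c": 7.1}, "s-002": {"clicks": 42}},
        derived=[
            {"subject": "s-001", "kind": "feature_row", "risk_bucket": "high"},
            {"subject": "s-001", "kind": "inference_log", "output": "risk=high"},
            {"subject": "s-002", "kind": "feature_row", "segment": "casual"},
        ],
    )


def run_demo():
    """Exercise the gate on the sample ledger; returns every decision for inspection."""
    ledger = build_demo_ledger()
    out = {
        "health_with_consent": authorize(ledger, "s-001", "health_risk_score", {"health"}, "consent"),
        "health_on_li": authorize(ledger, "s-002", "health_risk_score", {"health"}, "legitimate_interest"),
        "profiling_objected": authorize(ledger, "s-001", "ad_profiling", {"behavioral"}, "legitimate_interest"),
        "profiling_no_objection": authorize(ledger, "s-002", "ad_profiling", {"behavioral"}, "legitimate_interest"),
    }
    withdraw_consent(ledger, "s-001", "health_risk_score", datetime(2026, 5, 2, tzinfo=timezone.utc))
    out["health_after_withdrawal"] = authorize(ledger, "s-001", "health_risk_score", {"health"}, "consent")
    out["erasure"] = erase_subject(ledger, "s-001")
    out["erasure_again"] = erase_subject(ledger, "s-001")
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The design point is that `authorize` is called per request with the subject, purpose and the data categories the model will actually read, so a health feature smuggled into an "ordinary" profiling model is caught by the category check rather than by a policy document, and a withdrawn consent or a Section 32 objection takes effect on the next inference rather than at the next campaign run. `erase_subject` returns counts so an access or erasure response can state how many derived records were removed.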
Cross-Border Transfer Rules: Section 28 and PDPC Guidelines
Section 28 governs transfer of personal data from Thailand to an overseas controller or processor, which matters for any AI system calling overseas API providers (OpenAI, Anthropic, Google, AWS, Azure) or running on overseas cloud infrastructure. Transfer is permitted if: (1) the destination country or international organization has adequate data protection standards under criteria prescribed by the Committee (no adequacy whitelist has been published as of May 2026, so this route is practically unavailable); (2) appropriate safeguards are in place, such as binding corporate rules approved under Section 29 or standard contractual clauses; or (3) a Section 28 exception applies, including the data subject's consent to the specific transfer after being informed that the destination may lack adequate protection, contract necessity, or vital interests. PDPC SCC guidance: the PDPC's notifications under Sections 28 and 29, issued in late 2023 and in force since March 2024, recognize standard contractual clauses, including the ASEAN Model Contractual Clauses and the EU SCCs, as appropriate safeguards, so the SCC route is the one AI teams use in practice. Processor agreement: Section 40 requires the controller to put an agreement in place with each data processor, including processors outside Thailand, binding the processor to process only on the controller's instructions, apply appropriate security measures, and notify the controller of breaches; Section 39 separately requires the controller to keep records of processing activities. Any overseas AI API provider processing Thai personal data on behalf of a Thai or Thailand-serving controller therefore needs a Section 40-compliant data processing agreement plus a Section 28 transfer mechanism. Practical action: review each AI provider's data processing terms for both; where the provider will not sign PDPC-recognized SCCs, negotiate contractual safeguards that meet the notification's requirements; and record each transfer relationship and its legal basis in the Section 39 records of processing activities.
PDPC Enforcement Priorities and Breach Notification
The Personal Data Protection Committee (PDPC) has been active since enforcement commenced in June 2022. Regulatory approach: the PDPC focuses on consent management failures (bundled consent, no specific purpose), cross-border transfers without safeguards, inadequate privacy notices, and late breach notifications. The PDPC has opened formal investigations into healthcare organizations for AI-driven personalization using sensitive health data without Section 26 consent, and into e-commerce platforms for behavioral profiling based on implied rather than explicit consent. Section 37(4) breach notification: data controllers must notify the PDPC without delay and within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to data subjects' rights and freedoms. For AI systems, relevant breach events include: unauthorized access to training datasets containing personal data; model output logs read by unauthorized parties; prompt injection that causes a model to disclose personal data held in its context window or retrieved documents; and insider exfiltration of inference history. High-risk breach: if the breach is likely to result in high risk (identity theft, discrimination, financial loss, reputational damage), affected individuals must also be notified without undue delay, together with remedial measures. Thai-language notification: notifications to data subjects must be in Thai or in a language the affected individuals understand; for Thai data subjects this means the incident response process needs Thai-language communication capability, not an English-only template.