

In an increasingly interconnected digital landscape, Japanese organisations providing products and services or engaging in profiling activities in the United Kingdom, the European Union, and Thailand face a complex web of data privacy obligations. These obligations, articulated in the UK’s General Data Protection Regulation (UK GDPR) Article 27, the EU GDPR Article 27, and Section 37 (5) of Thailand’s Personal Data Protection Act (PDPA), present both challenges and opportunities for Japanese businesses.


The Importance of Local Representation

Under the specified regulations, Japanese companies without legal entities in the UK, EU, or Thailand are required to appoint local representatives in these regions. This mandate is more than a bureaucratic formality; it’s a crucial step towards ensuring compliance with local data privacy laws and building trust with international consumers.


UK GDPR and EU GDPR: Article 27’s Mandate

Article 27 of both the UK GDPR and EU GDPR stipulates that organisations not established in the UK or EU must designate a representative within the UK or EU, respectively. This representative acts as a point of contact for supervisory authorities and individuals in the region regarding data protection matters. Failure to appoint such a representative can result in significant fines and reputational damage.


Thailand’s PDPA: A Closer Look at Section 37 (5)

Thailand’s PDPA echoes this requirement in Section 37 (5). It mandates that international companies appoint a representative within Thailand who is authorised to act on behalf of the data controller, without any limitation of liability. This representative is responsible for ensuring compliance with the PDPA’s provisions regarding personal data collection, use, and disclosure.


Why Compliance Matters

For Japanese organisations, compliance with these regulations is not just a legal necessity but a strategic imperative. By adhering to these laws, companies demonstrate their commitment to protecting personal data, thus enhancing their credibility and trustworthiness in the eyes of international consumers.


The Risks of Non-Compliance

Non-compliance carries significant risks, including hefty fines, legal actions, and a loss of consumer trust. In an era where data breaches and privacy concerns are increasingly common, failing to comply with data privacy regulations can be detrimental to a company’s reputation and financial stability.


Steps Towards Compliance

  1. Understand the Regulations: Familiarise yourself with the specifics of the UK GDPR, EU GDPR, and Thailand’s PDPA. Each region has unique requirements and nuances.
  2. Appoint a Representative: Select a knowledgeable and reliable representative in each region. This individual should be well-versed in local data protection laws and capable of liaising with local authorities and individuals.
  3. Update Policies and Procedures: Ensure your data handling policies and procedures align with the requirements of each region’s data protection laws.
  4. Educate Your Team: Train your staff on the importance of data protection and the specifics of international compliance.
  5. Regular Audits and Assessments: Conduct regular assessments to ensure ongoing compliance and address any gaps promptly.



For Japanese organisations operating globally, navigating the complexities of international data privacy laws is essential. By understanding and complying with regulations like the UK GDPR, EU GDPR, and Thailand’s PDPA, these companies can not only avoid legal pitfalls but also foster a culture of trust and transparency, pivotal in today’s data-driven world.
