Thailand PDPA Local Representative:

A: Yes. Thailand’s PDPA already applies to many AI providers, and emerging Thai AI rules are adding further obligations for high‑risk AI systems and foreign AI companies.

Q2: Does Thailand’s PDPA apply to AI providers?

A: Yes Thailand’s PDPA applies whenever your AI system processes personal data relating to identifiable individuals in Thailand, whether you are based in the Kingdom or operating from overseas. If your AI platform offers services to Thai users or monitors their behaviour online, you are likely considered a data controller targeting Thai data subjects, which triggers PDPA obligations and, for non‑resident controllers, the Section 37 Local Representative requirement.

• For AI providers, this typically includes recommendation engines, profiling tools, automated credit and risk‑scoring models, HR and recruitment screening systems, marketing automation, healthcare decision‑support, and any AI that influences individuals with legal or similarly significant effects. Under Section 34, where decisions are made solely by automated means, data subjects have specific rights, and your organisation must explain the logic, significance, and consequences of those automated decisions.
• Foreign AI companies face an additional layer of regulation beyond the PDPA. High‑risk AI providers must appoint a local legal representative in Thailand under the draft AI framework, while PDPA Section 37 requires a Local Representative for non‑resident controllers that target Thai users or monitor their behaviour. This means an AI company without a Thai office can still be legally required to maintain a Thailand‑based point of contact for both PDPA and AI‑specific supervisory authorities.
• As Thailand’s risk‑based AI regulation formalises, regulators are gaining broad enforcement powers, including the ability to issue stop orders, require platform takedowns, and coordinate investigations through the AI Governance Center and sectoral regulators. For AI providers, aligning PDPA compliance (lawful basis, transparency, DSAR handling, cross‑border transfers) with AI‑specific governance (risk classification, human oversight, incident reporting, record‑keeping) is becoming a single, integrated compliance task rather than two separate exercises.

Q3: We operate an AI platform with no Thai office – do we need a Local Representative?”

If your AI platform has Thai users or monitors the behaviour of people in Thailand, you are likely required to appoint a Local Representative. This usually applies where your AI uses profiling, behavioural tracking, or automated decision‑making involving Thai residents, even if all infrastructure and staff are outside Thailand. If you actively target the Thai market (for example through Thai‑language services, pricing, or campaigns), the Local Representative requirement is even more likely to apply.

Q4: How does a Local Representative help with AI‑related PDPA incidents?
A: A Local Representative acts as your on‑the‑ground point of contact for regulators and data subjects when AI‑related incidents occur. The Legal team can coordinate responses to regulatory inquiries and enforcement actions, the Privacy team can assess AI model breaches, training‑data issues, and automated decision complaints, and the Operations team can execute DSAR handling, evidence collection, and communication workflows through the platform. This ensures that investigation, containment, notification, and ongoing engagement with Thai authorities and affected individuals are managed in a structured, defensible way.