
PDPA + AI Checklist for Organizations: Tick These Before Feeding Personal Data to AI

Checklist ~11 min Updated 20 June 2026

AI for Business AB128

Customer data typed into a chat box is still under the law

Many organizations assume that pasting customer or employee data into an AI chat box to help draft work is an internal matter nobody sees. The reality is that when that data is personal data, the act falls squarely under Thailand’s Personal Data Protection Act B.E. 2562 (PDPA). Most AI tools also process on servers abroad, which brings the stricter rules on cross-border data transfer into play as well.

This article is organized as a checklist a team can actually tick through, covering the lawful basis, data minimization, cross-border transfer, vendor contract terms, data subject rights, breach response, and an internal AI-use policy. The goal is to let executives and the relevant functions answer the key questions before they press go.

This article is meant to build understanding and help you ask the right questions, which makes it useful for framing internal work. Decisions with binding legal consequences should go through legal counsel and follow the latest PDPC guidance, because the sub-regulations and the list of destination countries are still evolving.

Update box: rules and guidance are still moving (June 2026)

The PDPA framework is already in force, but sub-regulations and guidance keep being issued. Points worth keeping current:

  • The sub-regulations on cross-border data transfer were published in the Government Gazette on 25 December 2023 and came into force on 24 March 2024, covering both the criteria for adequate destination countries and the BCR and appropriate-safeguards mechanisms.
  • As of now the PDPC has not yet published a list of destination countries deemed to have adequate standards, so the “safe destination” route cannot yet be relied on in practice. Organizations must lean on other mechanisms such as consent or standard contractual clauses.
  • Each AI provider’s policy, such as terms on not using data to train models, can change and differs across vendors. Read each vendor’s latest contract yourself.
  • Always treat the PDPC announcements at pdpc.or.th as the latest source.

Part 1: Lawful basis for using the data

Before using any set of personal data with AI, you must first be able to answer what basis gives the organization the right to use it. The PDPA requires a lawful basis for collecting, using, or disclosing personal data at all times. For general data this often relies on clear consent, or another basis the law allows, such as performance of a contract or legitimate interest.

Tick before you start

A common slip is taking data collected for one purpose and using it with AI for another, without reviewing whether the original basis still covers it.

Part 2: Collect and feed only what is necessary

The PDPA sets the principle of collecting only data necessary for the purpose. This principle runs against a common habit in AI use, where it feels as though the more you feed in, the more accurate the result. The practice that reduces risk is to feed in only the data genuinely necessary for the output.

Tick before you feed

Masking or removing identifying data before feeding substantially lowers PDPA risk when that data can no longer be linked back to an individual.
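One concrete way to carry out this masking step, written here as an added example rather than anything from the article or from any vendor: structured identifiers in a support ticket are replaced with placeholders before the text is sent to an external AI tool, and the placeholder-to-value map stays on the organization's own systems so the answer can be re-linked internally. The patterns (13-digit Thai national ID with its standard mod-11 check digit, Thai mobile numbers, e-mail addresses), the sample ticket and the placeholder format are all assumptions made for the example; free-text names such as "Somchai" are deliberately out of scope, because catching them needs a name list or an NER model rather than a regular expression.

```python
import re
from dataclasses import dataclass, field

# Assumed patterns for this example (not rules stated in the article).
# Order matters: longer identifiers are masked before shorter ones so a
# 13-digit ID is never partially matched as a phone number.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("THAI_ID", re.compile(r"\b\d(?:[ -]?\d){12}\b")),          # 13 digits, optional separators
    ("PHONE", re.compile(r"\b0\d{1,2}[ -]?\d{3,4}[ -]?\d{4}\b")),  # 0XX-XXX-XXXX style
]


def thai_id_checksum_ok(digits: str) -> bool:
    """Standard Thai national ID check digit: weights 13..2 over the first
    12 digits, sum mod 11, subtracted from 11, last decimal digit."""
    if len(digits) != 13 or not digits.isdigit():
        return False
    total = sum(int(d) * (13 - i) for i, d in enumerate(digits[:12]))
    return (11 - total % 11) % 10 == int(digits[12])


@dataclass
class MaskResult:
    text: str                                   # safe to send to the AI tool
    mapping: dict = field(default_factory=dict)  # placeholder -> original; keep on-premises


def mask_personal_data(text: str) -> MaskResult:
    """Replace structured identifiers with stable placeholders such as [EMAIL_1].
    The same value always gets the same placeholder within one document, so the
    model can still see that two mentions refer to the same thing."""
    mapping: dict = {}
    reverse: dict = {}
    counters: dict = {}

    def placeholder(kind: str, value: str) -> str:
        if value in reverse:
            return reverse[value]
        counters[kind] = counters.get(kind, 0) + 1
        tag = f"[{kind}_{counters[kind]}]"
        mapping[tag] = value
        reverse[value] = tag
        return tag

    for kind, pattern in PATTERNS:
        def repl(m, kind=kind):
            value = m.group(0)
            if kind == "THAI_ID":
                # Edge case: a 13-digit run with a bad check digit is probably an
                # order or account number, not an ID. It is still masked (over-mask
                # rather than leak), only labelled differently.
                digits = re.sub(r"\D", "", value)
                kind = "THAI_ID" if thai_id_checksum_ok(digits) else "NUMBER"
            return placeholder(kind, value)
        text = pattern.sub(repl, text)
    return MaskResult(text, mapping)


def restore(text: str, mapping: dict) -> str:
    """Put the original values back into a model answer, internally only.
    Matching whole placeholders avoids [PHONE_1] clobbering [PHONE_10]."""
    return re.sub(r"\[[A-Z_]+_\d+\]", lambda m: mapping.get(m.group(0), m.group(0)), text)


# Constructed sample ticket; the ID carries a valid check digit, the order ref does not.
SAMPLE_TICKET = (
    "Customer Somchai (ID 1-1234-56789-01-4, tel 081-234-5678, "
    "somchai@example.com) asks for a refund. Call 081-234-5678 after 5pm. "
    "Order ref 9876543210123."
)

if __name__ == "__main__":
    result = mask_personal_data(SAMPLE_TICKET)
    print(result.text)      # this is what leaves the organization
    print(result.mapping)   # this never does
```

The masked text is what goes to the AI tool; the mapping is kept alongside the ticket and applied with `restore` only to the model's answer, inside the organization. A placeholder that appears in the masked text but not in the mapping is left untouched, which makes it obvious if the model invented an identifier.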

Part 3: Cross-border data transfer (the most commonly forgotten point)

This is the point where using foreign AI touches the law in a way many organizations do not notice. Popular AI tools such as ChatGPT, Gemini, and Claude process on servers abroad. Sending personal data to these tools may therefore amount to cross-border transfer of personal data, which the PDPA covers with specific, stricter rules.

The core principle is that cross-border transfer is restricted and permitted only when it meets a mechanism the law recognizes, such as a destination country with an adequate protection standard, consent from the data subject, standard contractual clauses, or Binding Corporate Rules within a group of undertakings. An important point to know is that as of now the PDPC has not yet announced a list of destination countries deemed to have adequate standards, so the “safe destination” route cannot yet be relied on. Organizations must lean on another mechanism.

Tick before data leaves the country

Cross-border transfer is a condition separate from consent to use the data. Even when the organization has a lawful basis to use the data, it still needs a mechanism to support sending that data out of the country as a further layer.

Part 4: Vendor contracts (enterprise vs personal accounts)

A difference many do not know is that enterprise packages and free personal accounts carry very different data terms. According to OpenAI’s policy as of 2026, data fed through ChatGPT Enterprise, Business, Team, and the API is not used to train models by default, and a Data Processing Addendum is available to sign in support of data-protection compliance. This differs from using a free personal tier, where data may be used to improve the model unless you turn it off yourself.

This is a provider policy that can change, and each tool has different terms. This article uses OpenAI as the example because its documentation is clear. To use any given tool you must read that vendor’s contract yourself.

Tick before choosing a package

Part 5: Data subject rights and breach notification

The PDPA grants data subjects the right to access, correct, delete, or object to the processing of their data. When an organization uses personal data with AI, it must be ready to respond to these rights, and it must have appropriate data security together with a plan for responding when a breach occurs.

Tick to be ready

For AI projects that make decisions in place of people or use sensitive data, consider conducting a Data Protection Impact Assessment (DPIA), because such processing counts as high-risk to data subject rights.

Part 6: Internal AI-use policy

The whole checklist only holds in practice when there is a written policy stating clearly which categories of data must not be fed into public AI tools, who may use which tool, and what approval is required. This policy helps guard against shadow AI, where employees take organizational data to personal tools without anyone knowing.

Tick for a complete policy

⚠️ Cautions

This article is practical guidance; binding decisions must go through legal counsel. Use this checklist to frame the work and ask the right questions. Setting actual policy and interpreting the law in specific cases requires legal counsel and the latest PDPC guidance.

Do not interpret on your own that “using the cloud does not count as a transfer.” There is an interpretation that sending data to a cloud provider where no third party accesses the data may not count as a cross-border transfer, but this is a fine point that depends on the facts and the contract in each case. Check case by case. Do not assume cloud use is unconditionally permitted.

The no-train policy is a provider statement that can change. This term can be confirmed from provider documentation at a point in time, but it changes and differs across vendors. Always read each vendor’s latest contract yourself.

AI can still produce information that sounds credible yet is wrong. A data-protection checklist does not guarantee the accuracy of content the AI produces. Work with binding consequences must always have a human check it.

Next steps

Start by clearly defining the categories of data that must not be fed into public AI tools, then choose an enterprise package whose data terms support compliance, and only then write the AI-use policy down. A clear data boundary and a policy everyone understands reduce risk far more than relying on individual judgment.
