Skip to main content
AI & Technology

PDPC Issues Draft Personal Data Protection Guidelines for AI — How Organizations Using AI Must Adapt

สคส. เปิดร่างแนวปฏิบัติคุ้มครองข้อมูลส่วนบุคคลสำหรับ AI ฉบับแรกของไทย กำหนดให้องค์กรที่ใช้ AI เป็น Data Controller และต้องจัดการข้อมูลตาม PDPA อย่างเข้มงวด

3 Mar 20265 minMondaq
PDPAAI Governanceสคส.Data Protection

PDPA and AI — Now Formally Converging

In February 2026, Thailand’s Personal Data Protection Committee Office (PDPC) released the draft Personal Data Protection Guidelines for the Development and Use of Artificial Intelligence for public consultation across sectors.

It may sound technical, but in reality it directly affects every organization currently using AI — whether for customer service chatbots, customer data analytics systems, or even HR tools that use AI to screen applications.

Key Issues Organizations Need to Understand

1. Organizations that deploy AI are Data Controllers

The draft guidelines clearly state that organizations using AI with personal data are considered data controllers, meaning they bear the full set of responsibilities required under the PDPA, including consent, data minimization, and transparency.

This applies not only to tech companies building AI, but also to any organization that adopts and uses AI in practice.

2. Vendors that use data to train AI may be classified as Data Controllers

This is a critical issue for organizations using external AI services. If a vendor uses your customer data to train its model without a clearly defined agreement, that vendor may be reclassified as a data controller. This is something organizations should review in their contracts immediately.

3. What the guidelines cover

The draft focuses on four main areas:

  1. Consent — Clear consent must be obtained before using data in AI, not merely through general terms in an agreement
  2. Data Minimization — AI should use only the data that is genuinely necessary, rather than ingesting all available data for processing
  3. Transparency — Users must understand what decisions AI is making, how those decisions are made, and on what basis
  4. Data Subject Rights — Data subjects retain their rights to object, correct, or delete data used in AI systems

Not Yet Legally Enforceable, but the Direction Is Clear

The draft does not yet have legal force, but the direction of future enforcement is already very clear. The PDPC is building a framework that can be used to assess whether the AI systems organizations use are compliant with the PDPA.

A key point of caution is that the PDPC’s Eagle Eye Crawler is already operating proactively, which means these guidelines may begin to serve as evaluation criteria even before they are formally enacted.

What Should Organizations Do Now?

If your organization uses AI anywhere in its operations, whether extensively or in limited ways, it should start with the following:

  • Conduct an AI Data Flow Audit — Identify where personal data flows through AI systems and what outputs it generates
  • Review Consent Coverage — Confirm whether existing consent covers AI-related use cases
  • Reassess Vendor Contracts — Check whether your AI vendor agreements clearly prohibit using your data to train models
  • Prepare Transparency Notices — Ensure users or customers receive clear explanations of how AI uses their data

Enersys’ PrivacyHub helps manage the consent lifecycle from the outset, creates a data inventory that identifies which data flows into which AI systems, and builds an audit trail that demonstrates to the PDPC that the organization handles data responsibly — both before and after these guidelines become formally effective.

References: Mondaq | IAPP | Personal Data Protection Committee Office

ลิงก์ที่เกี่ยวข้อง

Genesis AI Platform

แพลตฟอร์ม Agentic AI สำหรับองค์กร

AI Readiness Assessment

ประเมินความพร้อม AI ขององค์กรฟรี

ติดต่อปรึกษา AI Strategy

พูดคุยกับผู้เชี่ยวชาญ

Back to Insights

Related Articles

AEO + SEO — The Survival Guide for When AI Swallows Google Search

Gartner predicts search volume will drop 25% by 2026 and 50% by 2028 — while zero-click search has surged to 65%. Websites that fail to adapt will disappear from customers’ view. This article is a complete guide for Thai businesses.

AEO vs GEO — A Deep Dive into the Two Strategies That Determine Whether AI Will "See" or "Skip" Your Website

Web mentions correlate with AI citations 3x more strongly than backlinks, AI referral traffic grew 527% YoY, and websites with schema are 2.5x more likely to be cited by AI — a complete AEO vs GEO guide with audit steps and website optimization tips.

Agentic AI in the Enterprise — From 5% to 40% by 2026: Opportunities and Risks Every Executive Should Know

The Agentic AI market is growing from $1B to more than $9B in just two years. Gartner predicts that 40% of enterprise applications will include AI agents by the end of 2026, but more than 40% of projects may also be canceled. Here is a practical look at the opportunities, risks, and strategies for Thai enterprises.

"Empowering Innovation,
Transforming Futures."

ติดต่อเราเพื่อทำให้โปรเจกต์ของคุณเป็นจริง