The Gateway to Thailand: Why Global Organisations Need a Local PDPA Representative
For global organizations, Thailand represents a vibrant and expanding market. However, accessing its 71 million citizens comes with a critical data privacy obligation under the Personal Data Protection Act (PDPA). Even if your company has no office, no employees, and no legal entity within the Kingdom of Thailand, you may still be legally required to appoint a Local Representative.
This is not a mere administrative formality; it is a core component of the PDPA's extraterritorial reach. Failure to comply can sever your connection to the market, exposing your organization to severe financial penalties and regulatory action from Thailand's Personal Data Protection Committee (PDPC).
This article explains this critical requirement. We will detail who needs a representative, their exact responsibilities, and how partnering with a trusted expert with a local presence can transform this legal mandate into a seamless part of your global compliance strategy.
The PDPA's Long Reach: Extraterritoriality Explained
The PDPA applies to any organization, regardless of its location, that processes the personal data of individuals in Thailand. This "extraterritorial" scope is triggered if your organization:
- Offers Goods or Services: This applies to any company that targets individuals in Thailand, whether a payment is required or not. This includes e-commerce websites, SaaS platforms, and digital service providers.
- Monitors Behaviour: This applies to any company that tracks the behaviour of individuals within Thailand. This commonly includes the use of website cookies, analytics, or profiling for targeted advertising.
If your organization is based in Europe, the Americas, or anywhere else outside Thailand and you meet either of these conditions, you are subject to the PDPA. And if you are subject to the PDPA without a legal entity in Thailand, you must appoint a local representative.
The Local Representative: Your Legal Bridge to Thailand
The requirement for a local representative is a key mechanism for regulators to hold foreign companies accountable. This representative is not the same as a Data Protection Officer (DPO).
- A Data Protection Officer (DPO) is an internal role responsible for overseeing your data protection strategy and ensuring compliance from within.
- A Local Representative is an external-facing legal entity or individual based in Thailand, appointed to act as your official point of contact.
Key Responsibilities of a PDPA Representative
Your appointed representative serves as the essential liaison between your organization and both Thai citizens and the regulator. Their mandatory duties include:
- Serving as the Point of Contact for Data Subjects: The representative must be easily accessible to individuals in Thailand. They are the channel through which data subjects can exercise their rights under the PDPA (such as the right to access, rectify, or erase their data).
- Liaising with the Regulator (PDPC): The representative is your official addressee for all communications from the Personal Data Protection Committee. This includes receiving legal notices, information requests, and potential enforcement actions.
- Maintaining Records of Processing Activities (ROPA): The representative must maintain a copy of your ROPA on your behalf and make it available to the PDPC upon request.
By mandating this role, the PDPC ensures that a Thai citizen or the regulator itself does not have to navigate international jurisdictions just to communicate with your company about data privacy.
The High Cost of Non-Compliance
The PDPC is actively enforcing the PDPA, and the penalties for non-compliance are among the strictest in Asia. They can include:
- Administrative Fines: Up to THB 5 million (approx. USD 135,000) for violations, which can include the failure to meet compliance obligations.
- Civil Liability: Compensation for actual damages, plus punitive damages up to twice the amount of actual damages.
- Criminal Penalties: In severe cases, violations can lead to imprisonment for up to one year for the responsible persons.
Failing to appoint a local representative is a clear and easily identifiable violation. It signals to the regulator that your organization is not taking its PDPA obligations seriously, making you a prime target for audits and fines.
❓ Q&A: Thailand PDPA Representative Explained
Q: We are a B2B company. Do we still need a representative?
A: Yes. The PDPA protects "individuals," which includes business contacts, sole traders, and employees of your clients in Thailand. If you are processing their personal data (e.g., in a CRM for marketing) from outside Thailand, the rules apply.
Q: What is the difference between a Representative and a DPO?
A: A DPO (Data Protection Officer) is an internal oversight and advisory role, mandatory for certain high-risk or large-scale processing. A Representative is a local point of contact, mandatory for foreign companies without a legal entity in Thailand that are subject to the PDPA. You may need one, the other, or both.
Q: Can our representative be held liable for our PDPA violations?
A: The representative is primarily a point of contact, but they are responsible for their own duties, such as facilitating communication and maintaining records. The ultimate liability for a data breach or processing violation rests with your organization as the Data Controller. However, choosing an incompetent representative can lead to non-compliance (e.g., by failing to notify you of a PDPC request).
Q: We are a small company. Does this still apply?
A: Yes. Unlike some laws, the PDPA's extraterritorial scope does not have a revenue or volume threshold. If you offer goods or services to, or monitor the behaviour of, individuals in Thailand, you are in scope.
Your Next Step: Secure Your Access to the Thai Market
Do not let a compliance gap become a barrier to one of Asia's most dynamic markets. Ensure your organization is fully compliant and protected.
Contact Formiti Data International today to discuss our Thailand PDPA Representative services and get a demo of the Privacy360 platform. Let our local experts in Nakhon Sawan, backed by our global enterprise tool, be your trusted partner in Thailand.
