- 24
- May
Our earlier piece Claude Team Admin Console answered what admins can and cannot do. This article answers what Thai DPOs and legal teams keep asking: "How do I configure it to align with PDPA?" Every section here names the exact menu to click, the PDPA article that backs the control, and what Claude Team can or cannot enforce — so an admin can stand up and configure right after reading.
TL;DR — How Thailand's PDPA maps to Claude Team
- Roles (PDPA §6): your company = Data Controller, Anthropic = Data Processor, via a DPA auto-incorporated into the Commercial Terms.
- Cross-border §27-29: data leaves Thailand for the US. Anthropic uses EU-style SCCs as the transfer mechanism — Thailand's PDPDC accepts SCC-equivalent safeguards, but you still owe an updated Privacy Notice disclosing the overseas processor.
- §37 Security: configured in Settings → Members (role), Connectors (allowlist), MCP (Premium), Tool Permissioning (Premium).
- §40 Retention: Team (Standard/Premium) uses Anthropic's default retention with no custom override — custom retention or Zero Data Retention requires Enterprise.
- §30-39 Data Subject Rights: members export/delete their own data at Settings → Account; the Primary Owner requests a workspace export via support.
- §37(4) Breach detection: Settings → Audit Log shows admin actions, but does not log chat content.
- Caveat: the Anthropic DPA names SCCs for GDPR/UK/Swiss, not PDPA explicitly — handle the gap with an internal addendum + Privacy Notice + DPIA.
1. PDPA map — which article maps to which Claude Team menu
Quick reference before the detail: which PDPA article you're satisfying and which menu you click.
| PDPA article | Topic | Where you configure it | Tier required |
|---|---|---|---|
| §6 | Controller/Processor roles | Accept Commercial Terms (DPA attached) + request countersigned DPA via privacy@anthropic.com |
Team / Enterprise |
| §19-21 | Lawful basis + purpose limitation | Internal policy + Acceptable Use Policy signed by staff | All tiers |
| §23-25 | Privacy Notice | Your company's Privacy Notice — disclose Anthropic as processor | All tiers |
| §27-29 | Cross-border transfer | Anthropic SCCs (in DPA) + disclose in Privacy Notice + DPIA | Team / Enterprise |
| §30-37 | Data Subject Rights | Member: Settings → Account → Data Controls. Workspace: Primary Owner requests data export. | Team / Enterprise |
| §37 Security | Security measures | Settings → Members (role) + 2FA + Connectors + MCP + Tool Permissioning | Team (basics), Premium (MCP/Tool) |
| §37(4) | Breach detection + 72h notice | Settings → Audit Log + internal workflow + Anthropic security contact | Team / Enterprise |
| §40 | Data retention | Team uses default — Enterprise: Organization settings → Data and Privacy → Retention period (min 30 days) | Enterprise only |
| §41 | DPO inside your org | Appoint a DPO + make the DPO an Owner/Admin on the workspace | All tiers |
2. Sign the DPA with Anthropic (PDPA §20)
§20 requires the Controller (you) to have a written contract with the Processor (Anthropic) covering scope, duration, security measures, and return/destruction of data. Anthropic publishes a DPA template.
📍 Where to do it:
- Open privacy.claude.com → find the article "How do I view and sign your Data Processing Addendum (DPA)?"
- Anthropic states the DPA + SCCs are automatically incorporated into the Commercial Terms — accepting the Commercial Terms at workspace creation = accepting the DPA.
- If legal needs a countersigned DPA with both logos, email
privacy@anthropic.comwith your workspace ID, legal entity name, and address. - Archive the DPA + Commercial Terms signed at workspace creation as evidence for PDPA §20.
Caveat: Anthropic's DPA enumerates GDPR, UK GDPR, and Swiss FADP compliance. It does not list Thai PDPA explicitly. The SCC mechanism it uses can be mapped to PDPA §28-29 — but draft a short PDPA addendum (one page stating that the DPA's SCCs cover PDPA transfer requirements) and have your legal counsel review it.
3. Your Privacy Notice (PDPA §23-25)
§23-25 require notifying data subjects (employees, customers, partners) before processing. If your staff prompts their data into Claude, you must disclose it — and that's done in your company's own Privacy Notice, not in the Claude Admin Console.
Add to your Privacy Notice (short template):
- Disclose use of Anthropic's Claude as a processing tool.
- State Anthropic is a Data Processor under a signed DPA.
- List categories of data that may be processed (internal email, documents, source code).
- Disclose cross-border transfer to the US and the SCC safeguard.
- State the retention default and how data subjects exercise rights through your company (not via Anthropic directly — you are the Controller).
4. Roles and access (PDPA §37 Security)
§37 requires "appropriate security measures." Access control is the foundation.
📍 Where: Settings → Members
- Add a backup Owner — protects you when the primary Owner leaves and legal needs to answer a DSAR.
- Role assignment: Owner (full + billing + delete workspace), Admin (manage members + settings, no delete), Member (regular use).
- Least privilege: general AI users → Member, IT/DPO → Admin, MD → Owner.
- 2FA: Anthropic offers 2FA at the user account level. Make it policy that every seat in the workspace enables 2FA (each user sets it in Settings → Account → Security).
- Offboarding: when staff leave, click "Remove from workspace" in Members. The user loses access immediately; workspace history remains.
5. Data Settings — confirm No Training (PDPA §21 purpose limitation)
§21 limits processing to the stated purpose. Becoming AI training material is a "new purpose" that data subjects did not consent to.
📍 Where: Settings → Data Settings
- Verify "Use data for training" — Team/Enterprise plans have this OFF by default (no toggle needed), per Anthropic's policy. The admin still needs to see it personally so it can be used as evidence.
- Trust & Safety review: Anthropic may inspect content flagged for abuse — separate from training, and disclose this in your Privacy Notice.
- Screenshot the current state as evidence for DPO audits.
Watch out for personal accounts: if staff log into a Pro/Max personal account on a company device, no-training is not the default — the user has to toggle it. This is the governance reason for forbidding personal accounts with company data and mandating Team seats.
6. Connector + MCP allowlist (PDPA §37 Security)
Connectors (Google Drive, Slack, GitHub, M365) and MCP servers are the doorways through which Claude reaches into your systems. Without an allowlist, Claude can pull PDPA-sensitive data outward.
📍 Settings → Connectors:
- Only enable what's used: your Google Workspace, your GitHub org — disable external connectors you don't need.
- Pick the scope: if Anthropic lets you choose Drive scopes granularly, pick only the folders Claude actually works with — not the whole account.
📍 Settings → MCP Configuration (Premium only):
- Set the allowlist: members can only add MCP servers the admin has pre-approved — block MCPs from vendors that haven't passed security review.
- Recommended pattern: allow only internal MCPs (in-house Postgres, GitHub Enterprise) plus first-party MCPs Anthropic certifies — block unknown third-party MCPs.
📍 Settings → Tool Permissioning (Premium only):
- Block Claude Code from running
rm -rf,sudo, system-file deletes. - Block edits outside the project directory.
- Block network egress to endpoints outside the allowlist.
7. Data retention (PDPA §40)
§40 requires deletion or anonymization once data is no longer needed. Team plan options are limited here:
| Plan | Custom retention? | How |
|---|---|---|
| Team (Standard/Premium) | ✗ | Uses Anthropic default — members delete chats, Anthropic deletes from backend per policy. |
| Enterprise | ✓ minimum 30 days | Organization settings → Data and Privacy → Retention period |
| Enterprise (qualifying) | ✓ Zero Data Retention (ZDR) | Sign a ZDR agreement with Anthropic — only qualifying API customers. |
On Team plan: state in your Data Retention Policy that you "rely on Anthropic's default retention" plus an internal workflow where admin sweeps unused Projects each quarter. For regulated industries (healthcare, finance, government) that need explicit retention control, upgrade to Enterprise.
8. Data Subject Rights (PDPA §30-37)
§30-37 grant access, rectification, deletion, and portability. Split this into two cases.
Case 1: the employee themself (a workspace user)
📍 Settings → Account → Data Controls (member self-serve):
- Export their own conversations.
- Delete chats individually or in bulk.
- Review Privacy & Security settings on the account.
Case 2: an outside person (customer) whose data lives inside a staff chat
Example: Customer A asks you to delete their data, but staff once prompted A's name/email into Claude. Your company carries the obligation — you're the Controller.
📍 The workflow:
- Primary Owner requests a data export for the workspace through Anthropic support (per Help Center).
- Search the export for the data subject's information.
- Direct the relevant members to delete the chats (or admin archives the Project).
- Contact Anthropic to delete the backend copy under the retention default.
- Respond to the data subject within 30 days (PDPA §32).
9. Audit Log + breach detection (PDPA §37(4))
§37(4) requires breach notification within 72 hours. You need a detection mechanism first.
📍 Settings → Audit Log:
- What it shows: every admin action (add/remove user, change setting, allow connector) with timestamp + actor + target.
- What it does not show: member chat content, prompts, file contents — log entries hold only a unique identifier.
- Workflow: schedule a second admin to review the audit log every 7 days to catch anomalies fast.
- How long it's kept: Anthropic retains workspace audit log per policy. For longer retention, export the log to internal storage.
10. PDPA-compliant setup checklist — first 30 minutes after opening the workspace
Open a new workspace and follow this list. In 30 minutes you reach reasonable PDPA alignment.
| # | Task | Menu / where | PDPA |
|---|---|---|---|
| 1 | Archive evidence of DPA + Commercial Terms acceptance | Screenshot at Terms-accept time | §20 |
| 2 | Set Workspace name + logo | Settings → Workspace → Brand | §41 (DPO identification) |
| 3 | Invite backup Owner + DPO as Admin | Settings → Members → Invite | §37, §41 |
| 4 | Assign roles (Owner/Admin/Member) | Settings → Members → Role | §37 (least privilege) |
| 5 | Enforce 2FA policy for every seat | Communication + Settings → Account → Security per user | §37 (security) |
| 6 | Verify Data Settings — no-training is OFF (default) | Settings → Data Settings → screenshot | §21 |
| 7 | Set Connector allowlist | Settings → Connectors → disable unused | §37 (security) |
| 8 | Set MCP allowlist (Premium) | Settings → MCP Configuration | §37 (security) |
| 9 | Set Tool Permissioning (Premium) | Settings → Tool Permissioning | §37 (security) |
| 10 | Set Spend Cap (Premium) | Settings → Spend Cap | Risk management |
| 11 | Update company Privacy Notice | Company documents (not in Anthropic) | §23-29 |
| 12 | Set up Audit Log review (second admin reviews weekly) | Settings → Audit Log + Calendar | §37(4) |
| 13 | Run a DPIA for Claude usage | Company documents + held by DPO | §33 (best practice) |
| 14 | Have employees sign Acceptable Use Policy | HR / internal documents | §21 (purpose limitation) |
| 15 | Publish DSAR contact in your Privacy Notice | DPO email + 30-day response SLA | §30-37 |
PDPA does not require you to use any particular vendor — it requires your organization to act as a responsible Controller. Misconfigure Claude Team, and your company bears the liability, not Anthropic — because you are the one feeding data into the system.
- Controller-Processor principle, PDPA §6 and §20
11. Questions DPOs ask most — quick answers
- Is moving from Personal to Claude Team enough to satisfy PDPA? → No — add DPA + Privacy Notice update + DPIA + signed AUP + DSAR workflow + 72-hour breach workflow.
- Can Anthropic count as a "foreign processor" under §27-29? → Yes, if the SCC mechanism in the DPA is in place + disclosed in your Privacy Notice + a DPIA exists. EU-style SCCs are equivalent enough for Thai PDPDC purposes.
- Can Team plan set its own retention? → No — only Enterprise can. Team uses Anthropic defaults.
- Can admins read staff chats? → Not in the Console UI. But the Primary Owner can request a workspace data export — your AUP must tell staff that workspace accounts are not as private as Personal accounts.
- Does Audit Log include chat content? → No — only admin actions + identifiers, no prompt/response.
- If a breach happens on Anthropic's side, who notifies the Thai PDPDC within 72 hours? → You (the Controller). Anthropic (Processor) must notify you per the DPA — then you notify the PDPDC. Make sure you have a working contact channel with Anthropic security.
- Can HR/legal sensitive data go into Claude Team? → Standard personal data: yes, with lawful basis disclosed in the Privacy Notice. Special-category data (PDPA §26 — religion, health, biometric): only with explicit consent + Enterprise + DPIA. Team plan is not appropriate for §26 sensitive data.
References
- Anthropic Privacy Center — How do I view and sign your DPA?
- Anthropic Privacy Center — Configure custom data retention (Enterprise)
- Anthropic Trust Center — SOC 2, DPA, training data policies
- Anthropic Privacy Policy
- Claude Help Center
- Thailand Personal Data Protection Committee (PDPDC)
- Saeree ERP — Claude Team Admin Console: Setting Policy by Data Governance
- Saeree ERP — AI Governance for Thai Organizations
- Saeree ERP — Claude Team Premium $100 with Admin Controls
Interested in Claude Team for your organization? Request a quote from Grand Linux Solution
Grand Linux Solution has been a Claude Team Premium customer since launch — tell us the number of seats you need (Standard/Premium) and the number of users, and our team will send you a quote with setup recommendations tailored to your organization's data governance.
Request a quoteTel 02-347-7730 | sale@grandlinux.com
