Huge Fines Imposed by Thailand's PDPC: A Major Alert on Data Privacy Violations (Thailand) - Lexology
1. Background

On 1 August 2025, Thailand's Personal Data Protection Committee (PDPC) announced the issuance of 8 fines totaling THB 14.5 million (approximately USD 448,000), which were levied against one government agency and other private entities for non-compliance with the Personal Data Protection Act of 2019 (PDPA) in 5 cases.

Since the official enforcement of the PDPA, this marks the second significant instance in which the PDPC has imposed fines on non-compliant data controllers and data processors. The first issuance of fines occurred last year, when the PDPC penalized data controllers for their failure to provide appropriate security measures, notify the PDPC of the data breach and appoint a Data Protection Officer (DPO), with fines totaling THB 7,000,000 (approximately USD 216,000). Consequently, the cumulative total of fines issued by the PDPC up to the present time amounts to approximately THB 21.5 million (approximately USD 660,000).

2. Summary of non-compliance cases

According to the public statements of the PDPC, the 5 cases of non-compliance with the PDPA can be summarized as follows:

In addition to the fines, the PDPC also issued administrative orders against the entities above which failed to comply with the PDPA, requiring them to rectify the system on which the hacking and leakage occurred. The payment of fines and the rectification of non-compliance shall be done within 30 days from the date of receipt of such administrative order from the PDPC. Failure to comply with such order from the PDPC will result in an additional administrative fine of not more than THB 500,000 being imposed.

3. Key takeaways

By addressing violations of the PDPA, the PDPC reinforces the notion that protecting personal data is a universal responsibility, and that there exists accountability as well as legal requirements under the PDPA. The PDPC presents its stance that such responsibility and accountability shall apply equally to every organization, whether in the public or private sector, and/or every individual person, so long as such organization or person processes personal data, regardless of size, industry or sector. Hence, penalties under the PDPA can be imposed on juristic persons, individual persons and government agencies. This is evident from the outcomes of Case 1 and Case 2, where the fines were imposed on a government agency and an individual person, respectively.

In addition, having the status of either a data controller or a data processor does not engender differing levels of penalties. As demonstrated in Case 5, the data processor was subject to a higher penalty than the data controller. In all cases, including the case where a data processor is appointed to handle personal data, the data controller solely has the power to make decisions over the data processing activities. Although a data processor does not have decision-making power over data processing activities, this PDPC decision shows that the data processor shall still strictly comply with the PDPA.

Importantly, Case 2 serves as a strong warning for data controllers to exercise careful consideration when selecting third parties as data processors for the processing of personal data (e.g. for maintaining, analyzing or destroying personal data on their behalf). This PDPC decision suggests that the selection of a reliable data processor should be included as part of the data controller's responsibility. In addition, the data controller should be mindful to closely monitor the processing activities of the data processor to ensure the effective protection of personal data.

Notably, the cases summarized above show that, when determining fines, the PDPC took into account the data controllers' and data processors' actions towards the data breach, including the extent to which affected data subjects received remedies, the steps taken by the relevant data controllers and data processors after the occurrence of a data breach incident, and the timing and adequacy of post-incident measures.

Among Cases 3-5, the PDPC took into account the remedies provided to the data subjects when determining the fines imposed on the data controllers in each case. This is evident from the differing approaches in Case 3 as compared to Cases 4 and 5. In Case 3, the data controller, which did not provide any remedy to the affected data subjects, was fined at the maximum of the range. In contrast, in Cases 4 and 5, the data controllers provided remedies to the affected data subjects, and the fines for Cases 4 and 5 were lower than in Case 3. Although the details of the remedies provided were not disclosed, we may assume that the existence of such remedies influenced the PDPC's consideration of the severity of the fine.

4. Conclusion

This movement of the PDPC reflects its heightened rigor in enforcing the PDPA, emphasizing that compliance is not merely a regulatory formality but is instead a binding obligation for all entities handling personal data. This decisive move of the PDPC highlights the need to implement robust personal data protection measures and maintain a well-defined incident response plan to manage data breach incidents effectively and potentially reduce penalties.
Copyright 2006-2025 Law Business Research