
The Thai Personal Data Protection Committee (PDPC) has imposed its inaugural administrative penalty under the Personal Data Protection Act B.E. 2562 (2019) (PDPA), marking a significant milestone in enforcement.
In a press conference on August 21, 2024, the Thai PDPC announced that it had imposed fines totalling 7 million baht (approximately USD 205,520) on a major private corporation responsible for safeguarding the personal data of over 100,000 individuals. The company was found to have violated multiple key provisions of the PDPA, following an investigation triggered by a data breach.
This action underscores the increasing importance of data protection in Thailand, particularly in light of growing concerns over personal data breaches and their misuse by criminal organizations, such as call center scammers.
This case is particularly significant as it represents the first instance of the PDPC taking strict and decisive enforcement action since the PDPA fully came into effect in 2022. The PDPC imposed a substantial fine and mandated corrective measures, setting a precedent for how data breaches will be addressed across both government and private sectors in Thailand.
This decisive administrative action delivers a clear message to all organizations: compliance with data protection regulations is now being strictly monitored and enforced. It underscores the PDPC’s strong commitment to upholding PDPA standards and serves as a stark warning to organizations in Thailand regarding the critical importance of data protection.
Organisations operating in or connected to Thailand should promptly review their data protection strategies to ensure compliance with current legal requirements and prevent similar breaches and penalties in the future.
Case Background
The incident came to light when customers received unsolicited phone calls from scammers shortly after making online purchases from the company, a retailer of IT products through its online trading platform.
After a complaint was filed by a personal data subject, the company not only disregarded the issue but also failed to implement any corrective measures. The late report of the incident to the PDPC led to a violation of Section 37(4) of the PDPA.
PDPC investigations uncovered that the company’s failure to implement appropriate security measures resulted in the data leak to fraudulent groups and call center gangs, who then used the information to commit fraud.
Key Areas of Non-Compliance
The PDPC identified three violations of key provisions of the PDPA:
a. Failure to appoint a Data Protection Officer (DPO), as mandated by Section 41 of the PDPA for organizations handling substantial volumes of personal data. This violation is subject to an administrative fine of up to 1 million baht.
b. Failure to implement adequate security measures, in violation of Section 37(1) of the PDPA, which requires appropriate safeguards to prevent unauthorized access, use, modification, or disclosure of personal data. This breach carries a fine of up to 3 million baht.
c. Failure to notify the PDPC of the personal data breach within the mandated timeframe. This violation is also subject to a fine of up to 3 million baht.
The maximum administrative penalties were imposed due to the magnitude of the data breach and the company’s failure to address the breach promptly after an initial warning. In addition to the financial penalty, a corrective order detailing specific directives the company must comply with was also issued.
Enforcement Actions
The company is ordered to:
a. pay a fine of 7 million baht (USD 205,810); and
b. enhance security measures to prevent future data breaches. These include:
(i) Promote awareness among staff: The company must conduct training programs for relevant employees to foster understanding of data compliance and protection guidelines.
(ii) Implement up-to-date security measures: The company must strengthen its security measures to safeguard against data breaches and ensure that these measures keep pace with the ever-changing threat landscape.
(iii) Report the corrective measures taken under the corrective order to the PDPC within 7 days.
Conclusion and Key Takeaways
Data protection is not merely a legal requirement but also an ethical duty. Organisations should implement robust data protection measures not only to comply with regulations but also to demonstrate their commitment to safeguarding customer data and building trust.
This landmark decision serves as a key reminder to all businesses (in both public and private sectors) in Thailand that the government is taking personal data protection very seriously. Organisations operating in or with connections in Thailand must reassess and constantly update their personal data protection strategies to ensure they are compliant with the legal requirements under Thailand’s PDPA and to avoid similar violations and penalties.
This also underscores the Thai PDPC’s strong commitment to data protection, demonstrating their proactive approach, with expectations that more enforcement actions will follow in the future.
As data protection regulations evolve globally, this is a timely reminder for organisations doing business in the region to get their act together. For companies operating in Thailand, this recent enforcement action underscores the importance of robust data protection practices and of working closely with a qualified data protection officer who understands the requirements under the PDPC.
To comply with the PDPA, organizations must fulfill all obligations, including appointing a Data Protection Officer (DPO) when required, implementing robust security measures, and adhering to timely breach notification protocols. As a leading provider of data protection and privacy services in the Asia Pacific region, Pristine Privacy keeps its clients updated on regulatory changes across APAC, guiding them through the complexities of data protection compliance and helping them stay aligned with evolving local regulations.