Thailand’s PDPA Enforcement Actions Signal a New Era of Accountability for International Schools

Introduction: From Landmark Fine to Systemic Enforcement

In August 2024, Thailand’s Personal Data Protection Committee (PDPC) made headlines with its first landmark fine — THB 7 million imposed on a major IT retailer for failing to appoint a Data Protection Officer (DPO), implement adequate security measures, and notify the PDPC of a breach. That case set the tone for Thailand’s data protection landscape.

Fast forward to 1 August 2025, and the PDPC has escalated its enforcement efforts, announcing eight fines totaling THB 21.5 million across five distinct cases. These actions mark a shift from isolated penalties to systemic enforcement, sending a clear message: compliance is no longer optional.

The Five Cases: A Snapshot of Risk

Each case reveals vulnerabilities that are not unique to Thai businesses — they are highly relevant to international schools operating in or recruiting from Thailand.

1. Government Agency Cyberattack

A compromised web application led to the leak of 200,000+ personal records, later sold on the dark web. The agency and its developer were fined for failing to implement privacy-by-design, conduct risk assessments, and secure vendor agreements.

2. Private Hospital Disposal Breach

Over 1,000 patient records were found being used as snack wrappers after improper disposal by a contractor. The hospital was fined THB 1.2M for failing to monitor the disposal process and ensure secure handling of physical data.

3. Technology Retailer Scam Breach

Scam calls targeted 100+ individuals after a breach. The retailer had no DPO, failed to report the breach, and lacked adequate safeguards — resulting in a THB 7M fine.

4. Cosmetics Company Breach

Poor security allowed scam operators to access customer data. The company failed to notify the PDPC and was fined THB 2.5M.

5. Toy Retailer & Processor Breach

A processor managing a reservation system failed to contain a breach affecting 200,000 records. Both the processor and retailer were fined, highlighting shared liability.

Why This Matters for International Schools

International schools often operate with complex data ecosystems — admissions platforms, learning management systems, third-party vendors, and cross-border data flows. These cases underscore several critical lessons:

• Vendor Risk is Real: Schools must ensure third-party processors are contractually bound and monitored.

• Physical Data is Still a Threat: Printed student records and health forms require secure disposal protocols.

• DPO Appointment is Not Optional: Schools processing large volumes of personal data must appoint a qualified DPO.

• Breach Notification Protocols Must Be Operationalised: Policies alone are not enough — schools need tested response plans and staff training.

Leadership Accountability: The Next Frontier

These enforcement actions challenge the assumption that having basic policies equals compliance. They highlight the need for leadership accountability in operationalising privacy frameworks — a theme that resonates across Asia’s evolving regulatory landscape.

For international schools, this means moving beyond checklists and templates to embedding privacy into daily operations, staff culture, and strategic planning.

Conclusion: A Wake-Up Call for the Education Sector

Thailand’s PDPC has made its stance clear: zero tolerance for data breaches. For international schools, this is not just a Thai issue — it’s a regional signal. With similar laws emerging in Vietnam, Indonesia, and Malaysia, the time to act is now.

Pristine Privacy supports international schools in navigating these challenges — from DPO appointment to breach readiness and vendor governance. Let’s turn compliance into confidence.