
August 1, 2025

More Than a Warning: Eight Serious Fines Imposed in Thai Data Protection Cases

Thailand’s Personal Data Protection Committee (PDPC) announced to the press on August 1, 2025, that it had issued eight new administrative fines under Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) in five cases of noncompliance by public and private entities. The enforcement actions reflect a growing commitment by the PDPC to penalize noncompliance across all sectors, regardless of organizational type or size. The total amount imposed to date was approximately THB 21.5 million (approx. USD 654,690), underscoring the financial risks tied to PDPA violations.

The five cases—one involving a state agency and the remainder in the private sector—are summarized below.

Case 1: State Agency Providing Online Services to the Public

The order in this case stemmed from a cyberattack on a state agency’s web app, resulting in personal data of 200,000 data subjects being leaked to and sold on the dark web. The software developer was also found to have implemented no privacy by design, lacked an access control system, had no data breach prevention measures, and failed to conduct risk assessments or review existing security measures.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Weak password protection
  • No risk assessment or ongoing review of security measures
  • No data processing agreement with software developer that acted as data processor

The state agency and the developer were each fined THB 153,120 (approx. USD 4,670).

Case 2: Private Hospital

This case involved a hospital that engaged an individual contractor to destroy patient medical record documents. However, the contractor stored the documents at their own premises, failed to follow the required destruction protocols, and ultimately used the medical records to wrap sweets, resulting in the leak of over 1,000 records during the destruction process. The contractor also failed to notify the hospital of the data breach. Although there was a written agreement between the parties, the hospital’s failure to properly monitor and control the destruction process in accordance with the prescribed standards led to the medical records not being destroyed and being used for other purposes. The images of the wrapped sweets were later posted on social media and discovered by the PDPC.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Failure to report data breach incidents

The hospital was fined THB 1,210,000 (approx. USD 36,880), while the individual contractor was fined THB 16,940 (approx. USD 515).

Case 3: Computer and Accessories Trading Giant

Over 100 data subjects filed complaints with the PDPC following a call center scam resulting from a data breach incident. The company did not provide remedial action for the affected data subjects within the specified timeframe.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Failure to report data breach incidents
  • No appointment of a data protection officer (DPO)

The company was fined THB 7 million (approx. USD 213,380). The company’s revenue and size were taken into account when determining the fine amount.

Case 4: Cosmetics Company

In this case, a cosmetics company failed to implement adequate security measures as required by the PDPA, resulting in leakage of personal data to a call-center gang (scam operators). The company also failed to notify the Office of the PDPC of the data breach incident as required by the PDPA. However, the company did provide remedial action for the affected data subjects.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Failure to notify the PDPC of the data breach incident

The company was fined THB 2.5 million (approx. USD 76,210).

Case 5: Collectible Toy Company

This case involved a collectible toy company that hired a data processor to manage its reservation system. The system was compromised and accessed by an unauthorized party for about 10 minutes, resulting in approximately 200,000 personal data records being amended without authorization. The toy company, as the data controller, promptly provided remedial action for the affected data subjects. However, the data processor failed to (1) take prompt action to contain the incident, (2) notify the data controller of the incident, and (3) provide remedial action for the affected data subjects.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Failure to comply with data breach notification requirements

The collectible toy retailer was fined THB 500,000 (approx. USD 15,240), while its data processor was fined THB 3,000,000 (approx. USD 91,450).

Considerations

The five cases highlight three common failures that can lead to the imposition of administrative fines:

  • Lack of appropriate security measures or regular review of the measures
  • Failure to report data breach incidents
  • Failure to appoint a DPO

The PDPC reiterated its “zero data breach” objective and stated that organizations are required to comply with the PDPA, ensure appropriate security measures are in place, regularly conduct risk assessments, and establish transparent monitoring systems.

This latest wave of enforcement confirms that PDPA compliance is no longer optional or merely a matter of paperwork, as both public and private entities are now subject to active scrutiny and penalties requiring strict adherence. The recurrence of key noncompliance issues across all five cases provides a clear roadmap of regulatory expectations. Organizations subject to the PDPA should act without delay to reassess their data protection frameworks, address compliance gaps, and ensure preparedness for future enforcement actions.
