You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
August 1, 2025

More Than a Warning: Eight Serious Fines Imposed in Thai Data Protection Cases

Subscribe to Updates

Thailand’s Personal Data Protection Committee (PDPC) announced to the press on August 1, 2025, that it had issued eight new administrative fines under Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) in five cases of noncompliance by public and private entities. The enforcement actions reflect a growing commitment by the PDPC to penalize noncompliance across all sectors, regardless of organizational type or size. The total amount imposed to date was approximately THB 21.5 million (approx. USD 654,690), underscoring the financial risks tied to PDPA violations.

The five cases—one involving a state agency and the remainder in the private sector—are summarized below.

Case 1: State Agency Providing Online Services to the Public

The order in this case stemmed from a cyberattack on a state agency’s web app, resulting in personal data of 200,000 data subjects being leaked to and sold on the dark web. The software developer was also found to have implemented no privacy by design, lacked an access control system, had no data breach prevention measures, and failed to conduct risk assessments or review existing security measures.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Weak password protection
  • No risk assessment or ongoing review of security measures
  • No data processing agreement with software developer that acted as data processor

The state agency and the developer were each fined THB 153,120 (approx. USD 4,670).

Case 2: Private Hospital

This case involved a hospital that engaged an individual contractor to destroy patient medical record documents. However, the contractor stored the documents at their own premises, failed to follow the required destruction protocols, and ultimately used the medical records to wrap sweets, resulting in the leak of over 1,000 records during the destruction process. The contractor also failed to notify the hospital of the data breach. Although there was a written agreement between the parties, hospital’s failure to properly monitor and control the destruction process in accordance with the prescribed standards led to the medical records not being destroyed and being used for other purposes. The images of the wrapped sweets were later posted on social media and discovered by the PDPC.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Failure to report data breach incidents

The hospital was fined THB 1,210,000 (approx. USD 36,880), while the individual contractor was fined THB 16,940 (approx. USD 515).

Case 3: Computer and Accessories Trading Giant

Over 100 data subjects filed complaints with the PDPC following a call center scam resulting from a data breach incident. The company did not provide remedial action for the affected data subjects within the specified timeframe.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Failure to report data breach incidents
  • No appointment of a data protection officer (DPO)

The company was fined THB 7 million (approx. USD 213,380). The company’s revenue and size were taken into account when determining the fine amount.

Case 4: Cosmetics Company

In this case, a cosmetics company failed to implement adequate security measures as required by the PDPA, resulting in leakage of personal data to a call-center gang (scam operators). The company also failed to notify the Office of the PDPC of the data breach incident as required by the PDPA. However, the company did provide remedial action for the affected data subjects.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Failure to notify the PDPC of data breach incident.

The company was fined THB 2.5 million (approx. USD 76,210).

Case 5: Collectible Toy Company

This case involved a collectible toy company that hired a data processor to manage its reservation system. The system was compromised and accessed by an unauthorized party for about 10 minutes, resulting in approximately 200,000 personal data records being amended without authorization. The toy company, as the data controller, promptly provided remedial action for the affected data subjects. However, the data processor failed to (1) take prompt action to contain the incident, (2) notify the data controller of the incident, and (3) provide remedial action for the affected data subjects.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Failure to comply with data breach notification

The collectible toy retailer was fined THB 500,000 (approx. USD 15,240), while its data processor was fined THB 3,000,000 (approx. USD 91,450).

Considerations

The five cases highlight three common failures that can lead to the imposition of administrative fines:

  • Lack of appropriate security measures or regular review of the measures
  • Failure to report data breach incidents
  • Failure to appoint a DPO

The PDPC reiterated its “zero data breach” objective and stated that organizations are required to comply with the PDPA, ensure appropriate security measures are in place, regularly conduct risk assessments, and establish transparent monitoring systems.

This latest wave of enforcement confirms that PDPA compliance is no longer optional or merely a matter of paperwork, as both public and private entities are now subject to active scrutiny and penalties requiring strict adherence. The recurrence of key noncompliance issues across all five cases provides a clear roadmap of regulatory expectations. Organizations subject to the PDPA should act without delay to reassess their data protection frameworks, address compliance gaps, and ensure preparedness for future enforcement actions.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

August 1, 2025
On July 30, 2025, Myanmar’s Cybersecurity Law No. 1/2025 came into effect with the State Administration Council’s issuance of Notification 113/2025. The law, which was enacted on January 1, 2025, aims to regulate various aspects of digital security and online activities. Below are some key provisions, implications, and penalties under the Cybersecurity Law. Extraterritorial penalties. The law contains an important provision that authorizes penalties against Myanmar citizens who are found guilty of violations, even if these occur outside the country’s borders. VPN definition and regulation. Virtual private networks (VPNs) are defined by this law as specific systems that function as backup networks by using technological means in order to ensure the safety of linking networks to each other. This definition sets the framework for subsequent regulations and penalties associated with VPN usage. The law does not restrict individuals or entities from using VPNs; it regulates VPN service providers. Penalties for unapproved VPN services. Establishing a VPN or providing VPN services without approval from the designated ministry (to be appointed later by the government) can result in significant penalties. For individuals, the punishment may be imprisonment for 1–6 months, a fine of MMK 1–10 million (approx. USD 476–4,760), or both, with the proceeds of the violation being confiscated. If the violator is a company or organization, the minimum fine will be MMK 10 million, and the proceeds will be confiscated. Government oversight. The ministry designated by the government is authorized to investigate and take control of cybersecurity services and digital platform services for national defense and security purposes, or upon request from a government department or organization in accordance with respective laws. Licensing requirements. The Cybersecurity Law introduces two types of licenses, valid for a period of 3–10 years, for (1) cybersecurity services and (2) digital platform providers. Digital platforms with
Read More
August 1, 2025
On July 21, 2025, Thailand’s National Cyber Security Agency (NCSA) released a draft amendment to the Cybersecurity Act B.E. 2562 (2019) for public hearing, aiming to address the rapid evolution of technology and increasing complexity of cyber threats. The proposed changes to the country’s cybersecurity framework would extend regulatory oversight to cloud service providers and data center operators hosting data for critical information infrastructure (CII) organizations regulated under the Cybersecurity Act. The NCSA will accept comments on the draft until August 5, 2025. Following the close of the public consultation period, the draft amendment will be subject to further revision during the legislative process. Key proposed amendments are discussed below. Expanded Critical Infrastructure Scope The Cybersecurity Act currently applies only to state agencies, supervising or regulating organizations, and designated CII organizations as announced by the National Cyber Security Committee (NCSC). It defines CII organizations as public or private organizations related to or providing national security, significant public services, banking and finance, information technologies, telecommunications, transportation and logistics, energy and public utilities, or public health. The draft amendment expands the scope of CII organizations to include public and private organizations related to or providing industrial work (to be further defined in subregulations) as well as service providers that store or possess data for CII organizations, such as cloud and data center service providers. CII organizations must comply with cyber threat reporting requirements and are subject to the NCSA’s interception powers. Updated Definitions and New Terminology The draft amendment more clearly distinguishes between “cyber threats” (which have yet to occur but have the potential of causing damage or impact) and “cyber incidents” (which have already occurred and have caused or are expected to cause damage or impact). The draft amendment also expands the definition of “cybersecurity” to explicitly cover both prevention
Read More
July 30, 2025
Artificial intelligence (AI) model training and data scraping are essential processes in the development of modern AI systems. AI model training involves using large datasets to teach machine learning algorithms to recognize patterns, make predictions, or generate new content. Data scraping refers to the automated extraction of information from websites or digital sources, often to assemble the vast datasets required for effective AI training. As these practices become more widespread, questions about the legality of using third-party content—especially copyrighted works—have become increasingly important. In Thailand, the legal landscape for AI developers is shaped primarily by the Copyright Act, which presents unique challenges due to the absence of a fair-use exception. This article examines the copyright-related risks and legal uncertainties facing AI developers under Thailand’s current copyright law and practices, offering strategic guidance for navigating this complex environment. Copyright Risks in AI Scraping and Training Thailand’s Copyright Act does not provide a broad fair use or fair dealing exception, unlike some other jurisdictions, such as the United States. This absence has significant consequences for AI developers: No general defense for AI training: Any use of copyrighted material for AI model training is presumed to be infringing unless a specific, narrow statutory exception applies or explicit permission is obtained from the rights holder. There is no general legal basis for using copyrighted works in AI training without authorization. Increased rights clearance burden: Developers must identify and secure licenses for every copyrighted work included in their training datasets. Given the scale and diversity of data required for effective AI models, this process can be both impractical and costly. Legal ambiguity and litigation risk: The lack of clear statutory guidance or case law leaves developers in a legal gray area. There is no established precedent clarifying whether certain uses of copyrighted material for
Read More
July 24, 2025
Thai authorities have escalated efforts to block unlawful cross-border digital asset business operators. On June 19, 2025, the Ministry of Digital Economy and Society (MDES) issued a notification empowering it to ban internet access to operations or services offered by digital asset business operators who lack licenses from the Thailand Securities and Exchange Commission (SEC) under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018). This ban, issued under the 2023 Royal Decree on Measures for the Prevention and Suppression of Technology Crime, particularly aims to block Thai users’ access to services offered by unlicensed offshore digital asset providers via their own apps or websites or through public social media platforms. Compliance Requirements The notification requires internet service providers and social media platforms selected by MDES to immediately impose internet access restrictions on identified apps, websites, and IP addresses of illegal operators upon receiving MDES orders. Takedown Orders There are two tracks for competent officials at MDES to issue orders to operators: If the competent official is notified by the SEC of licensing noncompliance by a particular digital asset business operator, the competent official can issue a takedown order to the operator upon approval from the permanent secretary of MDES. If the competent official independently discovers, or receives a complaint from any third party other than the SEC, that a digital asset business operator may have violated licensing requirements, the competent official can ask the SEC to verify and confirm the relevant facts and noncompliance before seeking approval from the permanent secretary of MDES to issue the takedown order. Streamlined Enforcement Prior to this notification, the SEC could obtain takedown orders only from Thai courts under the 2007 Computer Crime Act to take down or block access to unlicensed digital asset platforms and apps. This was a relatively
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice