You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
August 1, 2025

More Than a Warning: Eight Serious Fines Imposed in Thai Data Protection Cases

Subscribe to Updates

Thailand’s Personal Data Protection Committee (PDPC) announced to the press on August 1, 2025, that it had issued eight new administrative fines under Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) in five cases of noncompliance by public and private entities. The enforcement actions reflect a growing commitment by the PDPC to penalize noncompliance across all sectors, regardless of organizational type or size. The total amount imposed to date was approximately THB 21.5 million (approx. USD 654,690), underscoring the financial risks tied to PDPA violations.

The five cases—one involving a state agency and the remainder in the private sector—are summarized below.

Case 1: State Agency Providing Online Services to the Public

The order in this case stemmed from a cyberattack on a state agency’s web app, resulting in personal data of 200,000 data subjects being leaked to and sold on the dark web. The software developer was also found to have implemented no privacy by design, lacked an access control system, had no data breach prevention measures, and failed to conduct risk assessments or review existing security measures.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Weak password protection
  • No risk assessment or ongoing review of security measures
  • No data processing agreement with software developer that acted as data processor

The state agency and the developer were each fined THB 153,120 (approx. USD 4,670).

Case 2: Private Hospital

This case involved a hospital that engaged an individual contractor to destroy patient medical record documents. However, the contractor stored the documents at their own premises, failed to follow the required destruction protocols, and ultimately used the medical records to wrap sweets, resulting in the leak of over 1,000 records during the destruction process. The contractor also failed to notify the hospital of the data breach. Although there was a written agreement between the parties, hospital’s failure to properly monitor and control the destruction process in accordance with the prescribed standards led to the medical records not being destroyed and being used for other purposes. The images of the wrapped sweets were later posted on social media and discovered by the PDPC.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Failure to report data breach incidents

The hospital was fined THB 1,210,000 (approx. USD 36,880), while the individual contractor was fined THB 16,940 (approx. USD 515).

Case 3: Computer and Accessories Trading Giant

Over 100 data subjects filed complaints with the PDPC following a call center scam resulting from a data breach incident. The company did not provide remedial action for the affected data subjects within the specified timeframe.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Failure to report data breach incidents
  • No appointment of a data protection officer (DPO)

The company was fined THB 7 million (approx. USD 213,380). The company’s revenue and size were taken into account when determining the fine amount.

Case 4: Cosmetics Company

In this case, a cosmetics company failed to implement adequate security measures as required by the PDPA, resulting in leakage of personal data to a call-center gang (scam operators). The company also failed to notify the Office of the PDPC of the data breach incident as required by the PDPA. However, the company did provide remedial action for the affected data subjects.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Failure to notify the PDPC of data breach incident.

The company was fined THB 2.5 million (approx. USD 76,210).

Case 5: Collectible Toy Company

This case involved a collectible toy company that hired a data processor to manage its reservation system. The system was compromised and accessed by an unauthorized party for about 10 minutes, resulting in approximately 200,000 personal data records being amended without authorization. The toy company, as the data controller, promptly provided remedial action for the affected data subjects. However, the data processor failed to (1) take prompt action to contain the incident, (2) notify the data controller of the incident, and (3) provide remedial action for the affected data subjects.

Key noncompliance identified:

  • Lack of appropriate security measures
  • Failure to comply with data breach notification

The collectible toy retailer was fined THB 500,000 (approx. USD 15,240), while its data processor was fined THB 3,000,000 (approx. USD 91,450).

Considerations

The five cases highlight three common failures that can lead to the imposition of administrative fines:

  • Lack of appropriate security measures or regular review of the measures
  • Failure to report data breach incidents
  • Failure to appoint a DPO

The PDPC reiterated its “zero data breach” objective and stated that organizations are required to comply with the PDPA, ensure appropriate security measures are in place, regularly conduct risk assessments, and establish transparent monitoring systems.

This latest wave of enforcement confirms that PDPA compliance is no longer optional or merely a matter of paperwork, as both public and private entities are now subject to active scrutiny and penalties requiring strict adherence. The recurrence of key noncompliance issues across all five cases provides a clear roadmap of regulatory expectations. Organizations subject to the PDPA should act without delay to reassess their data protection frameworks, address compliance gaps, and ensure preparedness for future enforcement actions.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

August 21, 2025
On August 19, 2025, the Trade Competition Commission of Thailand (TCCT) released its draft Guidelines on the Consideration of Unfair Trade Practices and Conduct Constituting Monopoly, Reducing Competition, or Restricting Competition in Multi-Sided Platform Businesses in the Category of Digital Platforms for the Sale of Goods or Services (E-commerce). A public comment period on the guidelines is open until September 18. The draft provides the first detailed framework for how the TCCT will interpret and enforce the substantive provisions under the Trade Competition Act against digital platforms, which have a unique network effect and require complex competition analysis. This development will profoundly impact the operations of e-commerce platforms, sellers, and associated service providers in Thailand. The guidelines primarily target e-commerce digital platform business operators, which are defined as follows: E-commerce digital platform: A medium facilitating the sale, purchase, or exchange of goods or services, including any operations to create transactions or interactions between business operators via an electronic transaction system, regardless of whether service fees are charged. E-commerce digital platform business operator: A service provider of a digital platform for the sale of goods or services who acts as an intermediary facilitating the sale of goods or services, including any operations to create transactions or interactions through an electronic transaction system by receiving orders for goods or services transacted via an electronic system, whether in the form of an e-marketplace, a social marketplace, or any other form that connects purchase orders for goods or services with business operators through an electronic system. Prohibited Conduct The guidelines classify potentially anticompetitive conduct and unfair trade practices into two categories: price-related and non-price-related conduct. 1. Price-related conduct The TCCT is targeting pricing strategies that can harm competition. Key prohibited behaviors include: Price below cost: Setting prices below the average total cost without
Read More
August 21, 2025
On August 18, 2025, Thailand’s Securities and Exchange Commission (SEC), in collaboration with the Ministry of Finance, the Anti-Money Laundering Office, and the Ministry of Tourism and Sports, announced the launch of TouristDigiPay. The initiative, implemented under the SEC’s Regulatory Sandbox, allows foreign tourists to convert digital assets into Thai baht for use in everyday transactions in Thailand. Foreign tourists who opt to participate in TouristDigiPay must open two accounts once they are in Thailand: An account with a licensed digital asset operator to sell or exchange digital assets for Thai baht; and A tourist wallet account with a licensed e-money operator regulated by the Bank of Thailand. Funds from digital asset sales will be transferred into the tourist wallet, enabling tourists to make payments at participating merchants that accept e-money. Key Regulatory Requirements The TouristDigiPay project will operate for a period of up to 18 months, with the following conditions: Only licensed digital asset brokers, dealers, and exchanges integrated with licensed e-money operators are eligible to participate. Operators must implement anti-money laundering (AML) protocols that are proportionate to the assessed risk level. These include: Conducting know-your-customer and customer-due-diligence (KYC/CDD) checks on all users. For monthly transactions exceeding THB 50,000 per person, verifying the source of the digital assets and assessing AML risk using internationally recognized blockchain forensic tools or equivalent procedures. Suspending or rejecting services if digital assets are transferred from wallets flagged for AML concerns. Ensuring that conversion between digital assets and fiat includes safeguards such as matching account names and returning digital assets only to the original wallet. The following transaction limits apply to participants in the TouristDigiPay initiative: Payments to small vendors are capped at THB 50,000 per month. Payments to vendors who have completed the know-your-merchant (KYM) process are capped at THB 500,000 per
Read More
August 15, 2025
More than a decade after the issuance of Decree No. 52/2013/ND-CP (as amended by Decree No. 85/2021/ND-CP; collectively, “Decree 52”), Vietnam’s legal framework for e-commerce is under growing pressure to keep pace with the evolving digital economy. While Decree 52 has provided a foundational framework, it has shown certain limitations in keeping up with issues such as counterfeit goods, intellectual property enforcement, unqualified products, and emerging models like livestream selling and affiliate marketing. To address these regulatory gaps, the Ministry of Industry and Trade (MOIT) has released the 2025 Draft E-Commerce Law (“Draft Law”) for public consultation. The Draft Law is intended to supersede the current framework under Decree 52 and establish a more detailed and comprehensive legal foundation for the regulations of e-commerce activities in Vietnam. It is currently expected to be submitted to the National Assembly for review and potential adoption during its 10th session in October 2025. In this article, we discuss the Draft Law’s most significant updates and legal developments in comparison to existing regulations, and assess the practical challenges that businesses may face in preparing for implementation in the near future. Platform Classification: Toward a More Nuanced Framework Unlike Decree 52’s simpler structure, which broadly categorized platforms into either (i) websites selling goods and services or (ii) websites providing e-commerce services, the Draft Law introduces a more detailed framework that aims to classify platforms based on their technical functions and business models. Specifically, the Draft Law introduces a four-tier classification system for e-commerce platforms, consisting of: (i) Direct Business Platforms, (ii) Intermediary Platforms, (iii) Social Networks with E-Commerce Functions, and (iv) Multi-Service Integrated Platforms. This approach reflects an effort to more accurately capture the complexity of today’s e-commerce landscape, including hybrid platforms such as TikTok Shop. While this approach reflects the growing complexity of
Read More
August 6, 2025
Thailand’s Digital Government Development Agency (DGA) has released drafts of two pivotal documents to guide Thai government agencies in adopting cloud technology and classifying data for cloud usage. These draft guidelines, open for public hearing through August 12, 2025, are part of the national “Go Cloud First” policy, which aims to accelerate digital transformation, improve efficiency, and ensure robust data security across the public sector. The new standards will have significant implications for both government agencies and cloud service providers operating in Thailand. Highlights of the draft guidelines are presented below. Government Cloud Usage Guidelines Cloud-first transformation: All government agencies are directed to prioritize cloud solutions for new IT projects, in line with the cabinet’s “Go Cloud First” policy. Cloud model selection: Agencies must assess their needs and select the most appropriate cloud deployment model—public, private, hybrid, or community cloud—based on the sensitivity of the data and operational requirements. Service types: The guidelines provide criteria for choosing between Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), emphasizing the importance of using standard, non-customized services where possible. Cost management: Agencies are required to plan and separate cloud-related expenses, ensuring transparency and efficient budget allocation. Cloud migration: The guidelines outline the steps for migrating to the cloud and highlight the role of cloud service providers in facilitating the process, including supporting innovation and enabling smooth exit strategies. Procurement compliance: All cloud procurement must comply with public sector procurement laws and regulations. Only providers meeting government-mandated standards can be selected. Security and shared responsibility: The guidelines clarify the division of security responsibilities between cloud providers and government agencies. While providers manage infrastructure security, agencies remain responsible for data, application, and access controls. Legal framework: Agencies must comply with the Digital Government Administration Act, Cybersecurity
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice