Thailand’s Personal Data Protection Committee (PDPC) announced to the press on August 1, 2025, that it had issued eight new administrative fines under Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) in five cases of noncompliance by public and private entities. The enforcement actions reflect a growing commitment by the PDPC to penalize noncompliance across all sectors, regardless of organizational type or size. The total amount imposed to date was approximately THB 21.5 million (approx. USD 654,690), underscoring the financial risks tied to PDPA violations. The five cases—one involving a state agency and the remainder in the private sector—are summarized below. Case 1: State Agency Providing Online Services to the Public The order in this case stemmed from a cyberattack on a state agency’s web app, resulting in personal data of 200,000 data subjects being leaked to and sold on the dark web. The software developer was also found to have implemented no privacy by design, lacked an access control system, had no data breach prevention measures, and failed to conduct risk assessments or review existing security measures. Key noncompliance identified: Lack of appropriate security measures Weak password protection No risk assessment or ongoing review of security measures No data processing agreement with software developer that acted as data processor The state agency and the developer were each fined THB 153,120 (approx. USD 4,670). Case 2: Private Hospital This case involved a hospital that engaged an individual contractor to destroy patient medical record documents. However, the contractor stored the documents at their own premises, failed to follow the required destruction protocols, and ultimately used the medical records to wrap sweets, resulting in the leak of over 1,000 records during the destruction process. The contractor also failed to notify the hospital of the data breach. Although there was a

Now halfway through 2025, Thailand continues to advance in the realm of data privacy, with the ambitious goal of achieving zero data breaches. The Personal Data Protection Committee (PDPC), an independent government body established by the Personal Data Protection Act (PDPA), is taking a more proactive approach, having published several rulings and orders to enhance data protection measures and clarify compliance expectations for businesses. Here is a look back at Thailand’s data privacy developments in the first half of the year. Strengthening Law Enforcement and New Guidance for Compliance Enforcement of existing data protection laws and regulations has taken a step forward this year. Some of the specific initiatives include: Increased enforcement by the PDPC. A key trend to watch from the first half of 2025 is the PDPC’s active enforcement of the PDPA as it intensifies oversight through compliance orders and public warnings against noncompliant organizations while ramping up efforts to prevent and halt the illegal trading of personal data by actively monitoring emerging societal issues. Call center scams and cyber fraud control. Thailand published an amendment to the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes to strengthen measures against technological crimes, particularly targeting call center scams and cyber fraud. Orders from the Expert Committee. Several orders issued by the Expert Committee under the PDPA were announced in the first half of this year. These include directives for data controllers to take corrective actions to comply with the PDPA, as well as initiatives to raise awareness of data privacy within organizations, reflecting the regulator’s focus on promoting organizational awareness and compliance. A guideline report summarizing the Expert Committee’s decisions and orders was also published to serve as a reference for compliance. Public issue monitoring. The PDPC has been taking a more proactive approach

Attorneys from Tilleke & Gibbins have updated the latest edition of Doing Business in Thailand, a Q&A-style guide from Thomson Reuters Practical Law that offers an overview of key legal considerations for companies operating in jurisdictions worldwide. The contribution outlines the country’s legal and regulatory framework for foreign investment and business operations and reflects the latest legislative developments. The chapter addresses the following core topics: Legal system: Structure of the courts and the codified nature of Thai law. Foreign investment: Business restrictions under the Foreign Business Act, sector-specific regulations, exchange control rules, and investment incentives. Business vehicles: Overview of partnerships, private and public limited companies, and other legal entities. Employment: Labor protections, employment contracts, foreign worker requirements, and termination procedures. Tax: Corporate and personal income tax, indirect taxes, and tax obligations for residents and non-residents. Intellectual property: Registration and enforcement of patents, trademarks, designs, and copyrights. Data protection: Key provisions of the Personal Data Protection Act and related compliance obligations. Competition law: Regulatory framework under the Trade Competition Act. Anti-bribery and corruption: Relevant legislation and enforcement mechanisms. E-commerce and digital business: Legal regime for online transactions and digital platforms. Marketing and advertising: Consumer protection laws and regulations affecting advertising and marketing practices. Product regulation and liability: Safety standards, liability regimes, and roles of enforcement authorities. Practical Law, a legal reference resource from Thomson Reuters, publishes a range of guides for hundreds of jurisdictions and practice areas. The insurance and reinsurance guide is a valuable resource for legal practitioners, covering numerous jurisdictions worldwide. To view the latest version of the guide, please visit the Practical Law website and enroll in the free Practical Law trial to gain full access.

Tilleke & Gibbins has contributed the Thailand chapter to Data Protection 2025, a newly published comparative guide from Global Legal Post’s Law Over Borders series. This comprehensive Q&A-style resource provides insights into data protection regulations across multiple jurisdictions worldwide, offering valuable guidance for businesses navigating the complex landscape of global data privacy requirements. The Thailand chapter offers a detailed analysis of the country’s data protection framework, with particular focus on the Personal Data Protection Act (PDPA) that came into full effect in 2022. The chapter addresses key aspects of data protection in Thailand through the following topics: Regulatory framework: National laws governing personal data, scope of application, territorial reach, and regulated operations. Data categories and protection: Types of personal data covered, special categories subject to enhanced protection, and processing requirements. Compliance obligations: Requirements for lawful processing, organizational responsibilities, and data subject rights. Marketing and cross-border considerations: Rules for commercial communications and international data transfers. Enforcement mechanisms: Regulatory powers, investigation procedures, sanctions, and remedies for noncompliance. Tilleke & Gibbins also contributed the Vietnam chapter to Data Protection 2025. Readers can access the complete Data Protection 2025 guide through Global Legal Post’s Law Over Borders platform.