What’s Changed with Thailand’s PDPA Enforcement
Since full enforcement of the Personal Data Protection Act (PDPA) began in mid‑2022, the Personal Data Protection Committee (PDPC) has moved from awareness raising toward active enforcement.
As of August 1, 2025, the PDPC has issued five enforcement cases covering eight fines (imposed on both controllers and processors), totaling over THB 21.5 million.
Recent Cases & Fines under the PDPA
Here are the key cases that illustrate where organizations are falling short, and the penalties imposed:
| Case | Entity / Sector | Violation(s) | Fine(s) |
|---|---|---|---|
| 1 | Government agency & system developer | Leaked data (~200,000 records) due to weak security, no risk assessments, no data processing agreement (DPA) with processor; poor access controls. | Each fined THB 153,120 |
| 2 | Private hospital + individual contractor | Sensitive health records improperly destroyed; documents abused publicly (used as snack wrappers); contractor failed to notify. | Hospital: THB 1,210,000; Contractor: THB 16,940 |
| 3 | Electronics / Technology retailer | Multiple failings: inadequate security, no Data Protection Officer (DPO) where required, failure to report breach. | THB 7,000,000 |
| 4 | Cosmetics company | Poor technical safeguards; did not notify PDPC of breach in time. | THB 2,500,000 |
| 5 | Collectible Toy / Reservation System + its processor | External breach via processor, controller’s data exposed; unauthorized access / modification of data; processor delayed notifying controller. | Controller: THB 500,000; Processor: THB 3,000,000 |
What Are the Common Triggers of PDPA Fines?
From the above cases and multiple reports, the recurring compliance failures include:
- Inadequate security measures (weak passwords, lack of risk assessment, poor oversight of systems)
- Not appointing a Data Protection Officer (DPO) when required
- Failure to notify the PDPC or affected individuals of a data breach within the legally required timeframe
- Poor handling / destruction of sensitive data, especially via third‑party processors or contractors
Lessons & Next Steps for Businesses
With enforcement stepping up, even smaller oversights can lead to major fines. Here’s what organizations should do:
1. Conduct regular risk assessments of systems, especially those handling sensitive personal data.
2. Appoint a DPO if your operations involve large‑scale or sensitive data processing.
3. Ensure strong contracts / agreements with any processors or third‑party service providers, including DPAs.
4. Monitor those processors' and providers' compliance with the agreed obligations on an ongoing basis.
5. Implement solid breach notification protocols so you can report promptly to PDPC and affected persons.
6. Train staff in proper data handling; include requirements for secure destruction and access control.
Are Fines Already Reaching the Maximums?
The PDPA allows for civil fines up to THB 5 million for serious violations, among other penalties. The largest recent fine (THB 7 million) exceeds that ceiling in the reported cases; this may reflect separate orders or combined penalties for multiple violations or entities.
Also, criminal penalties may apply in cases of intentional misuse or gross negligence, particularly with sensitive data. Damages may also be claimed by individuals harmed.
Conclusion
PDPA enforcement in Thailand is no longer theoretical: the recent cases show real financial and reputational risk. Whether you’re in the public or private sector, ignoring PDPA requirements, even for “small” operations, can cost you.
For organizations in Bangkok or beyond, now is the moment to review your data policies, train your people, and get legal support so that you’re compliant, not penalized.
