This guide provides a detailed overview of doing business in Thailand. Topics covered in the guide include investment, import and export regulations, exchange controls, tax, requirements for establishment of a business, structures for doing business, cessation or termination of a business, labor legislation, and immigration requirements. The guide provides an invaluable primer for investors new to the Thai business investment.
August 22, 2024
The Personal Data Protection Committee (PDPC) of Thailand’s Ministry of Digital Economy and Society (MDES) has announced the first administrative fine under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). A major private company was fined THB 7 million for noncompliance with specific PDPA requirements, resulting in the unauthorized disclosure of personal data to a call center gang (phone scam fraudsters). Key Findings of Noncompliance The PDPC determined that there were three key violations of specific requirements of the PDPA: Failure to appoint a data protection officer (DPO): Despite processing personal data for over 100,000 individuals as part of its core operations, the company did not appoint a DPO. Inadequate security measures: The company lacked the required security measures, leading to a data breach involving a call center gang, causing widespread damage. Delayed data breach notification: The company did not notify authorities of the data breach within the required timeframe and failed to address the breach promptly, making it impossible to remedy the situation. In addition to the monetary fine, the PDPC, along with the PDPA’s Expert Committee, issued a corrective order requiring the company to undertake the following actions and notify the Office of the PDPC of the relevant correction measures within seven days of receiving the order: Implement up-to-date security measures: The company must improve its current security measures to prevent future breaches and ensure that the security measures are up-to-date with changing technologies. Raise awareness of personnel: The company must provide training to relevant personnel to ensure awareness of data compliance and protection practices. This significant administrative action establishes a precedent for addressing data breaches in both governmental and commercial sectors in Thailand. It also confirms the importance of PDPA compliance, particularly the need for robust security measures, timely breach notifications, and the appointment of