The Personal Data Protection Committee (PDPC) of Thailand’s Ministry of Digital Economy and Society (MDES) has announced the first administrative fine under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). A major private company was fined THB 7 million for noncompliance with specific PDPA requirements, resulting in the unauthorized disclosure of personal data to a call center gang (phone scam fraudsters).

Key Findings of Noncompliance

The PDPC determined that there were three key violations of specific requirements of the PDPA:

• Failure to appoint a data protection officer (DPO): Despite processing personal data for over 100,000 individuals as part of its core operations, the company did not appoint a DPO.
• Inadequate security measures: The company lacked the required security measures, leading to a data breach involving a call center gang, causing widespread damage.
• Delayed data breach notification: The company did not notify authorities of the data breach within the required timeframe and failed to address the breach promptly, making it impossible to remedy the situation.

In addition to the monetary fine, the PDPC, along with the PDPA’s Expert Committee, issued a corrective order requiring the company to undertake the following actions and notify the Office of the PDPC of the relevant correction measures within seven days of receiving the order:

• Implement up-to-date security measures: The company must improve its current security measures to prevent future breaches and ensure that the security measures are up-to-date with changing technologies.
• Raise awareness of personnel: The company must provide training to relevant personnel to ensure awareness of data compliance and protection practices.

This significant administrative action establishes a precedent for addressing data breaches in both governmental and commercial sectors in Thailand. It also confirms the importance of PDPA compliance, particularly the need for robust security measures, timely breach notifications, and the appointment of a designated DPO.

The monetary fine highlights the financial and reputational risks tied to noncompliance. Organizations need comprehensive data protection safeguards, not only for regulatory adherence but also for protecting personal data and maintaining public trust.

This landmark decision establishes a new standard for data protection and compliance in Thailand. Businesses operating in or with connections to Thailand should reassess their data protection strategies to ensure they meet the latest legal requirements and avoid similar breaches and penalties in the future.

For further information or assistance with data protection compliance in Thailand, please contact Athistha (Nop) Chitranukroh at [email protected], Nopparat Lalitkomon at [email protected], Gvavalin Mahakunkitchareon at [email protected], or Napassorn Lertussavavivat at [email protected].