[author: Chutikarn Boonnark]
Since the full enforcement of Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) in June 2022, the Personal Data Protection Committee (“PDPC”) has moved decisively from awareness-building to active enforcement. The transition became visible in 2024, when a leading e-commerce company was fined THB 7 million for breaching the law.
In 2025, enforcement has intensified, with five additional cases announced involving both the public and private sectors. This reveals a significant shift in regulatory posture, underscoring that PDPA compliance is no longer optional but a legal necessity.
Case Highlights
Case 1: State Agency
A government agency engaged an unqualified service provider without a valid data processing agreement and failed to implement adequate security measures. This resulted in a cyberattack and the exposure of nearly 200,000 personal data records. Both the agency and the service provider were fined THB 153,120 (approx. USD 4,700) each.
Case 2: Private Hospital
Sensitive health information from over 1,000 patient records was leaked due to improper disposal by a third-party service provider. The hospital was fined THB 1,210,000 (approx. USD 37,300), while the individual responsible for the disposal was fined THB 16,940 (approx. USD 520).
Case 3: Technology Retailer
A technology retailer failed to implement appropriate security measures, to appoint a Data Protection Officer (DPO), and to report a data breach to the local authority. The company was fined THB 7 million (approx. USD 215,680).
Case 4: Cosmetics Company
Due to inadequate security measures and failure to notify the local authority of a data breach, the company was fined THB 2.5 million (approx. USD 77,030).
Case 5: Collectible Toy Retailer
A collectible toy retailer outsourced its reservation system to a service provider that lacked proper security controls, resulting in a data breach. Although the company promptly compensated affected individuals, it was fined THB 500,000 (approx. USD 15,405), and the service provider received a THB 3 million fine (approx. USD 92,435).
Key Takeaways
These cases reveal recurring compliance failures:
- Inadequate security measures
- Failure to report data breaches
- Insufficient oversight of data processors
These recurring failures emphasize a broader issue: a lack of strategic commitment to data protection. While financial penalties are substantial, the reputational damage from noncompliance can be even more severe. Businesses must treat data protection as a strategic priority, not merely a legal requirement.
The PDPA crackdown has begun. Are you next?
This latest wave of enforcement is not merely a regulatory update; it is a clear signal that the PDPC is intensifying its scrutiny. No sector is immune. Whether a state agency or a private entity, large or small, organizations must act decisively by staying vigilant, strengthening internal controls, and ensuring full compliance with PDPA requirements to avoid becoming the next example. The cost of inaction is no longer theoretical. It is financial, reputational, and operational.