Thailand's Personal Data Protection Committee (“PDPC”) has significantly intensified its enforcement of Thailand's Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), announcing on 1 August 2025 eight new administrative fines across five cases involving both public and private entities.
The fines, totaling approximately THB 21.5 million (USD 654,690), mark the PDPC's shift away from building awareness about the PDPA to active scrutiny over compliance.
Moreover, the recurrence of key issues of noncompliance across the recent cases provides clear indication of the PDPC's regulatory expectations.
Organizations subject to the PDPA must promptly assess compliance and ensure preparedness for future enforcement actions.
Case highlights
- State Agency: A cyberattack on a state-run web application led to the leak of 200,000 records containing personal data. Both the agency and its developer were fined THB 153,120 (USD 4,670) for lacking privacy-by-design and breach prevention protocols.
- Private Hospital: Medical records were improperly handled by a contractor who was engaged by a private hospital to perform document destruction, resulting in a personal data breach. The hospital was fined THB 1.21 million (USD 36,880) and the contractor was fined THB 16,940 (USD 510).
- Technology Retailer: A data breach at a technology retailer led to scam calls affecting over 100 individuals. The company was fined THB 7 million (USD 213,380) for a lack of adequate security measures, failing to report the data breach and not appointing a DPO.
- Cosmetics Company: A lack of adequate security measures at a cosmetics company led to a data breach which enabled scam operators to contact customers. The company was fined THB 2.5 million (USD 76,210) for failing to notify the PDPC of the data breach and for its inadequate technical and organizational safeguards.
- Toy Retailer: The company engaged a processor to manage the company’s reservation system. The third-party processor failed to contain a data breach and notify the company that a data breach had occurred. The processor was fined THB 3 million (USD 91,450), and the company was fined THB 500,000 (USD 15,240).
Key enforcement issues
The cases reveal recurring compliance failures in the following areas:
- Inadequate security measures: All five cases involved insufficient technical and organizational safeguards to protect personal data.
- Failure to report data breaches: Several entities failed to notify the PDPC or affected individuals of a data breach in a timely manner.
- Lack of oversight of data processors: Controllers were penalized for failing to monitor third-party contractors.
- Absence of a Data Protection Officer (DPO): One company was fined for not appointing a DPO, which was a mandatory requirement for it under the PDPA.
Implications for clients in Thailand and beyond
These recent enforcement actions mark a decisive shift into a new era of active regulatory oversight under Thailand’s PDPA. No organization is exempt from the PDPA, regardless of sector, size, or whether they’re headquartered in Thailand or simply operating within its borders. All businesses must now treat PDPA compliance as a strategic priority.
Organizations must ensure breach protocols, processor oversight, and DPO appointments are in place. The PDPC’s “zero data breach” stance suggests that even minor compliance lapses may attract scrutiny, and thus regular risk assessments and transparent monitoring systems are now baseline expectations for all organizations.
Next steps
All organizations subject to the PDPA should:
- Immediately Review PDPA Compliance: Organizations must urgently reassess their data governance structures to ensure full alignment with PDPA mandates.
- Implement Mandatory Controls and Appointments: Key compliance requirements under the PDPA, such as breach response protocols, third-party processor oversight, and formal appointment of a DPO must be firmly in place.
- Account for the PDPC’s Zero-Tolerance Enforcement Climate: The PDPC’s “zero data breach” stance signals that even minor infractions, such as delayed reporting, incomplete documentation, or oversight gaps, may trigger regulatory scrutiny.
- Keep Abreast of Regulatory Updates: Monitor PDPC guidance and enforcement trends to stay ahead of regulatory expectations.