NO&T Thailand Legal Update
On 1 August 2025, Thailand’s Personal Data Protection Committee (“PDPC”) announced the issuance of 8 fines totaling THB 14.5 million (approximately USD 448,000), which were levied against one government agency and other private entities for non-compliance with the Personal Data Protection Act of 2019 (“PDPA”) in 5 cases.
Since the PDPA came into force, this marks the second significant instance in which the PDPC has imposed fines on non-compliant data controllers and data processors. The first fines were issued last year, when the PDPC penalized data controllers for failing to provide appropriate security measures, notify the PDPC of a data breach, and appoint a Data Protection Officer (“DPO”), with fines totaling THB 7,000,000 (approximately USD 216,000). Consequently, the cumulative total of fines issued by the PDPC to date amounts to approximately THB 21.5 million (approximately USD 660,000).
According to the public statements of the PDPC, the 5 cases of non-compliance with the PDPA can be summarized as follows:
| No. | Type of entity subject to fines | Key non-compliance with the PDPA | Amount of fines imposed |
|---|---|---|---|
| Case 1 – A government authority which provides services to the public through a Web App experienced a cyberattack, resulting in the personal data of more than 200,000 data subjects being offered for sale on the dark web. | | | |
| (1) | A government authority providing services to the public through a Web App (as the data controller) | | THB 153,120 (approximately USD 4,700) |
| (2) | A company in charge of the development and monitoring of the system (as the data processor of the entity in (1) above) | | THB 153,120 (approximately USD 4,700) |
| Case 2 – A report circulated on social media revealed that a document containing medical records from a private hospital was used as a small bag or container for a local Thai pancake (called “Kanom Tokyo”). It was later discovered that the hospital had entered into an agreement with a small-scale, family-run business (an individual person), appointing him/her to handle and carry out the destruction of medical record documents. However, the individual took the medical record documents to his/her residence and failed to destroy them appropriately as agreed with the hospital. As a result, approximately 1,000 medical record documents from the private hospital were leaked to the public during the destruction process. | | | |
| (3) | A private hospital (as the data controller) | | THB 1,210,000 (approximately USD 37,000) |
| (4) | An individual person appointed to handle the destruction of the medical record documents containing personal data (as the data processor of the entity in (3) above) | | THB 16,940 (approximately USD 520) |
| Case 3 – Personal data was leaked to call-center scammers. The data controller did not provide any remedies to the relevant data subjects. Several hundred affected data subjects filed claims with the PDPC regarding this data leakage. | | | |
| (5) | A company conducting wholesale and retail of computers and computer parts | | THB 7,000,000 (approximately USD 215,000) |
| Case 4 – Personal data was leaked to call-center scammers. The data controller provided remedies to the relevant data subjects. The affected data subjects filed claims with the PDPC regarding this data leakage. | | | |
| (6) | A company conducting the sale of cosmetics | | THB 2,500,000 (approximately USD 77,000) |
| Case 5 – A collectible art toy company’s reservation system was hacked. The data controller promptly provided remedies to the relevant data subjects. The data processor negligently provided the hacker with access to the data controller’s system, resulting in the alteration of approximately 200,000 items out of 10,000,000 items of personal data. | | | |
| (7) | A company conducting the sale of collectible art toys (as the data controller) | | THB 500,000 (approximately USD 15,400) |
| (8) | The company appointed to develop the reservation system (as the data processor of the entity in (7) above) | | THB 3,000,000 (approximately USD 924,000) |
In addition to the fines, the PDPC also issued administrative orders against the entities above which failed to comply with the PDPA, requiring them to rectify the systems on which the hacking and leakage occurred. Payment of the fines and rectification of the non-compliance must be completed within 30 days from the date of receipt of the administrative order from the PDPC. Failure to comply with such an order will result in an additional administrative fine of not more than THB 500,000.
By addressing violations of the PDPA, the PDPC reinforces the notion that protecting personal data is a universal responsibility, and that accountability and legal requirements exist under the PDPA. The PDPC has made clear that such responsibility and accountability apply equally to every organization, whether in the public or private sector, and to every individual person, so long as such organization or person processes personal data, regardless of size, industry, or sector. Hence, penalties under the PDPA can be imposed on juristic persons, individual persons, and government agencies. This is evident from the outcomes of Case 1 and Case 2, where fines were imposed on a government agency and an individual person, respectively.
In addition, having the status of data controller or data processor does not in itself lead to differing levels of penalties. As demonstrated in Case 5, the data processor was subject to a higher penalty than the data controller. In all cases, including those where a data processor is appointed to handle personal data, the data controller alone has the power to make decisions over the data processing activities. Although a data processor does not have decision-making power over data processing activities, this PDPC decision shows that the data processor must still strictly comply with the PDPA.
Importantly, Case 2 serves as a strong warning for data controllers to exercise careful consideration when selecting third parties as data processors to process personal data (e.g., for maintaining, analyzing, or destroying personal data) on their behalf. The PDPC’s decision suggests that the selection of a reliable data processor forms part of the data controller’s responsibility. In addition, the data controller should closely monitor the processing activities of the data processor to ensure the effective protection of personal data.
Notably, the cases summarized above show that, when determining fines, the PDPC took into account how the data controllers and data processors responded to the data breach, including the extent to which affected data subjects received remedies, the steps taken by the relevant data controllers and data processors after the breach occurred, and the timing and adequacy of post-incident measures.
Among Cases 3 to 5, the PDPC took into account the remedies provided to the data subjects when determining the fines imposed on the data controllers in each case. This is evident from the differing approach in Case 3 as compared to Cases 4 and 5. In Case 3, the data controller, which did not provide any remedy to the affected data subjects, was fined at the top of the range. In contrast, in Cases 4 and 5, the data controllers provided remedies to the affected data subjects, and the fines in those cases were lower than in Case 3. Although the details of the remedies provided were not disclosed, we may assume that their existence influenced the PDPC’s assessment of the severity of the fine.
This move by the PDPC reflects its heightened rigor in enforcing the PDPA, emphasizing that compliance is not merely a regulatory formality but a binding obligation for all entities handling personal data. It highlights the need to implement robust personal data protection measures and maintain a well-defined incident response plan to manage data breach incidents effectively and potentially reduce penalties.
This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
Shunsuke Minowa, Poonyisa Sornchangwat (Co-author)