News

Thailand ramps up data protection enforcement

11 August 2025
""
""

Thailand's Personal Data Protection Committee (“PDPC”) has significantly intensified its enforcement of Thailand's Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), announcing on 1 August 2025 eight new administrative fines across five cases involving both public and private entities.

The fines, totaling approximately THB 21.5 million (USD 654,690), mark the PDPC's shift away from building awareness about the PDPA to active scrutiny over compliance.

Moreover, the recurrence of key issues of noncompliance across the recent cases provides clear indication of the PDPC's regulatory expectations.

Organizations subject to the PDPA must promptly assess compliance and ensure preparedness for future enforcement actions.

Case highlights

  • State Agency: A cyberattack on a state- run web application led to the leak of 200,000 records containing personal data. Both the agency and its developer were fined THB 153,120 (USD 4,670) for lacking privacy-by-design and breach prevention protocols.
  • Private Hospital: Medical records were improperly handled by a contractor who was engaged by a private hospital to perform document destruction, resulting in a personal data breach. The hospital was fined THB 1.21 million (USD 36,880) and the contractor was fined THB 16,940 (USD 510).
  • Technology Retailer: A data breach at a technology retailer led to scam calls affecting over 100 individuals. The company was fined THB 7 million (USD 213,380) for a lack of adequate security measures, failing to report the data breach and not appointing a DPO.
  • Cosmetics Company: A lack of adequate security measures at a cosmetics company led to a data breach which enabled scam operators to contact customers. The company was fined THB 2.5 million (USD 76,210) for failing to notify the PDPC of the data breach and for their inadequate technical and organizational safeguards.
  • Toy Retailer: The company engaged a processor to manage the company’s reservation system. The third-party processor failed to contain a data breach and notify the company that a data breach had occurred. The processor was fined THB 3 million (USD 91,450), and the company was fined THB 500,000 (USD 15,240).

Key enforcement issues

The cases reveal recurring compliance failures, in the following areas:

  • Inadequate security measures: All five cases involved insufficient technical and organizational safeguards to protect personal data.
  • Failure to report data breaches: Several entities failed to notify the PDPC or affected individuals of a data breach in a timely manner.
  • Lack of oversight of data processors: Controllers were penalized for failing to monitor third-party contractors.
  • Absence of a Data Protection Officer (DPO): One company was fined for not appointing a DPO, which was a mandatory requirement for them under the PDPA.

Implications for clients in Thailand and beyond

These recent enforcement actions mark a decisive shift into a new era of active regulatory oversight under Thailand’s PDPA. No organization is exempt from the PDPA, regardless of sector, size, or whether they’re headquartered in Thailand or simply operating within its borders. All businesses must now treat PDPA compliance as a strategic priority.

Organizations must ensure breach protocols, processor oversight, and DPO appointments are in place. The PDPC’s “zero data breach” stance suggests that even minor compliance lapses may attract scrutiny, and thus regular risk assessments and transparent monitoring systems are now baseline expectations for all organizations.

 

 

Authored by Charmian Aw and Ciara O'Leary.

Next steps

All organizations subject to the PDPA should:

  • Immediately Review PDPA Compliance: Organizations must urgently reassess their data governance structures to ensure full alignment with PDPA mandates.
  • Implement Mandatory Controls and Appointments: Key compliance requirements under the PDPA, such as breach response protocols, third-party processor oversight, and formal appointment of a DPO must be firmly in place.
  • Account for the PDPC’s Zero-Tolerance Enforcement Climate: The PDPC’s “zero data breach” stance signals that even minor infractions, delayed reporting, incomplete documentation, or oversight gaps, may trigger regulatory scrutiny.
  • Keep Abreast of Regulatory Updates: Monitor PDPC guidance and enforcement trends to stay ahead of regulatory expectations.

Should you need assistance or have enquiries about whether and how this affects your organization, please reach out to your usual contact at Hogan Lovells or the authors.

Contacts

bio-image

Ciara O'leary

Associate

location Singapore

View more

Related topics

Related countries

Related keywords

Load more

Articles you may be interested in

image_1
News

Asia-Pacific privacy authorities publish data anonymisation guide

11 August 2025
image_1
News

Myanmar’s Cybersecurity Law Comes into Effect: Key implications for international stakeholders

07 August 2025
image_1
Insights and Analysis

Vietnam enacts landmark law on personal data protection: stable standing with stricter compliance

30 July 2025
image_1
Insights and Analysis

APAC AI Monitor Series | Japan

19 June 2025
image_1
News

Australia mandates first-of-its-kind reporting of ransomware payments

13 June 2025
image_1
News

APAC AI Monitor Series | Hong Kong

10 June 2025
image_1
News

Malaysia enacts data sharing rules for public sector

04 June 2025
image_1
News

Australia’s Model Clauses provide framework for AI procurement

03 June 2025
image_1
News

The Global Cross Border Privacy Rules – A new paradigm in data protection

29 May 2025
left_arrow
right_arrow

View more insights and analysis

arrow
arrow

Register now to receive personalized content and more!

 

Register
close
See benefits
Register