Introduction
On Friday, 1 August 2025, the Office of the Personal Data Protection Committee (“PDPC Office”) held a press conference to announce its proactive enforcement measures under the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). The PDPC Office disclosed that administrative fines had been imposed on both government and private sector organisations that had failed to, among other things: (i) implement adequate security measures for safeguarding personal data; (ii) notify the PDPC Office of a data leakage incident; and (iii) appoint a Data Protection Officer (“DPO”).
This Update summarises the key points from the press conference and outlines five cases in which administrative fines were imposed, serving as precedents to remind organisations that PDPA compliance is not merely an internal matter but a broader responsibility to uphold individuals’ fundamental rights relating to personal data.
Cases where Administrative Fines were Imposed
- Government Agency: Personal Data Stolen and Sold on the Dark Web
A government agency providing services to the public through its web app was hacked, and the personal data of up to 200,000 people held in it was stolen and traded on the Dark Web. The evidence suggests that the government agency lacked sufficient security measures for safeguarding personal data, owing to the use of weak passwords, the lack of a risk assessment, and the lack of consistent review of its security measures. Additionally, the government agency had not entered into a Data Processing Agreement with the system developer engaged to act as its data processor. The system developer also failed to implement sufficient security measures. As a result, the Expert Committee appointed by the Personal Data Protection Committee (“PDPC”) (“Expert Committee”) imposed an administrative fine of THB 153,120 on each party.
- Large Private Hospital: Medical Records Not Destroyed and Leaked
A private hospital engaged a small family-run business under contract to securely destroy patient medical records. However, the hospital failed to adequately monitor and supervise the destruction process, which led to the leakage of approximately 1,000 medical records classified as sensitive health data under Section 26 of the PDPA. Disturbingly, some of these documents were found repurposed as bags for ‘Kanom Tokyo,’ a type of Thai street snack. The contracted business did not comply with the agreed destruction procedures; instead, it removed the documents from the site and took them to a private residence. Moreover, the business neglected to inform the hospital of the data breach, constituting a violation of the data processor’s obligations. As a result, the Expert Committee imposed an administrative fine of THB 1,210,000 on the hospital and THB 16,940 on the family business.
- Electronics Retailer: No Security Measures and Failure to Notify of Data Leakage
An electronics retailer failed to implement appropriate security measures, did not notify the PDPC Office of a data leakage as required by the PDPA, and regularly collected a large volume of personal data without appointing a DPO despite being legally obligated to do so. Based on these three violations, the Expert Committee issued an administrative fine of THB 7 million.
- Cosmetics Company: Inadequate Security Measures and Failure to Notify of Data Leakage
A cosmetics company failed to implement appropriate personal data security measures and did not report a personal data breach to the PDPC Office as required by law. Based on these two violations, the Expert Committee imposed an administrative fine of THB 2.5 million.
- Collectible Toy Company: Inadequate Security Measures
A collectible toy company failed to implement appropriate personal data security measures. As a result, the Expert Committee imposed an administrative fine of THB 500,000 on the collectible toy company and THB 3 million on its data processor. A data processor is, in general, a person or entity that collects, uses, or discloses personal data under the instructions of, or on behalf of, a data controller, without being the data controller itself.
Key Lessons Learnt
The five cases disclosed by the PDPC Office highlight the critical importance of PDPA compliance, particularly the implementation of adequate security measures, the appointment of a DPO, and timely data breach notification. Organisations must not only ensure that third parties handling data on their behalf comply with legal and contractual obligations, but also actively monitor their activities. Failure to implement appropriate security measures, report data breaches, or appoint a DPO when required can result in severe penalties. Overall, these cases reinforce the need for proactive compliance, internal oversight, and accountability across both data controllers and processors to mitigate legal and reputational risks under the PDPA.
What is Next?
These five cases serve as a clear warning to all sectors, including government agencies, private organisations, and relevant service providers, that personal data management is not merely a technical or administrative issue, but a matter of responsibility that requires robust security standards, regular risk assessments, and transparent oversight mechanisms. These elements are essential to prevent irreparable harm to individuals’ rights. The PDPC Office is currently reviewing a large number of cases and will continue to enforce the law strictly. At the same time, it is committed to advancing proactive prevention measures, aiming to make the goal of “zero data breaches” a shared priority across all organisations in Thailand.
The Chinese version of this Update is available here, and the Japanese version is accessible here.
Contribution Note
This Legal Update is contributed by the listed Contact Partner, with the assistance of Kittipol Chamsawarng (Senior Associate, Rajah & Tann (Thailand) Limited) and Chanon Prasirtsuk (Associate, Rajah & Tann (Thailand) Limited).
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.