Global Law Experts Logo

Find a Global Law Expert

Specialism
Country
Practice Area

Awards

Since 2010, the Global Law Experts annual awards have been celebrating excellence, innovation and performance across the legal communities from around the world.

PDPC Issued First Administrative Sanction Under Thailand's Personal Data Protection Act

posted 3 days ago

The Personal Data Protection Committee (PDPC) of Thailand has taken a significant step in enforcing the Personal Data Protection Act B.E. 2562 (2019) (PDPA) by issuing its first administrative sanction. This action marks a turning point in the implementation of data protection regulations in the country, particularly in light of ongoing concerns about personal data breaches and their exploitation by criminal entities such as call center scam operations.

The PDPC, in a press conference held on 21 August 2024, announced that it had imposed administrative fines of 7,000,000 baht on a large private corporation following a personal data breach incident. The company, which handles the personal data of over 100,000 individuals, was found to violate several key provisions of the PDPA.

The violations cited by the PDPC include:

  1. Failure to appoint a Data Protection Officer (DPO), as required under Section 41 of the PDPA for organizations processing large volumes of personal data. This violation carries a potential administrative fine of 1 million baht.
  2. Inadequate implementation of security measures, contravening Section 37(1) of the PDPA, which mandates appropriate safeguards against unauthorized access, use, alteration, or disclosure of personal data. This violation is subject to a fine of 3 million baht.
  3. Failure to report a personal data breach to the PDPC within the stipulated 72-hour timeframe, as required by law. This violation also carries a potential fine of 3 million baht.

The PDPC stated that it had imposed the maximum administrative penalties due to the scale of the data breach and the company’s lack of response following an initial warning. Additionally, the company has been ordered to implement remedial measures for affected data subjects.

This case is particularly noteworthy as it represents the first instance of the PDPC taking strong enforcement action since the PDPA came into full effect in 2022. It serves as a clear signal to both private and public sector organizations that compliance with data protection regulations is now being strictly monitored and enforced.

The PDPC also outlined its strategy for ongoing enforcement and compliance promotion. This includes the establishment of an offensive mechanism, termed “PDPA Eagle Eye,” which actively monitors for PDPA violations across both private and public sectors. Complementing this is a defensive mechanism, the PDPA Center, designed to provide advice, raise awareness, and receive complaints from affected individuals.

The Committee emphasized the importance of public participation in reporting suspected or known personal data breaches, underlining that data protection is a shared responsibility across society.

This landmark case may have further legal implications, as it opens the possibility for affected individuals to pursue class action lawsuits against the company in question. It also sets a precedent for future enforcement actions and underscores the PDPC’s commitment to safeguarding personal data in Thailand.

As organizations operating in Thailand process this development, it is clear that ensuring robust data protection measures and full compliance with the PDPA has become more critical than ever. The PDPC’s actions demonstrate that the era of strict enforcement of data protection laws in Thailand has begun in earnest.

Key Takeaways:

  1. The Personal Data Protection Committee (PDPC) has imposed its first serious administrative sanction under the Personal Data Protection Act B.E. 2562 (2019).
  2. The sanction was issued against a large private company for multiple violations, including failure to appoint a Data Protection Officer, inadequate security measures, and failure to report a data breach.
  3. Maximum administrative fines were imposed, totaling up to 7 million baht.
  4. The PDPC has implemented both offensive and defensive enforcement mechanisms to ensure compliance with the PDPA.
  5. This case sets a precedent for stricter enforcement of data protection regulations in Thailand.

Author

Find the right Legal Expert for your business

The premier guide to leading legal professionals throughout the world

Specialism
Country
Practice Area
LAWYERS RECOGNIZED
0
EVALUATIONS OF LAWYERS BY THEIR PEERS
0 m+
PRACTICE AREAS
0
COUNTRIES AROUND THE WORLD
0

Join

who are already getting the benefits
0

Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

Newsletter Sign Up

About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Contact Us

Stay Informed

Join Mailing List

GLE