Thailand's Personal Data Protection Committee (PDPC) has made it clear that the era of warnings and gentle reminders is over. On 1 August 2025, the regulator announced eight administrative fines across five separate cases under the Personal Data Protection Act B.E. 2562 (PDPA). The penalties amounted to THB 14.5 million, pushing the total fines imposed since enforcement began beyond THB 21 million. These cases involved both public and private organisations, demonstrating that no sector is immune from scrutiny.
Lessons from the Cases
The recent decisions highlight a range of compliance failures. In one case, a government agency and its software developer were each fined over THB 150,000 following a cyberattack that exposed the personal data of roughly 200,000 individuals. Investigations revealed weak security measures, poor password management, lack of risk assessments, and the absence of a proper data processing agreement.
In another case, a private hospital was fined more than THB 1.2 million, while its contractor received a smaller penalty, after patient records were mishandled during disposal—astonishingly being used to wrap sweets. The fines reflected not only the breach itself but also the hospital's failure to properly supervise the contractor and to report the incident in a timely manner.
Private businesses were also targeted. A retailer of IT products was fined THB 7 million for a breach that resulted in the misuse of customer information in fraudulent call centre operations. The company had failed to appoint a Data Protection Officer (DPO), did not report the breach, and had inadequate security safeguards in place. A cosmetics company faced a THB 2.5 million fine for similar shortcomings, after personal data leaks were exploited by scam operations. Finally, a toy company and its data processor were penalised THB 500,000 and THB 3 million respectively, following a breach of an online reservation system affecting 200,000 records. The processor's failure to notify the controller or take swift remedial action proved particularly costly.
Enforcement Priorities
Across these cases, certain themes stand out. First, the PDPC is willing to enforce against both controllers and processors; in some instances, processors received higher penalties than the organisations that engaged them. Second, the regulator expects proactive and timely action: entities that failed to notify breaches or provide remedies faced harsher consequences. Third, enforcement applies across the board, with even state agencies now subject to financial penalties.
What Businesses Should Do
The message for organisations is clear. Compliance with the PDPA must be operational and continuous, not limited to paperwork. Companies should conduct regular audits of their security systems, establish clear breach-response and notification protocols, and ensure that DPOs are properly appointed and resourced. Contracts with third-party processors should impose strict security and reporting obligations, backed by active oversight. Just as importantly, all measures should be documented so that, if investigated, organisations can show tangible evidence of compliance.
Conclusion
The PDPC's latest actions confirm that PDPA enforcement in Thailand is gathering pace and that penalties are becoming significant. Businesses must take a proactive approach to compliance, as lapses in security, governance, or incident management can now result in multimillion-baht fines alongside reputational damage. In short, the cost of non-compliance is rising sharply, and organisations can no longer afford to treat data protection as an afterthought.