Personal Data Protection Update – PDPC Issues First Administrative Penalty Under PDPA, Imposes 7M Baht Administrative Fines for Non-Compliance with Personal Data Protection Act

On Wednesday, 21 August 2024, the Personal Data Protection Committee (PDPC) of Thailand announced its first administrative penalty since the full implementation of the Personal Data Protection Act B.E. 2562 (2019) in Thailand in 2022. The penalty was imposed on a major online shopping platform, the name of which was not disclosed.

The data controller was fined for failing to comply with its obligations under the PDPA, specifically:

• Failure to designate a data protection officer (DPO): This data controller did not appoint a DPO, as required by Section 41 of the PDPA and the PDPC’s Announcement on the appointment of a data protection officer under Section 41 (2) of PDPA, B.E 2566 (2023). The PDPA requires data controllers and data processors to have a DPO when the collection, use, or disclosure activities meet relevant criteria, for example, requiring regular inspections of personal data or systems due to processing a large volume of personal data. Specifically, data controllers and data processors processing personal data that includes in excess of 100,000 records as part of their core activities must designate a DPO.
• Failure to provide adequate security measures: This data controller did not implement sufficient security measures to prevent unauthorized use and access, which led to a data breach incident. This violates Section 37(1) of the PDPA.
• Failure to comply with data breach protocol: After the data breach occurred, the data controller was notified by data subjects, but neglected to notify the PDPC and failed to mitigate damages. This non-compliance with the data controller’s obligations resulted in severe damages to data subjects, in violation of Section 37(4) of the PDPA.

In light of these violations, the PDPC determined that this data controller’s non-compliance poses significant risks to individuals’ rights and freedoms. The PDPC also noted a potential connection to ongoing call center scam issues in Thailand. Consequently, the PDPC imposed the maximum penalty (7 million Baht) on the data controller. In addition to the administrative penalty, the PDPC also ordered the data controller to conduct a comprehensive review of its security measures across organizational, personnel, and technological aspects of its business to prevent future data breaches. The company also must submit a report on these improvements to the PDPC within 7 days after receipt of the order.

This administrative penalty, the first to impose the maximum fine under the PDPA, not only seeks to prevent further harm from call center scams but also to ensure all data controllers (both private and governmental) comply with the law, to raise awareness of the importance of personal data protection, and to establish a standard procedure moving forward. This decisive action underscores the PDPC's commitment to enforcing data protection standards designed to safeguard individuals' personal information in the digital landscape and to ensuring compliance with data protection laws by businesses operating in Thailand.

The PDPC strongly encourages all data controllers and related parties to comply with the PDPA. This will help balance the interests of data controllers while protecting the rights and freedoms of data subjects. We recommend that any organization handling personal data review and reassess its current procedures for protecting personal data to ensure they meet the minimum legal requirements.

The penalty serves as a reminder to all data controllers in Thailand of the importance of adhering to PDPA requirements, particularly in the areas of appointing a DPO, taking proper security measures, and ensuring and following data breach protocols.

Authors