First fine imposed under Thailand's Personal Data Protection Act

Two years after Thailand's Personal Data Protection Act 2019 became fully effective and enforceable, the PDPA's expert committee issued its first administrative fine 31 July, marking a significant moment for the country's data protection enforcement.

A prominent private company that trades goods online received a substantial penalty of THB7 million due to notable compliance failures.

The case initiated after 23 customers filed a complaint with the Office of the Personal Data Protection Committee, reporting they received calls from individuals impersonating employees, who had specific customer information including full names, addresses, contact details and more. Customers argued they were misled and harmed.

In addition, the company reportedly failed to address multiple complaints directed to the Office of the PDPC, allowing a group of call center scammers to continually misuse customers' personal data.

Information regarding the data breach was widely disseminated on social media and online platforms, making it publicly known. These actions are considered negligent and demonstrate a lack of commitment to protect the rights of data subjects.

Key violations

The PDPC identified three critical violations of the PDPA's specific requirements.

It noted the company failed to appoint a data protection officer, despite handling personal data for over 100,000 individuals as a core activity of its operations through product distribution nationwide. Given the scale of personal data involved, this triggered the PDPA's requirement to designate a DPO. Though the company now has a DPO, the appointment was not made when the appointment obligation was triggered and followed the occurrence of the personal data breach.