Thailand’s data privacy landscape has entered a new era of aggressive enforcement, marked by a decisive crackdown on non-compliant organizations by the Personal Data Protection Committee (PDPC) in 2025. This year has seen a significant shift from awareness-building to active scrutiny, with the PDPC issuing a total of eight fines across five separate cases, totaling a staggering THB 21.5 million (approximately $654,690 USD). This series of penalties serves as a clear signal that the cost of inaction on data privacy is no longer a theoretical risk.
The enforcement actions targeted a wide range of entities, from a government agency and a private hospital to a technology retailer, a cosmetics company, and a collectible toy retailer. The cases highlight a recurring pattern of fundamental failures that led to the heavy fines. The most common violations were a lack of appropriate security measures, a failure to report data breaches in a timely manner, and, in some instances, a failure to appoint a Data Protection Officer (DPO) as mandated by law.
In one notable case, a private hospital was fined THB 1.21 million after a contractor improperly handled medical records, top to a data leak. Similarly, a technology retailer faced a THB 7 million fine for inadequate security and for failing to notify the PDPC of a breach that resulted in a call-center scam. The PDPC’s actions also extended to the relationship between data controllers and their processors. For example, a collectible toy company was fined THB 500,000 and its third-party processor was hit with a THB 3 million fine for their collective failure to manage a reservation system securely, which led to a data breach.
These enforcement actions provide crucial lessons for businesses operating in Thailand. They emphasize that responsibility for data security extends to third-party partners. Organizations must implement robust, ongoing security measures and have clear, well-rehearsed data breach protocols. The PDPC’s “zero data breach” objective indicates that even minor lapses will not be tolerated. The crackdown underscores the need for a strategic, top-down commitment to data protection, moving beyond simple compliance checklists to a culture of constant vigilance. For businesses, the choice is clear: prioritize data privacy or risk substantial financial penalties and severe reputational damage.
