Data Protection in Thailand

Enforcement in Thailand

Since the PDPA came fully into force, there have been approximately 1,048 complaints (including approximately 706 complaints in 2024) and 610 reports of data breach incidents submitted to the Regulator. While administrative orders have been issued, the details of the cases and orders are not publicly available.

Recently, the Regulator has delegated an internal working group / division called "PDPC Eagle Eye", which works together with other competent authorities on the prevention and investigation of data breach incidents. However, information on precedent cases, the investigations, and the Regulator's imposition of penalties is still confidential and not publicly available.

Penalties under the PDPA

There are three types of penalties under the PDPA — civil, criminal and administrative penalties. The amount of penalty will depend on the offence committed. The maximum administrative fine is THB 5,000,000. Punitive damages may also be awarded by the court but this is limited to twice the amount of actual compensation. In the event that the offender is a juristic person, the director, manager or the responsible person may also be criminally liable under the PDPA if the relevant offence(s) resulted from such person's order, action or omission. It is unclear at this early stage what direction the Regulator will take in terms of actual enforcement.

Data Processors who do not comply with their obligations are liable to an administrative fine under the PDPA. There may also be liability under tort law.

Additionally, the Regulator has issued a subordinate regulation under the PDPA, the Notification of the Regulator on the Criteria for Considering the Issuance of Administrative Fine Order by the Expert Committee B.E. 2565 (2022), as amended, under which the severity of the violation or failure to comply with the PDPA shall be determined based on the details of the offense (intentional or gross negligence), the size of the Data Controller or Data Processor's business, the value of damage and severity caused by such wrongdoing, etc. Based on such severity, the expert committee may give notice and order amendment, or impose an administrative fine on the Data Controller or Data Processor.

Exemption from enforcement of certain provisions of the PDPA

The Royal Decree issued on 17 August 2023 exempts the listed authorities, such as the National Anti-Corruption Commission, Department of Revenue, Customs Department and Excise Department, from certain obligations of Data Controllers under the PDPA in respect of their processing of Personal Data. However, the exempted Data Controllers must still provide security measures as prescribed by the Regulator to ensure that the exemption does not unreasonably affect the personal data protection principle.
