Two years after Thailand's Personal Data Protection Act 2019 became fully effective and enforceable, the PDPA's expert committee issued its first administrative fine on 31 July, marking a significant moment for the country's data protection enforcement.

A prominent private company that trades goods online received a substantial penalty of THB7 million due to notable compliance failures.

The case began after 23 customers filed a complaint with the Office of the Personal Data Protection Committee, reporting that they had received calls from individuals impersonating company employees who held specific customer information, including full names, addresses, contact details and more. The customers argued they were misled and harmed.

In addition, the company reportedly failed to address multiple complaints directed to the Office of the PDPC, allowing a group of call center scammers to continually misuse customers' personal data.

Information regarding the data breach was widely disseminated on social media and online platforms, making it publicly known. These actions are considered negligent and demonstrate a lack of commitment to protect the rights of data subjects.

Key violations

The PDPC identified three critical violations of the PDPA's specific requirements.

It noted the company failed to appoint a data protection officer, despite handling personal data for over 100,000 individuals as a core activity of its operations through product distribution nationwide. Given the scale of personal data involved, this triggered the PDPA's requirement to designate a DPO. Though the company now has a DPO, the appointment was made only after the personal data breach occurred, not when the obligation was triggered.

The company's security measures fell short of PDPA standards, particularly regarding access control and authorization management for personal data processing. Employees across nearly the whole organization had full access to customers' personal data. This shortfall led to a data breach in which personal data was exposed to a call center scam operation.

The company was also slow to report the breach to the Office of the PDPC. Under the PDPA, data controllers must notify without delay and within 72 hours of becoming aware of a breach. The delayed response hampered timely efforts to address the incident. According to the PDPC's decision, the company was aware of the data breach incidents at an early stage, but did not report them to the PDPC as required.

Fines and corrective orders

The enforcement action went beyond the THB7 million fine. The expert committee also issued a corrective order mandating that the company take immediate action and report its corrective measures to the Office of the PDPC within seven days.

Specifically, the company was ordered to implement updated security measures to prevent future breaches and to ensure those measures evolve with technological advancements. It was also required to conduct staff training to strengthen adherence to data compliance and protection protocols.

Failure to comply with these corrective actions could result in an additional administrative fine of up to THB500,000.

Looking forward

This case sets an important precedent for future data protection enforcement in Thailand, demonstrating the PDPC's commitment to strict regulatory compliance. It underscores the critical need for organizations to adhere to PDPA requirements, especially in maintaining strong security measures, promptly notifying authorities of breaches, and appointing a DPO.

The fine serves as a critical wake-up call for businesses, underscoring the substantial financial and reputational risks associated with noncompliance. It highlights the importance for organizations to implement comprehensive data protection mechanisms, not only to adhere to regulatory requirements but also to safeguard personal data and foster public trust.

To prevent similar fines or enforcement actions under the PDPA, organizations must ensure full compliance with all PDPA obligations by conducting a data compliance audit and appointing a DPO. A thorough review of data handling practices across departments is essential to identify and address any compliance gaps. Designating a DPO or establishing a data privacy team responsible for overseeing data privacy matters ensures effective management, particularly in relation to data breaches.

This proactive strategy not only mitigates the risk of penalties but enhances customer confidence through a robust privacy framework.

Ultimately, this landmark ruling sets a new benchmark for data protection and compliance in Thailand. Businesses operating within or with connections to Thailand are strongly advised to review their data protection frameworks and ensure alignment with current legal requirements to avoid future breaches and penalties.

Nop Chitranukroh, CIPP/A, and Nopparat Lalitkomon are partners and Gvavalin Mahakunkitchareon, CIPP/A and CIPP/E, is senior associate at Tilleke & Gibbins.