The Personal Data Protection Act B.E. 2562 (2019) (PDPA) of Thailand, enforced from June 1, 2022, has reshaped the data protection landscape by mandating strict compliance standards for organizations. One of the key enforcement tools available under the PDPA is the imposition of administrative fines for non-compliance.
Following the issuance of the Royal Gazette Notification in April 2025, the procedures for administrative fines are now clearly outlined. Below is a comprehensive overview of the administrative fine system and process.
Scope of Administrative Fines:
Administrative fines apply to:
Data Controllers who fail to comply with lawful processing, security standards, or respect for data subject rights.
Data Processors who act beyond instructions or fail to maintain required security standards.
Representatives acting on behalf of overseas controllers or processors carrying out activities in Thailand.
Violations triggering fines include:
Unlawful data processing without valid consent or legal basis.
Inadequate responses to data subject rights.
Failure to report data breaches promptly.
Unauthorized data sharing or cross-border data transfers.
Absence of proper organizational security measures.
Authorities Empowered to Act:
The Personal Data Protection Committee (PDPC) and its designated investigating officers have the authority to:
Conduct investigations.
Summon witnesses and request evidence.
Recommend fines for PDPC approval.
Issue administrative orders enforceable under administrative law.
PDPA Administrative Fine Process:
The administrative fine process is clearly structured into the following key stages:
1. Preliminary Investigation
An investigating officer gathers evidence, interviews involved parties, and assesses whether there are grounds for a violation. If sufficient evidence exists, the officer proceeds with the next step.
2. Notice of Allegations
The alleged violator receives a formal notification, detailing:
The alleged facts.
Applicable legal provisions breached.
The right to submit a defense or clarifications within a stipulated period.
3. Consideration and Decision
The competent authority reviews all evidence, defenses, and mitigating factors. The seriousness of the violation, damages, prior conduct, and cooperation are taken into account when determining the fine amount.
4. Issuance of Administrative Order
An administrative order is issued specifying:
The nature of the violation.
The amount of the fine imposed.
Payment instructions and deadlines.
Failure to comply may result in further legal enforcement actions.
5. Right to Appeal
The fined party may appeal the administrative order in accordance with the Administrative Procedure Act B.E. 2539 (1996).
PDPA: Handling Personal Data of Third-Party Representatives in Contractual Communications
Thailand’s Personal Data Protection Act B.E. 2562 (PDPA) regulates how companies manage personal data. This note concerns Company K, which provides building management and outsourcing services. The Subcommittee under the Personal Data Protection Committee has clarified Company K’s obligations regarding consent and lawful bases for data processing in two scenarios: business transactions with representatives and property management services. This analysis details the facts, the subcommittee’s rulings, and the compliance implications.
Factual Background:
Company K operates in building administration and outsourcing, requiring the collection, use, and disclosure of personal data. It raised two issues: (1) When dealing with natural persons or entities, it coordinates with their employees or agents, collecting their names, phone numbers, and other personal data. Does it need their consent, given that Section 24(3)’s contractual exemption applies only to direct parties? (2) When managing condominiums/villages, either as the legal manager or as an outsourced administrator, it handles residents’ data for billing, security, parking stickers, registries, and services. Must it obtain consent, or does an exemption apply?
Subcommittee Decisions:
The subcommittee provided rulings on both issues:
Data of Representatives in Business Transactions
Case 1: Natural Person as Counterparty: When Company K contracts with an individual (e.g., for goods and services), it can collect their data under PDPA Section 24(3)—necessary for contract performance or pre-contractual steps—without consent. This includes names and contact details for coordination, as the individual is a direct party.
Case 2: Representatives of Entities: When coordinating with employees/agents of a legal entity counterparty, these individuals are not parties to the contract, so Section 24(3) does not apply. Instead, Company K can use Section 24(5)—legitimate interests—if the data collection (e.g., names, phone numbers for quotes and documents) is necessary, outweighs data subject rights, and respects reasonable expectations in business contexts. Caution is required to minimize impact and avoid excessive use. For sensitive data under Section 26 (e.g., health and criminal records), additional lawful bases from Section 26 are needed. Consent is not mandatory if these conditions are met.
Data of Residents in Property Management
Whether Company K manages a condominium/village as the legal entity (registered under condominium or land allocation laws) or as an outsourced administrator, it processes residents’ data (e.g., for billing, security and parking) under instructions from the condominium/village legal entity. Here, Company K is not a “data controller” (Section 6)—an entity deciding data use—but a “data processor” (Section 40), acting on behalf of the controller (the legal entity). The controller must secure a lawful basis under Sections 24 or 26 (e.g., contract and legal duty), not Company K. As a processor, Company K does not need residents’ consent or a direct lawful basis; it follows the controller’s lawful instructions (Section 40(1)). The controller must establish a data processing agreement per Section 40, paragraph 3, ensuring compliance.
Implications for Compliance:
Company K can avoid consent in business dealings by leveraging contractual (Section 24(3)) or legitimate interest (Section 24(5)) bases, tailoring its approach to the counterparty’s status, with extra care for sensitive data. In property management, its processor role shifts responsibility to the legal entity, requiring clear agreements to define duties and ensure lawful data handling. This dual framework simplifies Company K’s compliance while upholding PDPA standards.
Key Takeaways:
Contractual Basis for Direct Parties: Section 24(3) exempts consent for natural person counterparties, covering pre- and post-contract data.
Legitimate Interest for Agents: Section 24(5) supports collecting representatives’ data without consent, if necessary and balanced, with Section 26 for sensitive data.
Processor Role in Management: As a processor, Company K does not need consent or a direct basis; the controller (legal entity) bears that duty.
Agreements Are Key: Section 40 mandates controller and processor agreement to align outsourced data handling with PDPA.
This ruling enables Company K to streamline operations under PDPA, distinguishing its roles and leveraging exemptions effectively.
PDPA: Personal Data in Medical Certificates Defined by the Medical Council
Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA), effective June 1, 2023, governs the handling of personal data, including sensitive health information, with exemptions for medical purposes. The Subcommittee under the Personal Data Protection Committee has addressed the Medical Council’s inquiry about its standardized medical certificate forms, balancing professional standards with privacy compliance. This analysis outlines the facts, the subcommittee’s rulings, and the compliance implications.
Factual Background:
The Medical Council, established under the Medical Profession Act B.E. 2525 (1982), regulates medical practice standards per Section 7, including two medical certificate forms: (1) a health check certificate (2561/2018 version) and (2) a driver’s license certificate (2564/2021 version). Each form has two parts: Part 1, completed by the patient (e.g., name, address, congenital diseases), and Part 2, completed by the doctor. Part 1 ensures accurate health history for first-time patients without prior records. The council seeks clarification on PDPA compliance for patient self-reported sensitive data, third-party disclosure by patients, and form improvements.
Subcommittee Decisions:
The subcommittee ruled on three issues:
Patient Self-Reported Sensitive Data in Part 1
Healthcare facilities, as data controllers, collect health data (e.g., congenital diseases) under PDPA, Section 26(5)(a), exempt from consent when necessary for legal duties (e.g., Medical Profession Act B.E. 2525 (1982)), preventive medicine, occupational health, diagnosis, treatment, or healthcare system management. Alternatively, Section 24(3) applies for patient-doctor contractual obligations, or Section 26(5)(a) for professional confidentiality. The council’s forms—requiring patients to input and sign off on personal data like name, address, and health history—fit these exemptions. Collection is lawful if limited to what’s necessary for the certificate’s purpose (e.g., epilepsy history for driving safety, per transport regulations). For new patients lacking records, self-reporting ensures accuracy, avoiding misleading certificates. Thus, this aligns with PDPA, Sections 24 and 26, provided data is purpose-specific and proportionate, per Section 22.
Disclosure to Third Parties by Data Subjects
The National Health Act B.E. 2550 (2019), Section 7, deems health data confidential, barring disclosure that harms the individual unless consented to or legally mandated. PDPA Section 26 and Section 27(1) echo this, prohibiting controllers from disclosing health data without explicit consent, except under exemptions. However, neither law restricts data subjects (patients) from sharing their own data. PDPA Section 30 grants data subjects access to their data, implying freedom to disclose it (e.g., to employers and authorities). Thus, patients can share their certificates with third parties without violating the PDPA or the National Health Act, as this is their prerogative, not the controller’s action.
Recommendations for Certificate Forms
Health data’s sensitivity (potentially impacting rights and freedoms) requires recipients (e.g., employers and agencies) to secure it per PDPA Section 37. The subcommittee suggests that the council add guidance to the forms or issue best practices for certificate use, ensuring that third parties handle the data appropriately and in line with the collection purposes. This enhances compliance without altering the forms’ structure, maintaining their professional utility.
Implications for Compliance:
The council’s forms comply with PDPA by leveraging medical exemptions, requiring only necessary data, and allowing patient disclosure flexibility. Healthcare facilities must ensure purpose-driven collection, while third-party recipients bear security duties. Adding guidance strengthens the ecosystem, aligning professional standards with privacy protections.
Key Takeaways:
Exemptions Enable Self-Reporting: Patient data in Part 1 is lawful under Section 26(5)(a) or Section 24(3) for medical purposes; no consent is needed where the collection is necessary (Section 22).
Patient Disclosure Is Unrestricted: Patients can share certificates freely per Section 30, unbound by PDPA or National Health Act restrictions on controllers.
Necessity Rules Collection: Data must match certificate purposes (e.g., driving safety), balancing medical needs with privacy.
This ruling affirms the council’s approach, integrating PDPA exemptions with medical practice while suggesting proactive steps to protect data downstream.
PDPA: Announcement on Administrative Fine Guidelines Seeks Public Comments
The Personal Data Protection Committee (PDPC) is set to issue a new announcement concerning the “Guidelines for Issuing Administrative Fine Orders by the Expert Committee.” Before finalizing, the PDPC is inviting public comments to ensure that the guidelines are comprehensive and effective. This article outlines the key elements, issues, and principles involved in this draft announcement.
Background and Principles:
Under Sections 74 and 90 of the Personal Data Protection Act B.E. 2562 (2019), administrative enforcement measures must align with the law governing administrative procedures. The current draft aims to repeal the definition of “administrative fine enforcement officer” and introduce a new definition for “administrative enforcement officer,” ensuring consistency with existing laws.
Key Issues:
Revised Definitions: The draft proposes to repeal the term “administrative fine enforcement officer” and introduce “administrative enforcement officer,” aligning with administrative laws.
Clear Procedures: Specifies detailed procedures for issuing fines and enforcing measures such as seizure, attachment, or auction.
Consideration Factors: Lists factors like severity of violation, size of operations, and impact on data subjects to consider when imposing fines.
Key Elements:
Administrative Enforcement Officer:
Defined as an official or employee of the Office of the Personal Data Protection Committee appointed by the Secretary-General.
Responsible for implementing measures like seizure, attachment, and auction.
Fine Definition:
Refers to the administrative fine ordered by the Expert Committee.
Notification Methods:
Allows for electronic notifications under urgent circumstances or if preferred by the affected party.
Factors for Consideration:
Includes details of the offense, severity, size of operations, effectiveness of the fine, benefits to data subjects, extent of damages, history of fines, responsibility levels, ethical codes, remedies, compensation payments, reasons and limitations, and other relevant facts.
Issuing Orders:
Non-severe cases may involve warnings or corrective actions.
Severe cases or ineffective initial orders will result in administrative fines.
Enforcement Actions:
If the obligated party fails to pay the fine, enforcement officers will issue a written notice demanding payment within no less than seven days.
Failure to comply can lead to seizure, attachment, or auction of property.
Public Consultation Period:
The PDPC invites stakeholders and the public to review the draft and provide feedback from 20 February to 6 March 2025. This consultation period aims to gather diverse insights to enhance the effectiveness and fairness of the guidelines.
Conclusion:
By aligning with administrative laws and considering public input, the PDPC aims to strengthen data protection enforcement in Thailand. All interested parties are encouraged to participate in this crucial consultation phase to shape robust data protection measures.
This draft announcement underscores the PDPC’s commitment to ensure that administrative enforcement actions under the Personal Data Protection Act are consistent, clear, and effective. Your participation in the public consultation can significantly contribute to achieving these goals.
The outbreak of the COVID-19 pandemic has significantly altered consumer behavior, leading to a surge in reliance on digital platforms for activities like shopping and food delivery. This shift has played a pivotal role in the rapid growth of the digital economy, both in Thailand and globally. Citizens have become increasingly dependent on these platforms, which offer convenience and ease in daily life. As digital platforms now cover almost every facet of modern existence, the government has recognized the need to regulate these services to ensure economic and social stability, enhance credibility, and mitigate any potential risks to the public at large.
In response to this, Thailand initially enacted the Royal Decree on the Operation of Digital Platform Service Business Subject to Prior Notification B.E. 2565 (2022) (“Royal Decree”), which regulates and imposes obligations on digital platform service operators. These operators, such as Shopee or Lazada, manage platforms that connect business users and consumers through data networks to facilitate electronic transactions. However, recognizing the evolving landscape, the Ministry of Digital Economy and Society (“MDES”) has proposed the Draft Digital Platform Economy Act B.E. …. (the “Draft Bill”), which aims to expand regulation to a broader range of platform services not covered under the Royal Decree, known as digital media services.
The Draft Bill seeks to regulate various digital platform services more comprehensively, promoting fair trade, encouraging self-regulation, and supporting operators in adopting good governance principles. Below are the key aspects of the Draft Bill.
Categorization of Digital Media Services
The Draft Bill defines Digital Media Services as any service provided over a computer network, internet system, or telecommunications network that acts as a medium between the sender and the receiver of data. It categorizes these services into three types, each with distinct legal responsibilities for the operators:
Mere Conduit Service: This refers to the provision of electronic data transmission services or access to an electronic communications network. Mere conduit providers are not liable for illegal activities during data transmission, as long as they can prove they neither initiated the data nor altered it in any way.
Caching Service: Caching services involve temporary data storage for faster transmission. Providers are not held responsible for illegal activities, provided they meet the terms for data access and follow standard industry practices.
Hosting Service: Hosting services provide data storage on behalf of users. These providers are only held accountable if they are aware of illegal content stored and fail to take action by either removing or blocking access to it.
General Obligations for Digital Media Services Platform Operators
Under the Draft Bill, platform operators are required to comply with the obligations prescribed in Chapter 3 of the Draft Bill, which include: notifying users of their rights and obligations, as well as the risks associated with using digital media services; providing a complaint resolution channel that responds within 24 hours and reports on the investigation outcome within 60 days; disclosing advertising information; publishing clear terms and conditions as mandated by law; and appointing a point of contact to liaise with the Electronic Transactions Development Agency (“ETDA”).
Very Large Online Platform (VLOP)
The Draft Bill introduces the concept of Very Large Online Platforms (“VLOP”). To qualify as a VLOP, a platform must meet one of the following criteria:
A net income (before expenses) of over 1,000 million Baht per year from the provision of services in Thailand.
More than 6 million active users per month.
Poses a high risk to the economic or social security of Thailand, as determined by the ETDA.
VLOPs are subject to additional obligations, such as reporting data to the ETDA, tracking business users’ activities, suspending services for users engaged in serious illegal activities, and submitting annual transparency reports.
Core Platform Services & Gatekeepers
Chapter 5 of the Draft Bill defines core platform services and identifies platform operators that act as “gatekeepers” to other service providers. Core platform services currently include 10 types of digital media services such as online search engines, video-sharing services, cloud computing, and online advertising services, among others. A platform operator may be classified as a gatekeeper if it meets three criteria:
Significant impact on the economy, with annual income (before expenses) exceeding 7 billion Baht.
Serves as a critical gateway for business users to reach end users, with more than 15 million consumer users and 10,000 business users annually.
Has the power to limit competition from other platform service providers, maintaining a dominant position.
Gatekeepers are subject to additional responsibilities, such as ensuring fair treatment of business users, facilitating free communication between consumers and businesses, preventing unfair practices that hinder competition, and more.
ETDA and Digital Platform Economy Committee’s Power to Enforce Digital Platforms’ Compliance
To enforce the Draft Bill effectively, it grants the ETDA various powers, including but not limited to: the power to request data from platform operators to assess compliance; the power to access and inspect platforms’ computer systems and physical premises where there is reasonable suspicion of illegal activities; and the power to impose fines, service suspensions, or even criminal charges for severe violations.
Regulatory Transition
To ensure a smooth transition from the existing Royal Decree to the Draft Bill, the Draft Bill includes a grandfather clause under which platform operators that have already submitted a notification under the Royal Decree are deemed to have notified under the Draft Bill as well. Nonetheless, they are required to update their information to align with the new requirements within 120 days of its enactment. While the Royal Decree ceases to be effective on the enforcement date of the Draft Bill, the subordinate regulations issued under the Royal Decree remain in effect for as long as they do not conflict with the Draft Bill or with the new subordinate regulations to be issued under it.
Conclusion
The Draft Bill represents a proactive step toward regulating the rapidly expanding digital economy in Thailand. By establishing clear guidelines for digital platform operators, categorizing services, and introducing additional obligations for large and influential platforms, the Draft Bill aims to foster fair competition, ensure consumer protection, and maintain economic stability. As digital platforms continue to play an integral role in modern society, this legislation will be crucial in balancing innovation with accountability, ensuring that the digital economy can thrive in a secure and sustainable manner. As such, the passage of the Draft Bill will likely have far-reaching implications, not only for platform operators but also for the broader economy and society.
Data Privacy: Criminal Penalties Imposed by the Court Raise Concerns of Practice
Recent decisions by the Phuket Provincial Court have garnered significant attention from data privacy practitioners. These rulings have highlighted critical issues concerning the enforcement of Thailand’s Personal Data Protection Act (PDPA) and its implications for criminal penalties.
Overview of the Cases
In two related cases, the offenders allegedly obtained personal data from online gambling platforms and advertised the sale of this data on social media. The personal data involved includes names, phone numbers, email addresses, and account identification numbers. The offenders were found guilty under several laws, including the Computer-Related Crime Act, the Gambling Act, the PDPA, and the Penal Code.
Application of Section 80 of the PDPA
A notable aspect of these decisions is the application of Section 80 of the PDPA, which was used as a basis for determining the punishments for the offenders. Section 80 states:
“Any person who comes to know the Personal Data of another person as a result of performing duties under the PDPA and discloses it to any other person shall be punished with imprisonment for a term not exceeding six months, a fine not exceeding Baht five hundred thousand, or both.”
The court’s interpretation of Section 80 is significant as it expands the enforceability of criminal sanctions and imprisonment to conduct beyond the violation of sensitive personal data outlined in Section 79 of the PDPA. Traditionally, Section 80 was thought to apply only to competent officials who disclose personal data learned while performing their duties under the PDPA. Consequently, the elements of damages and intention were not included in the legal text.
However, the court’s decisions to criminalize the two offenders under Section 80 allow for general data controllers to face imprisonment penalties. This interpretation could lead to broader applications of criminal sanctions, moving beyond just sensitive personal data violations under Section 79 of the PDPA, which requires specific elements such as intention and damages for enforcement.
Analysis of Sections 79 and 80 of the PDPA
Section 79 of the PDPA focuses on the unauthorized disclosure of sensitive personal data. For a violation occurring under this section, there must be elements of intention and resultant damages. The penalties under Section 79 are designed to address severe breaches involving sensitive data, emphasizing the need for intention and actual harm.
Section 80, on the other hand, addresses the unauthorized disclosure of personal data in a broader sense. Initially, it was interpreted to apply primarily to officials handling personal data as part of their duties. The court’s recent rulings have expanded this interpretation, suggesting that any data controller could be subject to criminal penalties for disclosing personal data, even if the data is not classified as sensitive and without the traditional elements of intention and damages.
Implications and Future Developments
This shift in interpretation has sparked debate among scholars and data privacy practitioners regarding its appropriateness. Some argue that expanding the scope of Section 80 to include general data controllers could lead to excessive criminalization, while others believe it is necessary to enhance data protection enforcement.
In response to these developments, the Ministry of Digital Economy and Society is pushing to increase penalties for the illegal trading of personal data. They propose raising the maximum imprisonment term from one year to five years by amending the Royal Decree on Measures to Prevent and Suppress Technology Crimes B.E. 2566 (2023). A draft amendment to the Royal Decree is currently under consideration by the Council of State and is expected to be submitted to the Cabinet for further review and approval soon.
These court rulings, being those of a court of first instance, signify a potentially transformative period for data privacy enforcement in Thailand, with significant implications for data controllers and practitioners alike.
A draft Announcement on the Additional Duties for Digital Platform Services in Specific Goods Market Categories
The Electronic Transactions Development Agency (“ETDA”) has conducted a public hearing on a subordinate regulation under the Royal Decree on the Operation of Digital Platform Services Business that are Subject to Prior Notification B.E. 2565 (2022) (“Royal Decree”): a draft Announcement on the Additional Duties for Digital Platform Services in Specific Goods Market Categories as prescribed in Section 18 (2) of the Royal Decree B.E. …. (the “Draft Bill”). The Draft Bill has recently undergone public consultation, and the comments and feedback received may be reflected in a further revision. Nonetheless, the following summarizes the initially proposed provisions.
The Draft Bill imposes additional obligations on Digital Platform Services (DPS) that pose risks to financial and commercial security, reliability, and credibility of data message systems, or potential harm to the public, as prescribed under Section 18 (2) of the Royal Decree, as follows:
Registration, Authentication, and Verification of the Business Users: The DPS is required to put in place authentication and verification of the identity of any person who offers goods or services to consumers through a digital platform service (“Business User”). The authentication and verification may be carried out by collecting information or by using an authentication system with a reliability standard no lower than Identity Assurance Level 2 (IAL2);
Maintaining a Record of Registry: The DPS is required to maintain a record of registry for Business Users and may be required to submit such record to the ETDA periodically or upon request.
Obligations in Relation to Products that Are Subject to a Specific Quality Standard: Certain types of products may be subject to a specific quality standard under the laws relating to industrial product standards, foods, medicines, or cosmetic products (“Products with Specific Standards”). In this regard, the DPS is required to (1) have in place a policy regarding the advertisement or sale of Products with Specific Standards, which must be specified in the DPS’s terms and conditions; (2) prohibit the sale and advertisement of products that are restricted by law; (3) require the Business User to submit the relevant permits or approvals for the Products with Specific Standards; (4) display information relating to Products with Specific Standards on the platform; (5) provide a channel for users to verify the accuracy of information relating to Products with Specific Standards against the government agency database; and (6) display a symbol or message indicating that such products are Products with Specific Standards.
Obligations in relation to the Unlawful Sale or Advertisement of Products with Specific Standards: Apart from the preventive mechanisms prescribed above, the DPS is also required to (1) put in place a notice-and-takedown mechanism for the users to notify the DPS of unlawful Products with Specific Standards; (2) put in place a remedial measure for the users; and also (3) maintain a record of users who reviewed the Products with Specific Standards on the platform.
Under this Draft Bill, the DPS is required to specify the penalties for Business Users who fail to comply with the aforesaid obligations. The level of penalty is left open for public opinion: whether there should be a written warning and a grace period for correction, or whether a Business User’s failure to comply should result in termination of service by the DPS without prior notification.
Subject to the result of public consultation under this round, there may be an additional round of public consultation before finalization.
Data Privacy – Thailand Draft Exemption for Small Organizations Acting as Data Processors
The Thailand Personal Data Protection Act B.E. 2562 (“PDPA”) governs personal data processing and defines the roles and responsibilities of parties involved in such activities. Under the PDPA, a “Data Processor” is defined as a person or entity that processes personal data on behalf of another party. Since Data Processors do not have authority over processing activities, the Personal Data Protection Committee (“PDPC”) has determined it necessary to reduce certain regulatory burdens for smaller entities. Consequently, the draft Announcement on the Exemption for Small Organizations Acting as Data Processors (“Draft”) has been prepared and is undergoing public consultation through 14 November 2024.
Data Processor obligations are prescribed under Section 40 of the PDPA. Specifically, Section 40 (3) requires Data Processors to record personal data processing activities according to PDPC-prescribed criteria and methods. The Draft exempts the following types of organizations from this obligation:
Small and medium enterprises, as defined by the Small and Medium Enterprise Promotion Act B.E. 2543 (2000)
Community enterprises, as defined by the Community Enterprise Promotion Act B.E. 2548 (2005)
Social enterprises, as defined by the Social Enterprise Promotion Act B.E. 2562 (2019)
Cooperatives, as defined by the Cooperative Act B.E. 2542 (1999)
Foundations, associations, religious organizations, and non-profit organizations
Condominium associations, as defined by the Condominium Act B.E. 2522 (1979)
Individuals conducting household activities in a non-commercial capacity
Individual data processors (as distinct from organizations or larger entities)
(collectively referred to as “Small Size Data Processors”).
However, this Draft exemption does not apply to personal data processing activities that:
Pose risks to the rights and freedoms of data subjects
Involve regular or systematic collection, use, or disclosure of personal data (as opposed to occasional processing)
Involve the processing of sensitive personal data
Additionally, the exemption does not apply to any Small Size Data Processor that is required to appoint a Data Protection Officer (DPO).
PDPC Issued First Administrative Sanction Under Thailand’s Personal Data Protection Act
The Personal Data Protection Committee (PDPC) of Thailand has taken a significant step in enforcing the Personal Data Protection Act B.E. 2562 (2019) (PDPA) by issuing its first administrative sanction. This action marks a turning point in the implementation of data protection regulations in the country, particularly in light of ongoing concerns about personal data breaches and their exploitation by criminal entities such as call center scam operations.
The PDPC, in a press conference held on 21 August 2024, announced that it had imposed administrative fines totaling 7,000,000 baht on a large private corporation following a personal data breach incident. The company, which handles the personal data of over 100,000 individuals, was found to have violated several key provisions of the PDPA.
The violations cited by the PDPC include:
Failure to appoint a Data Protection Officer (DPO), as required under Section 41 of the PDPA for organizations processing large volumes of personal data. This violation carries a potential administrative fine of 1 million baht.
Inadequate implementation of security measures, contravening Section 37(1) of the PDPA, which mandates appropriate safeguards against unauthorized access, use, alteration, or disclosure of personal data. This violation is subject to a fine of 3 million baht.
Failure to report a personal data breach to the PDPC within the stipulated 72-hour timeframe, as required by law. This violation also carries a potential fine of 3 million baht.
The PDPC stated that it had imposed the maximum administrative penalties due to the scale of the data breach and the company’s lack of response following an initial warning. Additionally, the company has been ordered to implement remedial measures for affected data subjects.
This case is particularly noteworthy as it represents the first instance of the PDPC taking strong enforcement action since the PDPA came into full effect in 2022. It serves as a clear signal to both private and public sector organizations that compliance with data protection regulations is now being strictly monitored and enforced.
The PDPC also outlined its strategy for ongoing enforcement and compliance promotion. This includes the establishment of an offensive mechanism, termed “PDPA Eagle Eye,” which actively monitors for PDPA violations across both private and public sectors. Complementing this is a defensive mechanism, the PDPA Center, designed to provide advice, raise awareness, and receive complaints from affected individuals.
The Committee emphasized the importance of public participation in reporting suspected or known personal data breaches, underlining that data protection is a shared responsibility across society.
This landmark case may have further legal implications, as it opens the possibility for affected individuals to pursue class action lawsuits against the company in question. It also sets a precedent for future enforcement actions and underscores the PDPC’s commitment to safeguarding personal data in Thailand.
As organizations operating in Thailand process this development, it is clear that ensuring robust data protection measures and full compliance with the PDPA has become more critical than ever. The PDPC’s actions demonstrate that the era of strict enforcement of data protection laws in Thailand has begun in earnest.
Key Takeaways:
The Personal Data Protection Committee (PDPC) has imposed its first serious administrative sanction under the Personal Data Protection Act B.E. 2562 (2019).
The sanction was issued against a large private company for multiple violations, including failure to appoint a Data Protection Officer, inadequate security measures, and failure to report a data breach.
Maximum administrative fines were imposed, totaling 7 million baht.
The PDPC has implemented both offensive and defensive enforcement mechanisms to ensure compliance with the PDPA.
This case sets a precedent for stricter enforcement of data protection regulations in Thailand.
The Legal Dilemma: When Data Protection Clashes with Justice
In the bustling financial district of Bangkok, a peculiar challenge has emerged, pitting the pursuit of justice against the shield of personal data protection. This is the story of Company XYZ, a business caught in the crossfire of evolving legal landscapes.
For years, Company XYZ operated smoothly, relying on a time-tested system of check payments from its customers. When the occasional bad check surfaced, their legal team swiftly moved to prosecute the offenders. It was a straightforward process: identify the check signer, file a case, and let justice take its course.
However, the winds of change swept through Thailand with the enactment of the Personal Data Protection Act (PDPA) in 2019. Suddenly, the well-oiled machine of legal recourse began to sputter and stall. Banks, once cooperative in providing crucial information about check signatories, now hesitated, their silence fortified by the new data protection walls.
The company’s legal advisor, a seasoned attorney accustomed to navigating the intricacies of commercial law, found himself in uncharted waters. “We’re not asking for state secrets,” he argued, “just the name of someone who owes us money.” But the banks stood firm, leaving Company XYZ grappling with a surge of uncollectible debts and a growing sense of frustration.
In their quest for a solution, the company turned to the letter of the law, specifically Section 4(5) of the PDPA. This provision exempts certain judicial and criminal justice processes from the Act’s restrictions. Surely, they reasoned, their efforts to bring fraudsters to justice would fall under this umbrella.
However, the legal landscape proved more nuanced than anticipated. The Privacy Sub-Committee, tasked with interpreting the new law, drew a fine line. While courtroom proceedings and official investigations were indeed exempt, the preliminary evidence-gathering by private attorneys did not enjoy the same privilege. Company XYZ found itself caught in legal limbo, unable to access the information needed to initiate proceedings, yet still bound by the obligation to protect personal data.
This predicament raises profound questions about the balance between individual privacy and corporate rights. How can businesses protect themselves from fraud when the tools to identify wrongdoers are placed out of reach? And how do we ensure that data protection does not inadvertently become a shield for those seeking to evade financial responsibilities?
The story of Company XYZ is far from over. As they continue to navigate these choppy legal waters, a glimmer of hope emerges. The Privacy Committee suggests that banks may have grounds to disclose information under certain circumstances, particularly when there is a legitimate interest at stake. This potential pathway offers a ray of light, hinting at a future where data protection and the pursuit of justice might find a harmonious coexistence.
As Thailand, like many nations, grapples with the implications of stringent data protection in an increasingly digital world, the experiences of Company XYZ serve as a cautionary tale. It reminds us that in our quest to protect personal information, we must be vigilant not to inadvertently obstruct the very systems of accountability and justice that underpin a fair and functioning society.
Key Takeaways:
The Personal Data Protection Act (PDPA) has limited banks’ willingness to share information about check signatories.
Private attorneys and plaintiffs are not exempt from data protection laws when gathering evidence before filing a case.
Banks may have legal grounds to disclose information in certain circumstances without violating data protection laws.
Balancing data protection and the pursuit of justice requires careful consideration of legal exemptions and legitimate interests.