
In August 2024, a Thai company operating in the retail sector was found to be in violation of the Personal Data Protection Act B.E. 2562 (“PDPA”), which resulted in the leak of its customers’ personal information. It was alleged that the personal data was leaked to fraudulent call centers and that many of the company’s customers were affected. The Personal Data Protection Committee (“PDPC”) took a landmark step towards enforcement against the company following the filing of a number of complaints from affected data subjects.
The company was fined by the PDPC on the following grounds:
It failed to appoint a Data Protection Officer
The company was deemed to be a data controller under the PDPA and, given that it processed the personal data of over 100,000 customers for marketing purposes, the processing of personal data was considered to be one of the company’s core activities. Therefore, it was required to appoint a Data Protection Officer (“DPO”) under section 41(2) of the PDPA. However, the company failed to appoint a DPO within the required timeframe, doing so only after a personal data breach had occurred.
It had inadequate security measures
As a data controller, the company was required to implement adequate security measures as prescribed by the PDPC. Upon investigation, it was revealed that the company’s employees across different departments had unregulated access to customer data.
It did not notify of the breach
The company was a data controller and was required to make the following notifications:
1) Notify the PDPC when a personal data breach poses a risk to the rights and freedom of the relevant persons.
2) Notify the PDPC as well as the affected data subjects when a personal data breach poses a ‘high risk’ to the rights and freedom of the relevant persons.
The company was required to make the notification to the relevant stakeholders within 72 hours of becoming aware of a personal data breach, but had failed to do so. In fact, it was revealed that the company had been aware of the data breach since 2020 but did not take corrective action.
What was the penalty?
1) For failing to appoint a DPO in accordance with section 41(2) of the PDPA the company was fined 1 million Baht.
2) For failing to put in place adequate security measures as required by section 37(1) of the PDPA the company was fined 3 million Baht.
3) For failing to notify the PDPC and the affected data subjects of the personal data breach in accordance with section 37(4) of the PDPA the company was fined 3 million Baht.
In total, the company was fined 7 million Baht for the three violations. Additionally, it was ordered to take a series of other actions, including rectification of its security measures and notification of the affected data subjects, and to report its progress to the PDPC within the prescribed time.
Given the above, companies should ensure strict compliance with the PDPA, as this landmark case sets a benchmark for the PDPC in subsequent enforcement cases.
Have questions regarding PDPA compliance?
Contact: info@rattananpartners.com

