Thai Companies Fined for Violating Data Protection Rules
- Kit Amatyakul
The Personal Data Protection Committee in Thailand (“PDPC”) has significantly intensified its enforcement of Thailand's Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). On 1 August 2025 it announced eight new administrative fines in five cases of non-compliance by public and private entities.
The total amount imposed to date is approximately THB 21.5 million (USD 654,690), underscoring the financial risk tied to PDPA violations. Organizations subject to the PDPA should promptly assess their compliance and prepare for future enforcement actions.
Below is a brief summary of the five cases:
- State agency: A cyberattack on a state-run web application led to the leak of 200,000 records containing personal data. Both the agency and its developer were fined THB 153,120 (USD 4,670) for lacking privacy-by-design and breach-prevention protocols.
- Private hospital: Medical records were mishandled by a contractor engaged by a private hospital to destroy documents, and more than 1,000 records were leaked during the destruction process. The contractor also failed to notify the hospital of the breach. The hospital was fined THB 1.21 million (USD 36,880) and the contractor THB 16,940 (USD 510).
- Technology retailer: A data breach at a technology retailer led to scam calls affecting more than 100 individuals. The company was fined THB 7 million (USD 213,380) for lacking adequate security measures, failing to report the breach and not appointing a Data Protection Officer (DPO). The company's revenue and size were taken into account when setting the fine.
- Cosmetics company: A cosmetics company failed to implement the security measures required by the PDPA, leading to a data breach that enabled scam operators to contact its customers. The company was fined THB 2.5 million (USD 76,210) for failing to notify the PDPC of the breach and for inadequate technical and organizational safeguards. The company did, however, provide remedial action for the affected data subjects.
- Toy retailer: The company engaged a processor to manage its reservation system. The third-party processor failed to contain a data breach and did not notify the company that a breach had occurred; 200,000 personal data records were altered without authorization. The processor was fined THB 3 million (USD 91,450) and the company THB 500,000 (USD 15,240).
The five cases reflect three common failures that led to the administrative fines, namely:
- Lack of appropriate security measures, or failure to review such measures regularly;
- Failure to report data breach incidents;
- Failure to appoint a Data Protection Officer (DPO).
The recent enforcement actions show that every organization is required to comply with the PDPA; there is no exemption. Both public and private entities are subject to real inspections and severe penalties, and compliance is no longer merely a matter of paperwork. The PDPC has reiterated its “zero data breach” objective. Organizations subject to the PDPA should review their data protection framework without delay, close any compliance gaps, and be ready for future enforcement actions.