October 2024
Thailand’s Personal Data Protection Committee (“PDPC”) has issued what is believed to be its first fine for violation of the Personal Data Protection Act (“PDPA”). The fine, estimated to be the Thai Baht equivalent of just under Euro 200,000, is substantial from a Thai market perspective.
The circumstances for the relatively high fine suggest that the violating data controller displayed slipshod compliance with the PDPA. For example, the data breach was not reported within the 72-hour requirement of the PDPA, and the violating party had no data protection officer.
Further, the data breach was material insofar as more than 100,000 personal data records were breached, and the violator provided insufficient explanation as to how the security breach would be rectified.
Additionally, numerous complaints were made by data subjects to the PDPC.
From our perspective, we believed the PDPC would eventually start issuing fines after a few years of establishing its internal customs and practices and would start issuing fines in relatively smaller amounts.
Based on the circumstances of the PDPA breach mentioned above and the fine issued in the above case, the PDPC is taking a more assertive approach to enforcing the PDPA than initially anticipated.
The comments here are for general information purposes only. Nothing here should be or can be relied on as legal advice.
For any questions, you may contact Formichella & Sritawat at [email protected]
© Formichella & Sritawat Attorneys at Law