For years after the PDPA came into force, the most frequently asked question was: “Is this law really being enforced?” That question was answered clearly in 2025, when the Personal Data Protection Committee Office (PDPC) imposed administrative fines totaling THB 21.5 million in Thailand’s first real enforcement case.
This article analyzes what happened, why penalties were imposed, and the lessons every organization should apply.
What happened
This case began with a data breach in which a large volume of customers’ personal data was exposed externally. The leaked data included full names, phone numbers, email addresses, and transaction information. The data was later published and traded on the dark web, and many data subjects subsequently became targets of phone and SMS scams.
Who was fined
The organization subject to enforcement was a large private company processing significant volumes of customer personal data. The PDPC launched an investigation after receiving complaints from multiple data subjects and found several violations of the PDPA.
Why the organization was fined — 5 key issues
1. Inadequate security measures
The PDPC found that the organization failed to implement appropriate security measures as required under Section 37(1). The systems used to store personal data had security weaknesses that should have been identified and remediated earlier. There was no adequate data encryption, access controls were weak, and there was no effective intrusion detection system.
2. Failure to notify the breach within 72 hours
The organization knew that a data breach had occurred but did not notify the PDPC within 72 hours. This delay had a direct impact on data subjects, who were denied the opportunity to protect themselves promptly, whether by changing passwords or being alert to fraudsters.
3. Failure to notify affected data subjects
This issue was directly linked to the previous one. The breach posed a high risk to the rights and freedoms of data subjects, yet the organization still failed to notify them without delay, as required under Section 37(4).
4. Outdated RoPA and Data Inventory
When the PDPC requested to review the RoPA, it found that the documentation did not reflect the actual processing taking place. The Data Inventory was also unclear. As a result, the organization could not quickly determine the scope of the breach.
5. Failure to respond to data subject requests (DSRs) within the required timeframe
After the data breach became public, many data subjects submitted requests to access and delete their data. The organization was unable to respond within 30 days because it lacked a structured DSR process.
Breakdown of the THB 21.5 million fine
The total administrative fine of THB 21.5 million was the sum of separate fines for multiple violations. Under the PDPA, each violation carries an administrative fine of up to THB 5 million, so when several violations are found together the total can become very substantial.
What organizations must understand is that this amount represents only the administrative fine. It does not include:
- Civil damages that data subjects may claim through litigation (with no statutory cap)
- Criminal penalties for executives who were involved or knowingly complicit, which may include imprisonment of up to 1 year and/or a fine of up to THB 1 million
- Reputational damage, which may be impossible to quantify in monetary terms
What changed after this case
Organizations became more alert
This case marked an important turning point, prompting organizations nationwide to recognize that the PDPA is not merely a law on paper. It is being actively enforced, with real and painful consequences. Data protection budgets increased significantly across many organizations after this case.
The PDPC made its position clear
This enforcement action sent a strong signal that the PDPC is prepared to act seriously and will not accept excuses such as “we didn’t know” or “we didn’t have time.” More intensive enforcement can be expected in the future.
A new industry standard
This case set a new benchmark for what constitutes “appropriate security measures.” Organizations can no longer claim that having only a firewall and antivirus software is sufficient. They must implement layered, risk-based measures aligned with the sensitivity and volume of the data they process.
How to avoid this — 7 actions to take now
Review your security before someone else does
Conduct a security assessment to identify vulnerabilities before attackers do. Review encryption, access control, logging, patch management, and vulnerability scanning. This is the most fundamental step, yet it was one of the core failures in this case.
Incident response plan — rehearse first, don’t improvise during a crisis
If you wait until a breach occurs to decide who does what, it is already too late. You need a plan that clearly defines responsibilities, timelines, and response procedures, and it should be tested at least twice a year.
Prepare your 72-hour notification templates in advance
When a real incident occurs, the 72-hour window closes faster than most organizations expect. If you have to start drafting a notification to the PDPC from scratch, you may already be too late. Ready-to-use templates for notifying both the PDPC and affected data subjects can make a major difference.
RoPA and Data Inventory must be genuinely updated, not created once and forgotten
Many organizations hired consultants to prepare their RoPA when the law first came into effect, then never touched it again. When the PDPC requested to review it, the records no longer matched actual processing activities. Review and update these documents at least every 6 months, or whenever processing changes.
Build a real, structured DSR process
Data subjects have the legal right to request access to, correction of, or deletion of their data, and organizations must respond within 30 days. Without a clear intake channel and a system for tracking request status, organizations risk missing deadlines—just as happened in this case.
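To make the two clocks this article keeps returning to concrete, the 72-hour PDPC breach notification and the 30-day DSR response, here is an added Python example that keeps both kinds of obligation in one register with an audit trail and flags anything that was missed or is about to be. It is illustrative code written for this article, not PrivacyHub's or the PDPC's; the register layout, statuses, reference numbers and dates are constructed assumptions.

```python
"""PDPA deadline register: 72 h to notify the PDPC, 30 days to answer a DSR."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

BKK = timezone(timedelta(hours=7))  # Thailand standard time, no DST
WINDOWS = {  # statutory response windows cited in the article
    "pdpc_breach_notification": timedelta(hours=72),  # Section 37(4)
    "dsr": timedelta(days=30),                        # access/deletion requests
}

def bkk(*parts: int) -> datetime:
    """Timezone-aware Bangkok timestamp from (year, month, day[, hour, minute])."""
    return datetime(*parts, tzinfo=BKK)

@dataclass
class Obligation:
    ref: str                      # constructed reference, e.g. "INC-0001"
    kind: str                     # key into WINDOWS
    clock_start: datetime         # breach detected / request received
    closed_at: Optional[datetime] = None
    audit: List[str] = field(default_factory=list)  # who did what, when

    @property
    def deadline(self) -> datetime:
        return self.clock_start + WINDOWS[self.kind]

    def close(self, when: datetime, note: str) -> "Obligation":
        """Record completion with an audit-trail entry; returns self."""
        self.closed_at = when
        self.audit.append(f"{when.isoformat()} closed: {note}")
        return self

def overdue(register: List[Obligation], now: datetime) -> List[str]:
    """Refs still open past their deadline, or closed after it (a late notification)."""
    return [ob.ref for ob in register if (ob.closed_at or now) > ob.deadline]

def due_within(register: List[Obligation], now: datetime, days: int) -> List[str]:
    """Open refs whose deadline falls within the next `days` days, for daily triage."""
    limit = now + timedelta(days=days)
    return [ob.ref for ob in register
            if ob.closed_at is None and now <= ob.deadline <= limit]

def sample_register() -> List[Obligation]:
    """Constructed sample data, not taken from any real case."""
    breach = Obligation("INC-0001", "pdpc_breach_notification", bkk(2025, 3, 1, 9, 0))
    breach.close(bkk(2025, 3, 5, 10, 0), "PDPC notified")  # more than 72 h after detection
    open_dsr = Obligation("DSR-0042", "dsr", bkk(2025, 3, 10))
    done_dsr = Obligation("DSR-0043", "dsr", bkk(2025, 3, 12)).close(bkk(2025, 3, 20), "copy sent")
    return [breach, open_dsr, done_dsr]
```

Running `overdue(sample_register(), bkk(2025, 4, 8))` flags the constructed breach record because it was closed after its 72-hour deadline, which is the same failure pattern the case above turned on; `due_within(..., 3)` surfaces the open DSR whose 30 days are about to run out.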
Train employees — everyone who handles data, not just IT
A common misunderstanding is that PDPA compliance is only an IT or legal issue. In reality, every employee who handles personal data must understand what is permitted and what is not.
Use the right tools — not Excel
Managing PDPA compliance through Excel spreadsheets and email is not sufficient for organizations processing large volumes of data. You need a systemized platform with verifiable audit trails and the ability to demonstrate to the PDPC that compliance activities are actually being carried out.
The most expensive lesson is the one you did not have to learn yourself
A THB 21.5 million fine is a very high price for a lesson that could have been avoided. Smart organizations learn from the mistakes of others instead of waiting to become the next case.
PrivacyHub is a Privacy Governance Platform that helps organizations manage PDPA compliance end to end through 6 modules covering every area the PDPC reviews—from Consent Management, DSR Management, Data Inventory, and RoPA to Breach Management and Vendor Management. It does not store actual personal data (Zero PII Storage), retaining only metadata and audit trails. This helps reduce risk while strengthening your ability to demonstrate compliance to the PDPC.
Don’t let your organization become the next case. Get started today at enersys.co.th/en/products/privacyhub