The PDPC Is No Longer Just Waiting for Complaints
If you still think PDPA enforcement in Thailand is mainly reactive—waiting for complaints before taking action—this news may change your view. Thailand’s PDPC has a tool called Eagle Eye Crawler, an automated PDPA violation detection system that crawls organizations’ websites and digital channels.
Put simply, the PDPC can inspect your website without your knowledge—checking whether your consent banner is compliant, what data is being collected, and whether your privacy policy is complete.
Fine Levels Are Becoming More Serious
In August 2025, the PDPC issued 8 penalty orders across 5 cases involving both public-sector and private-sector entities, totaling approximately THB 21.5 million.
That may not sound significant compared with GDPR fines, but these points matter:
- This is only the beginning — The PDPC has only recently begun enforcing the law more seriously, and penalties are likely to increase over time.
- Reputational damage can exceed the fine itself — Organizations that are penalized often become newsworthy, which can undermine customer trust more than the monetary penalty.
- Executives may bear personal liability — PDPA penalties do not apply only to companies; responsible executives may also face personal consequences.
Industries Under Closer Scrutiny
Based on current enforcement trends, the PDPC appears to be paying particular attention to these sectors:
- E-commerce — Customer data collection and personalized marketing
- Healthcare — Health data is sensitive personal data and carries heightened compliance risk
- Telecommunications — Large customer databases create elevated exposure
- Government agencies — Massive volumes of citizen data are subject to stricter review
In reality, however, any organization that collects personal data falls within scope, regardless of size.