TL;DR
In the second half of 2025, Thailand's Personal Data Protection Committee (PDPC) shifted modes on enforcement. The previous emphasis on guidance and warnings gave way to penalties, and administrative fines gained a criminal-law companion.
Three events make the direction clear.
On 1 August 2025 the PDPC issued eight fines across five cases, totalling roughly THB 21.5 million, in a single day. It is the largest set of fines released on one day in the history of PDPA enforcement.
On 13 April 2025 the Emergency Decree on Measures for the Prevention and Suppression of Technology Crimes, No. 2, B.E. 2568, came into force. It introduced criminal penalties for the sale of personal data, with a maximum of five years' imprisonment and a fine of THB 500,000.
In late November 2025 the PDPC ordered TIDC Worldverse, the Thai operating agent for Sam Altman's World project (previously known as Worldcoin), to halt iris-scan services in Thailand and to delete the biometric records of 1.2 million users it had already collected.
For Thai businesses that hold personal data, the operating environment in 2026 is meaningfully different. This piece sets out the facts, the reasoning behind each enforcement action, and the questions a data controller should be ready to answer.
1 August 2025. Eight Fines, THB 21.5 Million
The PDPC published eight fines across five cases on the same day. The volume and value of fines released in a single batch had no precedent in six years of PDPA enforcement.
The five cases, with totals in baht.
- A state agency and the software developer that worked with it. THB 306,240
- A private hospital and the contractor that handled patient data on its behalf. THB 1,226,940
- A computer retailer whose data breach led to scam calls against more than 100 customers. THB 7,000,000
- A cosmetics company. THB 2,500,000
- A toy retailer and the processor that handled data for it. THB 3,500,000
The principal violations across the five cases were consistent.
- Inadequate security measures
- Failure to report the data breach within 72 hours
- Absence of a Data Protection Officer where the law required one
- Insufficient oversight of vendors handling personal data on the controller's behalf
The largest fine, on the computer retailer, was driven by downstream harm. The breach led to scam calls in which real customers lost money. The weighting suggests the PDPC is treating downstream consequences as material to penalty calculation, not only the breach itself.
Three practical takeaways for Thai businesses.
First, the absence of a DPO is no longer a theoretical risk. It is a line item with a price attached.
Second, processors and vendors handling data are an enforcement risk that controllers carry directly. Shifting liability to a vendor in a contract does not relieve the controller in the PDPC's eyes.
Third, the failure to notify a breach within 72 hours appears in nearly every case. An incident response runbook that can actually be triggered in time is worth checking now, not after the fact.
13 April 2025. The Tech Crimes Decree
Six months before the major fines batch, a different change moved the criminal-law side of the picture.
The Emergency Decree on Measures for the Prevention and Suppression of Technology Crimes, No. 2, B.E. 2568, came into force on 13 April 2025.
It introduced criminal penalties on two tiers.
For general conduct, up to one year of imprisonment or a fine of up to THB 100,000, or both.
For commercial activity involving the buying or selling of personal data, up to five years of imprisonment or a fine of up to THB 500,000, or both.
The practical reading is that anyone in the chain of trading personal data, including aggregators, buyers, and intermediaries, may face criminal exposure, not only administrative fines.
For businesses involved in data enrichment, lead generation, or the procurement of third-party data lists, the diligence on the source of data is no longer a line in vendor management. It is a question that touches personal liability for the decision-maker.
November 2025. Order to Halt Iris Scans and Delete 1.2 Million Records
In late November 2025, the PDPC ordered TIDC Worldverse, the Thai operating agent of the World project (formerly Worldcoin), to halt iris-scan services in Thailand and to delete the biometric records of 1.2 million users it had collected.
The World project, founded by Sam Altman under the name Tools for Humanity, is an identity-verification scheme that scans the iris with a device called the Orb. Participants who consented to the scan received WLD tokens as compensation.
The PDPC identified multiple problems.
Consent was not freely given. The provision of tokens served as a monetary incentive, which the regulator concluded undermined the freedom of consent that PDPA requires for the processing of sensitive data.
Transparency was insufficient. Users were not adequately informed about what their biometric data would be used for, how long it would be retained, or with whom it would be shared.
Cross-border transfers and long-term retention did not meet the requirements PDPA sets out for this category of data.
Several regulators in Germany, Spain, South Korea, Indonesia, and Brazil have issued similar orders against the same project. The PDPC referred to those positions in its reasoning.
For Thai businesses that collect biometric data, including fingerprint, facial recognition, and iris scans, three observations are worth carrying forward.
- Consent traded for a benefit with monetary value can be read as not freely given
- Transparency about purpose, retention, and third parties has to be at a level the general user can understand, not buried in legalese at the end of a privacy policy
- Cross-border transfer of biometric data requires a clear lawful basis
The Shape of PDPC Enforcement in 2026
Taken together, the three events outline a clear change in the PDPC's operating mode.
From the moment PDPA came into full force in 2022, most controllers were in a wait-and-see posture, and PDPC's early years emphasised guidance over penalty. In 2025 the posture changed.
Three characteristics define enforcement in 2025 and into 2026.
First, batch enforcement. Multiple fines published on the same day send the market a single signal, rather than penalising cases individually and quietly.
Second, downstream harm counts. Cases where end-users were harmed in measurable ways were penalised more heavily than cases that involved a breach without downstream consequences.
Third, sensitive data receives particular attention. Health, biometric, and financial data fall under heightened scrutiny.
What Data Controllers Should Review in 2026
Five areas worth reviewing this year, before the organisation becomes the next case.
DPO appointment under Section 41. Many businesses assume they are out of scope. The threshold is worth re-reading carefully, or asking a data-protection adviser.
Incident response runbook with a 72-hour clock. The runbook is not a document to file and store. It is a playbook that the team has to rehearse so it can be invoked in time. Test the alert chain, and test the channel for notifying the PDPC.
Vendor security review before integration. Vendor failures are responsible for a meaningful share of the cases the PDPC has penalised, and the controller still carries the liability.
Consent flows reviewed by a UX designer who respects the user, not designed only to maximise the rate of yes-clicks. Consent that holds up in court is consent the user actually understood.
Sensitive data audit. If the system holds biometric, health, or financial data, run a Data Protection Impact Assessment in earnest and revisit it on a 12-month cycle.
Closing
The era of warnings has passed. From 2025 the PDPC has acted in batches, penalised harm, paired its work with the criminal exposure introduced by the Tech Crimes Decree, and set firm boundaries on new categories of sensitive data such as iris scans.
For Thai businesses, the question is not whether risk exists. The question is whether the organisation is ready to answer the PDPC within 72 hours.
Enersys has worked on Data Privacy and PDPA for Thai enterprises since 2021. From that experience we have built PrivacyHub, an end-to-end privacy governance platform that brings consent management, vendor review, breach response, and DPIA into one place. We are open to a conversation with leaders who want a clear picture of where their organisation stands.
Sources
- Saeree ERP, Thailand PDPA Crackdown 2026, PDPC Issues 8 Fines and Emergency Decree. Summary of the eight fines in one day and the Tech Crimes Decree No. 2.
- Chambers and Partners, Data Protection and Privacy 2026, Thailand Trends and Developments. Practitioner guide on PDPA enforcement in Thailand.
- Hogan Lovells, Thailand Ramps Up Data Protection Enforcement. International law firm perspective on the PDPC's shift.
- Biometric Update, Thailand shuts down World iris scanning operation, orders deletion of biometrics. Report on the halt order and the 1.2 million records deletion.
- Nation Thailand, Thailand orders halt to iris-scan crypto scheme, deletes 1.2m biometric records over PDPA breaches. Coverage of the World project in Thailand and the PDPC position.
- Bangkok Post, PDPC tells firm to halt iris scan service. Official PDPC order details.
- IAPP, Thailand's PDPC clarifies data breach notification requirements. Guidance on 72-hour notification.