
Thailand PDPA Just Went Real: 5 Cases, THB 21.5M in Fines, and the Pattern Every Business Must See

On 1 August 2025, Thailand's PDPC announced 8 administrative fines across 5 cases totaling roughly THB 21.5M — closing the "awareness" era and opening the "active enforcement" era. Here is what happened in each case, the pattern behind the fines, and what every Thai business must do before the next quarter.

11 Apr 2026 · 13 min read

Tags: PDPA · Data Privacy · Thailand · Compliance · Enforcement · PDPC · Data Protection

Quick summary

If you still think PDPA is "a documentation exercise" or "something the PDPC isn't serious about yet" — read this article to the end.

On 1 August 2025, Thailand's Personal Data Protection Committee (PDPC) announced 8 administrative fines across 5 cases totaling roughly THB 21.5 million — a clear shift from awareness-building to active enforcement.

In late November 2025, the PDPC ordered Worldcoin/World (the iris-scan crypto service) to halt operations in Thailand and delete biometric data belonging to roughly 1.2 million users — a message that no company is too big, too global, or too well-funded to be beyond reach.

In this article we will walk through:

  1. All 5 cases in detail — who got fined, how much, and why
  2. The failure patterns that repeat across every case (spoiler: it is not "no privacy policy")
  3. A 5-step action plan every Thai business must start this quarter

Let's go.


Why 2025 was the turning point

Thailand's PDPA came into full force on 1 June 2022, but for the first three years the PDPC chose to operate in "warn and educate" mode rather than enforce.

The result was predictable — most Thai businesses did three things and stopped:

  1. Published a privacy policy on their website
  2. Added a cookie banner
  3. Waited to see who would get fined first

In 2025, the PDPC answered that question — loudly. Everyone who was waiting is now the next target.

What's striking is that the announced cases are not the mega-corporations everyone expected. They include a state agency, a private hospital, a technology retailer, a cosmetics company, and a collectible toy retailer — every size, every sector.


The 5 cases that changed the game

Case 1 — State agency (two fined parties)

Fine: approximately THB 153,120 (~USD 4,700) for each of the state agency and its service provider

Data exposed: personal data of approximately 200,000 individuals

What went wrong:

  • Engaged an unqualified service provider
  • No valid Data Processing Agreement in place
  • Inadequate security measures

Lesson: State agencies are not exempt — and outsourcing does not transfer liability. You remain the data controller, and you remain fully accountable.

Case 2 — Private hospital

Fine: THB 1,210,000 (~USD 37,300) for the hospital, plus THB 16,940 for an individual involved

Data exposed: medical records of 1,000+ patients

What went wrong:

  • Improper disposal of physical patient records by a third-party contractor — documents were discarded in a readable state
  • No meaningful oversight of a vendor handling sensitive data

Lesson: Health data is sensitive data under PDPA Section 26 — penalties and risk are meaningfully higher. And physical destruction is part of the data lifecycle — it needs controls, contracts, and audit trails.

Case 3 — Technology retailer (the largest single fine)

Fine: THB 7,000,000 (~USD 215,680) — the largest single fine in this announcement

What went wrong:

  • Inadequate security measures
  • No Data Protection Officer appointed, despite meeting the legal threshold
  • Failed to notify the PDPC of a data breach within the required timeframe (72 hours)

Lesson: This is the clearest signal in the whole batch of what the PDPC weighs most heavily. Inadequate security measures, failure to appoint a required DPO, and failure to notify the PDPC are three separate violations under the PDPA, each carrying its own administrative fine, and the fines stack. Stacking "no DPO" and "no breach report" on top of the security failure is what pushed this case into seven figures, not the breach itself.

Case 4 — Cosmetics company

Fine: THB 2,500,000 (~USD 77,030)

What went wrong:

  • Inadequate security measures
  • Failed to notify the PDPC when a breach occurred

Lesson: SMEs are not exempt, and "wait and see before reporting" is the most expensive decision in the playbook. A missed notification is a separate violation with its own administrative fine, stacked on top of the security failure, so reporting on time removes an entire component of the penalty.

Case 5 — Collectible toy retailer

Fine: THB 500,000 for the retailer + THB 3,000,000 for its service provider

What went wrong:

  • Outsourced the reservation system to a service provider without appropriate security controls
  • No due diligence on the provider before handing over customer data

Lesson: This is the only case in the batch where the processor was fined more heavily than the controller — a clear signal that the PDPC is willing to go after the full supply chain, not just the data owner.


Bonus case — Worldcoin / World (November 2025)

Not part of the 1 August announcement, but too important to skip.

In late November 2025, the PDPC ordered Worldcoin/World — the iris-scan-for-crypto service associated with Sam Altman — to halt operations in Thailand and delete biometric data belonging to approximately 1.2 million users.

Key points:

  • Iris data is biometric data, the highest tier of sensitive data
  • Consent obtained by exchanging data for tokens was interpreted as not freely given
  • This was the first time the PDPC exercised its power to order a service to stop operating, not just to fine it

Lesson: The PDPC is willing to use its structural powers, not just its financial ones. For any business whose model depends on sensitive data, this is a very loud warning shot.


The repeating pattern — what the PDPC cares about most

Lay the 5 cases side by side and three patterns emerge immediately.

1. Third-party failures — 3 out of 5 cases

Cases 1, 2, and 5 all started with a third-party service provider — document destruction, IT services, reservation system vendor.

The PDPC's message is unambiguous: outsourcing does not transfer liability. You must do vendor due diligence, have real Data Processing Agreements, and monitor actual practice — not just paperwork.

2. Breach reporting failures — 2 out of 5 cases

Cases 3 and 4 represent THB 9.5 million in combined fines, and both share the same failure: not notifying the PDPC in time.

PDPA Section 37(4) requires a data controller to notify the PDPC of a breach that is likely to pose a risk to data subjects' rights and freedoms without delay and, where feasible, within 72 hours of becoming aware of it; where the risk is high, the affected data subjects must be notified as well. This is a bright-line rule: easy to check, painful to fail.

3. "Documentation alone is not sufficient"

That phrase comes from the international legal analysis of these cases — and it summarises the entire batch in one sentence.

The PDPC is not asking "do you have a privacy policy?" The PDPC is asking "do you have real technical, organisational, and administrative safeguards that actually work?"

The gap between "we have a policy" and "we follow the policy" is exactly where fines live.


The 5-step action plan (to start this quarter)

1. Map every piece of personal data you hold — for real

Not just "customer records in the main database." Include spreadsheets on employee laptops, log files, backup tapes, physical documents, Line chats containing ID cards, shared Google Drives.

If you don't know where the data is, you cannot protect it — and you cannot file a breach notification inside 72 hours.
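Data mapping is only useful if it finds the copies nobody declared. As an added example (not code from the original article, and not Enersys's tooling), here is a small Python scanner that walks free text such as a chat export or a CSV dump, finds Thai national ID numbers, Thai mobile numbers and e-mail addresses, validates the ID check digit so that order and tracking numbers that merely look like IDs are dropped, and produces a per-source count rather than a copy of the raw values (an inventory that stores the data it found is just another breach waiting to happen). The file names, chat lines and customer rows are constructed sample input; the Thai ID checksum rule (weights 13 down to 2 over the first twelve digits, mod 11) is the published one.

```python
"""Minimal PII discovery scanner for PDPA data mapping (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Thai national ID: 13 digits, optionally grouped as 1-2345-67890-12-3.
THAI_ID_RE = re.compile(r"(?<!\d)(\d[- ]?\d{4}[- ]?\d{5}[- ]?\d{2}[- ]?\d)(?!\d)")
# Thai mobile: 0[689] or +66[689] followed by 8 digits, separators tolerated.
THAI_MOBILE_RE = re.compile(r"(?<!\d)(?:\+66|0)[689](?:[- ]?\d){8}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def thai_id_checksum_ok(digits: str) -> bool:
    """Validate the mod-11 check digit of a 13-digit Thai national ID.

    Weights 13..2 over the first 12 digits; check = (11 - sum % 11) % 10.
    """
    if len(digits) != 13 or not digits.isdigit():
        return False
    total = sum(int(d) * (13 - i) for i, d in enumerate(digits[:12]))
    return (11 - total % 11) % 10 == int(digits[12])


@dataclass
class Finding:
    source: str    # where the data lives: file, chat export, table
    line_no: int
    kind: str      # "thai_id", "thai_mobile" or "email"
    masked: str    # redacted form; the inventory never stores the raw value


def mask_digits(value: str) -> str:
    """Keep only the last three digits so a finding is traceable but not reusable."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 3) + digits[-3:]


def scan_text(source: str, text: str) -> list[Finding]:
    """Return one Finding per PII hit in `text`, line by line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in THAI_ID_RE.finditer(line):
            digits = re.sub(r"[- ]", "", m.group(1))
            if thai_id_checksum_ok(digits):  # checksum filters look-alike numbers
                findings.append(Finding(source, line_no, "thai_id", mask_digits(digits)))
        for m in THAI_MOBILE_RE.finditer(line):
            findings.append(Finding(source, line_no, "thai_mobile", mask_digits(m.group())))
        for m in EMAIL_RE.finditer(line):
            local, _, domain = m.group().partition("@")
            findings.append(Finding(source, line_no, "email", local[0] + "***@" + domain))
    return findings


def inventory(sources: dict[str, str]) -> dict[str, Counter]:
    """The 'where is the data' table: per source, how many hits of each kind."""
    return {src: Counter(f.kind for f in scan_text(src, txt)) for src, txt in sources.items()}


# Constructed sample inputs standing in for a Line chat export and a CSV dump.
# 1-1001-01234-56-0 passes the checksum; 1234567890128 does not (the valid
# check digit for that prefix is 1), so it is treated as a tracking number.
SAMPLE_SOURCES = {
    "line_chat_export.txt": (
        "2025-08-01 09:12 Somchai: here is my ID 1-1001-01234-56-0 for the booking\n"
        "2025-08-01 09:13 Staff: got it, call you on 081-234-5678\n"
        "2025-08-01 09:14 Somchai: tracking no. 1234567890128 arrived yet?\n"
    ),
    "customers_export.csv": (
        "id,name,email,phone\n"
        "1,Malee,malee@example.co.th,+66891234567\n"
        "2,Anan,anan@example.com,0912345678\n"
    ),
}

if __name__ == "__main__":
    for src, counts in inventory(SAMPLE_SOURCES).items():
        print(src, dict(counts))
    for finding in scan_text("line_chat_export.txt", SAMPLE_SOURCES["line_chat_export.txt"]):
        print(finding)
```

Run it over a real export directory by feeding file contents into `inventory`; the output is the starting point for the data map in step 1 and for the 72-hour question "which sources are affected", and because only masked values are kept the report itself can be shared with the DPO without creating a new copy of the personal data.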

2. Audit every vendor contract — seriously

For every vendor that touches your personal data (CRM, email marketing, payroll, cloud backup, reservation systems, anything):

  • Is there a signed Data Processing Agreement?
  • Does the DPA clearly assign breach-notification responsibilities?
  • Have you done diligence on their security capability?
  • Do you have audit rights?

Three of the five cases started here. This is the highest-ROI step in the plan.

3. Appoint a DPO (or a DPO-as-a-Service)

Under PDPA Section 41, appointing a DPO is a legal requirement if you are a public authority, if your collection, use or disclosure of personal data requires regular monitoring of the data or the system because of its large scale, or if your core activity is processing sensitive personal data under Section 26. The duty applies to data processors as well as controllers.

Case 3 (THB 7M) was hit so hard partly because no DPO existed. That fine is larger than multiple years of DPO salary, many times over.

4. Build an incident-response playbook — and rehearse it

When a real breach happens, you don't have time to think. You only have time to execute what you've already rehearsed.

The playbook must answer:

  • Who is the incident commander?
  • What is the internal communication channel?
  • Who authorises the PDPC notification?
  • Where is the notification template?
  • When does the 72-hour clock start?

Rehearse at least twice a year.

5. Start a gap assessment now — don't wait for an inspection

Knowing your gaps before the PDPC does is orders of magnitude cheaper than learning them afterwards.

A good gap assessment is not a checklist. It is an honest answer to one question: "If we had a breach today, would we survive it?"


For the Enersys team — what we prepared

To be clear up front: Enersys is a Software House specialising in Odoo ERP, Enterprise AI, and Data Privacy (PDPA). Privacy is not an add-on we tacked on because it's trending — it has been one of our three core pillars since day one.

We won't walk through our full methodology here (it's the team's competitive moat), but we can share how we think about it:

  • We don't treat PDPA as a documentation problem — we treat it as a data architecture problem. When your ERP is designed well, data minimisation, retention, and consent tracking happen by default, not as extra work bolted on at the end
  • Every Odoo project we deliver maps PII during the discovery phase — we don't wait for a compliance team to come back later and bolt things on
  • For clients with large vendor footprints, we help build a third-party risk framework that aligns with both PDPA and ISO 27001 — because 3 of the 5 fined cases started in the vendor chain
  • For AI and analytics work, we design for privacy-by-default from day one, not as a retrofit — pulling production data into a model training pipeline without safeguards is an anti-pattern we refuse to build
  • For incident readiness, we help clients set up and rehearse the playbook — because a playbook you haven't rehearsed is not a playbook

We see PDPA as a competitive advantage, not a cost centre. Clients with stronger compliance posture win bigger deals, earn enterprise trust faster, and don't lose sleep waiting for a notification from the PDPC.


Takeaways

  1. The "awareness" era is over — in 2025 the PDPC fined THB 21.5M across 5 cases
  2. 3 of 5 fines started with third parties — outsourcing doesn't transfer liability
  3. 2 of 5 fines were amplified by failure to report the breach in 72 hours
  4. The largest single fine (THB 7M) was driven by no DPO + no breach report — not the breach itself
  5. SMEs are not exempt — cosmetics and toy retailers got hit hard
  6. The Worldcoin case shows the PDPC is willing to order service shutdowns, not just fines

What to do this quarter: data mapping, vendor contract audit, appoint a DPO, build an incident playbook, run a gap assessment.

What not to do: wait to see who gets fined next, because that is exactly what the five organisations above did.

If you want to talk about how your ERP and workflows can be architected so that compliance happens by default — our team is happy to chat.


Sources

This article is the Enersys team's analysis of PDPA enforcement impact on Thai businesses — all figures and facts are drawn from the sources listed above. This is not legal advice.
