Case Study of PDPA Enforcement: 5 personal data breach cases with total penalties THB 14.5m
2025.10.31
In August 2025, the Personal Data Protection Committee (PDPC) announced that the PDPC had levied fines on data controllers and data processors involved in 5 new personal data breach cases in 2025. The total amount of penalties is over 14.5 million Thai baht (approximately 67 million yen).
The administrative penalties in all 5 cases

More details of each case are as follows:
1. A government agency and its system developer
A government agency providing services to the public through a web application developed by the system developer was attacked, resulting in the personal data of over 200,000 citizens being leaked and illegally posted for sale on the Dark web. Most of the leaked personal data belonged to elderly individuals, and they may not have been aware of the data breach; thus, there is no claim for damages in this case.
- Non-compliance issues:
(1) The government agency, as the data controller, failed to provide appropriate security measures and failed to enter into a Data Processing Agreement (DPA) with the system developer.
(2) The system developer, as the data processor, failed to provide appropriate security measures and failed to protect against the risk of data leakage, even though it had not obtained a DPA from the government agency requiring it to do so.
- Penalty:
- The government agency was fined THB 153,120.
- The system developer was fined THB 153,120.
2. A private hospital and an individual as a data processor
Over 1,000 copies of medical records containing sensitive data were leaked during the destruction process when a private hospital outsourced the disposal of medical records to an individual. Instead of being disposed of, the medical records were sold and used as paper bags to wrap snacks, and then a picture of the paper bag was posted on the Internet.
- Non-compliance issues:
(1) The private hospital, as the data controller, failed to monitor or oversee the destruction process of its data processor.
(2) The outsourced individual, as the data processor, failed to implement the agreed procedures to destroy the personal data, and failed to notify the private hospital of the incident when the personal data was leaked.
- Penalty:
- The private hospital was fined THB 1,210,000.
- The individual was fined THB 16,940.
3. An IT product sales company with the highest penalties
A company selling computers and equipment leaked its customers’ personal data; as a result, the customers were called and deceived by a gang of scammers. However, the sufferers did not receive any compensation from the company.
- Non-compliance issues:
(1) Failure to provide appropriate security measures;
(2) Failure to report to the PDPC on the personal data breach incident; and
(3) Failure to appoint a Data Protection Officer (DPO) when falling into the requirement.
- Penalty:
- The company was fined THB 7,000,000 for all 3 non-compliances.
4. A cosmetics company
A company selling cosmetics leaked its customers’ personal data and caused the customers to be called and deceived by a gang of scammers.
- Non-compliance issues:
(1) Failure to provide appropriate security measures; and
(2) Failure to report to the PDPC on the personal data breach incident.
- Penalty:
- The company was fined THB 2,500,000 for 2 non-compliances.
5. A toy company and its system developer
A company sold toys through a reservation system developed by a system developer. The system was hacked, resulting in a personal data breach incident. The company compensated the sufferers for the damage, while the system developer did not take any action for the compensation.
- Non-compliance issues:
(1) The toy company, as the data controller, failed to put in place appropriate security measures.
(2) The outsourced system developer, as the data processor, failed to provide appropriate security measures.
- Penalty:
- The toy company was fined THB 500,000.
- The individual was fined THB 3,000,000.
Lessons learned from the cases
1. Penalty for both data controller and data processor
There has been a noticeable number of cases where personal data was leaked due to security deficiencies in the systems of data processors or their improper handling of information. While it is natural that data processors with inadequate security measures are penalized, data controllers who outsourced to them have also been subject to penalties. This indicates the need not only to strengthen one’s own security measures but also to ensure and supervise the security framework across the entire supply chain, including outsourcing partners.
2. Keys for the consideration of issuing administrative fine orders
The Notice of the PDPC re the Criteria for Considering the Issuance of Administrative Fines Orders of the Expert Committee B.E. 2568 (2025) (the “Notice”), published in the Royal Gazette on 23 April 2025[1], specifies the factors that the expert committee will take into account when determining administrative fines, including the following.
- The business scale of a data controller or a data processor
- A data controller or data processor’s security standards for personal data upon a breach occurring
- Remediation and mitigation of damage that are carried out by a data controller or a data processor upon becoming aware of the cause of the breach
- Compensation to relieve the damage arising to data subjects
Based on the published cases, the following trends can be observed:
(i) large-scale businesses tend to receive higher fines compared to smaller businesses or individuals; and
(ii) authorities tend to impose heavier penalties on businesses that refuse to compensate the victims.
In conclusion, the lessons learned from the latest administrative fines are as follows:
- Both a data controller and a data processor have an obligation to put in place appropriate security measures to protect personal data and prevent a personal data breach for any reason.
- In the event of a personal data breach, the implementation of necessary measures to remedy damage and compensate sufferers for the damages may help to mitigate the administrative fines, depending on the consideration of the expert committee.
The PDPC continues to investigate several pending cases, demonstrating the seriousness of its supervision. Therefore, it would be better for companies subject to the PDPA to review and ensure their compliance with the PDPA, particularly their security measures against a personal data breach.
Authors:
Monchai Varatthan
Shota Sugiura
Marin Viriyapongpanich (Lin)
[1] Please find the full Thai version here. The Notice repeals the previous notice regarding the criteria for considering the issuance of administrative fines orders of the expert committee announced in 2022, and the second amendment announced in 2024.