“A major private company in Thailand has been fined in the first administrative-liability order issued under the PDPA, after the Second Expert Committee of the PDPC issued an official order.”
August 31, 2024 – Second Expert Committee (Complaints related to digital technology and other matters)
The Personal Data Protection Committee (PDPC) issued an order dated July 31, 2024, requiring the private company to strictly comply with the Personal Data Protection Act. The order specifies administrative liability under the PDPA, with total fines of 7,000,000 baht.
What happened: the private sector and personal data protection
Previously, a major online retailer in Thailand experienced a massive personal data breach. This resulted in unauthorized use of customers’ personal data, causing harm to Data Subjects. The incident gained widespread attention on social media, and the company was summoned to give a statement to the Personal Data Protection Committee (PDPC).
An investigation confirmed that the leaked data included customers’ purchase records and personal information, and that there had been multiple violations of the PDPA.
The PDPC has gathered evidence related to the violations and submitted it to the Expert Committee for consideration of administrative liability.
Details of administrative liability and fines
The Second Expert Committee (Complaints related to digital technology and other matters) officially ordered administrative fines against the company under the Personal Data Protection Act B.E. 2562 (PDPA) and its subordinate regulations on three counts, as follows:
1. Failed to appoint a Data Protection Officer (DPO) – 1,000,000 THB
The company qualifies as a large-scale enterprise whose collection, use, or processing of personal data is a ‘core activity of the Data Controller’, through nationwide product distribution. Because it holds a large volume of customer personal data (100,000 records or more), it falls under the legal requirement to appoint a Data Protection Officer (DPO) in accordance with Section 41 (2) of the PDPA.
2. Failed to implement appropriate Data Security Measures – 3,000,000 THB
The company failed to implement Data Security Measures that meet the minimum legal standards or that were effective enough in practice, violating Section 37 (1) of the PDPA. This allowed the personal data breaches to continue.
In addition, the company lacked key security controls, including:
Access Control
Authorization
3. Failed to report the data breach incident – 3,000,000 THB
When a data breach occurs, the company is required to notify the PDPC within 72 hours of becoming aware of the incident. Additionally, if the breach is assessed to affect the rights of Data Subjects, the company must also inform the affected individuals, as mandated by Section 37 (4) of the PDPA.
Apart from the administrative fine, the official announcement outlines further compliance measures ordered by the Expert Committee, including:
Improving Data Security Measures to prevent future incidents.
Conducting training sessions for employees involved in accessing, collecting, using, or disclosing personal data.
Updating Data Security Measures to keep pace with evolving technologies.
Providing progress updates to the PDPC within 7 days.
Failure to comply with these directives may result in an additional fine of up to 500,000 baht, in accordance with Section 89 of the PDPA.