On 21 August 2024, the Office of the Personal Data Protection Committee (“PDPC”) imposed an administrative fine on a major private company specializing in computer and electronic device sales through online channels. The fine was issued due to the company’s negligence, which led to a significant personal data breach affecting its customers. The PDPC cited the company’s inadequate security measures, failure to report the breach within the required timeframe, and lack of a designated Data Protection Officer (“DPO”) as the reasons for the fine.
The PDPC’s expert committee imposed the administrative fine, totaling THB7,000,000 on the following grounds of non-compliance with the Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”):
- Non-compliance with Section 41 of the PDPA: The company did not appoint a DPO as mandated by law. When the data leak occurred, the company was unable to address the issue effectively. As a result, the company is subject to a fine of THB 1,000,000;
- Non-compliance with Section 37(1) of the PDPA: The company failed to implement appropriate security measures, leading to a major data breach involving call center gangs. Consequently, the company is subject to a fine of THB 3,000,000; and
- Non-compliance with Section 37(4) of the PDPA: Despite receiving complaints from 23 customers, the company ignored these issues and failed to notify the PDPC of the incidents within the required 72-hour timeframe. As a result, the company is subject to a fine of THB 3,000,000.
Due to the aforementioned issues, the company was ordered to enhance its security measures as soon as possible to prevent future personal data breaches or violations. This involves implementing organizational, technical, and physical measures to address vulnerabilities in its internal data management systems. As part of the order, the company must report the results of these corrective actions to the PDPC, to the PDPC's satisfaction, within 30 days of receiving the order.
Additionally, the company must promote personal data protection and security awareness among its personnel, employees, and officers involved in accessing, collecting, using, or disclosing personal data.
As this is the first fine of its kind in Thailand, it is notable that Thai regulators are taking a strong stance on enforcing security breach regulations. This development is a positive step for industry confidence, reinforcing trust in Thailand's commitment to data protection at a time when the global economy's reliance on IT security systems and technologies is at an all-time high. Foreign investors are likely to view this regulatory enforcement favourably, seeing it as a sign of a robust legal framework. Existing businesses should take this opportunity to revisit and strengthen their internal processes to ensure full compliance with data protection laws and to minimize the risk of violations moving forward.
Further information
Should you have any questions on how this article may affect you or your business, please get in touch with the following persons: