On August 21, 2024, Isranews reported that the website https://pdpathailand.com/ published news about a decision by the Personal Data Protection Committee (PDPC) on July 31, 2024. The committee issued an order requiring a private company to comply strictly with data protection laws, imposing administrative penalties and fines totaling up to 7,000,000 THB. This action followed a major leak of personal data from a large e-commerce company, which led to misuse of customer information and significant damage reported on social media. The company was summoned to clarify the violations to the PDPC, which found that customer purchase data and personal information were indeed compromised, and there were multiple deficiencies in compliance with the Personal Data Protection Act (PDPA).
The order imposed fines on the company under the Personal Data Protection Act, B.E. 2562 (PDPA) and related regulations in three areas:

1. Failure to Appoint a Data Protection Officer (DPO) – 1,000,000 THB
   The company, being a large enterprise handling personal data as a core activity with over 100,000 customers, was required to appoint a DPO under PDPA Section 41 (2).

2. Inadequate Security Measures – 3,000,000 THB
   The company lacked appropriate security measures for personal data as required by PDPA Section 37 (1), leading to repeated data breaches. Specific deficiencies included:
   - Lack of access control measures
   - Inadequate authorization protocols

3. Failure to Notify Data Breaches – 3,000,000 THB
   The company did not report data breaches to the PDPC within 72 hours of discovering the breach, nor did it inform affected individuals as required under PDPA Section 37 (4).
In addition to the fines, the committee ordered the company to:
- Enhance security measures to prevent data leaks.
- Conduct training for staff involved in handling personal data.
- Update security measures in line with evolving technology.
- Report progress to the PDPC within 7 days.
Failure to comply with these directives could result in additional fines up to 500,000 THB under PDPA Section 89.
Summary of Lessons from the Case: The stringent enforcement of PDPA by the Thai data protection authorities highlights the need for organizations to adhere strictly to data protection laws to avoid penalties. Failure to implement effective data protection measures not only risks substantial fines but also damages the organization’s reputation and trust with customers and stakeholders.
Businesses handling large volumes of personal data (over 100,000 individuals) must appoint a DPO, ensure robust security measures, and promptly report any data breaches to remain compliant with PDPA.