From legislative promise to active enforcement, Thailand's Personal Data Protection Act B.E. 2562 (2019) (as amended) ("PDPA") has reshaped how businesses and individuals think about privacy. Here is a quick visual timeline of the PDPA's evolution and key developments throughout the years.
2019: PDPA Enacted
- 28 May 2019: Thailand officially passes the PDPA.
- Introduces comprehensive rules for personal data processing.
- One-year grace period granted for compliance readiness.
2020–2021: Postponements & Preparation
- Enforcement delayed twice via royal decrees (May 2020 & May 2021).
- Businesses urged to prepare internal policies and appoint Data Protection Officers ("DPOs").
- PDPC begins drafting sub-regulations and interpretative guidance.
2022: Enforcement Begins
- 1 June 2022: PDPA comes into full force.
- Personal Data Protection Committee ("PDPC") officially formed.
- Initial enforcement focused on awareness and voluntary compliance.
- Enforcement targeted sectors with high data sensitivity: e-commerce, healthcare and financial services.
- Key sub-regulations included:
- Security measures (issued and came into effect in June 2022): Appropriate security measures to prevent unauthorised or unlawful access, use, alteration, correction, or disclosure of personal data.
- ROPA requirements (issued in June 2022 and came into effect in December 2022): Minimum data processing records.
- Data breach notification (issued and enforced in December 2022): Mandatory reporting within 72 hours for high-risk breaches.
2023–2024: Enforcement Picks Up
- PDPC issues administrative orders and cooperates with other authorities, e.g. the Cybercrime Investigation Bureau, to penalise violations.
- Sub-regulations clarify security standards:
- Appointment of DPOs (issued in September 2023 and came into effect in December 2023): Mandatory appointment in case where an entity's core activities involve large-scale personal data processing that requires regular monitoring of the personal data or systems.
- Cross-Border Data Transfers (issued in December 2023 and came into effect in March 2024): Criteria for sending personal data out of Thailand. Data must be transferred to countries or organisations with "adequate data protection standards" or be protected by approved methods such as Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs).
2025: Strategic Enforcement
- Enforcement is now routine, with regulators targeting sectors like e-commerce, healthcare, telecommunications and financial services.
- The PDPC has issued administrative fines in a total of 5 cases across 8 orders, with a total value of more than THB 21.5 million (including one prior case from 2024).
- Public Sector: A government agency providing online services via a web application developed by a private company was attacked, leading to a data leak of over 200,000 citizens' data, which was sold on the dark web. The government agency was fined THB 153,120 for failing to implement appropriate security measures, not conducting risk assessments, and using weak passwords. The system development company (Data Processor) involved was also fined the same amount.
- Large Private Hospital: Over 1,000 patient medical records were leaked externally due to a flaw in the document destruction process. The hospital was fined THB 1,210,000 for failing to properly supervise the contractor, allowing sensitive health data to be exposed. The individual contractor responsible for the document destruction was also fined THB 16,940.
- Retail/Wholesale and Online Companies:
- Computer and equipment seller: Fined THB 7 million for three violations:
- Failure to implement appropriate security measures;
- Failure to notify the PDPC of a data breach as required by law; and
- Failure to appoint a DPO despite holding a large volume of personal data.
- Cosmetics company: Fined THB 2.5 million for failing to implement appropriate security measures and not notifying the PDPC of a data breach.
- Collectible toy seller: Data Controller fined THB 500,000 and Data Processor fined THB 3 million for failing to implement appropriate security measures.
Key Takeaways
Thailand's PDPA is not just a legal requirement; it is a cultural shift toward transparency, accountability, and digital dignity, following the PDPC's policy of "zero data breach". It is clear the PDPC is becoming more active in its enforcement approach, with an upward trend in the level of fines imposed. The past six years have built a foundation for data privacy in Thailand – and the next chapter will define its true strength.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.