

In the 2025 financial year, the Personal Data Protection Commission (PDPC), under Thailand's Ministry of Digital Economy and Society, ruled on 5 cases and issued 8 fines totaling over 21.5 million baht for violations of the PDPA. These fines were imposed on both public- and private-sector organizations that failed to properly protect personal data.
Personal data of over 200,000 citizens was leaked to the Dark Web due to the agency’s failure to implement proper security measures, including the use of weak passwords, the lack of a risk assessment, and the failure to review security measures regularly. The agency also neglected to establish a Data Processing Agreement (DPA) with the system provider, which did not take any steps to prevent the data leakage. This resulted in a fine of 153,120 baht for both the agency and its system provider.
Patient records were improperly disposed of and leaked on social media. The hospital had contracted a small business for document destruction but failed to ensure proper handling and monitoring, leading to the leak. The contractor also failed to follow agreed procedures and did not notify the hospital of the data breach. Consequently, the hospital was fined 1,210,000 baht, and the contractor was fined 16,940 baht.
The company failed to implement security measures, did not appoint a Data Protection Officer (DPO), and failed to notify the PDPC of a data breach. It received a fine of 7 million baht for neglecting to protect personal data.
Did not maintain adequate security measures or notify the PDPC of a data breach, resulting in a 2.5 million baht fine.
Lacked security measures, with fines of 500,000 baht for the data controller and 3 million baht for the data processor.
The PDPC is currently reviewing several other cases and will proceed with legal action in strict accordance with the law. It is also working to implement proactive prevention strategies so that the goal of "Zero Data Leakage" becomes a top priority for every organization in Thai society.