The Office of the Personal Data Protection Committee (PDPC) has issued an order on 31 July 2024 requiring a private e-commerce company to strictly comply with the Personal Data Protection Act B.E. 2562 (2019) (PDPA) and order the first administrative fine for the amount up to 7 million Baht (approximately USD 213,000) for non-compliance with the PDPA.
In such case, there was a significant leak of customer personal data, leading to misuse and resulting in damage to individuals. This incident sparked discussions on social media and was later found that the leaked data included actual purchase information and personal details of the company’s customers, highlighting several instances of non-compliance with the PDPA.
The details of the administrative fine are as follows:
- Failure to appoint the Data Protection Officer (DPO) (Section 41(2) and Section 82 of the PDPA): THB 1,000,000 (approximately USD 30,400)
- Failure to implement appropriate security measures (Section 37(1) and Section 83 of the PDPA): THB 3,000,000 (approximately USD 91,400)
- Failure to notify data breaches (Section 37 (4) and Section 83 of the PDPA): THB 3,000,000 (approximately USD 91,400)
In addition to the administrative fines, the PDPC also impose several directives for the company to follow and report back to the PDPC within 7 days:
- Improve security measures to prevent data leaks;
- Update security measures to keep pace with evolving technology;
- Conduct training for personnel involved in accessing, collecting, using, or disclosing personal data; and
Failure to comply with these orders may result in additional administrative fines of no more than THB 500,000 (approximately USD 15,300), as stipulated by Section 89 of the PDPA.
The Minister of Digital Economy and Society emphasized that the fines are intended to protect the public from call center scams and personal data leaks, which have been significant issues in Thailand over the past two years. The fines also serve as a warning to both public and private sector organizations to report data breaches to the PDPC as required by law. This action sets a standard and precedent for handling data breaches.
The Minister highlighted that these orders would raise awareness about the importance of complying with the PDPA and help deter misuse of personal data. Additionally, these measures aim to mitigate damage to individuals affected by data leaks and build public confidence in the use of personal data online.