On August 21, 2024, the second expert committee appointed under the Thai Personal Data Protection Act (PDPA) of 2019 issued an administrative fine to a major private company involved in online sales. The company allowed a significant amount of personal data to leak to call center gangs without implementing adequate security measures as required by the PDPA. The committee imposed the maximum administrative fine of 7 million baht (approximately $205,520) for the following offences:
- Failure to Appoint a Data Protection Officer (DPO): The company collected personal data from over 100,000 customers and used it for its core business operations but did not appoint a DPO as required by law. This failure hindered the company’s ability to address data breaches effectively.
- Inadequate Security Measures: The company lacked appropriate security measures as mandated by the PDPA, leading to data leaks to call center gangs and causing widespread damage.
- Failure to Report Data Breaches: The company ignored complaints from data subjects and delayed reporting the breaches to the PDPC, preventing timely remediation.
In addition to the 7 million baht fine, the second expert committee ordered the company to enhance its security measures to prevent future data leaks. The company must also train its staff, update security measures to keep pace with technological changes, and report these improvements to the PDPC within 7 days of receiving the order.
This administrative fine is the first of its kind imposed on a major private company by the second expert committee since the PDPA came into effect. It aligns with the principles of the European Union’s General Data Protection Regulation (GDPR).
Minister Prasert emphasized that the fine aims to protect the public from call center scams and data leaks, which have been major issues in Thailand over the past two years. The fine serves as a warning to both public and private entities to report data breaches to the PDPC as required by law. This case sets a standard for handling data leaks in the future.
The minister also noted that this enforcement action will raise awareness in the public and private sectors about the importance of complying with the PDPA. It is part of broader measures to combat call center scams that misuse personal data. Additionally, these measures will help mitigate the damage to data subjects and build public trust in the use of personal data online.