In August 2024, Thailand’s Personal Data Protection Committee (the regulator appointed under the Personal Data Protection Act) imposed an administrative fine of 7 million Baht ($200,000) on a major private company involved in online sales.
This is the first time the regulator has exercised its enforcement powers since the Personal Data Protection Act (PDPA) came into force.
Facts: The company allowed a considerable amount of personal data to leak to call centers without having adequate security measures in place. The offences for which the fine was imposed were as follows:
- Failure to appoint a Data Protection Officer: The company collected personal data from over 100,000 customers and used it in its business operations, but did not appoint a DPO as required under the Act. This failure hindered the company’s ability to address data breaches effectively.
- Inadequate security measures: The company lacked the appropriate security measures required under the PDPA, leading to data leaks to call centers and causing widespread loss.
- Failure to report data breaches: The company ignored complaints from data owners and delayed reporting the breaches to the regulator, preventing prompt remedial action for the breaches of the Act.
Further regulatory action: In addition, the regulator ordered the company to:
- improve its security procedures to prevent future data leaks,
- put in place staff training measures,
- update security measures to ensure these keep pace with technological changes, and
- report these improvements to the regulator within seven days of receiving the formal order.