09 May
On August 1, 2025, Thailand's Personal Data Protection Committee (PDPC) issued eight administrative fines across five cases in a single day. The largest — THB 7 million — was levied on a computer retailer that had no Data Protection Officer (DPO) and failed to report a data breach. This is the moment Thailand's PDPA shifted from "warnings" to "enforcement" — alongside an Emergency Decree on Technology Crimes effective April 13, 2025, adding criminal penalties of up to 5 years' imprisonment + THB 500,000 fine for unlawful disclosure of personal data.
Quick summary: What's new in Thailand's PDPA enforcement?
- Aug 1, 2025: PDPC issued 8 fines in 5 cases — totaling roughly THB 21.5M — the first time the regulator has imposed fines at this scale in one day
- Largest single fine: THB 7M (computer retailer — no DPO + no breach notification)
- Other major fines: Private hospital THB 1.21M, cosmetics company THB 2.5M, collectible toy retailer THB 3.5M (controller + processor combined)
- Apr 13, 2025: Emergency Decree on Technology Crimes (No. 2) B.E. 2568 took effect
- New criminal penalties: Up to 1 year + THB 100,000 fine (general) | Up to 5 years + THB 500,000 fine (commercial misuse)
- 2026 enforcement priorities: e-commerce, healthcare, telecommunications, public services
1. The Five Cases — Real Examples to Learn From
The PDPC didn't pick these cases at random — they share recurring compliance failures that the regulator wants to flag publicly:
| Case | Data Compromised | Primary Violation | Fine (THB) |
|---|---|---|---|
| State agency + software developer | 200,000 personal records leaked to the dark web | Weak passwords + no risk assessment + no DPA with processor | 153,120 × 2 = 306,240 |
| Private hospital + contractor | 1,000+ medical records improperly destroyed/repurposed | Inadequate security + failure to notify breach | 1,210,000 + 16,940 = 1,226,940 |
| Computer/accessories retailer | 100+ customers fell victim to call-center scams | No DPO + no breach reporting + inadequate security | 7,000,000 |
| Cosmetics company | Customer data reached scam operators | Inadequate security + failure to notify PDPC | 2,500,000 |
| Collectible toy retailer + processor | ~200,000 records altered without authorization | Service provider lacked security controls + no breach reporting | 500,000 + 3,000,000 = 3,500,000 |
Notice — all 5 cases share the same 4 violation patterns that the PDPC uses as its compliance yardstick. See PDPA & ERP for what an ERP system needs to support these requirements.
2. The 4 Recurring Compliance Gaps — Use as a Checklist
Across all five cases, the PDPC pinpointed the same patterns:
| Gap | What PDPC Examines | ERP Example |
|---|---|---|
| 1. Security measures | Weak passwords, no 2FA, no encryption, missing patches | 2FA + role-based access + audit log |
| 2. Breach notification | Required within 72 hours — every fined case failed this | Alert system + incident log inside ERP |
| 3. Data Protection Officer (DPO) | Mandatory for some organizations — missing = automatic fine | DPO governs the ERP modules holding personal data |
| 4. Processor oversight | Data Processing Agreements (DPA) + vendor security audits | Cloud-hosted ERP or third-party vendors must have signed DPAs |
Critical observation — every single case was fined for "failure to report breach." This is the strongest signal yet that the PDPC will rigorously enforce Section 37(4) of the PDPA, which requires breach notification within 72 hours.
3. Emergency Decree on Tech Crimes — New Criminal Penalties
Beyond PDPC's administrative fines, the government enacted the Emergency Decree on Measures for the Prevention and Suppression of Technology Crimes (No. 2) B.E. 2568, effective April 13, 2025. It introduces criminal penalties specifically for personal data misuse linked to technology crimes:
| Conduct | Imprisonment | Fine |
|---|---|---|
| Collecting/possessing/disclosing personal data with intent to enable criminal activity | Up to 1 year | Up to THB 100,000 |
| Commercial misuse (buying/selling/exchanging/profiting unlawfully) | Up to 5 years | Up to THB 500,000 |
Practical implication — beyond fining the organization, PDPC can now pursue separate criminal proceedings against executives, employees, and vendors involved — particularly when data is sold or traded, the most common pattern in leaks that fuel call-center scams.
4. ERP & PDPA Compliance — The Features You Need
An ERP system that holds employee, customer, and supplier data is "risk hotspot #1" in PDPC's eyes. These are the features your ERP should have to stay compliant:
| Feature | Relevant Section | Why It Matters |
|---|---|---|
| 2FA + Strong Password Policy | S.37 (security measures) | Case 1 (state agency) was fined for weak passwords |
| Role-Based Access Control (RBAC) | S.37 + least privilege principle | Limits who sees what data |
| Tamper-proof Audit Log | S.40 (demonstrable compliance) | Case 5 (toy retailer) — data was altered without authorization |
| Data Encryption (at-rest + in-transit) | S.37 | Reduces impact if servers are breached |
| Breach Detection + Alerting | S.37(4) — 72-hour notification | Every fined case failed because they didn't know a breach occurred |
| Data Retention + Erasure | S.39 (right to deletion) | Users can request data deletion |
| Vendor / Processor Audit Trail | S.40 + DPA requirements | Tracks when vendors access data |
Additionally, see file storage in ERP — for documents such as ID card copies, encryption and strict access control are essential.
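To make "tamper-proof audit log" (row 3 of the table above) concrete, here is an added example, not Saeree ERP's code or any PDPC reference design, of a hash-chained log in which each entry commits to the previous one, so an in-place edit of the kind seen in Case 5 is detected on verification. The actor names and sample entries are constructed.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class AuditEntry:
    seq: int
    actor: str
    action: str
    record: str
    prev_hash: str
    entry_hash: str = ""


def _digest(seq, actor, action, record, prev_hash):
    # Canonical JSON so the same fields always hash identically.
    payload = json.dumps([seq, actor, action, record, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, actor, action, record):
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        h = _digest(seq, actor, action, record, prev)
        self.entries.append(AuditEntry(seq, actor, action, record, prev, h))
        return h  # latest head; store a copy outside the ERP database

    def verify(self):
        """Walk the chain; return (ok, seq of first bad entry or None)."""
        prev = GENESIS
        for e in self.entries:
            recomputed = _digest(e.seq, e.actor, e.action, e.record, e.prev_hash)
            if e.prev_hash != prev or e.entry_hash != recomputed:
                return False, e.seq
            prev = e.entry_hash
        return True, None


def demo():
    log = AuditLog()
    log.append("hr_admin", "UPDATE", "employee:1042 salary")      # constructed
    log.append("vendor_svc", "EXPORT", "customer:* (bulk)")       # constructed
    log.append("finance", "READ", "invoice:77")                   # constructed
    assert log.verify() == (True, None)
    # Constructed tampering: a vendor export is rewritten in place after the fact.
    log.entries[1].record = "customer:none"
    return log.verify()
```

The chain proves entries were not altered in place; silently dropping the newest entries is caught only if the latest head hash is also kept somewhere the database administrator cannot overwrite.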
5. 7-Point Checklist — Get Audit-Ready
For 2026, the PDPC has explicitly named four sectors as enforcement priorities — e-commerce, healthcare, telecommunications, public services. If your organization sits in any of these, the risk is materially higher.
7-point checklist for Thai organizations:
- Appoint a DPO + register with PDPC — verify whether your organization is legally required to (see Knowledge Center)
- Audit your ERP + accounting systems — confirm the 7 features above are all in place
- Enable 2FA for all users — especially admins, finance, HR (see 2FA Guide)
- Sign DPAs with every vendor — including cloud, hosting, accounting outsourcing
- Build an Incident Response Plan — who reports, how, and within 72 hours
- Train your staff — especially anyone handling customer/HR data
- Review Privacy Notices + Consent — keep them current and aligned with actual practice
6. Questions Executives Should Ask Their IT/HR Team
Use these questions as a starting point for risk assessment:
| Question | "Pass" Criteria |
|---|---|
| 1. Do we have a DPO — and what does she/he actually do? | Designated person + has authority + reports to executives |
| 2. If a data breach occurred today, can we report it within 72 hours? | Documented playbook + tested at least 1×/year |
| 3. Do all our vendors have signed DPAs? | Complete list + signed + reviewed annually |
| 4. Is our ERP/accounting audit log tamper-proof? | Immutable + retained for at least 1 year |
| 5. Does our password policy meet NIST/PDPC guidelines? | Length ≥ 12 chars + no reuse + 2FA |
7. Why PDPC Announced 8 Fines on the Same Day
Issuing 8 fines simultaneously was not coincidence — it was a "signal moment" sending three messages:
1. The "warning" era is over — six years since PDPA took full effect (June 1, 2022) — no more "we didn't know" excuses
2. Public and private sectors both targeted — case 1 was a state agency — no exemption
3. Both controllers and processors fined — vendors and outsourcers can't hide behind their clients
Add to that the 2026 cybersecurity trend — cyber threats keep rising — and PDPA compliance becomes more than "avoiding fines." It's about protecting your customers from real harm.
Summary
| Area | What to Do |
|---|---|
| Administrative fines | Up to THB 5M per violation — repeatable + applied to both controller and processor |
| Criminal penalties (new, Apr 2025) | Up to 5 years' imprisonment + THB 500,000 fine for commercial misuse |
| 4 gaps to close | Insufficient security, no breach reporting, no DPO, no processor oversight |
| Sectors under heaviest scrutiny | e-commerce, healthcare, telecommunications, public services |
| A compliant ERP | 2FA, RBAC, audit log, encryption, breach detection — all of them |
"PDPC's eight fines in a single day are not the end — they're the beginning of the enforcement era of Thailand's PDPA. A THB 7M fine on a computer retailer that's no larger than an average SME sends one clear message: regardless of size, if you handle personal data, you must take security, breach reporting, DPO, and DPA seriously — all four, not pick-one."
Is Your ERP Ready for a PDPC Audit?
Saeree ERP includes the full PDPA-compliance stack — 2FA, role-based access, tamper-proof audit log, encryption, breach detection. Get a free assessment of your current gaps.
Free Consultation: Call 02-347-7730 | sale@grandlinux.com
