Thailand: PDPC fines company THB 7M following data breach
On August 21, 2024, the Personal Data Protection Committee (PDPC) announced that it had imposed a fine of THB 7 million (approx. $204,280) on an unnamed company for violations of the Personal Data Protection Act (PDPA) following a data breach. The PDPC noted that it was the first administrative fine issued under the PDPA.
Background to the decision
The PDPC stated that a data breach at the company, which trades goods online, had resulted in the disclosure of personal data to unauthorized persons, in this case, a call center group that uses people's personal data to commit fraud.
Findings of the PDPC
Following an investigation, the PDPC determined that the company had violated:
- Section 41 of the PDPA by failing to appoint a data protection officer (DPO), despite processing personal data for over 100,000 individuals as part of its core business;
- Section 37(1) of the PDPA by failing to implement appropriate security measures, resulting in the data leak to the fraudulent group; and
- Section 37(4) of the PDPA by failing to take corrective action and notify the authorities of the data breach as soon as it became aware of the breach.
Outcomes
As a result of the above, the PDPC imposed a fine of THB 7 million (approx. $204,280) on the company. In addition to the fine, the PDPC, in collaboration with the PDPA's Expert Committee, ordered the company to take corrective actions. These include enhancing its security measures to prevent future data breaches, training its staff, and notifying the PDPC of the implemented corrective actions within seven days of receiving the order.
You can read the press release, only available in Thai, here.