On August 21, 2024, the Ministry of Digital Economy and Society (MDES) announced that the second expert committee of the Personal Data Protection Committee (PDPC) imposed an administrative fine of 7 million THB (approx. $204,665) on a company for violations of the Personal Data Protection Act 2019 (PDPA), following complaints.

Background

The MDES explained that in a conference with the PDPC, there was a discussion on preventing data leakage problems in the public and private sectors, including the problem of call center gangs using people's personal data to commit illegal acts, as was the case with the concerned company.

Findings of the second expert committee

The MDES noted that the committee found the following:

• the company collected the personal data of more than 100,000 customers and used such data for the company's core business but did not appoint a personal data protection officer (DPO), thereby violating Section 41 of the PDPA;
• the company did not have appropriate security measures, which caused data to be leaked from the company to the call center gang and caused widespread damage, thereby violating Section 37(1) of the PDPA; and
• the company ignored a complaint filed by an affected individual and did not take any corrective action. The company also reported the incident to the PDPC late, which made it impossible to provide compensation. Its actions thereby violated Section 37(4) of the PDPA.

Outcome

In light of the above, the committee imposed an administrative fine of 7 million THB (approx. $204,665) on the company. The committee also ordered the company to:

• train its staff;
• add security measures to keep up with changing technology; and
• notify the PDPC of such corrective measures within seven days of receiving the order.

You can read the press release, only available in Thai, here.