Thailand's Personal Data Protection Committee ("PDPC") has made a significant move by issuing what is believed to be its first fine for violation of the Personal Data Protection Act ("PDPA"). The fine, hefty by Thai standards and estimated at the Thai Baht equivalent of just under Euro 200,000, carries significant weight from the perspective of the Thai market.
The circumstances behind the relatively high fine suggest that the violating data controller displayed slipshod compliance with the PDPA. While the exact action or inaction that led to the data breach is unknown, public reporting allows one to infer why the PDPC took notice of this violation. For example, the data controller did not report the data breach within the 72-hour period required by the PDPA, despite having had ample time to notify the PDPC (for more on breach notices, see https://fosrlaw.com/personal-data-breach-notifications/). The violating party also had no data protection officer.
Further, the data breach was material, as more than 100,000 personal data records were breached, and the violator provided insufficient explanation as to how it would rectify the security breach.
Additionally, numerous complaints were made by data subjects to the PDPC.
It was expected that the PDPC would start issuing fines only after a few years spent establishing its internal customs and practices, and that its initial fines would be relatively small.
Based on the circumstances of the PDPA breach and the fine issued in this case, the PDPC is taking a more assertive and urgent approach to enforcing the PDPA than initially expected. This should serve as a clear signal to all data controllers to ensure strict compliance with the PDPA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.