
PDPA 2026 — Real Enforcement, Real Fines, Real Cases: What Thai Businesses Must Know

The warning era is over — Thailand PDPC imposed over THB 21.5 million in fines across 5 landmark cases, hitting IT retailers, cosmetics firms, and government agencies alike. With tightening cross-border transfer rules, Thai businesses must act now.

20 Mar 2026 · 10 min read
Tags: PDPA, Data Privacy, PDPC, Compliance, Cross-Border Data, GDPR, DPO, ERP


August 1, 2025 marked a turning point for data protection in Thailand. The Personal Data Protection Committee (PDPC) announced its first major round of administrative fines — over THB 21.5 million across 5 cases and 8 penalties, covering both public agencies and private companies.

The era of warnings and grace periods is officially over. The PDPC is now enforcing the law with real consequences, and businesses that are not prepared face tangible risks.


The Current Landscape: From Paper Law to Active Enforcement

Thailand's Personal Data Protection Act (PDPA), B.E. 2562, has been fully effective since June 2022. However, for the first 2-3 years, the PDPC focused on awareness-building rather than penalization, leading many organizations to adopt a "wait and see" posture.

The question of whether the PDPC would ever penalize has now been answered: enforcement is real.

The August 2025 fines signaled a decisive shift from PDPC as an "educator" to PDPC as an "enforcer." No organization is exempt — neither government agencies nor private enterprises.


Real Cases: 5 Landmark Enforcement Actions Thai Businesses Must Learn From

Case 1: Government Agency — 200,000 Records Leaked

A state-run web application suffered a cyberattack, exposing 200,000 personal data records. Both the agency and its system developer were fined a combined THB 153,120 for:

  • Lack of privacy-by-design in system development
  • No breach prevention or response protocols
  • Failure to notify the PDPC and data subjects within the required timeframe

Lesson: Even government agencies face penalties, and Data Processors (system developers) are held accountable alongside Controllers.

Case 2: IT Retailer — THB 7 Million Fine

An IT products retailer was fined THB 7 million after customer data leaked and was exploited by fraudulent call center operations. Key failures:

  • No Data Protection Officer (DPO) appointed despite processing large volumes of personal data
  • Failed to report the data breach
  • Inadequate security safeguards

Lesson: Failure to appoint a DPO when legally required is a severe violation carrying multi-million baht penalties.

Case 3: Cosmetics Company — THB 2.5 Million Fine

A cosmetics company was fined THB 2.5 million for failing to implement adequate security measures and not notifying the PDPC of a data breach.

Lesson: Regardless of company size, if you handle significant volumes of customer personal data, you must maintain robust security standards.

Case 4: Toy Company and Data Processor — THB 3.5 Million Combined

A toy company and its data processor were fined THB 500,000 and THB 3 million respectively after an online reservation system breach affected 200,000 records.

Notably, the Data Processor was fined more heavily than the Data Controller because the processor:

  • Failed to notify the Controller of the breach
  • Did not take swift remedial action
  • Lacked accountability as a data processor

Lesson: Vendors and outsourced partners acting as Data Processors bear direct legal liability under the PDPA.


Cross-Border Data Transfer Rules: Significantly Tightened

What Has Changed

In 2025, the PDPC issued several critical new regulations on cross-border data transfers:

1. Binding Corporate Rules (BCRs) Framework

The PDPC published its Regulations on the Review and Certification of BCRs (B.E. 2568) on September 29, 2025, and approved the first two companies' BCRs the following day — a landmark shift from theory to practice.

2. Legal Pathways for Data Transfers

  • Adequacy Route (Section 28): Transfer data to jurisdictions recognized by the PDPC as having adequate protection — but no adequacy list has been published yet
  • Appropriate Safeguards (Section 29): Use BCRs or Standard Contractual Clauses (SCCs) based on ASEAN or EU models

3. Business Impact

Since the PDPC has not yet published an adequacy list, all cross-border transfers must be treated as going to non-adequate jurisdictions, requiring appropriate safeguards in every case.

What Businesses Must Do

  • Review all cloud services with servers located outside Thailand
  • Create comprehensive Data Flow Mapping
  • Prepare SCCs or apply for BCRs for intra-group transfers
  • Audit vendor agreements for adequate data protection provisions

PDPA vs GDPR: 2026 Comparison Update

Businesses operating across borders need to understand the differences between PDPA and GDPR to plan comprehensive compliance strategies.

Key Differences

| Topic | PDPA (Thailand) | GDPR (EU) |
| --- | --- | --- |
| Maximum Fine | THB 5 million (~EUR 130,000) per case | EUR 20 million or 4% of global revenue |
| Criminal Penalties | Yes — up to 1 year imprisonment | None at EU level |
| Consent | Implied consent allowed in some cases | Explicit consent always required |
| Right to Data Portability | In the law but lacking practical guidance | Fully enforced |
| DPO Requirement | Per PDPC conditions | Based on processing activities |
| Breach Notification | 72 hours (to PDPC) | 72 hours (to Supervisory Authority) |
| Cross-Border Transfer | Developing — no adequacy list yet | Adequacy decisions for multiple countries |

Critical Watch Points

  • PDPA includes criminal penalties absent in the GDPR — executives may face personal liability
  • While PDPA fines appear lower than GDPR, the PDPC can also impose civil damages and order processing suspension, which may have greater business impact than fines alone
  • The PDPC is rapidly developing its enforcement framework and is expected to become even stricter in 2026

Impact on ERP Systems and Enterprise Applications

ERP systems are the backbone of personal data storage and processing in organizations — from employee records and customer data to partner information and financial records. The PDPA is forcing organizations to upgrade their ERP systems across several dimensions:

1. Data Retention — How Long Can You Keep Data?

The PDPA requires that personal data be retained only as long as necessary for the stated purpose. ERP systems must be able to:

  • Define clear retention periods for each data category
  • Alert when data reaches its retention deadline
  • Automatically delete or anonymize expired data

2. Consent Management — Systematic Consent Tracking

Systems must comprehensively record and track data subject consent:

  • Record who consented to what, when, and through which channel
  • Support consent withdrawal and exercise of rights
  • Provide complete audit trails for PDPC inspections

3. Right to Be Forgotten — Data Deletion Rights

Data subjects have the right to request deletion of their personal data. In ERP systems where data is interconnected across modules:

  • Systems must be designed to delete or anonymize data without compromising data integrity
  • Processes must verify that data is deleted from all storage locations
  • Backups and archives must also be addressed

4. Data Breach Detection — Detect and Report Breaches

Systems must be capable of:

  • Detecting anomalous data access patterns
  • Immediately alerting the DPO team when a breach is discovered
  • Generating reports for the PDPC within 72 hours
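The four ERP capabilities above (retention deadlines, consent tracking with an audit trail, cross-module erasure that preserves record integrity, and detection of anomalous access) in one added Python example. This is illustrative code written for this article, not Enersys code and not any ERP product's API. The module names (crm, sales), the retention schedule, the list of personal-data fields, and every sample record, consent event and access-log entry are constructed assumptions; a real deployment substitutes its own approved retention schedule and field inventory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed retention schedule (days per data category) for this example only;
# a real deployment uses the organisation's approved retention schedule.
RETENTION_DAYS = {"marketing_lead": 365, "customer": 5 * 365, "support_ticket": 2 * 365}
PII_FIELDS = {"name", "email", "phone", "address", "national_id"}  # assumed field inventory


@dataclass
class Record:
    module: str              # hypothetical ERP module holding the record (crm, sales, ...)
    record_id: str
    subject_id: str          # internal pseudonymous key that links records across modules
    category: str            # key into RETENTION_DAYS
    purpose_ended: datetime  # when the stated purpose for holding the data ended
    fields: dict


def retention_deadline(rec):
    return rec.purpose_ended + timedelta(days=RETENTION_DAYS[rec.category])


def expired(records, now):
    """Records past their retention deadline: what a nightly job alerts on or purges."""
    return [r for r in records if now >= retention_deadline(r)]


def anonymize(rec):
    """Redact personal fields in place; amounts, dates and status stay so that orders and
    ledger entries referencing this record remain internally consistent."""
    for key in rec.fields:
        if key in PII_FIELDS:
            rec.fields[key] = "REDACTED"
    return rec


def erase_subject(records, subject_id, now):
    """Right to be forgotten across modules: anonymize every linked record and return an
    audit trail of each location touched, so completeness can be evidenced later."""
    trail = []
    for r in records:
        if r.subject_id == subject_id:
            anonymize(r)
            trail.append((r.module, r.record_id, now.isoformat()))
    return trail


class ConsentLedger:
    """Append-only consent events (subject, purpose, granted?, channel, time). Current
    state is derived from the log and never overwritten, so the audit trail is complete."""

    def __init__(self):
        self.events = []

    def record(self, subject_id, purpose, granted, channel, at):
        self.events.append((subject_id, purpose, granted, channel, at))

    def is_active(self, subject_id, purpose, at):
        state = False  # nothing on record means no consent
        for sid, pur, granted, _chan, ts in sorted(self.events, key=lambda e: e[4]):
            if sid == subject_id and pur == purpose and ts <= at:
                state = granted
        return state

    def audit_trail(self, subject_id):
        return [e for e in self.events if e[0] == subject_id]


def flag_bulk_reads(access_log, window, threshold):
    """Simple anomaly check over (user, record_id, time) read events: flag any user who
    reads more than `threshold` distinct records within `window` of one of their reads."""
    by_user = {}
    for user, rid, ts in access_log:
        by_user.setdefault(user, []).append((ts, rid))
    flagged = set()
    for user, reads in by_user.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):
            seen = {rid for ts, rid in reads[i:] if ts - start <= window}
            if len(seen) > threshold:
                flagged.add(user)
                break
    return flagged


def demo():
    """Run every check on constructed sample data and return the results."""
    utc = timezone.utc
    now = datetime(2026, 3, 20, tzinfo=utc)
    records = [  # constructed sample records
        Record("crm", "C1", "S1", "customer", datetime(2020, 1, 1, tzinfo=utc),
               {"name": "Somchai", "email": "s@example.test", "tier": "gold"}),
        Record("sales", "O9", "S1", "customer", datetime(2025, 6, 1, tzinfo=utc),
               {"phone": "+66-00-000-0000", "total_thb": 1200, "status": "paid"}),
        Record("crm", "L5", "S2", "marketing_lead", datetime(2025, 1, 1, tzinfo=utc),
               {"email": "lead@example.test"}),
    ]
    ledger = ConsentLedger()
    ledger.record("S1", "marketing", True, "web", datetime(2025, 1, 10, tzinfo=utc))
    ledger.record("S1", "marketing", False, "email", datetime(2025, 12, 1, tzinfo=utc))
    reads = [("u1", f"C{i}", now + timedelta(minutes=3 * i)) for i in range(3)]   # normal
    reads += [("u2", f"C{i}", now + timedelta(seconds=20 * i)) for i in range(6)]  # bulk pull
    expired_ids = [r.record_id for r in expired(records, now)]
    trail = erase_subject(records, "S1", now)
    return {
        "expired": expired_ids,
        "erased_modules": [t[0] for t in trail],
        "c1_fields": records[0].fields,
        "consent_mid_2025": ledger.is_active("S1", "marketing", datetime(2025, 6, 1, tzinfo=utc)),
        "consent_now": ledger.is_active("S1", "marketing", now),
        "consent_events": len(ledger.audit_trail("S1")),
        "flagged": flag_bulk_reads(reads, timedelta(hours=1), 5),
    }
```

Two design points worth noting. The erasure trail records every module and record touched, which is the evidence a DPO needs to show that deletion reached all storage locations; backups and archives are outside this in-memory model and need their own handling, for example a list of erased subject keys that is re-applied whenever a backup is restored. The consent ledger deliberately never edits a past event: withdrawal is a new event, so the state at any historical instant can be reconstructed for an inspection.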

What Thai Businesses Must Do Now — Compliance Checklist

Organizational Level

  • Appoint a DPO if you haven't — review PDPC requirements for mandatory appointment
  • Create a Data Inventory — know what data you collect, how much, and where it's stored
  • Assess Data Flows — map where data goes, both domestically and internationally
  • Review Privacy Policies — ensure they are comprehensive and up-to-date
  • Develop a Data Breach Response Plan — have clear procedures for when incidents occur

Technology Level

  • Audit Security Controls across all systems storing personal data
  • Review Vendor Contracts — ensure Data Processing Agreements are in place
  • Configure Retention Policies in ERP systems and databases
  • Test Incident Response with simulation exercises at least annually

People Level

  • Train all staff on PDPA requirements and personal data handling
  • Build a Data Protection Culture — not just compliance, but a mindset shift
  • Define clear roles and responsibilities for data protection

Trends to Watch in 2026

1. Fines Will Increase

The PDPC is establishing enforcement precedents. Expect fines to escalate, especially for organizations found to have "known but not acted."

2. Adequacy List Coming

The PDPC is expected to begin publishing its list of countries with adequate data protection standards, which will simplify cross-border data transfers.

3. Sector-Specific Guidelines

Expect additional industry-specific guidelines for sectors such as healthcare, financial services, and retail.

4. AI and Automated Decision-Making

The use of AI in making decisions that impact individuals will face increased scrutiny.


Why Thai Businesses Must Act Today

THB 21.5 million in fines may seem modest compared to GDPR, but the real impact goes far beyond the numbers:

  • Reputation — When the PDPC announces penalties, organization names are made public. Reputational damage is incalculable
  • Customer Trust — Modern consumers are increasingly aware of their data rights
  • Criminal Liability — Executives may face personal criminal charges
  • Business Continuity — The PDPC can order processing suspension, which could halt business operations entirely

Investing in data protection is not a cost — it's a competitive advantage. Organizations with robust data management systems earn greater trust from customers and partners.


How Enersys Can Help With PDPA Compliance

Enersys has extensive experience helping Thai organizations of all sizes establish data protection systems aligned with the PDPA:

  • PDPA Gap Assessment — Evaluate your current posture and identify areas for improvement
  • Data Protection Framework Design — Design a protection framework tailored to your business needs
  • ERP Data Compliance — Configure ERP systems to support PDPA including retention, consent management, and right to be forgotten
  • Cross-Border Transfer Advisory — Expert guidance on international data transfers, SCCs, and BCRs
  • Training & Awareness — PDPA training programs for all organizational levels

Consult Enersys experts today — don't wait until you're fined. Prepare now to protect your business.

