In the first case of its kind, Thailand’s Personal Data Protection Committee (PDPC) has levied penalties against a company following a complaint. A THB 7,000,000 (about USD 200,000) fine was issued in accordance with the Personal Data Protection Act (PDPA), sending a strong message to data processors and controllers operating in the region to ensure personal data is safeguarded.

The issue came to light after customers reported receiving unsolicited phone calls from scammers shortly after making online purchases from the online trading business in question. The regulator carried out an investigation and found that customer personal data had been shared with a call centre group that uses the information it acquires to commit fraud. The regulator additionally noted the company’s failure to designate a Data Protection Officer (DPO) as required under Section 41 of the PDPA, as well as a lack of adequate security protocols to safeguard client information. The business also failed to disclose the security violation in a timely manner, as required under Section 37(4).

Taking measures to protect online personal data 

Organisations often find themselves in trouble with data protection authorities because they fail to implement simple guardrails and processes that would ensure personal data is securely protected. As well as the financial penalty, the regulator has ordered the company to overhaul its data security protocols, update its cybersecurity measures, and ensure better employee training on data protection processes. It is also required to update the regulator within 7 days of implementing these corrective measures.

As global data protection laws continue to be updated and implemented, this is a timely reminder for organisations doing business in the region to get their act together. For companies operating in Thailand, this development signals the importance of rigorous data protection practices and of working closely with a data protection officer who understands the requirements enforced by the PDPC. Businesses must ensure they meet all PDPA requirements, including appointing a DPO when necessary, implementing robust security measures, and adhering to timely breach notification procedures. As a global Data Protection Officer services provider, HewardMills keeps its clients updated on regulations in the APAC region to ensure compliance with ever-changing local requirements.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.