Simuna Infosec
Compliance | 2026-06-20

Thailand's PDPA (พ.ร.บ.คุ้มครองข้อมูลส่วนบุคคล, the Personal Data Protection Act): Stricter Enforcement in 2025

Thailand's PDPA has been in full force since June 2022, and enforcement intensified in 2025. Verified facts.

Thailand's Personal Data Protection Act has moved firmly from awareness-building into active enforcement. For organisations processing personal data in Thailand, understanding the current enforcement climate is essential. This article presents only verified facts.

The Foundation

Thailand's Personal Data Protection Act is the PDPA B.E. 2562 (2019). It was published in the Royal Gazette on 27 May 2019, with a two-year transition period. Due to the COVID-19 pandemic, full enforcement of the key provisions was postponed several times. The PDPA officially came into full effect on 1 June 2022, meaning all organisations subject to the Act are now required to comply.

The PDPA applies to both private and government sectors (with certain exemptions). It is overseen by the Personal Data Protection Committee (PDPC), supported by the Office of the PDPC.

Enforcement Has Intensified

The most important recent development is the shift from awareness to active enforcement. The transition became visible in 2024 when a leading e-commerce company was fined THB 7 million in connection with a personal data breach — the first high-profile administrative penalty under the PDPA. Reported findings in that case included insufficient security measures and failure to appoint a Data Protection Officer.

Enforcement intensified further in 2025. On 1 August 2025, the PDPC publicly announced eight administrative fines across five non-compliance cases involving both public and private entities, totalling approximately THB 21.5 million. Notably, enforcement extended to data processors — not only data controllers — and repeatedly targeted deficiencies in security controls, breach reporting, and DPO appointment as core failures.

A Telling Case

One announced case is particularly instructive for security: a cyberattack on a state-run web application led to the leak of around 200,000 records containing personal data. Both the agency and its developer were fined for lacking privacy-by-design and breach-prevention protocols. This underscores that the PDPC considers inadequate security measures — not just policy gaps — to be enforceable failures.

Related Laws

The PDPA does not operate in isolation. Organisations must also consider the Cybersecurity Act B.E. 2562 (2019), which governs cyber threat response and critical infrastructure protection, along with regulations from the Ministry of Digital Economy and Society and, for financial entities, the Bank of Thailand. Thailand also strengthened criminal enforcement through an Emergency Decree on technology crimes effective 13 April 2025.

How Simuna Infosec Helps

The PDPC's enforcement pattern makes one thing clear: inadequate security measures lead to penalties. Our human-led security testing identifies and helps remediate the vulnerabilities — particularly the authorisation and business-logic flaws — that lead to the kind of data breaches the PDPC is now actively fining. We provide documented evidence of the security measures that the PDPA expects and that enforcement increasingly demands.

*This article reflects publicly available information as of mid-2026. Regulatory details evolve; consult qualified Thai legal counsel for compliance decisions.*