Technology · Silver report
Published April 2026 · Insight Research · 18 min read · 2026 Edition · 10 sources, 4 primary-grade · Strong source depth

Thailand PDPA: Enforcement Trajectory and Compliance Cost

PDPC announced 8 fines across 5 cases on Aug 1, 2025 totalling >THB 21.5M; THB 7M largest fine for customer-data leak. Civil fines up to THB 5M for serious violations under PDPA B.E. 2562 (2019). Enforcement extends to data processors (toy-seller case: THB 500K controller, THB 3M processor).

Key takeaways

  1. PDPC publicly announced 8 administrative fines across 5 cases on 1 August 2025 totalling >; first major public-enforcement batch since the PDPA reached full enforcement in June 2022.

  2. Largest single fine: for a customer-data leak that was subsequently exploited in call-centre scams per DLA Piper Lexology.

  3. PDPA civil-fine ceiling: up to for serious violations. Sensitive-data violations carry imprisonment up to 6 months and / or fine, doubled when for undue commercial benefit.

  4. Enforcement extends to data processors, not just controllers. August 2025 toy-seller case: controller fined and processor fined for failing to implement appropriate security measures.

  5. Recurring compliance failures: inadequate security (weak passwords, no risk assessment), failure to appoint Data Protection Officer (DPO) when required, breach-notification failures, sensitive-data handling violations.

  6. Enforcement trajectory: PDPA enacted 2019, full enforcement deferred to 1 June 2022, first fines 2023-2024, escalation in 2025 marks structural shift from awareness-building to active enforcement per HSF Kramer.

Questions this report answers

What changed in 2025? Per DLA Piper, Mondaq, and Lexology: PDPC publicly announced 8 administrative fines across 5 non-compliance cases on 1 August 2025 — the first major public-enforcement batch since PDPA full enforcement in June 2022. Total fines exceeded . The largest single fine was for a customer-data leak that was subsequently exploited in call-centre scams. The structural signal: PDPC moved decisively from awareness-building to active enforcement, transitioning the regulatory tone from compliance-coaching to compliance-enforcement.

What's the penalty structure? Per the Personal Data Protection Act B.E. 2562 (2019) and Chambers practice guides: civil fines up to for serious violations is the headline ceiling. Sensitive-data violations carry imprisonment up to 6 months and / or fine up to , doubled if undertaken for undue commercial benefit (12 months / ). The Aug 2025 fines exceeded the ceiling in the leak case — likely combining penalties for multiple violations or entities under the controller-and-processor extension.

Does PDPA reach data processors as well as controllers? Yes — and the August 2025 toy-seller case made this explicit. Per Lexology and AustChamThailand: a collectible-toy seller (data controller) was fined and its data processor was fined for failing to implement appropriate security measures. The structural implication for Thai outsourcing vendors and SaaS providers is significant: PDPA-compliance is no longer just the customer's problem; the processor faces direct exposure. This brings Thai data-protection enforcement closer to GDPR's controller-and-processor co-liability framework.

What are the most-common compliance failures? Per Hogan Lovells and DLA Piper: (1) inadequate security measures — weak passwords, no risk assessment, poor system oversight; (2) failure to appoint a Data Protection Officer (DPO) when required by sector or processing-volume threshold; (3) failure to notify PDPC and affected individuals of data breaches within the statutory timeframe; (4) poor handling and destruction of sensitive data. These four categories accounted for the majority of August 2025 fines. The compliance-cost implication is that PDPA programmes need budget for technical security, DPO hiring, breach-response process, and sensitive-data lifecycle management.

DLA Piper, Mondaq, Lexology, Chambers, AustChamThailand, Hogan Lovells
Data as of: 2024-2026

Executive summary

Thailand's PDPA enforcement is now live. After multiple deferrals between 2019 and 2022, the Personal Data Protection Act B.E. 2562 reached full enforcement on 1 June 2022. The Personal Data Protection Committee (PDPC) operating under the Ministry of Digital Economy and Society spent 2022-2024 in awareness-building mode; 2025 marks the structural shift to active enforcement. Per HSF Kramer's six-year enforcement timeline, the August 1 2025 PDPC announcement — 8 administrative fines across 5 cases totalling over — is the inflection point. Foreign and Thai businesses operating in Thailand should now treat PDPA compliance with the same operational seriousness as GDPR.

Penalty structure: civil fines up to for serious violations; sensitive-data violations carry imprisonment up to 6 months and fines (doubled for undue commercial benefit). The August 2025 fine for the customer-data leak case (which was subsequently exploited in call-centre scams) demonstrates PDPC's willingness to combine penalties or apply per-entity fines that exceed individual ceilings. Enforcement reaches data processors, not just controllers — the toy-seller case (controller , processor ) confirmed this explicitly per Lexology, with structural implications for Thai SaaS vendors, outsourcing providers, and any entity processing personal data on behalf of controllers.

Common compliance failures across the August 2025 enforcement batch: inadequate security measures (weak passwords, no risk assessment, poor oversight), failure to appoint Data Protection Officers, failure to meet breach-notification timeframes, and poor sensitive-data handling. The compliance-budget implication for Thai operators is structural: PDPA programmes require investment in technical security, DPO hiring or outsourcing, breach-response capability, and sensitive-data lifecycle management. For foreign operators, the practical posture should align with global GDPR-compliant infrastructure where feasible, plus Thai-specific elements (Thai-language privacy notices, PDPC-recognised legal bases for processing, local DPO presence where required).

HSF Kramer, DLA Piper, Lexology, Chambers, Hogan Lovells
Data as of: 2025-2026

PDPA penalty structure and August 2025 enforcement

| Item | Value | Notes |
|---|---|---|
| PDPA effective date | 1 June 2022 | After multiple deferrals from 2019 enactment. |
| Civil-fine ceiling for serious violations | $144,928 | Per PDPA B.E. 2562 (2019). |
| Sensitive-data criminal fine | Up to $14,493 | Plus up to 6 months imprisonment; doubled for undue commercial benefit ($28,986 / 12 months). |
| August 2025 PDPC enforcement batch | 8 fines / 5 cases | Total > $623,188; first major public-enforcement announcement. |
| Largest single fine | $202,899 | Customer-data leak case; subsequently exploited in call-centre scams. |
| Toy-seller controller fine | $14,493 | Failure to implement appropriate security measures. |
| Toy-seller processor fine | $86,957 | Confirmed processor-level enforcement extension. |
| Breach-notification timeframe | Statutory | Failure to notify PDPC and affected individuals is a recurring compliance failure. |

DLA Piper, Lexology, Chambers, HSF Kramer
Data as of: August 2025

Analyst framing

Why this report matters

PDPA enforcement is now live. The August 2025 announcement of 8 fines totalling > $623,188, including a landmark $202,899 leak case, marks the structural inflection from awareness-building to active enforcement. PDPC reached data processors as well as controllers ($86,957 processor fine in the toy-seller case). Compliance cost for Thai operators now includes technical security, DPO appointment, breach-response capability, and sensitive-data lifecycle management. Foreign operators should align with GDPR-compliant infrastructure plus Thai-specific elements.
