Reference
·Supporting source
PDPA enforcement actions by PDPC (2020-2024)
~30+ formal actions (2024)
The Personal Data Protection Committee (PDPC), Thailand's PDPA regulator, ramped enforcement materially after the law's June 2022 effective date. PDPC formal enforcement actions (warnings, administrative orders, fines) grew from a handful in 2022 to approximately 30+ in 2024 per PDPC published decisions, with the first multi-million baht administrative fine landing in 2024 against a covered entity for breach-notification and data-subject-rights violations. PDPA fines are capped at THB 5 million per offence, but multi-offence stacking and recidivist enforcement are emerging. The Office of the PDPC publishes anonymised enforcement summaries; vendors, law firms (Baker McKenzie, Tilleke and Gibbins, Allen and Overy / Linklaters), and the Thai Bar's data-protection practice track the underlying caseload.
Figure in context
The Personal Data Protection Committee (PDPC), Thailand's PDPA regulator, ramped enforcement materially after the law's June 2022 effective date. PDPC formal enforcement actions (warnings, administrative orders, fines) grew from a handful in 2022 to approximately 30+ in 2024 per PDPC published decisions, with the first multi-million baht administrative fine landing in 2024 against a covered entity for breach-notification and data-subject-rights violations. PDPA fines are capped at THB 5 million per offence, but multi-offence stacking and recidivist enforcement are emerging. The Office of the PDPC publishes anonymised enforcement summaries; vendors, law firms (Baker McKenzie, Tilleke and Gibbins, Allen and Overy / Linklaters), and the Thai Bar's data-protection practice track the underlying caseload.
Interpretation notes
What this tells you
The Personal Data Protection Committee (PDPC), Thailand's PDPA regulator, ramped enforcement materially after the law's June 2022 effective date. PDPC formal enforcement actions (warnings, administrative orders, fines) grew from a handful in 2022 to approximately 30+ in 2024 per PDPC published decisions, with the first multi-million baht administrative fine landing in 2024 against a covered entity for breach-notification and data-subject-rights violations. PDPA fines are capped at THB 5 million per offence, but multi-offence stacking and recidivist enforcement are emerging. The Office of the PDPC publishes anonymised enforcement summaries; vendors, law firms (Baker McKenzie, Tilleke and Gibbins, Allen and Overy / Linklaters), and the Thai Bar's data-protection practice track the underlying caseload.
What not to do with it
Values in count of formal PDPC enforcement actions. PDPA effective from June 2022.
Related figures
Adjacent numbers that add context without drowning the value.
Thailand cybersecurity end-user spending (2020-2025)
IDC Thailand Security Spending Guide, Gartner Asia-Pacific Information Security tracker, National Cyber Security Agency
Thailand cybersecurity spend by sector (2024)
IDC Thailand Security Spending Guide, NCSA sector outlook, Bank of Thailand IT-risk supervision data
Publicly disclosed major Thai breaches (2024-2025)
ThaiCERT advisories, NCSA, Bangkok Post Tech, Group-IB Asia threat intelligence reports
Identity and access management platform adoption
IDC Thailand Identity and Access Management tracker, Okta, Microsoft Entra ID Thailand channel disclosures, Bank of Thailand IT-risk guidance
AI and ML-driven security tooling spend share
IDC Thailand Security Spending Guide, Gartner AI-augmented security tracker, NCSA and Bank of Thailand technology supervision
Post-quantum cryptography readiness investment
NCSA, NIST Post-Quantum Cryptography standardisation, Bank of Thailand IT-resilience guidance, IBM and Thales Thailand channel
Report context
Atlas actors in this figure's reports
Profiles covered in the report that cite this number.