Key penalties for non-compliance with PDPA

Personal data is any information relating to a natural person which enables the identification of such natural person, whether directly or indirectly. Thailand's Personal Data Protection Act B.E. 2562 (2019) (PDPA) regulates how a data controller^*1 or a data processor^*2 collects, uses, discloses, and/or transfers personal data in order to safeguard against any violation of the right to privacy of a natural person as a data subject. The PDPA came into  full effect on 1 June 2022, so current non-compliance with the PDPA could result in civil penalties, criminal penalties, and administrative penalties. 

Civil penalties may be enforced when the data controller or the data processor who holds the personal data of the data subject fails to comply with the PDPA’s requirements, either intentionally or negligently, which respectively causes damage to the data subject. The data subject can claim actual compensation from the data controller or the data processor for such damage, including all actual expenses spent by the data subject to prevent or suppress such damage. 

The specialty of civil penalties is that in addition to the aforesaid actual compensation, the court has power to sentence the data controller or data processor to pay punitive damages to the data subject in addition to the actual compensation. However, the punitive damages must not exceed two times the amount of the actual compensation. For example, if the actual compensation is one million Baht, the court can order punitive damages for up to two million Baht. The total amount of damages in this example would be up to three million Baht. 

The prescription period for claiming civil compensation under the PDPA is three years from acknowledgement of  the occurrence of damage and the identity of offenders by the data subject, or ten years from a wrongful act by the data controller or data processor.

Criminal penalties may apply when an offender violates a law which interferes with normal operations of society. Where there is a violation of the PDPA, criminal penalties can be brought against the data controller, or other persons who perform duties relating to personal data protection according to the PDPA, as follows:

• If the data controller 

i. uses or discloses personal data without the consent of the data subject where consent is legally required, or 

ii. receives personal data from another data controller and uses or discloses this personal data for purposes other than the purposes previously informed to the disclosing data controller, or 

iii. sends or transfers sensitive personal data^*3 to a foreign country that does not have an adequate data protection standard without other legal exceptions.

If the above are conducted in a manner that is likely to cause the data subject or any other person to suffer any damage, impair the person’s reputation, or expose the person to be scorned, hated, or humiliated, the data controller may be punished with imprisonment up to six months, or fine up to 500,000 Baht, or both. If the data controller performs any of these acts with the intention of receiving unlawful benefits (or to secure benefits for others), the data controller may be punished with imprisonment up to one year, or fine up to one million Baht, or both. 

• If any persons obtain the personal data of the data subject as a result of performing duties under the PDPA and disclose this personal data to any other person, the violator may be punished with imprisonment up to six months, or fine up to 500,000 Baht, or both. However, this will not apply when a person is required to disclose personal data in certain circumstances. For example, where the disclosure is in the interest of investigation procedures or proceedings by the courts, or the data subject’s written consent is granted for a specific disclosure.

If the offender is a juristic person, and the PDPA violation is a result of instructions or omission from the juristic person’s responsible person (e.g., director, manager, or other persons responsible for the juristic person’s operations), the said person may also be punished with criminal penalties as mentioned above, together with the juristic person. 

Administrative penalties may apply to the data controller or the data processor, or any persons violating the PDPA’s provisions. Administrative penalties may be in form of a monetary fine up to five million Baht. Under the PDPA, the expert committee has power to render the penalty as an administrative fine by taking into consideration the level of severity of non-compliance, the business size of the data controller or the data processor, or other circumstances according to the rules to be issued by the Personal Data Protection Committee. 

Administrative penalties may be enforced for breaches of the PDPA, including:

• An administrative fine up to one million Baht where, for example; 
  • the data controller does not inform the data subject prior to, or at the time of the collection of his or her personal data of the details of the collection as required by the PDPA (e.g., purpose of the collection, retention period, categories of persons to whom the collected personal data may be disclosed to);
  • the data controller does not record details required by the PDPA in the record of processing activities (ROPA); or
  • the data controller or the data processor does not appoint the data protection officer (DPO) where it is required by the PDPA. 
• An administrative fine up to three million Baht where, for example; 
  • the data controller processes personal data other than for the purpose informed to the data subject; 
  • the data controller collects, uses, and/or discloses personal data without the legally required consent of the data subject;
  • the data controller does not inform the personal data breach incident, which may risk the right and freedom of the data subject, to the Office of Personal Data Protection Committee within 72 hours of becoming aware of the incident; or
  • the data processor does not inform the personal data breach incident to the data controller.
• An administrative fine up to five million Baht where, for example; 
  • the data controller collects, uses, and/or discloses sensitive personal data without the explicit consent from the data subject or without another applicable legal basis; or
  • the data controller or the data processor sends or transfers the sensitive personal data to a foreign country that does have adequate data protection standard without the legally required consent of the data subject. 

An offender can be liable to civil penalties, criminal penalties, and administrative penalties. If large numbers of PDPA breach incidents occur, penalties could therefore be multiplied. 

Given the severe penalties of the PDPA, we suggest full legal compliance with the PDPA. If you are not sure how to get  started or need help regarding PDPA issues, KPMG Law is here to assist you.

With our experience of the PDPA, we can provide PDPA compliance supporting services including PDPA practical training, PDPA gap analysis, customize PDPA documents and PDPA day-to-day advisory, etc. For more information, please feel free to contact us.