If 2022 was the year Thailand's Personal Data Protection Act (PDPA) was born, and 2023-2024 were the toddler years of stumbling and learning, then 2025 is undeniably the year the law grew up and started handing out punishments.
For the past few years, many businesses in Thailand have operated under a comfortable assumption: as long as we try, we won't get into too much trouble. Regulators seemed focused on education rather than prosecution. But as we look back at the landscape of 2025, that sentiment has officially expired. The Personal Data Protection Committee (PDPC) has shifted gears from "awareness building" to "active enforcement," resulting in fines totalling over THB 21.5 million issued in 2024/25.
As we reflect on this year's events, it's clear that data privacy is no longer just a box to check for the IT department; it is a critical business risk. Here is a summary of what happened in 2025 regarding the PDPA and what it means for us moving forward.
The August Wake-Up Call
The defining moment of 2025 came in August, when the PDPC announced administrative fines across five major cases. These weren't small warnings; they were significant financial penalties targeting both the public and private sectors.
The most shocking story, and the one that likely grabbed your attention on social media, was the snack bag incident. A major private hospital had hired a contractor to destroy old medical records. Instead of shredding them, the contractor reused the paper to bag snacks sold on the street. Patient names and medical histories ended up in the hands of hungry customers.
The fallout? The hospital was fined THB 1.21 million, and the contractor was fined roughly THB 17,000. This case shattered the myth that you can just outsource your data disposal and forget about it. It proved that under the PDPA, you are responsible for your data until the very end of its lifecycle, even after it leaves your building.
Big Fines for Big Mistakes (2024)
While the snack bag incident was bizarre, other cases were more traditional but equally damaging. A technology retailer was hit with a massive THB 7 million fine, the largest single fine to date. Their offenses were a "triple threat" of non-compliance:
- They had weak security measures that allowed hackers to steal customer data.
- They failed to appoint a Data Protection Officer (DPO), which is mandatory for companies handling large amounts of data.
- Worst of all, they stayed silent. They didn't report the breach to the PDPC or their customers.
This sends a crystal-clear message: Ignoring a problem will cost you more than fixing it. The regulator is showing zero tolerance for companies that try to sweep data breaches under the rug.
Another notable case involved a popular collectible toy company. Their reservation system was hacked, compromising 200,000 records. Interestingly, the regulator fined the company THB 500,000, but fined the third-party vendor who built the system a whopping THB 3 million. This is a game-changer. It shows that software developers and vendors (Data Processors) are now directly in the firing line. You can no longer just build a system and wash your hands of the security flaws.
Trends We Saw in 2025
Beyond the headlines, several subtle but important trends emerged this year:
1. Government Agencies: Poor Security Is Not Acceptable
A government agency was fined more than THB 150,000 after a cyberattack exposed 200,000 records on the Dark Web. The investigation found that the agency used weak passwords and had never conducted a risk assessment.
Although Section 4 of the PDPA grants certain exemptions to government agencies (such as for national security or judicial functions), developments in 2025 made it clear that these exemptions do not extend to basic failures in data security.
2. The Rise of the DPO
In late 2025, we saw a push to make Data Protection Officers (DPOs) mandatory for all state agencies, with expectations that this will be strictly enforced in the private sector too. If your company processes a lot of data and you still don't have a DPO, you are driving without insurance.
3. "Zero Data Leakage" Policy
The PDPC has coined the phrase "Zero Data Leakage" as their new standard. While technically difficult to guarantee, this slogan indicates their mindset. They are not looking for "good enough" security; they are looking for "robust" security.
What This Means for You
If you are reading this as a business owner, a manager, or just an employee handling customer files, the takeaway from 2025 is simple: The grace period is over.
You need to look at your vendors. If you hire a marketing agency, a cloud provider, or a document shredding service, you need to vet them. If they mess up, you could be the one paying the fine.
You also need to look at your internal culture. Are your passwords complex? Do you have Two-Factor Authentication (2FA)? Do your employees know what to do if they see a suspicious email? The fines in 2025 were mainly due to basic negligence, such as weak passwords and a lack of training, rather than sophisticated cyber-espionage.

Conclusion
2025 will be remembered as the year Thailand's digital law started biting back. The fines we saw this year, totalling millions of baht, were not just punishments for specific companies; they were a billboard for the rest of us.
We can no longer view the PDPA as a pile of paperwork to be filed and forgotten. It is a living, breathing standard of operation. As we move into 2026, the question is no longer "Are we compliant?" but rather "Are we secure?" Because as we've seen, the cost of answering "no" is getting higher every day.
Contact our team for more insights and support for your business.