PDPA's Penalties: Penalties in civil law

Civil fines may be imposed where the data controller or data processor that possesses the data subject’s personal data fails to comply with the PDPA’s standards, either intentionally or negligently, causing damage to the data subject. The data subject may seek actual compensation for such harm from the data controller or data processor, including all actual expenditures incurred by the data subject to avoid or suppress such damage.

The distinctive feature of civil liability under the PDPA is that, in addition to the actual compensation described above, the court has the authority to order the data controller or data processor to pay punitive damages to the data subject.
However, the punitive damages cannot exceed twice the amount of the actual compensation. If the actual compensation is one million Baht, the court can award punitive damages of up to two million Baht, so the total damages in that case could be up to three million Baht.

The limitation period for claiming civil compensation under the PDPA is three years from the time the data subject becomes aware of the harm and the identity of the offender, or ten years from the date of the data controller's or data processor's unlawful act.

PDPA's Penalties: Penalties for crime

When an offender breaks a statute that interferes with the regular functioning of society, criminal sanctions may be imposed. When the PDPA is violated, the following criminal penalties can be imposed on the data controller or other people who execute personal data protection responsibilities under the PDPA:

1. If the data controller:

➤ Uses or discloses personal data without the data subject's consent in situations where consent is legally needed
➤ Obtains personal data from another data controller and uses or discloses the personal data for purposes other than those previously disclosed to the disclosing data controller
➤ Without additional legal exclusions, transmits or transfers sensitive personal data to a foreign jurisdiction that lacks an effective data protection standard

2. If any of the foregoing is done in a way that is likely to cause the data subject or any other person harm, impair the person’s reputation, or expose the person to ridicule, hatred, or humiliation, the data controller may face imprisonment for up to six months or a fine of up to 500,000 Baht, or both. If the data controller commits any of these activities with the goal of gaining illegal advantages (or securing benefits for others), the data controller faces imprisonment for up to a year, a fine of up to one million Baht, or both.

3. If any individual obtains the data subject’s personal data in the course of fulfilling responsibilities under the PDPA and discloses that personal data to another person, the offender may face imprisonment for up to six months, a fine of up to 500,000 Baht, or both. This does not apply, however, where the person is required to disclose the personal data under specific conditions, for example where the disclosure serves an investigation or judicial proceedings, or where the data subject has given written consent to that specific disclosure.

4. If the offender is a juristic person and the PDPA violation is the result of instructions or omissions from the juristic person’s responsible person (e.g., director, manager, or other persons responsible for the juristic person’s operations), the said person, along with the juristic person, may face criminal penalties.

Penalties for non-compliance with PDPA

PDPA's Penalties: Administrative sanctions

Administrative sanctions for PDPA violations may be imposed, including:

1. A fine of up to one million Baht, if

➤ The data controller fails to inform the data subject, as required by the PDPA, of the contents of the collection (e.g., the purpose of the collection, the retention duration, the categories of individuals to whom the gathered personal data may be shared)
➤ The data controller fails to record the PDPA-required elements in the record of processing activities (ROPA)
➤ Where the PDPA requires it, the data controller or data processor does not designate the data protection officer (DPO)

2. A fine of up to three million Baht, if

➤ The data controller processes personal data for purposes other than those disclosed to the data subject
➤ The data controller collects, uses, and/or reveals personal data without the data subject's legally necessary consent
➤ The data controller fails to report a personal data breach event that may jeopardize the data subject's rights and freedom to the Office of Personal Data Protection Committee within 72 hours of becoming aware of the occurrence
➤ The data processor fails to notify the data controller of the personal data breach

3. A fine of up to five million Baht, if

➤ The data controller collects, utilizes, and/or exposes sensitive personal information without the data subject's explicit consent or another appropriate legal basis
➤ The data controller or data processor submits or transfers confidential personal data to a foreign jurisdiction that does not have acceptable data protection standards without the data subject's legally necessary consent

Civil, criminal, and administrative penalties can all be imposed on the same offender for the same conduct. Penalties may also be increased where a substantial number of PDPA violations occur.

Given the severity of the PDPA’s penalties, we recommend full compliance with the PDPA.
