2. If any of the foregoing is done in a way that is likely to cause the data subject or any other person harm, impair the person’s reputation, or expose the person to ridicule, hatred, or humiliation, the data controller may face imprisonment for up to six months or a fine of up to 500,000 Baht, or both. If the data controller carries out any of these activities with the goal of gaining illegal advantages (or securing benefits for others), the data controller faces imprisonment for up to a year, a fine of up to one million Baht, or both.
3. If any individual obtains the data subject’s personal data as a result of fulfilling responsibilities under the PDPA and discloses this personal data to another person, the offender may face imprisonment for up to six months, a fine of up to 500,000 Baht, or both. This does not apply, however, when a person is forced to reveal personal information under specific conditions, for example, where the disclosure is in the interest of investigative processes or judicial proceedings, or where the data subject has provided written approval for a specific disclosure.
4. If the offender is a juristic person and the PDPA violation is the result of instructions or omissions from the juristic person’s responsible person (e.g., director, manager, or other persons responsible for the juristic person’s operations), the said person, along with the juristic person, may face criminal penalties.
Administrative sanctions may be imposed for PDPA violations, including the following:
➤ The data controller fails to inform the data subject, as required by the PDPA, of the contents of the collection (e.g., the purpose of the collection, the retention duration, the categories of individuals to whom the gathered personal data may be shared)
➤ The data controller fails to record the PDPA-required elements in the record of processing activities (ROPA)
➤ Where the PDPA requires it, the data controller or data processor does not designate the data protection officer (DPO)
➤ The data controller processes personal data for purposes other than those disclosed to the data subject
➤ The data controller collects, uses, and/or reveals personal data without the data subject's legally necessary consent
➤ The data controller fails to report a personal data breach event that may jeopardize the data subject's rights and freedom to the Office of Personal Data Protection Committee within 72 hours of becoming aware of the occurrence
➤ The data processor fails to notify the data controller of the personal data breach
➤ The data controller collects, utilizes, and/or exposes sensitive personal information without the data subject's explicit consent or another appropriate legal basis
➤ The data controller or data processor submits or transfers confidential personal data to a foreign jurisdiction that does not have acceptable data protection standards without the data subject's legally necessary consent
Civil, criminal, and administrative fines can all be imposed on an offender. Penalties might be increased if a substantial number of PDPA violations occur.
Given the PDPA’s penalties, we recommend complete compliance with the PDPA.