The Office of the Personal Data Protection Committee (PDPC) Imposes a Fine on a Major Private Company for Data Breach
On August 21, 2024, Mr. Prasert Chantrarawongthong, the Minister of Digital Economy and Society (DE), announced that the PDPC has imposed a fine of 7 million baht on a major private company for allowing a significant data breach. This breach exposed personal data to criminal gangs, marking the first instance of a private company being penalized under the Personal Data Protection Act (PDPA).
The PDPC’s Expert Committee, which handles complaints related to technology and other matters, found that the company, which engages in online sales, had allowed a large amount of personal data to leak to call center gangs. The company failed to implement adequate security measures as required by the PDPA and did not appoint a Data Protection Officer (DPO) in a timely manner. Additionally, the company neglected to notify the PDPC of the data breach within the legally mandated timeframe.
The Expert Committee imposed the maximum administrative fine of 7 million baht, with the following details:
- The company collected personal data from over 100,000 customers and used this data for its core business operations. However, it failed to appoint a DPO as required by law, resulting in an inability to address the data breach effectively. This action violated Section 41 of the PDPA.
- The company did not implement appropriate security measures as mandated by the PDPA, leading to the data leak to criminal gangs, causing widespread damage. This action violated Section 37(1) of the PDPA.
- When the data breach occurred, the company ignored complaints from data subjects and delayed notifying the PDPC, preventing timely remediation. This action violated Section 37(4) of the PDPA.
In addition to the fine, the Expert Committee ordered the company to improve its security measures to prevent future data breaches. The company is also required to train its staff and update its security measures to keep pace with technological advancements. The company must report these improvements to the PDPC within seven days of receiving the order.
This administrative fine is the first of its kind imposed on a major private company by the Expert Committee since the PDPA came into effect. The fine aims to protect citizens from data breaches and illegal activities, such as those conducted by call center gangs, and to encourage stricter adherence to the PDPA.
The Minister of Digital Economy and Society emphasized that this fine serves as a warning to both public and private sectors to comply with PDPA regulations. The fine also aims to raise awareness about the importance of data protection and to prevent criminal activities that exploit personal data.
Furthermore, the measures ordered by the Expert Committee will help mitigate the damage caused by the data breach and restore public confidence in the use of personal data in online transactions by both public and private sectors.
PKF offers comprehensive services to assist organizations in complying with the Personal Data Protection Act (PDPA) and preventing data breaches. Our PDPA compliance review service includes evaluating existing documentation and procedures, providing expert advice and recommendations for compliance, and reviewing and enhancing data privacy policies. Additionally, we conduct thorough data analysis and gap analysis to identify potential vulnerabilities. We also offer specialized training programs to ensure that your staff understands the general concepts of PDPA law and the importance of data protection. By partnering with PKF, you can enhance your data security measures, safeguard personal data, and avoid significant fines and reputational damage.
citation: เอกชนรายใหญ่ปล่อยข้อมูลรั่ว ประเดิมโทษตามกฎหมาย PDPA รายแรก [Major private company leaks data, first to be penalized under the PDPA] (2024, August 21). ประชาชาติธุรกิจ (Prachachat Turakij). https://www.prachachat.net/ict/news-1635231