

The period of leniency in enforcing Thailand’s Personal Data Protection Act (PDPA) has concluded. Recent actions by the Personal Data Protection Committee (PDPC) have indicated a decisive shift towards stringent enforcement of the PDPA. This change is significant for businesses and organisations handling personal data, marking the end of the previously observed ‘softly softly’ approach. On October 18, 2023, the PDPC published its first decision by the Expert Committee under the Notification of the PDPC Re: Rules for the Consideration of the Imposition of Administrative Penalties. This was a clear signal that the PDPC is now prepared to take robust actions against non-compliance. In this article, ‘Thailand PDPC Tightens PDPA Enforcement: A Signal for Companies to Step Up Compliance’, we delve into what this means for the Thailand business community.


Recent PDPC Decisions: A Wake-Up Call

The cases adjudicated by the PDPC in October 2023 offer valuable insights into its enforcement priorities:

  1. Case Against an Insurance Company: The company was found to have collected personal data without consent and failed to provide opt-out options in marketing communications. The PDPC’s directives included compliance with PDPA obligations, data deletion, and implementation of measures to prevent future breaches.
  2. Mobile Banking Application: This case was resolved amicably after the provider amended its consent request format, demonstrating the PDPC’s willingness to consider corrective actions taken by organisations.
  3. Data Controller and Former Employee: The PDPC highlighted the importance of clear, explicit, unconditional consent, ordering amendments to the consent form, and prohibiting the use of consent to suspend other rights.


Implications for Businesses

These decisions mark a crucial turning point. Companies must now be more vigilant in their PDPA compliance efforts. Growing awareness among individuals of their rights under the PDPA is increasing the number of complaints to the Expert Committee. Non-compliance risks are escalating, not only in terms of legal penalties but also in potential reputational damage.


Formiti’s Role in Navigating PDPA Compliance

In this environment, Formiti’s PDPA services emerge as a critical resource for organisations seeking to navigate these complexities. Our comprehensive service, Formiti PDPA Service, is specifically designed to assist businesses in achieving and maintaining compliance with the PDPA.

Our tailored service, Formiti PDPA Service for International Schools, offers bespoke solutions for international schools that deal with sensitive student data. This service ensures that educational institutions not only comply with the PDPA but also safeguard the privacy and rights of their student body.



The PDPC’s recent actions indicate that Thai authorities are serious about data protection. It is no longer sufficient for companies to have a superficial understanding or implementation of PDPA guidelines. As the data protection landscape evolves, so must the strategies businesses employ to ensure compliance.

Formiti’s expertise and tailored solutions provide a beacon of guidance for organisations navigating the complexities of the PDPA. By partnering with experts like Formiti, businesses can ensure that they are compliant and at the forefront of data protection and privacy practices, thereby securing their reputation and the trust of their customers and stakeholders.