Medical facility penalized for utilizing patient files as food storage

Private healthcare facility in Thailand penalized 1.2 million baht due to misuse of patient documents as snack containers, as reported by the national data privacy authority.

Medical institution faces financial penalty due to selfish practice: Patients' files exploited as food packaging materials.

In the heart of Southeast Asia, Thailand's Personal Data Protection Committee (PDPC) is making waves in the digital landscape. The committee, established under the Personal Data Protection Act (PDPA) that came into effect in 2022, is enforcing strict rules on the collection, use, and disclosure of personal data.

Recently, a major private hospital in Thailand found itself in hot water. The hospital was fined 1.2 million baht for an unusual breach of patient confidentiality. It was discovered that the hospital's patient registry files were being used as pouches for crispy crepes, known locally as khanom Tokyo. This flagrant disregard for data protection principles concerning confidentiality and appropriate use of sensitive personal data is a clear violation of the PDPA.

The PDPC, demonstrating its commitment to upholding these regulations, fined the hospital 1.21 million baht. The disposal business owner, who was entrusted with the document disposal process, was also penalised, receiving a fine of 16,940 baht.

The PDPC's recent enforcement actions are not limited to this incident. Since 2024, the committee has concluded six cases of personal data violations, totalling 21.5 million baht in fines. Inadequate security measures, including weak passwords and lack of risk assessment, were found in several investigations.

The PDPC's crackdown on data breaches is not just focused on private entities. A state agency leaked the personal information of over 200,000 citizens due to a cyber-attack on its web application. This incident was one of five major cases reported by the PDPC on Friday.

Thailand's data protection framework, modelled closely after the European Union’s GDPR, imposes strict rules on the handling of personal data. The PDPA requires data minimization, informed consent, and respect for data subject rights. The PDPC has shown its willingness to issue fines and take enforcement actions against breaches, signalling serious regulatory oversight in the country.

The recently enacted Data (Use and Access) Act 2025 updates some aspects of data protection and access controls, reinforcing the regulatory framework and potentially expanding state oversight and data governance measures. Social media and online platforms also face complementary rules that require content takedown within 24 hours if notified of illegal or harmful content, illustrating Thailand’s broader move to regulate digital and data-related activities strictly.

In summary, Thailand’s data protection laws now provide strong legal mechanisms to protect personal and sensitive data, enforce restrictions on data misuse, and impose fines and penalties on offenders. The PDPA, combined with recent amendments and active enforcement by the PDPC, constitutes the current legal basis for personal data protection in Thailand.

  1. The enforcement of strict rules on the collection, use, and disclosure of personal data by Thailand's Personal Data Protection Committee (PDPC) extends to medical conditions, health and wellness, finance, technology, and general news, as demonstrated by the fines issued for breaches of personal data in various industries.
  2. The PDPA, a law that closely mirrors the European Union’s GDPR, requires data minimization, informed consent, and respect for data subject rights, thereby protecting sensitive information related to science, medical conditions, health and wellness, finance, technology, and general news.
  3. The PDPC's expanding jurisdiction under the Data (Use and Access) Act 2025 may lead to increased scrutiny and regulation of social media and online platforms, potentially impacting the handling and disclosure of data related to science, medical conditions, health and wellness, finance, technology, and general news.
