On 15 December 2022, the Notification of the Personal Data Protection Committee (the "PDPC") Re: Criteria and Means on Personal Data Breach Notification (the "PDPC Notification") was published in Thailand's Royal Gazette and took effect on the same day. It sets out more detailed requirements for one of a data controller's key obligations: personal data breach notification. Failure to comply with these requirements may incur an administrative fine of up to Baht 3 million (approx. USD 86,000).
By way of legislative background, Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA") requires a data controller to report any personal data breach without delay, and within 72 hours, to (i) the PDPC and (ii) the data subjects (the latter only where the breach is likely to pose a high risk to the data subjects' rights and liberties), unless it can be proved that there is no such risk.
As noted above, the PDPC Notification sets out the detailed requirements for personal data breach notification. The noteworthy points from the PDPC Notification are summarised below:
| Questions | Answers |
|---|---|
| What to notify? | Any personal data breach – |
| What to do? | Three key things to do: 1. Inspect and assess the level of risk first: upon becoming aware of a personal data breach, a data controller must assess the credibility of, and inspect the details of, the breach without delay, and must assess the level of risk and its impact on the data subjects' rights and liberties (criteria for the risk assessment are also provided). 2. Notify: (a) Notify the PDPC if there is any breach: if there is any reason to believe that a breach has occurred, the data controller must notify the PDPC without delay and within 72 hours after becoming aware of the breach, irrespective of the level of risk. (b) Notify the data subjects (only) if the risk is high: if the risk is high, the data controller must also inform the data subjects affected by the breach. (c) No risk, no notification required: no notification is required if the data processor can prove that there is no such risk. 3. Take action: the data controller must, to the fullest extent, implement measures to rectify or mitigate the breach and to prevent similar breaches. In high-risk cases, the data controller must do so immediately, during the inspection in step 1, and must procure that its relevant data processor(s) do the same. |
| Any required minimum details to be notified? | Yes. Certain minimum details are required, including a description of the breach, its impacts, the mitigating measures taken, and contact details. |
| How to notify? | |
| What if a data controller cannot notify in time? | If there is reasonable cause, a data processor may request a waiver of liability (see above) from the PDPC within 15 days from the date of becoming aware of the breach. |
| Data processors, are they involved? | Yes. A data controller must: |