On 24^th June 2020, the Ministry of Digital Economy and Society (“MDES”) issued its Notification on Personal Data Security Standards B.E. 2563 (A.D. 2020) (“Notification”) effective from 18^th July 2020 to 31^st May 2021.

The Notification defines the “personal data security” as the maintenance of  the confidentiality, integrity and availability of the personal data for preventing any loss of the personal data and any unauthorized access, use, modification, alteration or disclosure of the personal data.

The Notification requires each data controller to notify its personal, staff, employees or related persons of its personal data security measures and to promote their awareness of the importance of the personal data.

The data controller must also provide personal data protection measures which should consist of the administrative, technical and physical safeguards for the purposes of personal data access control consisting of at least the followings:-

(1)   the access control for the personal data and the data storage and processing devices;

(2)   the authorization or rights to access the personal data;

(3)   the user access management measure to limit the personal data access to only the authorized persons;

(4)   the user responsibilities control to prevent an unauthorized access, disclosure, knowing or copying of the personal data and stealing of data storage and processing devices; and

(5)   the tracking system to trace the access, alteration, deletion, or transfer of personal data;

The data controller can choose to use personal security standards which are different from the standards required under the Notification provided that such standards consist of personal data security measures not lower than those specified under the Notification.

To see the archive of our past newsletters and articles please click here.