PDPC Notification on Notifying Personal Data Breach to the PDPC Office

On 6th December 2022, the Personal Data Protection Committee (PDPC) issued its Notification on Criteria and Procedures for Notifying Personal Data Breach B.E. 2565 (2022) effective from 15th December 2022.  We discussed the key provisions of this notification below.

1.   The data controller must notify the PDPC Office and the data subject of any of the following personal data breaches:

(1)   a confidentiality breach as personal data is accessed or disclosed without authorization or by mistake, or as a result of an error, defect, or accident;

(2)   an integrity breach as an unauthorized change or correction is made to personal data, or when an error, defect, or accident causes personal data to be inaccurate or incomplete; and

(3)   an availability breach as personal data is inaccessible or destroyed, prevented from being normal use.

2.   When the data controller becomes aware of a personal data breach or a potential breach, the data controller must assess and audit the breach immediately.  If it is determined that the breach poses a risk to the data subject’s rights and freedoms, the data controller must take immediate action to prevent, suspend, or rectify the breach, and notify the PDPC Office of the breach within 72 hours of becoming aware of the breach.

3.   If the data controller finds that the breach is likely to have a significant impact on the data subject’s rights and freedoms (taking into account the factors listed under this notification), the data controller must (1) immediately notify the data subject of the breach and other facts as listed in this notification, (2) provide the data subject with a guidelines of remedy measures to be taken by the data controller, and (3) take all necessary and appropriate measures to suspend, respond to, correct, or recover from that personal data breach and to prevent a future breach.

4.   The data controller must notify the PDPC Office of the breach in writing by electronic means or any other means specified by the PDPC Office. If the data controller fails to notify the breach to the PDPC Office within 72 hours due to an unavoidable situation, the data controller must notify the PDPC Office within 15 days of becoming aware of the breach and explain the reason for the delay.

5.   The data controller must specify in the data processing agreement with the data processor that the data processor is obligated to notify the data controller of a personal data breach immediately and within 72 hours of the data processor becoming aware of the breach.

6.   If the data breach is involved with several data subjects, the data controller may notify the data breach to such data subjects specifically or generally to the public via public media, social media or electronic means or any other means accessible to the data subjects or the general public.

To see the archive of our past newsletters and articles please click here.


The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. and LawPlus Myanmar Ltd. or any of their directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2016 to 2020 LawPlus Ltd.