Data Breach: What Can a Data Controller Do in Thailand?

The Personal Data Protection Act B.E. 2562 (A.D. 2019) of Thailand (PDPA) requires data controllers to notify the Personal Data Protection Committee (PDPC) and the data subjects if a data breach has occurred. The PDPC Notification on Criteria and Procedures for Notifying Personal Data Breach B.E. 2565 (A.D. 2022) sets out the criteria and procedures that data controllers must follow when notifying a data breach to the PDPC and to the affected data subjects in Thailand.

Notice to the PDPC

If the breach is likely to result in risks to the rights and freedoms of the data subjects, the data controller must file a data breach notice with the Personal Data Protection Committee (PDPC) without delay and within 72 hours of becoming aware of the breach. The notice must state the details of the breach, the contact details of the contact person or the data protection officer of the data controller, the possible consequences of the breach, and the measures taken or to be taken by the data controller to mitigate the potential adverse effects on the data subjects.

Notice to Data Subjects

If the data breach is likely to result in high risks to the rights and freedoms of the data subjects, the data controller must also give a data breach notice to each of the affected data subjects without delay. The notice must describe the nature of the breach and the other details mentioned in the previous paragraph, plus the remedial measures already taken or to be taken by the data controller.

Determining High Risks

The factors for assessing whether a breach poses “high risks” are:

•  the nature and type of the data breach;
•  the nature or the type and the quantity of the personal data involved (based on the number of data subjects or the number of records of personal data involved);
•  the nature, type, or status of the data subjects affected (such as minors, persons with disabilities, persons with incapacity, persons with limited capacity, or vulnerable persons who lack the ability to protect their rights and interests due to various limitations);
•  the severity of the impact and damage that have occurred or may occur to data subjects;
•  the effectiveness of the measures taken or to be taken by the data controller to prevent, stop, or correct the cause of the breach, or to compensate for the damage or mitigate the impact and the damage that have occurred or may occur to data subjects;
•  the broad impact of the data breach on the business or operations of the data controller or the public;
•  the nature of the personal data storage system involved with the breach and the relevant security measures (including organizational measures, technical measures, and physical measures) of the data controller; and
•  the legal status of the personal data controller and the size and nature of the controller’s business.

Means of Filing and Giving Notices

The notice to the PDPC must be made in the Thai language and filed by hand delivery, post, or email. The PDPC has the power to ask for clarification or additional information after the PDPC officer in charge has reviewed the data breach notice.

The data breach notice to the data subjects can be given to each of them by post, email, or any other electronic means, or announced to the public through mainstream media, social media, or any other electronic means accessible to the data subjects.


The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. and LawPlus Myanmar Ltd. or any of their directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2016 to 2020 LawPlus Ltd.