On 15 December 2022, the Notification of the Personal Data Protection Committee re: Rules and Methods for Notification of the Personal Data Breach B.E. 2565 (2022) dated 6 December 2022 (“Notification”) was published in the Government Gazette and became immediately effective thereafter.
One of the obligations of the data controller under the Personal Data Protection Act (“PDPA”) is to make a notification of any personal data breach (“Personal Data Breach”)1 to the Office of the Personal Data Protection Committee (“PDPC Office”) and/or the data subject2. The Notification therefore elaborates on the definition of a Personal Data Breach and the details of the Personal Data Breach notification, which we aim to provide a summary thereof in this article.
The data controller has the duty to notify the PDPC Office when a Personal Data Breach incident as defined in the Notification occurs due to an action of the data controller, data processor, or a staff, employee, contractor, representative, or related person of the said data controller or the data processor, or any other persons, or any other factors (“Data Breach Incident”). Such Data Breach Incident may occur in various forms, as follows:
In the case of a Data Breach Incident, the data controller must:
(1) assess the credibility of such information and preliminarily investigate the Personal Data Breach without undue delay, which includes assessing the risk level of such Personal Data Breach;
(2) prevent, cease, or rectify the Personal Data Breach if the data controller finds that such Personal Data Breach poses a high risk of impacting the rights and freedom of a person;
(3) notify the PDPC Office of the cause of the Data Breach Incident without undue delay and within 72 hours from the time that it becomes aware of the cause, unless such breach does not pose a risk of impacting the rights and freedom of a person;
(4) notify the data subject of the cause of the Data Breach Incident together with the remedy approach without undue delay in the case of such breach posing a high risk of impacting the rights and freedom of a person; and
(5) proceed with the necessary and appropriate measures to cease, response, rectify, or remedy the condition resulting from the Personal Data Breach, and to prevent and reduce the impacts of any similar Personal Data Breach in the future, which includes the review of security measures to ensure their effectiveness.
To supplement the obligations in item 2.2 (3) and (4) above, the details of the notification of the Data Breach Incident shall be as follows:
(1) A notification of the Data Breach Incident to the PDPC Office shall be performed in accordance with the following details:
The data controller may rely on an exemption not to make a notification to the PDPC Office if the data controller can prove, for example, that such Data Breach Incident does not pose a risk of affecting the rights and freedom of a person, etc. In this regard, to rely on such an exemption, the data controller has the duty to provide information or evidence for the PDPC Office to consider.7 However, the method and timeline of the provision of information and evidence in relation to such exemption is not stipulated in the Notification.
(2) Notification of the Data Breach Incident to the data subject shall be performed in accordance with the following details:
In the case where the data controller enters into an agreement with the data processor with respect to an entrustment of data processing, the data controller shall stipulate in such agreement the obligation of the data processor to notify the data controller of the Data Breach Incident without delay within 72 hours from the time which the data processor becomes aware of the cause.9
For the assessment of risk of the Personal Data Breach regarding its impact on the rights and freedom of a person, the data controller may take into account factors as itemized in the Notification, such as the category of the breach, personal data that has been compromised, number and status of affected data subjects, security measures that have been taken or will be taken by the data controller, and the impact of the breach on the public, etc.10
The notification of the Data Breach Incident to the PDPC Office and the data subject is one of the key obligations of the data controller and/or data processor in the perspective of the personal data protection.
To enhance the understanding of the said obligation, the PDPC also published the Manual on Guideline for Assessment of Risk and the Notification of the Personal Data Breach Version 1.0, dated 15 December 2022.
If the data controller fails to make a notification of the Data Breach Incident as required under the PDPA and the Notification, it shall be liable for an administrative fine not exceeding THB 3,000,000 (Three Million Baht).11 Therefore, any person who is considered as a data controller and/or data processor should ensure that they duly comply with the obligation related to the Data Breach Incident under the PDPA and the Notification.
Footnotes
1. Clause 3 of the Notification. In this Notification,
“Personal Data Breach” means a breach of security measures that causes loss, unauthorized or unlawful access, use, alteration, editing, or disclosure of personal data, whether it is intentional, willful, negligent, an unauthorized or unlawful act, computer crime, cyber threat, error or accident, or other causes.
2. Section 37(4) of the PDPA.
3. Clause 4, Paragraph One of the Notification. A Personal Data Breach of which the data controller has the duty to notify the Office or the data subject…may involve a breach of one or more categories as follows:
4. Clause 6 of the Notification.
5. Clause 6 of the Notification.
6. Clause 7 of the Notification.
7. Clause 9 of the Notification.
8. Clause 11 of the Notification.
9. Clause 8 of the Notification.
10. Clause 12 of the Notification. For an assessment of risk that the Personal Data Breach poses in relation to the degree of impact on the rights
and freedom of a person, the data controller may take into account the following factors:
11. Section 83 of the PDPA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq® Ltd 1994 – 2023. All Rights Reserved.
Forgot your password?
Free, unlimited access to more than half a million articles (one-article limit removed) from the diverse perspectives of 5,000 leading law, accountancy and advisory firms
Articles tailored to your interests and optional alerts about important changes
Receive priority invitations to relevant webinars and events
You’ll only need to do it once, and readership information is just for authors and is never sold to third parties.
We need this to enable us to match you with other users from the same organisation. It is also part of the information that we share to our content providers (“Contributors”) who contribute Content for free for your use.
Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.
Leave a Reply