
Personal Data Protection Laws Update: Thailand’s New Notification regarding Criteria and Method for Reporting Personal Data Breaches


After the public hearing period on the Draft Notification closed on 20 November 2022, the Personal Data Protection Committee (the “PDPC”) issued the Notification regarding Criteria and Method for Reporting Personal Data Breaches B.E. 2565 (2022) (the “Notification”). The Notification was published in the Government Gazette on 15 December 2022 and is already in force.

This Notification sets out in further detail the Data Controller's obligation to report a personal data breach under Section 37 (4) of the Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”), including the method, criteria, time frame and exemptions. We have summarised the key points as follows:

Personal Data Breach

A personal data breach refers to a breach of security measures that leads to the loss, access, use, change, alteration or disclosure of personal data without authorisation or unlawfully, regardless of whether it is caused by intentional acts, wilful acts, negligent acts, unauthorised or unlawful acts, computer crimes, cyber threats, mistakes, accidents or any other reason. The Notification also classifies personal data breaches into three specific types: Confidentiality Breach, Integrity Breach and Availability Breach.

The definition of a personal data breach under this Notification is broad: it covers human and/or system errors as well as cyber attacks. Accidents, such as sending an e-mail to unintended recipients, a software error that makes a user database inaccessible, or the loss of a flash drive containing personal data, may also constitute personal data breaches under this Notification, subject to the other factors explained below.

Step-by-step Processes

When the Data Controller is notified, or becomes aware, that a personal data breach has occurred or is likely to occur, the Data Controller shall take the following actions:

1. Evaluate and verify the credibility of such information, and preliminarily investigate the facts of the personal data breach, as well as assess the level of risk;

2. If such personal data breach may cause a high risk of affecting the rights and freedoms of individuals, the Data Controller must take any necessary actions to stop, prevent or take remedial measures in order to end such personal data breach, or prevent further impacts, as soon as is practicable;

3. Once it has been confirmed that a personal data breach has occurred, the Data Controller must notify the PDPC Office of the breach without delay and within 72 hours of becoming aware of it. The report to the PDPC Office must be made in writing, by electronic means, or by any other method specified by the PDPC Office, and must include the following details:

i. Brief information about the nature and type of personal data breach;
ii. Name, contact address and contact method of the Data Protection Officer, or of the contact person designated by the Data Controller;
iii. Information about potential impacts from the personal data breach; and
iv. Information about the measures the Data Controller has taken or will take to correct the personal data breach or to remedy the incident.

4. If the personal data breach may pose a high risk to the rights and freedoms of individuals, then in addition to the notification to the PDPC Office, the Data Controller must also notify the affected data subjects of the breach, together with the remedial measures, without delay. The notification to affected data subjects must contain the following details:

i. Brief information about the nature and type of personal data breach;
ii. Name, contact address and contact method of the Data Protection Officer, or of the contact person designated by the Data Controller; 
iii. Details on the potential impacts on the data subject; and
iv. Remedial measures for the damage incurred by the data subject and brief information about the measures the Data Controller has taken or will take to prevent, contain or correct the personal data breach, including recommended measures the data subject may take to prevent further damage.

5. Take any necessary actions to contain and prevent any further personal data breach, and to mitigate its impact.

Risk Assessment

When assessing the level of risk arising from a personal data breach, in order to determine whether it may affect the rights and freedoms of individuals, the Data Controller may take the following factors into consideration:

1. Nature and type of the personal data breach;
2. Nature and type of the personal data relating to such breach;
3. Quantity of the personal data being breached;
4. Nature, type or status of the data subject being affected (e.g. whether or not the data subject is a vulnerable person);
5. Severity of the impact and the damage caused, as well as the effectiveness of the measures the Data Controller has taken or will take to prevent, contain or correct the personal data breach;
6. Wide-ranging impact on the business or operations of the Data Controller or on the general public;
7. Nature of the data records system and the security measures relating to the personal data breach; and
8. Legal status of the Data Controller (i.e. individual or corporate), as well as the size and nature of the Data Controller's business.

Delayed Report

If the Data Controller cannot report the personal data breach within 72 hours of becoming aware of it, the Data Controller may request that the PDPC Office waive the penalties for the delayed report by notifying the reasons and details demonstrating the unavoidable necessity for the delay. This clarification must be submitted to the PDPC Office no later than 15 days from the date the Data Controller became aware of the personal data breach.

Exemption of Reporting Obligation

Unless the personal data breach poses no risk to the rights and freedoms of individuals, the Data Controller is obligated to report the breach to the PDPC Office. Failure to comply may result in penalties.

If the personal data breach poses no risk to the rights and freedoms of individuals, which includes a case where the breached personal data is not personally identifiable or is not in a normally usable form because of sufficient technical measures or other reliable reasons, the Data Controller is exempted from the reporting obligation described in the previous paragraph. However, the Data Controller remains obligated to provide information, documents or evidence justifying the exemption, including details of the security measures protecting the personal data or other relevant information, for the PDPC's consideration as and when required.

Currently, there is no official English translation of the Notification provided by the authority. However, as this Notification may help Data Controllers better understand personal data breaches and the related legal obligations, our lawyer has unofficially translated the Notification from Thai into English, which we can provide for your reference upon request.

This is intended merely to provide a regulatory overview and not to be comprehensive, nor to provide legal advice. Should you have any questions on this matter, please do not hesitate to contact our Personal Data Protection team at pdpa_bkk@eml.nishimura.com, and our team would be pleased to assist.

Chanakarn Boonyasith
Partner

Pimsiri Harnpanicharoen
Associate

Terapat Laopatarakasem
Associate

Authors

Chanakarn Boonyasith (チャナカーン・ブーンヤシット)

Chanakarn has particular in-depth expertise in the practical side of labour & employment law and personal data protection law. In the Labour & Employment practice, she engages in both advisory work and litigation, including drafting and reviewing legal documents, negotiating settlements, interviewing employees (particularly those accused of wrongdoing), managing whistleblowing hotlines and processes, providing training and various types of employment law advice, and representing clients in numerous court cases and in hearings before the labour authorities. In the Personal Data Protection practice, she assists clients through the entire process, from providing training, analysing how clients handle personal data, and summarising clients' data flows, to providing legal advice and drafting the necessary legal documents. Chanakarn's strategy is to provide detailed, accurate advice and flexible solutions adapted to her clients' needs. She excels at simplifying complex matters and equipping her clients to make the right decisions, and receives consistently strong feedback from her clients regarding the quality of her work. She has been ranked for labour and employment practice in Chambers Asia Pacific 2022 and 2023.