The Thailand (PDPC) issued the “Criteria and Means on Personal Data Breach Notification” on December 15, 2022. This notification was published in Thailand’s Royal Gazette and took effect on the same day. It outlines more detailed requirements for data controllers to notify individuals and the PDPC of any personal data breaches. Failure to comply with these requirements may result in an administrative fine of up to THB 3 million (approximately USD 86,000).
Under the Personal Data Protection Act B.E. 2562 (2019) (PDPA), data controllers are required to promptly inform the PDPC and affected individuals (if there is a high risk of harm to their rights and freedoms) of any personal data breaches within 72 hours, unless it can be proven that there is no risk of harm.
The PDPC Notification provides further details on the requirements for personal data breach notification. Some noteworthy issues include:
When and What To Report to the Thailand PDPC.
Data Breaches that arise out of –
- wilful misconduct or negligence, whether by the data controller or data processor, including their employees, contractors, and agents.
- Any data breaches that arise out of the CIA Triad Confidentiality, Integrity and Availability.
-
- confidentiality breaches, which involve unauthorized access to or disclosure of personal data;
- integrity breaches, which result in incorrect or inaccurate personal data; and
- availability breaches, which lead to personal data being unavailable
What Actions Should Be Carried Out
-
- Conduct a risk assessment: As soon as they become aware of the breach, the data controller must promptly evaluate the credibility and inspect the details of the personal data breach. They must also assess the level of risk and determine its impact on the affected individuals’ rights and freedoms. The criteria for risk assessment are also provided
- Notify: In the event of a breach, the data controller must notify the PDPC immediately if they have reason to believe that a breach has occurred. Regardless of the level of risk, notification must be provided within 72 hours of becoming aware of the breach.
- The data controller must inform the affected data subjects only if the risk associated with the breach is deemed high.o No risk, no notification required: No notification required if the data processor can prove that such risk is none.
- Mitigate and Rectify: The data controller must take all necessary measures to rectify or mitigate the breach and prevent any future similar breaches to the fullest extent possible. In high-risk cases identified during the risk assessment in step 1, the data controller must take immediate action and ensure that its relevant data processor(s) also take appropriate measures.
What Details Need To Be Included in a breach Report:
To the Individual Affected:
You need to describe, in clear and plain language, the nature of the personal data breach and, at least:
-
- the name and contact details of any data protection officer you have, or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken or proposed to deal with the personal data breach and, where appropriate, a description of the measures taken to mitigate any possible adverse effects.
If possible, you should give specific and clear advice to individuals on the steps they can take to protect themselves, and what you are willing to do to help them. Depending on the circumstances, this may include such things as:
-
- forcing a password reset;
- advising individuals to use strong, unique passwords; and
- telling them to look out for phishing emails or fraudulent activity on their accounts.
To the PDPC:
When reporting a breach, you must provide:
-
- a description of the nature of the personal data breach including, where possible:
- the categories and approximate number of individuals concerned; and
- the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
- a description of the nature of the personal data breach including, where possible:
How to Submit your PDPC Notification
The notification to the Thailand PDPC must be provided in writing or through electronic means as specified by the PDPC. The notification to the affected data subjects must be in writing or through electronic means specifically addressed to each individual. In cases where it is not possible to address each individual, the data controller may notify a group of data subjects (if they are not individually identifiable) through public or social media or any other means that are accessible to the data subjects.
What if the Breach is complex can you apply for additional time?
If there is reasonable cause, a data processor may request a waiver of liability (as mentioned above) from the Thailand PDPC within 15 days of becoming aware of the breach
Are data Processors also affected?
The data controller is required to include a contractual obligation in the relevant data processing agreements to notify the data controller of any personal data breach within 72 hours of becoming aware of the breach. Additionally, in high-risk cases, the data controller must also ensure that its data processor takes measures to prevent and mitigate the breach, as discussed above.
Click here to find out more