Shunsuke Minowa
Partner
Bangkok
NO&T Thailand Legal Update
On 15 December 2022, the Notification of the Personal Data Protection Committee re: Rules and Methods for Notification of the Personal Data Breach B.E. 2565 (2022) dated 6 December 2022 (“Notification”) was published in the Government Gazette and became immediately effective thereafter.
One of the obligations of the data controller under the Personal Data Protection Act (“PDPA”) is to notify the Office of the Personal Data Protection Committee (“PDPC Office”) and/or the data subject of any personal data breach (“Personal Data Breach”)※1※2. The Notification therefore elaborates on the definition of a Personal Data Breach and the details of the Personal Data Breach notification, of which we aim to provide a summary in this article.
The data controller has the duty to notify the PDPC Office when a Personal Data Breach incident as defined in the Notification occurs due to an action of the data controller, data processor, or a staff, employee, contractor, representative, or related person of the said data controller or the data processor, or any other persons, or any other factors (“Data Breach Incident”). Such Data Breach Incident may occur in various forms, as follows:
In the case of a Data Breach Incident, the data controller must:
(1) assess the credibility of such information and preliminarily investigate the Personal Data Breach without undue delay, which includes assessing the risk level of such Personal Data Breach;
(2) prevent, cease, or rectify the Personal Data Breach if the data controller finds that such Personal Data Breach poses a high risk of impacting the rights and freedom of a person;
(3) notify the PDPC Office of the cause of the Data Breach Incident without undue delay and within 72 hours from the time that it becomes aware of the cause, unless such breach does not pose a risk of impacting the rights and freedom of a person;
(4) notify the data subject of the cause of the Data Breach Incident together with the remedy approach without undue delay in the case of such breach posing a high risk of impacting the rights and freedom of a person; and
(5) proceed with the necessary and appropriate measures to cease, respond to, rectify, or remedy the condition resulting from the Personal Data Breach, and to prevent and reduce the impact of any similar Personal Data Breach in the future, which includes a review of security measures to ensure their effectiveness.
To supplement the obligations in item 2.2 (3) and (4) above, the details of the notification of the Data Breach Incident shall be as follows:
(1) A notification of the Data Breach Incident to the PDPC Office shall be performed in accordance with the following details:
| Item | Details |
|---|---|
| Method of notification | The notification shall be made in writing, or through an electronic method, or any other method prescribed by the PDPC.※4 |
| Timeline of notification | Within 72 hours from the time that the data controller becomes aware of the cause of the Data Breach Incident, as early as practicable |
| Details to be provided upon notification | |
| Delay of notification | If the notification of the Data Breach Incident is delayed for more than 72 hours from the time that the data controller becomes aware of the cause of the Data Breach Incident due to any reason of necessity, the data controller may request the PDPC to consider exempting it from the liability related to the delayed notification of the Data Breach Incident. The data controller shall clarify the reason of necessity and relevant details thereof to show that there was a reason of necessity that caused the notification of the Data Breach Incident to be delayed. Such details shall be notified to the PDPC Office immediately; moreover, such notification shall be made no later than 15 days from the time that the data controller becomes aware of the cause of the Data Breach Incident.※6 |
The data controller may rely on an exemption not to make a notification to the PDPC Office if the data controller can prove, for example, that such Data Breach Incident does not pose a risk of affecting the rights and freedom of a person, etc. In this regard, to rely on such an exemption, the data controller has the duty to provide information or evidence for the PDPC Office to consider.※7 However, the method and timeline of the provision of information and evidence in relation to such exemption is not stipulated in the Notification.
(2) Notification of the Data Breach Incident to the data subject shall be performed in accordance with the following details:
| Item | Details |
|---|---|
| Method of notification | |
| Timeline of notification | As soon as practicable without undue delay |
| Details to be provided upon notification | |
In the case where the data controller enters into an agreement with the data processor with respect to an entrustment of data processing, the data controller shall stipulate in such agreement the obligation of the data processor to notify the data controller of the Data Breach Incident without delay and within 72 hours from the time at which the data processor becomes aware of the cause.※9
For the assessment of risk of the Personal Data Breach regarding its impact on the rights and freedom of a person, the data controller may take into account factors as itemized in the Notification, such as the category of the breach, personal data that has been compromised, number and status of affected data subjects, security measures that have been taken or will be taken by the data controller, and the impact of the breach on the public, etc.※10
The notification of the Data Breach Incident to the PDPC Office and the data subject is one of the key obligations of the data controller and/or data processor from the perspective of personal data protection.
To enhance the understanding of the said obligation, the PDPC also published the Manual on Guideline for Assessment of Risk and the Notification of the Personal Data Breach Version 1.0, dated 15 December 2022.
If the data controller fails to make a notification of the Data Breach Incident as required under the PDPA and the Notification, it shall be liable for an administrative fine not exceeding THB 3,000,000 (Three Million Baht).※11 Therefore, any person who is considered as a data controller and/or data processor should ensure that they duly comply with the obligation related to the Data Breach Incident under the PDPA and the Notification.
※1 Clause 3 of the Notification. In this Notification, “Personal Data Breach” means a breach of security measures that causes loss, unauthorized or unlawful access, use, alteration, editing, or disclosure of personal data, whether it is intentional, willful, negligent, an unauthorized or unlawful act, computer crime, cyber threat, error or accident, or other causes.
※2 Section 37(4) of the PDPA.
※3 Clause 4, Paragraph One of the Notification. A Personal Data Breach of which the data controller has the duty to notify the Office or the data subject…may involve a breach of one or more categories as follows:
※4 Clause 6 of the Notification.
※5 Clause 6 of the Notification.
※6 Clause 7 of the Notification.
※7 Clause 9 of the Notification.
※8 Clause 11 of the Notification.
※9 Clause 8 of the Notification.
※10 Clause 12 of the Notification. For an assessment of the risk that the Personal Data Breach poses in relation to the degree of impact on the rights and freedom of a person, the data controller may take into account the following factors:
※11 Section 83 of the PDPA.
This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.