On 15 December 2022, new provisions were issued to clarify how data breach incidents should be notified, with such requirements taking immediate effect. The clarification was provided by Thailand's Personal Data Protection Committee ("PDPC") when it issued the Notification of the Personal Data Protection Committee re: Rules and Methods for the Notification of Personal Data Breach Incident, B.E. 2565 (2022) ("Notification").

In essence, the Notification set out the following key details:

  1. Definition of 'Personal Data Breach'
    In the Notification, 'Personal Data Breach' means the breach of security measures arising from an intentional, deliberate, negligent, unauthorized or unlawful action, computer-related offense, cyber threat, error or accident, or other causes that result in unauthorized or unlawful loss, access to, use, alteration, modification or disclosure of personal data;
  2. Characteristics of personal data breach incidents which the data controller is required to notify the Office of the PDPC and/or the data subject, and which may involve confidentiality, integrity or availability breaches. The breaches may result from the actions of the data controller itself, the data processor, or the employees, staff, contractors, agents or any relevant persons of such data controller or data processor;
  3. Procedures that the data controller must follow after it has become aware of a personal data breach incident or potential occurrence of such incident;
  4. Methods to notify the Office of the PDPC of a personal data breach incident, and the required information which must be presented in the notification
    In brief, the required information includes:
    1. a description of the personal data breach including the type of breach, the nature and number of data subjects and personal data records concerned;
    2. the name and contact details of the data protection officer (where applicable) or other contact point where more information can be obtained;
    3. information on the likely consequences of the personal data breach; and
    4. information on measures taken or to be taken to protect, suppress or rectify the personal data breach or to mitigate the damages;
  5. A request for penalty relief for the delay in notification of the personal data breach incident may be accepted where there is unavoidable necessity which causes the delay in notification of the personal data breach incident; however, such request must be made to the Office of the PDPC within 15 days from the date the party making the notification is aware of the incident;
  6. The data controller has an obligation to have in place a contractual clause that requires its data processor to notify a personal data breach incident to the data controller, where feasible, within 72 hours after the data processor has become aware of such incident;
  7. Exemption from the personal data breach notification obligation in the case where the incident is unlikely to result in a risk to the rights and freedoms of a person;
  8. Information and details which must be notified to the data subjects in the case where a personal data breach incident is likely to result in a high risk to the rights and freedoms of a person, which include:
    1. a description in brief and the nature of personal data breach;
    2. the name and contact details of data protection officer or other contact point;
    3. information on the likely consequences of the personal data breach which may affect the data subjects; and
    4. remedial measures, information on measures which the data controller has taken or will take, as well as recommendations on measures which the data subjects may additionally take in order to protect, suppress or rectify the personal data breach or to mitigate the damage; and
  9. Factors to consider when assessing the level of risk of the personal data breach which may affect the rights and freedoms of the data subjects.

It is expected that many more regulations will come into effect next year to clarify certain outstanding issues, such as adequate data protection standards for cross-border data transfers, and the criteria for determining whether a data protection officer and a local representative must be appointed (a local representative may be required if the data controller is located in a foreign country). We will keep you posted when there are any updates.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.