Criteria and procedures for breaches of personal data

The Personal Data Protection Committee (“the PDPC”) recently issued a Notification on the Criteria and Procedures for Personal Data Breaches (“the Notification”) under Sections 16(4) and 37(4) of the Personal Data Protection Act, 2019 (“the PDPA”)

Keywords: Mazars, Thailand, Personal data, Data breach, PDPA, Data controller

13 February 2023

A breach of ‘Personal Data’ (as defined in the PDPA) refers to a violation of security measures that leads to unauthorized or illegal loss, access, use, alteration, amendment, or disclosure of Personal Data which can be caused by intentional, wilful, negligent, unauthorized, or unlawful acts, or acts related to computer crimes, cyber threats, flaws, accidents, or any other incidents.

The Notification outlines the procedures that a ‘Data Controller’ (as defined in the PDPA) must take upon becoming aware of incidents that may have resulted in a breach of Personal Data. The key criteria and procedures are as follows: 

1)  After having received notification of a breach

•  assess and inspect the reliability of the information, and investigate the breach without delay, including inspecting organizational measures, technical measures, and physical measures related to Personal Data;

•  investigate if there are any grounds to presume that the breach has occurred;

•  perform a risk assessment to determine whether the breach is likely to result in a risk to the rights and freedoms of ‘Data Subjects’ (as defined in the PDPA); and

•  implement measures, processes, or technology to mitigate the breach or retrieve the Personal Data and to prevent similar breaches.

2)  If the breach is likely to result in a risk to the rights and freedoms of Data Subjects           

•  notify the Office of the PDPC without delay, within 72 hours of becoming aware of the breach. 

3)  If the breach is likely to result in the risk to the rights and freedoms of Data Subjects being a high one 

•  notify the Data Subject of the breach and the remedial measures taken without delay; and

•  take necessary and appropriate measures to prevent and respond to such a breach and any similar breaches, and to retrieve and restore the Personal Data.

The Data Controller is also required to include provisions in its agreement with ‘Data Processors’ (as defined in the PDPA) specifying that Data Processors must notify the Data Controller of any breach of Personal Data within 72 hours of becoming aware of such a breach.

In the event that the Data Controller is unable to provide notification within the timeframe set out, it may ask the PDPC to waive any penalties for the delay, provided that it can furnish a satisfactory explanation for the delay and notifies the PDPC of the breach within 15 days of becoming aware of it.