On 15th December 2022, the Office of the Personal Data Protection Committee (the “Office”) issued a new Notification on the regulation and procedures for notification of a personal data breach (the “Notification”). This Notification provides supplementary details on the controller’s duty in the case of a personal data breach as prescribed by the Personal Data Protection Act (the “Act”) as follows.

1. This Notification is applicable in the case of a personal data breach (the “Breach”), which is broadly defined as an unauthorized or unlawful breach of a security measure leading to damage to, access to, use of alteration to or disclosure of personal data information, cyber threat, cyber failure, cyber accident or other events. According to this Act, the Breach may be categorized into three types, i.e. a confidentiality breach, an integrity breach, and an availability breach.

2. In a case of the Breach, the data controller shall notify the Office within 72 hours after becoming aware of the Breach. In addition, the data subject is required to notify the data subject of the relevant information and the proposed remedy plan if the breach is likely to result in a risk to the person’s rights and freedom.

3. The data breach means the unauthorized or unlawful breach of security measures by the data controller, data processor, or any parties resulting in a confidentiality breach, integrity breach, or an availability breach.

4. Whenever the data controller receives any information which might lead to a personal data breach (in any way), it is obligated to do the following.
   • Evaluate and examine the credibility of the information and assess the degree of risk to the rights and freedom of the person affected.
   • Prevent, suspend, and correct to end or contain the breach.
   • If the risk to the rights and freedom of the person is expected, notify the Office within 72 hours after having become aware of the breach.
     • The notification can be implemented in writing, via electronic channels, or any methods pursuant to the Office’s regulation.
     • The notification must at least include information and details of the breach, the name and address of the contact person, affection of the risk, and details of security prevention and correction of the breach, along with the compensation.

5. In a case where the breach is likely to result in a risk to the rights and freedom of the person, the data controller is obligated to do the following.
   • Without delay, notify the incident to Data Subject with the compensation procedure.
     • The notification can be implemented in writing or via electronic channels.
     • In a case where it is not possible to make contact, or any necessary incident occurs, the notification can be implemented through public media, online social media, or any electronic channels along with assurance that the data subject would not be suffered from any damages or affection.
     • The notification must at least include information and details of the breach, name and address of the contact person, affection of the risk, and details of security prevention and correction of the breach, along with the compensation.
   • There are eight varied factors for assessing the degree of the risk under this notification.

Failing to perform the duties under this notification would result in civil compensation to the Data Subject and an administrative fine of up to THB 3,000,000. Thus, establishing an internal process in your organization to properly perform this duty is highly recommended.

If you need further information on this or on any other issue regarding this new notification, please contact us at nathapong@dsb.co.th and nutthakarn@dsb.co.th.