
December 23, 2022

Thailand PDPC Notification on Data Breaches

On December 15, 2022, Thailand’s Personal Data Protection Committee (PDPC) issued the Notification on the Criteria and Procedures for Handling Personal Data Breaches.

What Constitutes a “Data Breach”?

A “personal data breach” refers to a breach of security measures that causes unlawful or unauthorized loss, access, use, modification, or disclosure of personal data, resulting from an intentional, willful, negligent, accidental, unauthorized, or unlawful act, or an act related to computer crimes, cyber threats, mistakes or accidents, or any other act. The notification also classifies personal data breaches into three categories: confidentiality breach, integrity breach, and availability breach.

Upon being informed of an actual or suspected personal data breach, a data controller must take the following actions:

  • To the extent possible, assess the reliability of the information and investigate the facts related to the personal data breach, including all aspects concerning security measures, such as organizational measures, technical measures, and physical measures;
  • Conduct a data breach assessment to consider whether the personal data breach is likely to result in a risk to an individual’s rights and freedom;
  • Notify the Office of the PDPC, any affected data subjects, or both as required; and
  • Take necessary and appropriate action to prevent further consequences resulting from the personal data breach.

Breach Assessment

When conducting a data breach assessment, the following factors must be taken into account in determining whether there is a risk to an individual’s rights and freedom:

  • Nature and the type of data breach;
  • Nature, type, and volume of personal data involved;
  • Nature, type, and status of the affected data subject;
  • Severity of the consequences of the personal data breach for any affected data subjects, and the effectiveness of the measures taken to prevent the data breach;
  • Impact of the data breach on the operation of the business or on the public;
  • Storage systems of the personal data involved and the relevant security measures, including organizational measures, technical measures, and physical measures; and
  • Legal status of the data controller (i.e., individual or a corporate entity) and the scale and nature of its business.

Assessment Guidelines

The PDPC issued its Guidelines on Data Breach Assessments and Personal Data Breach Notifications (Version 1.0), dated December 15, 2022, which provide sample risk assessments for determining whether the Office of the PDPC, the data subject, or both must be notified of a personal data breach. While the PDPC Notification on the Criteria and Procedures for Handling Personal Data Breaches is binding on data controllers, the guidelines are merely aimed at providing guidance to data controllers when assessing the risk associated with a personal data breach.

Notifying the Office of the PDPC

When a personal data breach occurs, the data controller must notify the Office of the PDPC “without delay”—that is, within 72 hours of becoming aware of the breach—unless the personal data breach does not have any risk of affecting the rights and freedom of an individual (such as a lost USB drive containing encrypted personal data, or a temporary suspension of a call center system causing a brief service interruption). Although there is no mandated notification form, the notification must include the information required by the PDPC Notification mentioned above, such as the nature of the breach, the type and volume of records of personal data involved, the data protection officer’s contact information, possible impacts, and remedial actions.

It is also permissible to notify the Office of the PDPC of the breach by letter, in person, or via an electronic channel (to be further specified by the PDPC).

Notifying Data Subjects

Where the data breach has a high risk of affecting the rights and freedoms of an individual, the data controller must also notify the data subject without undue delay after becoming aware of the personal data breach. The notification must include at least the information required by the PDPC Notification (e.g., the nature of the breach, the data protection officer’s contact information, possible impacts, remedial actions, and any additional actions that the data subjects should take to prevent or control further damage, if any).

If it is not possible for the data controller to notify the affected data subjects individually in writing or via electronic means, the breach notification may instead be made by other means, such as a public notification.

Data Processor Obligations

Data processors must notify the data controller of a personal data breach without undue delay after becoming aware of the breach. Data controllers must include in their agreements with data processors a stipulation that the data processor is to notify the data controller within 72 hours of becoming aware of a personal data breach.

Punitive Damages and Possible Class Action Lawsuits

Under the Personal Data Protection Act B.E. 2562 (2019), data controllers and data processors can be ordered to pay actual damages plus punitive damages of up to two times the court-awarded actual damages. The amount of punitive damages depends on the severity of the breach, personal gain or benefit, and the financial status of the controller or processor. The court will also consider the steps the controller or processor took after the breach occurred, and whether the data subject contributed to the breach.

As a data breach, by its nature, may affect many individuals, class actions or mass litigation are possible. If a data subject can satisfy the court of the prerequisites, such as the number of members, the commonality and typicality of the matter, and his or her ability to adequately represent the class members, the data subject can request that the complaint represent other data subjects as well. A judgment rendered in a class action case could give every class member the right to claim without having been initially involved as a party in the case. Alternatively, data subjects could potentially gather and jointly file complaints for damages. This potentially magnifies the likelihood of litigation in data breach matters.

For more information about mitigating the risks posed by personal data breaches, responding to breaches, or any other aspect of data protection laws and regulations in Thailand, please contact Tilleke & Gibbins data protection and cybersecurity team at [email protected], [email protected], [email protected], and [email protected].
