November 2022
By John Formichella & Naytiwut Jamallsawat
The obligation to report a personal data breach in Thailand under the Personal Data Protection Act B.E. 2562 (2019) (“PDPA“) depends on the risk and impact that the breach poses to the owner of the personal data (“Data Subject“). If the personal data breach is likely to result in a high risk to the rights and freedoms of the Data Subjects, the data controller is required to notify both (i) the Data Subject and (ii) the Personal Data Protection Committee (“PDPC“), Ministry of Digital Economy and Society (“MDES“) of the breach and the remedial measures without delay. As to timing, the data controller must notify the PDPC of any personal data breach without delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the Data Subjects.
For the purposes of this article, some definitions prescribed by the PDPA are necessary:
- Data processing
There is no specific definition of ‘data processing’ in the Personal Data Protection Act (PDPA). However, it can be assumed that ‘data processing’ means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, and erasure or destruction.
- Data processor
The PDPA defines a ‘data processor’ as a natural or legal person that undertakes the collection, use, or disclosure of personal data according to orders given by or on behalf of a data controller, whereby such person is not the data controller.
- Data controller
The PDPA defines a ‘data controller’ as a natural or legal person with the power and duties to make decisions regarding collecting, using, or disclosing personal data.
- Data subject
There is no specific definition of a ‘data subject’ in the PDPA. However, it can be assumed that a ‘data subject’ is any individual to whom personal information relates and who can be identified, directly or indirectly:
- via such personal information, such as a name, an ID number, or location data; or
- via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity.
In other words, a ‘data subject’ is an end user whose personal data may be collected.
- Personal data
The PDPA defines ‘personal data’ as any information relating to an individual that enables that individual to be identified, whether directly or indirectly (information about deceased persons is excluded). The PDPA then:
- stipulates specific requirements relating to certain types of personal data; and
- applies those requirements to the collection, use, or disclosure of personal data.
- Sensitive personal data
There is no specific definition of ‘sensitive data’ in the PDPA. However, it can be assumed that ‘sensitive data’ means personal data relating to race; ethnic origin; political opinions; cult, religious, or philosophical beliefs; sexual behaviour; criminal records; health records; and biometric information.
- Consent
There is no specific definition of ‘consent’ in the PDPA. However, it can be assumed that ‘consent’ means permission from a data subject allowing a data controller to collect his or her personal data. In addition, under the PDPA, a data controller must obtain the data subject’s explicit consent, either in writing or by electronic means, in order to collect his or her personal data, unless one of the statutory exemptions from consent applies.
As mentioned above, the obligation to report a personal data breach in Thailand under the PDPA depends on the risk and impact that the breach poses to the Data Subject. As an example of a breach that would be considered high risk/high impact, consider the following scenario:
- A data processor or data controller does not encrypt personal data.
- A Data Subject’s full name, date of birth, and nationality are consequently exposed on the dark web.
The MDES would consider the above as high risk/high impact, because the data is exposed in usable form and directly identifies the individual.
Furthermore, the penalties that may apply as a direct consequence of failing to notify a high-risk/high-impact breach include the following (not to be confused with the consequences of the breach itself):
- Under section 83 of the PDPA, if a data controller fails to submit a notification within 72 hours of becoming aware of a personal data breach, the data controller is subject to an administrative fine of up to 3,000,000 (three million) Thai Baht. Note that this is the maximum fine; the fine actually imposed may be lower.
The above is for general purposes only and should not be relied upon as legal advice.
For further inquiries, please contact John Formichella or Naytiwut Jamallsawat at [email protected]