Personal Data Breach Notifications – Thailand Personal Data Privacy

November 2022

By John Formichella & Naytiwut Jamallsawat

The obligation to report a personal data breach in Thailand under the Personal Data Protection Act B.E. 2562 (2019) (“PDPA“) is subject to the risk and impact on the owner of the personal data (“Data Subject“) following the breach. Suppose the personal data breach can be considered high risk or high impact on the rights and freedoms of the Data Subjects. In that case, the data controller is required to notify the breach and the remedial measures to the (i) data subject and (ii) the Personal Data Protection Committee (“PDPC“), Ministry of Digital Economy and Society (“MDES“) without delay. Regarding the notification, the data controller must notify the PDPC of any personal data breach within 72 hours of becoming aware of the breach unless such breach has no risk or impact on the rights and freedoms of the Data Subjects.

For the purposes of this article, some definitions prescribed by the PDPA are necessary:

Data processing

There is no specific definition of ‘data processing’ in the Personal Data Protection Act (PDPA). However, it can be assumed that ‘data processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, and erasure or destruction.

Data processor

The PDPA defines a ‘data processor’ as a natural or legal person that undertakes the collection, use, or disclosure of personal data according to orders given by or on behalf of a data controller, whereby such person is not the data controller.

Data controller

The PDPA defines a ‘data controller’ as a natural or legal person with the power and duties to make decisions regarding collecting, using, or disclosing personal data.

Data subject

There is no specific definition of a ‘data subject’ in the PDPA. However, it can be assumed that a ‘data subject’ is any individual who owns personal information and can be identified, directly or indirectly:

via such personal information, such as a name, an ID number, or location data; or
via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

In other words, a ‘data subject’ is an end user whose personal data can be collected.

Personal data

The PDPA defines ‘personal data’ as information that:

directly or indirectly relates to an individual;
stipulates specific requirements relating to certain types of data; and
applies to the collection, use, or disclosure of personal data.

Sensitive personal data

There is no specific definition of ‘sensitive data’ in the PDPA. However, it can be assumed that ‘sensitive data’ is any data relating to race; ethnic origin; political view; doctrinal, religious, or philosophical beliefs; sexual behavior; criminal record; health record; and biometric information.

Consent

There is no specific definition of ‘consent’ in the PDPA. However, it can be assumed that ‘consent’ means permission from a data subject allowing a data controller to collect his or her personal data. In addition, under the PDPA, a data controller must obtain the data subject’s explicit consent, either in writing or electronically, to collect his or her personal data.

As mentioned above, the obligation to report a personal data breach in Thailand under the PDPA is subject to the risk and impact on the owner of the data subject’s personal data following the breach. As an example of a breach considered high risk/high impact, consider the following reasons:

A data processor or controller does not encrypt Personal Data.
A Data Subject’s full name, date of birth, and nationality are exposed on the dark web due to non-encryption.

The MDES would consider the above as high risk/high impact.

Furthermore, the penalties which may be applicable as a direct consequence(s) of failure to notify of a high-risk/high-impact breach include the following (not to be confused with consequences of the breach itself):

Under section 83 of the PDPA, if a data controller fails to submit a notification by 72 hours after being aware of a personal data breach, the data controller shall be subject to an administrative fine of up to 3,000,000 (three million) Thai Baht. Note that this is a capped fine and may be lower.

The above is for general purposes only and should not be relied upon as legal advice.

For further inquiries, please contact John Formichella or Naytiwut Jamallsawat at info@fosrlaw.com

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Related Posts

Telecommunications Licensing and Data Centers in Thailand

Foreign Satellite Services in Thailand