Thailand's Personal Data Protection Act has shaped the country's data protection landscape since it took effect in June 2022. In response to a company-led public consultation, the Personal Data Protection Committee has now issued clarifications on data breach reporting obligations under the act.

Referencing the PDPC's Notification on the Criteria and Procedures for Handling Personal Data Breaches, the clarifications offer essential guidance for organizations striving to meet the PDPA's breach notification requirements.

Clarifying the obligation to notify the PDPC in low-risk breaches

The PDPC clarified that data controllers are exempt from notifying it of a personal data breach if the event poses no risk to the rights and freedoms of individuals.

It explained that, under Section 37(4) of the PDPA and Section 5(3) of the notification, data controllers are required to notify the PDPC of a personal data breach without undue delay and, when feasible, within 72 hours of becoming aware of the breach. This obligation does not apply, however, if the breach is assessed as posing no risk to the rights and freedoms of individuals.

To justify this exemption, data controllers must conduct a risk evaluation based on the criteria specified in Section 12 of the notification. If the evaluation determines the breach has no potential to impact individuals' rights or freedoms, the obligation to report the breach is waived.

One example is a minor administrative error, such as a misdirected email that does not expose sensitive information. Organizations must nonetheless document such incidents and retain the related risk assessments as evidence of compliance in case of future inquiries or complaints.

Are exemption support documents restricted to PDPC requests?

When a data controller becomes aware of an actual or potential personal data breach, whether through external notification or its own discovery, it is required to promptly assess the credibility of the information and conduct a preliminary investigation, the PDPC clarified. This process must be carried out without undue delay to establish whether there are reasonable grounds to believe a breach has occurred.

Under Section 12 of the notification, several factors should be considered when assessing a personal data breach, including the nature and type of breach, the categories and volume of personal data affected, and the profile of impacted data subjects — particularly if they include vulnerable groups such as minors, individuals with disabilities or those unable to protect their rights due to certain limitations.

The severity of the impact and potential damage to data subjects, the effectiveness of measures taken to prevent or mitigate the breach, and the broader consequences for the data controller's business or the public are also critical.

Additionally, the characteristics of the personal data storage system and associated security measures — organizational, technical and physical — should be reviewed, along with the legal status, size and nature of the data controller's operations.

Following this determination, the data controller must adhere to the steps specified in the PDPC's notification. If the breach is assessed as posing no risk to the rights and freedoms of individuals, the data controller is not obligated to notify the PDPC or submit any related documents. The controller is still required, however, to retain all records of its risk assessment, investigation and findings. These documents may become critical to justify the decision in the event of complaints, regulatory inquiries or inspections initiated by the PDPC, expert committees or officials, which may include requests for evidence, supporting documentation or information on data security measures.

The ultimate responsibility for demonstrating compliance with the PDPA lies with the data controller, which underlines the importance of thorough record-keeping and adherence to established procedures.

Determining the start of the 72-hour notification period

The PDPC clarified that whether a data controller must notify the PDPC of a personal data breach, and when the 72-hour notification period starts, both depend on the specific circumstances of the case.

The notification period begins only after the data controller becomes aware of a confirmed or likely breach and has conducted a preliminary assessment to evaluate the credibility of the information and verify the facts of the breach. This process, as outlined in Section 5(1) of the notification, ensures the data controller reasonably believes a breach has occurred, as defined in Section 5(3).

The notification timeline begins when a breach is confirmed or when there are reasonable grounds to believe one has occurred. The exact start of this period must be assessed on a case-by-case basis. In some instances, a breach is immediately apparent, such as when personal data is accidentally sent to the wrong recipient via email. In other cases, more time may be required to confirm the breach, for example when investigating a reported data leak caused by a cyberattack or an unauthorized disclosure.

Data controllers are expected to use discretion to determine when there are reasonable grounds to believe a breach exists. Additionally, if a breach is assessed as posing a high risk to the rights and freedoms of individuals, data controllers must act swiftly to mitigate the impact. This includes taking immediate steps to prevent further harm while addressing the breach and fulfilling notification obligations.

These actions should be carried out alongside the obligation to notify the PDPC. However, notification timing remains contingent on establishing reasonable certainty that a breach has occurred.

Additionally, data controllers are expected to implement appropriate measures to respond to, address and recover from the breach, as well as to prevent and reduce the likelihood of similar breaches occurring in the future.

Phased notification and exceptions for late reporting

For breaches posing a high risk, the PDPC allows for notification in phases. Data controllers can provide an initial notification to the PDPC as soon as possible and submit additional details after further investigation is complete. The notification process is considered finalized when the report includes all essential information as specified in Section 6 of the PDPC's notification.

In situations where unavoidable circumstances prevent a data controller from notifying the PDPC within the 72-hour timeframe, the controller must notify the committee as soon as possible but no later than 15 days from becoming aware of the breach. In such cases, the data controller must provide a valid explanation and relevant details to the PDPC, demonstrating the delay was due to unavoidable reasons. The PDPC will review these justifications to determine their validity.

Conclusion

The PDPC's clarifications provide essential clarity on data breach notification requirements under Thailand's PDPA. The adoption of a risk-based approach allows data controllers to allocate resources efficiently, prioritizing the management and reporting of high-risk incidents while minimizing unnecessary administrative tasks.

At the same time, the emphasis on robust documentation ensures accountability for all breaches, regardless of their severity.

For businesses operating in Thailand, these clarifications from the public consultation reflect a more nuanced and well-balanced regulatory framework. Data controllers are encouraged to implement comprehensive incident response plans that align with the PDPC's criteria, timelines and documentation expectations.

In an era of increasingly complex data breaches, this guidance empowers organizations to handle incidents effectively while remaining compliant with PDPA obligations.

Piyatida Pavasutti, CIPP/E, CIPM, FIP, is a data protection officer at MyData-TRUST.