Thailand's PDPC clarifies data breach notification requirements


Contributors:
Piyatida Pavasutti
AIGP, CIPP/E, CIPM, FIP
Data protection officer, life sciences
MyData-Trust
Thailand's Personal Data Protection Act has shaped the country's data protection landscape since it took effect in June 2022, and the Personal Data Protection Committee has now issued clarifications on data breach reporting obligations in response to a company-led public consultation.
Referencing the PDPC's Notification on the Criteria and Procedures for Handling Personal Data Breaches, the clarifications offer essential guidance for organizations striving to meet the PDPA's breach notification requirements.
Clarifying the obligation to notify the PDPC in low-risk breaches
The PDPC clarified that data controllers are exempt from notifying it of a personal data breach if the event poses no risk to the rights and freedoms of individuals.
It explained that, under Section 37(4) of the PDPA and Section 5(3) of the notification, data controllers are required to notify the PDPC of a personal data breach without undue delay and, when feasible, within 72 hours of becoming aware of the breach. However, this obligation does not apply if the breach is assessed as posing no risk to the rights and freedoms of individuals. In such cases, data controllers are not required to notify the PDPC.
To justify this exemption, data controllers must conduct a risk evaluation based on the criteria specified in Section 12 of the notification. If the evaluation determines the breach has no potential to impact individuals' rights or freedoms, the obligation to report the breach is waived.
Examples include minor administrative errors, such as a misdirected email that does not expose sensitive information. However, organizations must document these incidents and retain the related risk assessments as evidence of compliance in case of future inquiries or complaints.
Are exemption support documents restricted to PDPC requests?