The Criteria and Process for reporting a personal data violation

The Notification of the Personal Data Protection Commission re: the criteria and process for reporting a personal data violation B.E. 2565 (A.D. 2022) (the "Notification") has been in force since 15 December B.E. 2565 (A.D. 2022). Its main points are as follows:

The data controller shall notify the Office of the Personal Data Protection Commission (the "Office"), or the data subject, of any violation of its security measures that results in the unauthorised loss, access, use, modification, amendment or disclosure of personal data and that critically affects the rights and freedoms of the data subject, regardless of the cause of the violation. A personal data violation may arise from a confidentiality breach, an integrity breach, or an availability breach. In every case of a personal data violation, the data controller shall notify the Office within 72 hours of becoming aware of the violation, unless the violation does not affect the rights and freedoms of the data subject.

In addition, once a violation has been identified, the data controller is responsible for preliminarily assessing the reliability of the report and for assessing the potential risk to the rights and freedoms of the data subject. If the risk is assessed as high, the data controller shall immediately take measures to protect against, suspend, or remedy the violation. The data controller shall also notify the data subject and inform them of the measures taken to remedy the damage caused by the violation.

If the notification is made after 72 hours, the data controller may, within 15 days, ask the Office to consider exempting it from fault for the delay by stating the significant reasons for the delay. Nonetheless, notifying the Office of a violation does not relieve the data controller of any duties or liabilities it has under other special laws. The data controller's duty to notify the Office of a personal data violation may be exempted only if the data controller can prove that the violation does not affect the rights and freedoms of the data subject, that the affected personal data cannot identify the data subject, or that the affected personal data has been rendered unusable by adequate technological measures.

In certain businesses, where a data processor acts on behalf of the data controller, or has a joint agreement with the data controller to operate its business in accordance with the personal data protection law, the data controller shall stipulate in the agreement that the data processor must notify the data controller of any personal data violation within 72 hours of the data processor becoming aware of it.