On 6 December 2022, the Personal Data Protection Committee (PDPC) adopted criteria and procedures for reporting personal data breaches B.E. 2565, which outline the responsibilities and protocols for reporting personal data breaches under the Personal Data Protection Act B.E. 2562. The announcement defines a personal data breach as unauthorised or unlawful loss, access, use, alteration, or disclosure of personal data. Data controllers must assess, verify, and mitigate breaches, and must notify the Office of the Personal Data Protection Committee within 72 hours when a breach poses high risks to individuals' rights and freedoms. Detailed information must be provided, and exceptions to the 72-hour rule can be requested with valid justification. Data processors are also required to report breaches to data controllers promptly. The announcement mandates informing affected individuals and stipulates measures to prevent future breaches, considering various risk factors.