On 15 December 2022, the Personal Data Protection Committee’s (PDPC) criteria and procedures for reporting personal data breaches B.E. 2565 entered into force. The order defines a personal data breach as unauthorised or unlawful loss, access, use, alteration, or disclosure of personal data. Data controllers must assess, verify, and mitigate breaches, and must notify the Office of the Personal Data Protection Committee within 72 hours if a breach poses high risks to individuals' rights and freedoms. Detailed information must be provided, and exceptions to the 72-hour rule can be requested with valid justification. Data processors are also required to report breaches to data controllers promptly. The announcement mandates informing affected individuals and stipulates measures to prevent future breaches, considering various risk factors.