The US Internal Revenue Service has developed an IDES platform for International Financial Institutions to file under FATCA

Foreign Account Tax Compliance (“FATCA”) is a rule implemented by the United States with the goal of preventing tax avoidance by US taxpayers using foreign accounts. As the United States collects taxes on a worldwide basis, FATCA requires financial institutions all over the world to transmit accounting records of US taxpayers to the Internal Revenue Service (“IRS”).  This information is used by the IRS to identify taxpayers who may be evading their US tax obligations by hiding assets overseas. FATCA also requires US taxpayers to report certain offshore assets and income on their US tax returns.

To comply with FATCA’s objective, the US government enters into intergovernmental agreements (“IGA”) with other governments so that the exchange of taxpayers’ account information can take place without violating the contracting parties’ domestic regulations, and so that both parties can assist each other in tax matters.

The IGA includes the following models:

  • Model 1: IGA in which the party gathers information on US citizens from financial institutions inside its jurisdiction and reports it to the other party via an automated system. Model 1 is divided into two systems:
    • Model 1 A (Reciprocal): Both parties agree to transfer information back and forth via the automated system.
    • Model 1 B (Non-Reciprocal): The parties agree to provide the information to the US government in exchange for none in return.
  • Model 2: IGA in which the state parties agree to implement legislation permitting and compelling financial institutions to communicate information via an automated system.

Thailand has chosen the International Data Exchange Service (IDES) as the tool for collecting information from financial institutions in Thailand; this method is known as M1O2.


From 5 June through 30 June 2023 (Eastern Standard Time in the United States), the US Internal Revenue Service (IRS) will make the IDES system available for Thai financial institutions to trial receiving and transferring simulated data to the IRS. Financial institutions that have not registered in the IDES system may register to participate by 1 June 2023 at 5:00 p.m. (Eastern Standard Time in the United States). There is no need to re-register if the financial institution has already registered in the IDES system. However, the new password must be validated before 1 June 2023 to ensure that it does not expire during the test. Also, ensure that the certificate used to send and receive data is valid for the length of the test, as financial institutions will be unable to change their passwords or upload certificates during the test.

Author: Ms. Panisa Suwanmatajarn

The USTR keeps Thailand on the Watch list, yet appreciates Thailand’s progress

On April 26th, 2023, the Director General of Thailand’s Department of Intellectual Property (“DIP”) revealed that the United States Trade Representative (“USTR”) had announced its annual status review of Intellectual Property (“IP”) protection among the United States’ trading partners, the Special 301 Report, published under Section 301 of the Trade Act of 1974. Thailand remains on the Watch List (“WL”) this year, along with 21 other nations.

USTR has recognized Thailand’s progress in IP protection and enforcement, particularly the amendment of the Copyright Act to include a notice and takedown procedure, which allows a copyright owner to notify the platform and have the infringing items removed. Thailand has also updated the Technological Protection Measure (“TPM”) provisions to extend the expiration date of photoprotection.

Furthermore, Thailand has entered into bilateral cooperation with the World Intellectual Property Organization Copyright Treaty (“WCT”) to preserve licenses in the digital era. USTR has also applauded Thai intra-agency efforts in IP protection and enforcement, such as the Thai Customs IPR Recordation System (“TCIRs”) and the signing of memorandums of understanding (MOUs) with e-commerce platforms to report online counterfeit goods.


Apart from DIP’s progressive operations such as Smart DIP, the Fast Track System for Trademark Registration, and so on, DIP also contributes to ASEAN’s protection and enforcement against IP infringement by nominating itself as president of the ASEAN Network of Intellectual Property Enforcement Experts (ANIEE). The objectives of holding the presidency are to drive economic growth through IP by establishing appropriate standards between Thailand and its trading partners and protecting Thai entrepreneurs’ IP; to make ASEAN aware of the importance of IP protection and enforcement so that Thai products can be protected properly and in a timely manner; to provide opportunities and trade fairness under modern technology; and to improve ASEAN’s general IP image and ensure that Thai products exported to ASEAN are protected and able to compete without facing IP infringement. Thailand has been sharing its experience, knowledge, and success stories with the ASEAN region, for example by associating with the ASEAN e-Commerce platform, creating the Protection and Enforcement against IP Infringement handbook, and increasing the operational capacity of law enforcement agencies.

However, the USTR remains concerned about unauthorized film recordings, online counterfeit and pirated goods, impersonation of royalty collection rights, and delays in criminal and civil proceedings, which is why Thailand stays on the WL. To address these concerns, Thailand is in the process of developing an IP Work Plan with the US in order to move off the WL. Thailand has proposed the plan to the United States, and the United States is currently examining it. DIP will work as promptly as possible to bring Thailand off the WL of the USTR annual status review in the future.

Author: Panisa Suwanmatajarn, Managing Partner.

PDPC’s Guideline for Data Controller and Data Processor

The Personal Data Protection Committee (“PDPC”) has announced the Guidelines for Data Controller and Data Processor.

The case studies extracted from this discussion on the enforcement of the Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) include sample actions for each specific case as scenarios for all relevant parties under the PDPA, including the Data Controller, Data Processor, Data Subject, and other relevant persons, to consider and apply. The guideline also aims to put in place effective remedial measures for Data Subjects, whose personal data and rights must be protected, and to prevent data breaches under the PDPA. The sample scenarios are as follows:

  • Does the bank need to obtain consent from minors aged 7 to 20 in order to collect and/or use their facial recognition data for mobile banking transactions? Facial recognition data is classified as sensitive personal data of the biometric type, i.e. data arising from the use of techniques or technology relating to the physical or behavioral characteristics of a person under Section 26 of the PDPA. Consent is required only if other legal bases, such as Contract and Legal Obligation, cannot be applied. Furthermore, the procedure for obtaining a minor’s consent must comply with Sections 19 and 20 of the PDPA.
  • Is consent required when a bank introduces new products to a minor for marketing purposes? If so, can minors freely consent on their own behalf? Since the collection of personal data for marketing purposes is not an activity covered by the legal basis of a contract for opening a bank account, and if such personal data was not collected for a purpose under Sections 24(1) – 24(6) of the PDPA, such as Vital Interest or Legal Obligation, then the consent of the minor must be obtained, and the consent of the holder of parental responsibility over the child may also be required on a case-by-case basis according to Section 20 of the PDPA.
  • A limited company operates a trading and service business and enters into an agreement with an individual business partner. The company would like to collect personal data such as the name, phone number, and other information of the business partner’s employee in order to contact him/her directly on matters relating to the performance of the agreement. In this case, the Data Controller cannot rely on the legal basis of “Contract” with respect to that employee, but the legal basis of “Legitimate Interest” might be applied if the data processing does not override the fundamental rights of the employee as a Data Subject.
  • What are the advantages and disadvantages of appointing an outsourced Data Protection Officer (“DPO”)? Is it necessary for the company to set up a separate department to handle this task? The Data Controller may appoint a DPO according to its suitability and the Data Controller’s need to comply with, and be responsible for, the duties set out in Section 42 of the PDPA. Furthermore, a DPO cannot be dismissed or terminated for performing his/her duties under the PDPA, and the DPO should be a person who can report directly to the executives of the Data Controller or Data Processor. As a result, selecting the DPO is an internal matter for the company to decide as it deems appropriate.

In conclusion, to assist the government agencies and private companies in answering all concerns and questions regarding PDPA compliance, the PDPC has assigned the Sub-Committee to gather all such questions and concerns and propose the same, along with the recommended answer, to the PDPC for further consideration, and later provide those correct answers and consultations to the government agencies and private companies. In the future, all of those inquiries may be published as sample scenarios, just as they were in this guideline.

Author: Panisa Suwanmatajarn, Managing Partner.

Official Fees Exempted for the Digital Civil Registration Service

The Ministry of Interior has proposed the draft Ministerial Regulation Prescribing the Operation of the Digital Civil Registration System. The draft exempts service fees for the digital civil registration service system in order to lighten the cost burden on citizens.

Currently, the Department of Provincial Administration has provided services on the digital civil registration system via D. DOPA application and BORA Web Portal (thportal.bora.dopa.go.th). Fee exemption has been granted from the past year until 12 March 2023 for certain services, such as notification of relocation, certifying a copy of house registration, registration record and birth registration.

To provide public services effectively, conveniently and appropriately under the current situation, it is appropriate to exempt service fees for two types of services as follows:

1) Services under the Ministerial Regulation Prescribing Fees and Exempting Fees Related to Civil Registration B.E. 2562 (2019), such as providing and certifying a copy of house registration, birth and death registration, which are currently charged at the rate of 10 THB per copy, and notification of birth, death and relocation, which are currently charged at the rate of 20 THB per copy.

2) Services under the Ministerial Regulation Prescribing Non-Thai Citizens to Comply with Civil Registration B.E. 2562 (2019), such as notification of birth, death and relocation, which are currently charged at the rate of 20 THB per copy.

The cabinet has now given its approval, and the draft will soon become effective.

Thailand PDPA – DPO Qualifications

The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), which became effective on 1 June 2022, specifies the rules and restrictions that Data Controllers and Data Processors must adhere to. One important rule regarding the Data Protection Officer (“DPO”) is specified in Section 41 of the PDPA: “The Data Controller and the Data Processor shall designate a data protection officer…” Many organizations might therefore wonder: what is a DPO? What are its responsibilities? And what qualifications are required to become one?

A DPO is a person who is responsible for the data protection of all personal data collected, used and disclosed by a legal entity, whether it is internal personal data or third-party personal data collected by the legal entity. Section 42 of the PDPA specifies the duties of the DPO as follows:

  1. Providing advice to the Data Controller and Data Processor, as well as all employees and service providers of those parties involved in the data processing, in order to ensure PDPA compliance, such as providing them with PDPA information and training sessions, particularly to those who directly operate with data processing, in order to ensure adherence to the legal entity’s privacy policy and follow the rules and regulations pertaining to the personal data protection.
  2. Monitoring the operation and the performance of the parties mentioned in item 1 regarding personal data collection, use and disclosure to be in accordance with the PDPA.
  3. Coordinating with the regulator, the Personal Data Protection Committee (“PDPC”) on any issues that arise in relation to item 2 such as a data breach.
  4. Maintaining the confidentiality of personal data known and acquired while performing the duties.

No sub-regulations governing DPO qualifications have been officially announced; the PDPA only specifies the duties of the DPO as mentioned above. As a result, the following is only guidance from the Thailand Data Protection Guidelines on this matter, which Data Controllers and Data Processors should consider.

  1. Having background knowledge of the PDPA and other applicable laws
  2. Understanding of technologies, IT, and data security measures. The DPO may need to fully understand these matters because IT systems and technological capabilities may be involved in the collection, use, disclosure and processing of personal data, and the DPO must be able to perform its technology-related obligations under the PDPA.
  3. The DPO should not be a person who directly benefits from collecting personal data, and the DPO shall not audit its own actions involving the collection, use or disclosure of personal data. As a result, the duties of the DPO and those who process personal data should not overlap.
  4. Good communication and collaboration skills with internal parties, external parties and regulators, because the DPO must collaborate with all departments within the organization and with the PDPC on PDPA matters. Furthermore, the DPO should have direct access to the executives, because many aspects of PDPA compliance may need to be acted on urgently.
  5. The DPO is not required to be an employee of the legal entity for which he or she works.

After designating a DPO, the Data Controller and the Data Processor are also required by Section 41 paragraph 5 of the PDPA to inform the PDPC and the Data Subject of the DPO’s information, contact address and contact channels. Any Data Controllers and Data Processors that are in the same affiliated business or group of undertakings and jointly designate the same DPO must also provide a list of all Data Controllers and/or Data Processors for whom that DPO works. This information can be sent to the PDPC via the email address and telephone number specified in the Announcement of the Office of the Personal Data Protection Committee Concerning Electronic Channels for Contacting the Office of the Personal Data Protection Committee B.E. 2562 (2019). The obligation to inform the Data Subject of the DPO’s information can be met by including it in the privacy notice or privacy policy published by the Data Controller and Data Processor, as the same information is also required by Section 23 (5) of the PDPA. Although no sub-regulation regarding DPO qualifications has been announced, all Data Controllers, Data Processors, DPOs and other relevant parties should keep an eye on these upcoming regulations in order to comply with the PDPA and designate an appropriate DPO for their legal entity, because the DPO plays an important role and directly affects the legal entity’s compliance with the PDPA.

Author: Panisa Suwanmatajarn, Managing Partner.

Royal Decree To Prevent Call Center Scams

A call center scam is a type of fraud in which a caller, posing as a representative of a legitimate business or government agency, attempts to trick the person on the receiving end into giving away personal information and/or money. The scammer may claim to be providing a service such as customer service, technical support, or debt collection. They may also offer products or services at a discounted rate in order to convince the person to provide payment information. The scammer may also request additional personal details such as social security numbers or bank account information by claiming that these are necessary to complete the transaction. In some cases, the scammer may even ask for money to be wired directly to a “Horse Account”. Once the person has provided the requested data or money, the scammer typically disappears without providing any of the promised services or products. The Horse Account is usually opened for the purpose of receiving money from the victim. The money stays in the Horse Account for only a few seconds or so before it is transferred to another account belonging to the scammer.

Online threats in the form of call center scams, which deceive victims into clicking on various links so that money can be stolen from their bank accounts, are considered cybercrime. Many people have been seriously affected, causing damage to the country’s economy. According to statistics on online scams for the period March 2022 – October 2020, deceiving the public online into transferring money cost around 22,000 billion baht, averaging 800 cases a day.

Recently, the cabinet approved in principle the draft Royal Decree on Measures for Prevention and Suppression of Technology Crime (“Draft Royal Decree”), which was proposed by the Ministry of Digital Economy and Society.

The Draft Royal Decree serves to prevent and suppress the defrauding of the public through fund transfers and to penalize offenders by establishing a “Crime Prevention and Suppression Technology Committee” mechanism to determine prevention guidelines, designate the institutions authorized to access exchanged information, authorize financial institutions and entrepreneurs to exchange information on clients’ accounts and transactions, and authorize telecommunication service providers to exchange service information among the Royal Thai Police, the Anti-Money Laundering Office and the authorized institutions. Moreover, the Draft Royal Decree provides an exemption from the Personal Data Protection Act B.E. 2562 (2019) regarding the transfer of and access to data, so that government institutions, financial institutions or entrepreneurs can request the National Broadcasting and Telecommunications Commission to establish a database of registration information, messages and log files from Mobile Network Operators for investigation. It is worth noting that Thailand is not the only country that suffers from telephone scams; the US does as well. In 2019, President Trump signed the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act into law. Telephone companies are now required to use a system called SHAKEN/STIR, which helps protect people from scam calls. If a call is potentially suspicious, it is marked as “scam likely” or “spam likely”, enabling consumers to quickly recognize and ignore robocalls.

Embracing the Use of Digital ID Card

Thai people can now access government services with their digital ID, thanks to Section 14 of the Digital Public Service Act B.E. 2565 (2022). To use this service, you are required to present a physical ID card to the registrar at the registration division of any district office so that your information can be verified, and then download the application named “D. DOPA”. The following steps are then required:

  1. Select “self-registration” and accept the terms and conditions of the service;
  2. Submit a front and back of a physical ID card, verify the information and confirm;
  3. Take a selfie of your full face and confirm;
  4. Set the password; and
  5. Consent to upload the information and fill out a consent form under the Personal Data Protection Act B.E. 2562 (2019).

The digital ID card is a useful and innovative way to verify a person’s identity quickly and securely. It eliminates the need for physical identification cards, which can easily be lost or stolen, and keeps personal information safe from unauthorized access. With the digital ID card, users can authenticate their identity with a simple scan on their phones or other devices using biometric authentication such as facial recognition or fingerprint scanning. The system is also secure and reliable, with data stored in an encrypted format that prevents tampering or manipulation. With this technology, businesses can quickly and efficiently verify a person’s identity and streamline their operations. Additionally, the digital ID card can be used to improve customer service by providing quick and seamless access to information.

Author: Panisa Suwanmatajarn, Managing Partner.

Digital Platform Service Operation to Be Regulated

With the rise of modern technology and the spread of COVID-19, businesses are increasingly turning to online platforms as a way to operate without needing to travel. These platforms cover a wide range of services, such as online marketplaces, social commerce and food delivery. In general, terms of use imposed by service operators should be transparent with their users. They should provide clear information about their policies, pricing, data usage and other relevant information. They should also give users the opportunity to make decisions about how their data is used and how they are served by the service. This will ensure that users are aware of how their data is being used and that they are not being taken advantage of.

The regulation of digital platform services to be imposed by the government should be based on a set of fair and transparent rules that are applicable to all parties. These rules should ensure the safety of users, ensure data privacy and security, protect against anti-competitive practices and ensure that the user experience is not compromised. Additionally, government should take an active role in monitoring the digital platform services and enforcing these regulations, as well as providing a framework for dispute resolution between users, companies and government.

The regulation should also consider the innovative nature of digital platform services and allow room for experimentation and innovation. Additionally, the government should also provide incentives for companies to innovate and create new services. This will ensure that digital platform services remain competitive and continue to innovate in order to provide the best user experience possible.

As for Thailand, the Royal Decree on Supervision of Digital Platform Services Operation Requiring a Notification (“Royal Decree”) was announced on 23 December 2022 and will take effect 240 days after the announcement (i.e., 20 August 2023) in order to govern this matter.


Digital Platform Services refers to the provision of electronic platform services that act as a medium, with data management, connecting Digital Platform Service Operators (“Platform Operators”), consumers or users via a computer network in order to enable electronic transactions, whether or not a service charge is levied. Digital Platform Services under this Royal Decree exclude platforms intended to be used to offer the Platform Operator’s own or its affiliates’ goods or services, regardless of whether such goods or services are offered to third parties or to its affiliates.

A Platform Operator under the Royal Decree must report its operations to the Electronic Transactions Development Agency (“ETDA”). Examples of the qualifying criteria are as follows:

  1. A natural person who operates a digital platform service in Thailand and earns more than 1,800,000 THB per year, or more than 50,000,000 THB if the Platform Operator is a legal entity; and
  2. A digital platform service with average monthly users in Thailand of over 5,000 users.

As the Royal Decree’s main objective is to protect consumers within Thailand, regardless of whether the Platform Operator operates outside Thailand, the Royal Decree provides that digital platform services operated outside Thailand that have one of the following characteristics shall be deemed to provide services to users in Thailand, namely: (1) Thai-language digital platforms, (2) digital platforms with the domain name “.th” or “.ไทย”, (3) digital platforms that accept payment in Thai baht, (4) digital platforms governed by the laws of Thailand and subject to the exclusive jurisdiction of the courts of Thailand, and others as specified in the Royal Decree.

Platform Operators who will operate digital platform services must report the following information and evidence to ETDA:

  1. Platform Operator’s information such as name and surname or legal entity’s name, identification number or company registration number, address, accounting period and contact channel;
  2. Digital platform service information such as the platform’s name, type of platform, platform service channel (i.e., URL or application), value of transactions made on the digital platform service (if any), etc.; and
  3. Users’ information such as user type (i.e. persons who offer goods or services to consumers through the digital platform service, customers, etc.), the total number of users and the total amount for each type of user, service providers’ information (i.e. freight forwarders and warehouse service providers), the total number of service providers and the total amount for each type of service provider, information on and type of complaints, along with the handling of the complaints and the settlement of such disputes, the information of the representative in Thailand (for a Platform Operator that operates inside Thailand), and the Platform Operator’s consent for ETDA to access the reported information.

The Platform Operator will be issued a registration receipt and will be able to begin operating the digital platform service once ETDA receives the aforementioned report and evidence. Any major change must be reported to ETDA within 30 days as specified in the Royal Decree. Furthermore, ETDA will provide a channel for publicizing the list and status of digital platform services (for example, the current list of Platform Operators and those whose receipt has been revoked). Please note that the information and evidence listed above must be reported annually within 60 days from the end of the calendar year (natural person Platform Operators) or fiscal year (legal entity Platform Operators).

Platform Operators may also be required to provide users with terms and conditions of service, assess risk, prepare risk management measures, system security measures, mitigation measures and other duties as specified in the Royal Decree in order to compensate or remedy those harmed by the use of digital platform services. In addition, ETDA shall consider announcing the rules, procedures and conditions governing the period for business termination, the transfer of digital platform services to another licensee, the management and collection of data relating to digital identity proofing and authentication, and any other matters deemed appropriate in order to prevent damage, protect users and ensure that users can use the services continuously.


Platform Operators that meet the criteria requiring a report to ETDA may continue to operate their businesses only if they report their digital platform business operations to ETDA within 90 days of the Royal Decree’s effective date. Those who wish to discontinue such operations must likewise notify ETDA within 90 days of the Royal Decree’s effective date.

There are also other details regarding the types of digital platform services, duties and various procedures which Platform Operators should study further. Please note that if another law specifically governs a particular type of digital platform service, the Platform Operator may comply with that law only if doing so is consistent with, and does not fall below, the provisions of this Royal Decree.

Author: Panisa Suwanmatajarn, Managing Partner.

Data Privacy Breaches: Duty to Report to the Regulator

A data privacy breach refers to the unauthorized access, use, disclosure or destruction of personal data, either by an individual or by an organization. Data privacy breaches can occur in a variety of ways, including hacking, malware attacks, insider threats or simply human error.

Data privacy breaches can have serious consequences for both individuals and organizations. For individuals, a data privacy breach can lead to the theft of personal information, such as financial data or identity information, which can be used for fraud or identity theft. For organizations, data privacy breaches can lead to legal and regulatory consequences, as well as damage to their reputation and financial losses.

Under the General Data Protection Regulation (GDPR), a data privacy breach is defined as any unauthorized access, use, disclosure or destruction of personal data. This includes both accidental and intentional breaches. If an organization experiences a data privacy breach, it is required to notify the relevant supervisory authority and the individuals whose personal data has been breached. In Thailand, the Personal Data Protection Committee (“PDPC”) has officially announced the procedure for reporting a personal data breach incident to the Office of the Personal Data Protection Committee (“Announcement”), which describes the Data Controller’s duty to notify of a data breach under Section 37(4) of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). The Announcement came into force on the date of its announcement, i.e. 15 December 2022.

As is well known, the Data Controller is required to notify the Office of the PDPC of any personal data breach without delay and, where feasible, within 72 hours. A data breach means a breach of security measures that results in the unauthorized or unlawful loss, access, use, amendment, alteration or disclosure of personal data, whether committed intentionally, negligently, without authorization, unlawfully, through computer crime, cyber threat, flaw or other means, by the act of the Data Controller, Data Processor, employee, staff, contractor, agent, any related person or any other factor, resulting in a Confidentiality Breach, Integrity Breach and/or Availability Breach.

When the Data Controller becomes aware of or is informed of a personal data breach, it shall evaluate the reliability of the report without delay, determining whether the breach has occurred or is reasonably suspected, taking into account its organizational, technical and physical measures, in order to confirm that a personal data breach has actually occurred. The Data Controller must conduct a risk assessment of all potential consequences for the Data Subject. In a high-risk case, the Data Controller must act itself or instruct the Data Processor to take preventive, suspending or corrective actions to ensure that the data breach is terminated or has no further impact. Furthermore, if a confirmed or reasonably suspected data breach is considered likely to jeopardize the Data Subject’s rights and freedoms, the Data Controller must notify the Office of the PDPC without delay and, where feasible, within 72 hours of becoming aware of it. The Data Controller must also notify the Data Subject of such high-risk data breaches and of the remedial measures.

Because 72 hours may be insufficient for the Data Controller and Data Processor to collect all of the required information, the Data Controller may be unable to notify the Office of PDPC in time. In that case, the Data Controller shall prepare a written clarification of the reasons, together with all documents listed in the Announcement, and submit them to the Office of PDPC within 15 days of becoming aware of the breach so that the Office of PDPC may consider exempting the Data Controller from liability under Section 37(4) of the PDPA.

As a result, Data Controllers and Data Processors should read the Announcement thoroughly in order to comply with the PDPA and to protect the personal data they collect.

Author: Panisa Suwanmatajarn, Managing Partner

What the Data Controller needs to do when a Personal Data Breach occurs

The Personal Data Protection Committee (“PDPC”) is currently considering issuing a Personal Data Protection Announcement on how to report an incident of personal data breach to the Office of PDPC and on whether the Data Subject must also be notified.

According to Section 37(4) of the Personal Data Protection Act B.E. 2562 (“PDPA”), a Data Controller has to notify the Office of a data breach without delay, or within 72 hours of becoming aware of it. A data breach may be caused by the Data Controller, Data Processor, a representative or any related person acting willfully, negligently, without authorization or unlawfully, or by any other factor, such as an accident, a technological or computer-processing failure, computer crime or a cyber threat, that affects the completeness and accuracy of the personal data and the rights of the Data Subject. Data breaches are divided into three categories: the leak of confidential personal data (Confidentiality Breach), the corruption or misfiling of personal data (Integrity Breach), and the inaccessibility of personal data, which may amount to permanent inaccessibility or destruction (Availability Breach).

At the same time, the Data Controller is required to review its security measures in all aspects, including Organizational Measures, Technical Measures and Physical Measures, and to conduct a risk assessment of all possible effects on the Data Subject, using the risk assessment factors stated in the Announcement to determine whether the data breach is likely to result in a high risk to the Data Subject’s rights and freedoms. If so, the Data Controller is required to notify the Data Subject without delay, together with the remedial measures. Where the Data Controller cannot contact the Data Subject for any reason, the notification to the Data Subject may be made on a public platform, such as social media, or by any other means through which the public can become aware of it. However, the Data Controller is not required to notify the Office if the data breach is unlikely to result in a risk to the rights and freedoms of the Data Subject, for example because the personal data is anonymous and cannot be used to identify the Data Subject, because the personal data is unusable owing to adequate technological security measures, or for other reliable reasons according to the law.

Furthermore, the Data Controller must take immediate remedial action against the cause of such data breach either by restricting access to personal data or by any other means as necessary.

The data breach notification submitted to the Office must include details such as the volume of personal data that has been leaked or violated, the name and contact address of the Data Protection Officer, the consequences of the data breach, the security measures the Data Controller or Data Processor has in place to prevent data breaches, and the remedial action taken in all respects, including people, process and technology. If the Data Controller fails to notify the Office in due time, it must clarify to the Office, within 15 days of becoming aware of the data breach, the reasons and details showing that the failure was unavoidable, so that the Office may consider granting an exemption. Failure to comply with any of the above is an offense under the PDPA, subject to administrative liability with a fine not exceeding three million Baht.

The Announcement also contains details and sample cases on data breach notification, which will guide Data Controllers in determining which cases must be reported and who must be notified. Data Controllers should therefore study the Announcement in order to be prepared in case a data breach occurs and to remain in compliance with the PDPA.

Author: Panisa Suwanmatajarn, Managing Partner