Data Breach Reporting Under the Thailand PDPA


A data breach is often the last thing on the minds of organisations. Still, the shock waves a breach creates throughout an organisation can tear through any business plan, profit forecast and brand reputation.

According to the 2021 Security Report by Check Point, every 10 seconds, a new organization fell victim to ransomware attacks in 2020.

A great research study conducted by Business Trends found 43 per cent of all cyber-attacks are aimed at small businesses, and half of these companies will go out of business within six months as a result.

Section 37 (4) of the Thailand PDPA law states: "notify the Office of any Personal Data breach without delay and, where feasible, within 72 hours after having become aware of it, unless such Personal Data breach is unlikely to result in a risk to the rights and freedoms of the Persons."


But many organisations do not plan for the worst-case scenario, and they underestimate both what is required to populate the report and the internal effort it demands of their teams.

Here we will outline what actions organisations need to complete and the information needed.

Your first action is to evaluate the size of the data breach and, more importantly, the impact on the affected data subjects.

If the data breach is not likely to result in a risk to the rights and freedoms of data subjects, keep a full record of the incident and of the decision not to report the breach to the PDPC in an internal data breach record so that it can be audited at a future date.

If the data breach IS likely to result in a risk to the rights and freedoms of data subjects, then the controller must report the breach to the PDPC within 72 hours of becoming aware of it.

It is worth noting that it is unlikely you will have the full details of how the breach happened, how many data subjects are at risk, etc. The important thing is to submit an interim report if a full report is not ready. A breach report should contain the following.

  1. Describe what happened.

Please provide a summary of the incident. This initial overview should enable the PDPC to gain a general understanding of the breach’s nature.

  2. Describe how the incident occurred.

Provide a high-level description of the root cause, e.g. phishing attack, human error, system malfunction, etc.

  3. How did the organisation discover the breach?

Employee report, customer report, system configuration report.

  4. What preventative measures did you have in place?

Clear policies and processes, system configuration, employee training.

  5. When did the breach happen?

Give an estimate of when the breach occurred.

  6. When did you discover the breach?

This is when the organisation was made reasonably aware.

  7. Categories of personal data included in the breach.

Consider the nature of the personal data that has been impacted and document it in this section. Please note that addresses of data subjects are considered to be ‘basic personal identifiers’ while coordinates are classed as ‘location data’.

  8. Number of personal data records concerned.

When assessing the number of data records, consider the nature of the incident and how many records may be accessible to third parties. In some cases, this could include duplicates of the same record (e.g., email, spreadsheet).

  9. How many data subjects will be affected?

This relates to data subjects whose data has been impacted.

  10. Categories of data subjects affected.

Expand on the categories, e.g. customers, employees, etc.

  11. Potential consequences of the breach.

Describe the possible impact on data subjects as a result of the breach. Please state if there has been any actual harm to data subjects. For example, could there be a potential risk of identity theft?

  12. Is the personal data breach likely to result in a high risk to data subjects?

Please detail your overall assessment of the risk concerning your breach notification.

  13. Had the staff member involved in this breach received data protection training in the last 2 years?

This could include online e-learning or face-to-face classroom training.

  14. If there has been a delay in reporting this breach, please explain why.

Why was the report not submitted within the 72-hour time frame? Please provide your rationale behind this delay.

  15. Describe the actions you have taken, or propose to take, as a result of the breach.

What short-term and long-term remedial measures have been implemented to help prevent a reoccurrence? What can the organisation do differently going forward?

  16. Have you taken actions to contain the breach? Please describe these remedial actions.

This could include successful attempts to recover the information or confirmation you may have received from incorrect recipients that the data has been deleted/destroyed. Alternatively, if an electronic device has been lost/stolen, confirmation that the contents have been wiped to prevent further access by unauthorised individuals.

  17. Have you told data subjects about the breach?

Whether you have notified data subjects affected.

  18. Have you told, or are you planning to tell, any other organisations about the breach?

Police, other controllers, processors, etc.

  19. Appointed Representative

Section 37 (5) states that, in the event of being the Data Controller according to section 5 paragraph two, the Data Controller shall designate in writing a representative of the Data Controller who must be in the Kingdom of Thailand and be authorized to act on behalf of the Data Controller without any limitation of liability concerning the collection, use or disclosure of the Personal Data according to the purposes of the Data Controller.

  20. Your full company details.


Having an expert team on your side can make the difference.

