Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: January 2025

Yes.

☒ appropriate technical, physical and/or organizational security controls
☒ reasonable security controls

Do other laws or regulations impose obligations to protect systems from cyberattack?

☒ public company obligations (e.g., duties to maintain sufficient information security measures or to ensure operational resilience to cyberattacks)

☒ health regulatory requirements

☒ telecommunication requirements

☒ providers of critical infrastructure

☒ digital or connected (IoT) products

☒ other

  • banking and financial regulatory requirements
  • insurance

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: January 2025

☒ Data privacy
☒ telecommunications

In July 2024, the PDPC, in collaboration with the National Research Council of Thailand (NRCT) and NCSA, convened to discuss strategic cooperation aimed at promoting and advancing technological and innovative solutions in the area of cybersecurity and personal data protection. This initiative sought to tackle significant national challenges, particularly the increasing incidents of cyber scams. From a telecommunications perspective, in November 2024, the NBTC convened to clarify the application of FM licenses and raise awareness among local entities.

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: January 2025

Yes.

A personal data breach is defined as any breach of security measures resulting in the unauthorized or unlawful loss, access to, use, alteration, correction, or disclosure of personal data, whether caused by intent, willfulness, negligence, an unauthorized or unlawful act, a computer crime, a cyber threat, an error or accident, or any other cause.

Controllers/Owners have to notify:

Last review date: January 2025

The data controller is required to notify the Office of the Personal Data Protection Committee of the personal data breach without delay and, where feasible, within 72 hours after having become aware of it, unless an exception applies.

☒ affected individuals

In case the personal data breach is likely to result in a high risk to the rights and freedoms of the person, the data controller is required to notify the data subject of the breach incident and the remedial measures without undue delay and pursuant to the criteria to be prescribed by the Personal Data Protection Committee.

Processors/Agents have to notify:

Last review date: January 2025

☒ controller

The data processor must notify the data controller of the breach incident.

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: January 2025

Yes.

☒ public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)
☒ telecommunication requirements
☒ providers of critical infrastructure
☒ other

  • Banking regulatory requirements
  • Insurance

Details regarding the identified data security breach notification requirements

  • A public company must notify its regulator, without undue delay, of security incidents that may materially affect an investor's decision.

Non-compliance may result in imprisonment of up to two years, or a fine not exceeding THB 500,000 (approximately USD 14,400), or both.

  • A telecommunications operator must notify affected users without delay in case of a breach of the data subject's rights in relation to personal information, privacy, or the right to communicate through telecommunications.

Non-compliance may result in administrative enforcement. The regulator may order the telecommunications operator to cease the violation, carry out rectification and improvement, or perform the action correctly or appropriately within a specified period of time. If the telecommunications operator continues to violate the order, it could be subject to a daily fine of THB 20,000 (approximately USD 570) or a revocation of the telecommunications license.

  • An Organization of Critical Information Infrastructure must report cyber threats to the Office of the National Cybersecurity Committee and to its Supervising or Regulating Organization without delay.

Non-compliance may result in the imposition of a fine not exceeding THB 200,000 (approximately USD 5,770).

  • Payment system service providers must notify the Bank of Thailand in the event of any significant issues or incidents involving the use of information technology that impact the provision of services, work systems, or the payment system provider’s reputation. This includes situations where substantial information technology has been attacked or threatened by a cyber threat.

Non-compliance may result in the imposition of a fine not exceeding THB 2,000,000 (approximately USD 57,700).

  • Financial institutions must notify the Bank of Thailand in the event of any significant issues or incidents involving the use of information technology that impact the provision of services, work systems, or the financial institution’s reputation. This includes situations where substantial information technology has been attacked or threatened by a cyber threat.

Non-compliance may result in the imposition of a fine not exceeding THB 500,000 (approximately USD 14,400), and a fine not exceeding THB 5,000 (approximately USD 140) per day until compliance.

  • Insurance companies must notify the Office of Insurance Commission where there is a data breach and IT security breach.