Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Sector-specific laws and regulatory notifications govern the security of personal data held by parties operating within the telecommunications, banking and finance, insurance, securities, healthcare, consumer credit and electronic payment services sectors and government agencies. For example, regulations issued under the Computer Crimes Act impose requirements on service providers (as defined therein) in relation to retaining service users’ personal data, setting out the specific types of personal data that must be retained and how it should be stored. Another example is regulations issued under the Royal Decree on Electronic Payments. As part of the licensing process, an applicant for an electronic payment licence must explain how it will protect service users’ information, including how such information will be stored. Once approved, this effectively becomes a licence condition.

There are no specific regulations governing the protection of personal data held by private sector companies operating outside the specially regulated sectors. 

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

No law requires private sector companies operating outside the specially regulated sectors to notify individuals in respect of data security breaches. Nevertheless, it would be advisable to do so if a breach occurs and losses or damages to the data subject can be mitigated by making such notification. Such a requirement may apply to parties operating within the specially regulated sectors and government agencies, depending on the sector and the applicable provisions. For example, as part of the licence application process under the Securities and Exchange Act, applicants must address how they will protect clients’ information, which could include notifying affected clients when a breach occurs. Once the licence application has been approved, it effectively becomes a licence condition. Similar obligations exist for electronic payment licensees under the Royal Decree on Electronic Payments.

Are data owners/processors required to notify the regulator in the event of a breach?

There is no central data protection regulator that must be notified in the event of a breach. However, parties operating within the specially regulated sectors and government agencies may have to (or it may be appropriate to) notify a regulatory body in that sector – such as the Bank of Thailand (in the case of a financial institution) or the Securities and Exchange Commission (in the case of a securities company).

Click here to view the full article.