The Personal Data Protection Commission ('PDPC') announced, on 15 December 2022, the publication, in the Government Gazette, of its Notification on the Criteria and Procedures for Handling Personal Data Breaches, which entered into force on the same date. In particular, the Notification, among other things, provides for a definition of 'personal data breach' under the Personal Data Protection Act 2019 ('PDPA'), and outlines three categories of personal data breaches, namely confidentiality breaches, integrity breaches, and availability breaches. In addition, the Notification specifies the actions that a data controller shall take when suspecting that a personal data breach has occurred, and the factors that must be taken into consideration when conducting a breach assessment.

In addition, the PDPC published, on 16 December 2022, Guidelines on Data Breach Assessments and Personal Data Breach Notifications, to aid data controllers when reporting personal data breaches under the PDPA.

You can read the Notification here and the Guidelines here, both only available in Thai.