Data Breach Notification Measures under the Personal Data Protection Laws

Authors

  • Sutthiphong Phothaworn

Keywords:

Personal Data Breach, Notification of a Personal Data Breach, Become Aware of the Personal Data Breach

Abstract

This article studies issues related to the notification of personal data breaches under the Personal Data Protection Act B.E. 2562, with a particular focus on determining the point at which the data controller can be considered to have become aware of the breach. The author studied the Personal Data Protection Act of Thailand alongside the General Data Protection Regulation (GDPR) of the European Union. The study also examines the notification guidelines provided by the European Data Protection Board (EDPB), as well as the interpretive guidance of the European Union's personal data protection supervisory authorities on determining when the data controller becomes aware of a personal data breach.

The purpose of this study is to analyze and advocate for the establishment of clear guidelines regarding the timeframe for data controllers to become aware of personal data breaches, enabling them to notify such breaches within the legally specified timeframe. Furthermore, it also aims to protect the rights of data subjects by ensuring they receive appropriate and accurate notifications of personal data breaches in accordance with the law.


Published

30-09-2024

How to Cite

Phothaworn, S. (2024). Data Breach Notification Measures under the Personal Data Protection Laws. Law for Development Graduate Journal, 1(2), 73–90. Retrieved from https://so14.tci-thaijo.org/index.php/LAWFORDEV/article/view/1062