3. Security Measures of the Data Controller B.E. 2565 (2022)
Under the PDPA, the data controller is required to provide the appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction, or disclosure of personal data.
Such measures are subject to review if and when necessary, or when the technology has changed. These mandatory reviews are required in order to efficiently maintain the appropriate level of security and safety.
This notification provides a detailed minimum standard of the required security measures.