Page 1

Page 12
Government
Gazette
Volume 137, Special Section 164
N.

17 July 2020

Announcement of the Ministry of Digital Economy and Society
Subject: Security Standards for Personal Data Security B.E.

Whereas Section 3 paragraph two of the Royal Decree Determine the units and activities that the controller
Personal data is not subject to the Personal Data Protection Act B.E.
stipulates that the data controller who is an agency or business under the list annexed to such Royal Decree
Security measures of personal data in accordance with the standards set by the Ministry of Digital
for the economy and society
By virtue of Section 3 paragraph two of the Royal Decree specifying an agency
and businesses in which the Personal Data Controller is not subject to the Personal Data Protection Act
2019, the Minister of Digital Economy and Society has issued an announcement.
as follows
Article 1 This announcement is called “Notification of the Ministry of Digital Economy and Society on Standards
Maintaining the Security of Personal Data, B.E.
Clause 2 This Notification shall come into force from the day following the date of its publication in the Government Gazette until the date of
May 31, 2021
Article 3 in this announcement
“Personal Data Controller” means a Personal Data Controller which is an agency.
or business according to the list annexed to the Royal Decree Determine the agencies and businesses that the personal data controller
Not subject to the Personal Data Protection Act B.E. 2562 B.E. 2563
“Security of personal data” means maintaining confidentiality.
(confidentiality), accuracy, completeness (integrity) and condition for use (availability)
of personal data in order to prevent loss, access, use, alteration, correction or disclosure
Misrepresentation of personal data
Article 4 The personal data controller must notify the measures to maintain the security of the data.
personal according to this announcement to personnel, employees, employees or related persons, including
raising awareness of the importance of It is important to protect personal information for such groups of people.
Strictly follow the measures set forth.
Article 5 The Data Controller must provide measures to maintain the security of the data.
personal, which should include administrative protection measures (administrative safeguard)
Technical safeguards and physical protection measures

Page 2

Page 13
Government
Gazette
Volume 137, Special Section 164
N.

17 July 2020

safeguard) in regard to access or control of the use of personal data (access control), at least
Must consist of the following actions:
(1) Controlling access to personal data and data storage and processing equipment
personal with regard to use and security
(2) the determination of permission or the determination of the right to access personal data;
(3) user access management to control
Access to personal data only for authorized persons
(4) Determination of user responsibilities to prevent
Unauthorized access to personal information, disclosure, knowing or smuggling of copies.
Personal, theft of devices for storing or processing personal data
(5) the provision of means to enable retrospective review of access, change, deletion;
or transfer personal information in accordance with the methods and media used for collection, use
or disclose personal information
Article 6 The Data Controller may choose to use security standards.
of personal information that is different from this announcement If such standards have measures to maintain
Security not less than those specified in this announcement.
Article 7 The Minister of Digital Economy and Society shall take charge of this Notification.
and have the power to interpret and diagnose problems arising from the compliance with this announcement
Announced on the 24th day of June B.E. 2563
Puttipong Punnakan
Minister of Digital Economy and Society

