On December 15, 2022, Thailand’s Personal Data Protection Committee (PDPC) issued the Notification on the Criteria and Procedures for Handling Personal Data Breaches. What Constitutes a “Data Breach”? A “personal data breach” refers to a breach of security measures that causes unlawful or unauthorized loss, access, use, modification, or disclosure of personal data, resulting from an intentional, willful, negligent, accidental, unauthorized, or unlawful act, or an act related to computer crimes, cyber threats, mistakes or accidents, or any other act. The notification also classifies personal data breaches into three categories: confidentiality breach, integrity breach, and availability breach. Upon being informed of an actual or suspected personal data breach, a data controller must take the following actions: To the extent possible, assess the reliability of the information and investigate the facts related to the personal data breach, including all aspects concerning security measures, such as organizational measures, technical measures, and physical measures; Conduct a data breach assessment to consider whether the personal data breach is likely to result in a risk to an individual’s rights and freedom; Notify the Office of the PDPC, any affected data subjects, or both as required; and Take necessary and appropriate action to prevent further consequences resulting from the personal data breach. Breach Assessment When conducting a data breach assessment, the following factors must be taken into account if there is a risk to an individual’s rights and freedom. Nature and the type of data breach; Nature, type, and volume of personal data involved; Nature, type, and status of the affected data subject; Severity of the consequences of the personal data breach for any affected data subjects, and the effectiveness of the measures taken to prevent the data breach; Impact of the data breach on the operation of the business or on the public; Storage

On November 11, 2022, Myanmar’s Ministry of Commerce (MOC) announced a pilot period for importing electric vehicles into Myanmar, which came into force with MOC Order No. 62/2022, issued under the Import and Export Law. A separate order (No. 61/2022) issued on the same day specifies rules for importation of motorcycles by companies that do not have a certificate to open a showroom, as well as rules for opening motorcycle showrooms. Electric Vehicle Importation According to the order, which takes effect January 1, 2023, “electric vehicles” includes only battery electric vehicles (BEVs) for both personal use and passenger use. In order to import electric vehicles into Myanmar without having a certificate to open a showroom, companies must: Be registered as a company, either wholly owned by nationals or a joint venture, at the Directorate of Investment and Company Administration (DICA); Be able to present the purchase and sales agreement for each brand of imported electric vehicles; Receive approval from the National Steering Committee for Development of Electric Vehicles and Associated Businesses, and import according to the quality and quantity of electric vehicles permitted by the committee; Arrange the necessary warranty, spare parts availability, and after-sales service for the imported electric vehicles; Deposit a bank guarantee of MMK 50 million at a bank recognized by the Central Bank of Myanmar; and Apply for a purchase permit at the MOC, for the purpose of registering the imported vehicles with the Road Transport Administration Department. BEV Tax Exemption Following MOC Order No. 62/2022, BEVs and their batteries are now exempted from commercial tax and special goods tax, which came into force with the Law Amending the Union Tax Law 2022 (State Administrative Council Law No. 48/2022) dated November 17, 2022. These tax exemptions will be effective from October 1, 2022, to March

Lawyers from Tilleke & Gibbins in Cambodia, Laos, Myanmar, Thailand, and Vietnam have contributed to the new Multilaw Global Checklist for Monitoring Staff Data, which compiles essential information on regulations related to collection of data on employees. Such collection of data is an increasingly important concern for employers and entrepreneurs as the world pays closer attention to diversity, equality, and antidiscrimination in the workplace. The checklist contains fundamental information for each jurisdiction on legal considerations pertaining to employment diversity surveys and what can and cannot be asked. The table-style list is global in scope, with a separate line for each jurisdiction. The jurisdictional entries are grouped by region, allowing the reader to quickly compare how various countries treat different issues in each part of the world. In each column is a common question about how employers can monitor staff data in full compliance with the law, covering issues such as: Requesting data from employees; Type and format of data captured; Data storage and access; Retention of data; Intra-group cross-border data transfers; and Specific considerations for each jurisdiction. Multilaw, of which Tilleke & Gibbins is a member, is a global network of carefully selected, independent law firms consisting of over 10,000 commercial lawyers in more than 100 countries, able to provide expert legal advice in complex environments around the globe. The full checklist is available for free on the Multilaw website.

Background Thailand’s Personal Data Protection Act 2019 (‘PDPA’) is the country’s first unified data privacy legislation for personal data protection. Coming at a time when people around the world are increasingly aware of the risks and negative consequences of their personal data being compromised, the PDPA seeks to align with international standards, such as the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). Prior to the enactment of the PDPA, privacy rights were recognised in the Constitution of the Kingdom of Thailand. Beyond this, the handling of personal data was governed by specific regulations for a handful of sectors, such as telecommunications, financial institutions, securities, and life sciences. The PDPA was announced in the Royal Gazette of the Kingdom of Thailand on 27 May 2019, with an exemption for the enforcement of its requirements in relation to the collection, use, disclosure, and transfer (‘process’ or ‘processing’) of personal data, as well as its provisions on data subjects rights. After some delays caused by the impact of the COVID-19 pandemic over the past two years, the PDPA finally came fully into force on 1 June 2022. Unlike most legislation in Thailand, the PDPA has an extraterritorial aspect whereby data controllers and data processors outside Thailand may be subject to the PDPA if the processing activities they undertake fall under the criteria prescribed in the PDPA. The basics The PDPA defines personal data as any data pertaining to a living natural person that enables the identification of that person, whether directly or indirectly, such as phone number, address, email address, or anything else that might enable the data subject’s identification. The PDPA applies to personal data in any form, whether digital or otherwise. The PDPA introduces two main roles relating to the handling of others’ personal data: the data controller and the