Thailand’s Personal Data Protection Committee (PDPC) has issued a regulation establishing procedures for filing and processing data subjects’ complaints under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The Regulation Re: Complaint Filing, Rejection, Termination, Consideration, and the Period for the Consideration of the Complaint B.E. 2565 (2022) was issued in July 2022 and took effect on July 12, 2022. The PDPA entitles data subjects to file complaints against data controllers, data processors, and employees or service providers of either whose operations fail to comply with the PDPA. This article lays out the various requirements and procedures for the filing and processing of such a complaint. Complaint Submission The body designated by the PDPA to be responsible for handling complaints and imposing administrative penalties is called the “Expert Committee.” Data subjects who would like to make a complaint can submit it to the Expert Committee directly at the Office of PDPC, send it to the office by post, or submit the complaint electronically. The written or electronic complaint must use clear, plain, polite, and appropriate language, and must not give an impression of being directly or indirectly extorting or intimidating. The complaint must include at least the following information: Name, address, and telephone number or email address of the complainant (or an authorized representative), together with identification card, passport, or other official identification document (plus a power of attorney if submitted by a representative); Details and facts of the noncompliance with or violation of the PDPA; Details of resulting damages or impact; Supporting evidence (e.g., documentary evidence, physical evidence, witness statements); and Action desired of the offender. The complaint must include a statement certifying its veracity, and must be signed by the complainant or the authorized representative. Complaint Consideration When a complaint is submitted, the receiving official will

While much attention has been paid to the data localization requirements for foreign enterprises under Vietnam’s 2018 Cybersecurity Law (“CSL”) and the recently issued Decree 53 guiding its implementation, the corresponding requirements for domestic enterprises are often overlooked, despite being potentially more troublesome. Under Decree 53, “domestic enterprises” are defined to mean enterprises established or registered for establishment under Vietnamese law and having their head offices in Vietnam (Article 2.11), so this designation includes not only Vietnamese companies, but foreign-invested enterprises as well. Background Before analyzing the stipulations in Articles 26 and 27 of Decree 53 further guiding the data localization/storage requirements, it is worth restating the very problematic Article 26.3 of the CSL, which reads: “Domestic and foreign enterprises providing services on telecommunication networks or the internet or value-added services in cyberspace in Vietnam with activities of collecting, exploiting, analyzing, and/or* processing personal information data, data on the relationships of service users, or data generated by service users in Vietnam must store such data in Vietnam for the period prescribed by the government. Foreign enterprises mentioned in this clause must open branches or representative offices in Vietnam.” [* Note: The Vietnamese text simply uses a comma here, without specifying whether this should be “and” or “or,” leading to additional problems in interpretation.] Because of this very broad and ambiguous wording, Article 26.3 of the CSL required further guidance from the government and remained unenforced for more than three years after the CSL took effect on January 1, 2019. Decree 53 guiding the implementation of the CSL was finally issued on August 15, 2022, and provides additional clarity on this matter. But does Decree 53 provide sufficient guidelines for implementation with regard to domestic enterprises? Scope of Application With regard to foreign enterprises, although there remains some ambiguity, Decree

The Thai National Cybersecurity Committee (NCSC), as required by the Cybersecurity Act, reported to the cabinet in mid-August on trends and developments regarding cyber incidents in Thailand. According to the NCSC, the top five most common cyber incidents involve website phishing, website defacement, data leakage, data security vulnerabilities, and ransomware. Reported incidents of cyberattacks have increased in recent years. The report stated that affected organizations primarily responded to cyber incidents and attacks by notifying the NCSC about the incident and the remedial actions planned or taken, and conducting internal training to increase awareness of cyber threats. Only two organizations chose to conduct IT risk assessments and vulnerability tests as preventive measures against future cyber threats. The NCSC report also showed that aside from telecom infrastructure, energy and utilities, and education operators falling victim to cyberattacks, healthcare, webhosting, and data center operators have also become “more common victims” of cyber incidents. The NCSC recommended that all organizations prepare for inevitable future cyber incidents. This includes ensuring that businesses and organizations comply with international standards, which includes measures that are recognized and incorporated in Thailand’s Personal Data Protection Act (PDPA) and Cybersecurity Act. Conducting internal training for employees as well as directors and officers is also recommended by the NCSC, as this can help prevent cyber incidents and ensure that businesses comply with the minimum required security standards issued by the Personal Data Protection Committee (PDPC) in their Notification Re: Security Measures of the Data Controller B.E. 2565 (2022), which came into effect on June 21, 2022. Industry-specific minimum required security standards (e.g., those regulated by the Bank of Thailand, Office of Insurance Commission, etc.) should also be considered in conjunction with those in this PDPC notification—particularly when sectoral requirements are more stringent than the PDPC’s recommended measures. PDPA statutory penalties

Vietnam’s Cybersecurity Law was promulgated on June 12, 2018, and came into effect on January 1, 2019, with a majority of its provisions enforceable from the effective date. However, certain provisions of the law, including the very concerning data localization requirements, still awaited further guidance from implementing regulations. After more than three years of being drafted and submitted back and forth to the government for consideration and approval, Decree No. 53/2022/ND-CP to implement certain articles of the Cybersecurity Law (Decree 53) was finally promulgated on August 15, 2022, with an effective date of October 1, 2022. Key provisions of Decree 53 include the following. 1. Data localization requirements (Articles 26 & 27) Decree 53 retains most of the data localization requirements of the last accessible version of the draft decree dated August 21, 2019 (Draft Decree), clearly extends the scope of requirements to cover both domestic and foreign enterprises, adds regulations on force majeure events, and amends the timeline to implement data localization requirements for business facilitation. (i) Data subject to data localization: Data (information in the form of symbols, writing, numbers, images, sounds, or similar forms) which must be stored in Vietnam (“regulated data”) includes: Data on personal information of service users in Vietnam: Data used to identify an individual. Data generated by service users in Vietnam: Data reflecting the process of participating in, operating and/or using cyberspace by service users and information about network equipment and services used in order to connect with cyberspace in the territory of Vietnam. This includes the account name for use of services, duration of use of services, credit card information, email address, IP addresses for the latest login and logout, and registered telephone number attached to the account or data. Data on the relationships of service users in Vietnam: Data reflecting