Section 37

The Data Controller shall have the following duties:

(1)provide appropriate security measures for preventing the unauthorized or

unlawful loss, access to, use, alteration, correction or disclosure of Personal Data,
and such measures must be reviewed when it is necessary, or when the technology
has changed in order to efficiently maintain the appropriate security and safety.
It shall also be in accordance with the minimum standard specified and announced by the Committee;

(2)in the circumstance where the Personal Data is to be provided to other Persons or legal persons,

apart from the Data Controller, the Data Controller shall take action to prevent such person
from using or disclosing such Personal Data unlawfully or without authorization;

(3)put in place the examination system for erasure or destruction of the Personal

Data when the retention period ends, or when the Personal Data is irrelevant or
beyond the purpose necessary for which it has been collected, or when the data subject
has request to do so, or when the data subject withdraws consent, except where the
retention of such Personal Data is for the purpose of freedom of expression,
the purpose under section 24
(1) or (4) or section 26 (5) (a) or (b) , the purpose of the establishment,
compliance or exercise of legal claims, or defense of legal claims,
or the purpose of compliance with the law. The provision in section 33 paragraph
five shall be used to govern the erasure or destruction of Personal Data mutatis mutandis;

(4)notify the Office of any Personal Data breach without delay and, where feasible,

within 72 hours after having become aware of it, unless such Personal Data breach
is unlikely to result in a risk to the rights and freedoms of the Persons.
If the Personal Data breach is likely to result in a high risk to the rights
and freedoms of the Persons, the Data Controller shall also notify the Personal
Data breach and the remedial measures to the data subject without delay.
The notification and the exemption to the notification shall be made in
accordance with the rules and procedures set forth by the Committee;

(5)in the event of being the Data Controller pursuant to section 5 paragraph two,

the Data Controller shall designate in writing a representative of the Data Controller
who must be in the Kingdom of Thailand and be authorized to act on behalf of the Data
Controller without any limitation of liability with respect to the collection,
use or disclosure of the Personal Data according to the purposes of the Data Controller.