Guidelines on key compliance requirements for the Personal Data Protection Act in Thailand

After several years of delays, the Personal Data Protection Act B.E. 2562 (2019) ("PDPA") came into force in Thailand on 1 June 2022. Shortly afterwards, on 20 June 2022, subordinate legislation under the PDPA (the "Notifications") was issued by the Personal Data Protection Committee ("PDPC") and published in the Royal Thai Government Gazette.

These Notifications are intended to set out the criteria and rules for, as well as much-needed guidance and clarification on, some key requirements under the PDPA.

Summary of Notifications

Notification of the PDPC Re: Exemption of the Record of Processing Activities Requirement for Data Controllers who are Small Businesses B.E. 2565 (2022) (the "ROPA Exemption") [1]

Under the PDPA, data controllers are required to prepare and maintain a record of processing activities ("ROPA") containing the information stipulated under section 39, for example what personal data is collected, the purposes for which it is processed and the retention periods. Under this Notification, which came into force on 20 June 2022, a data controller that is a small business is exempt from the ROPA requirement in section 39 of the PDPA if it is one of the following:

  • Small or medium-sized enterprise according to the law on small and medium-sized enterprise promotion, being a business that falls within either the maximum employee-count or the maximum annual-revenue threshold below:
      - Small enterprise, product manufacturer: not more than 50 employees, or annual revenue of not more than THB 100 million;
      - Medium enterprise, product manufacturer: 50 - 200 employees, or annual revenue of THB 100 million - THB 500 million;
      - Small enterprise, service provider, wholesaler or retailer: not more than 30 employees, or annual revenue of not more than THB 50 million;
      - Medium enterprise, service provider, wholesaler or retailer: 30 - 100 employees, or annual revenue of THB 50 million - THB 300 million;
  • Community enterprises and networks of community enterprises registered under the community enterprise promotion law;
  • Social enterprises and social enterprise groups registered under the social enterprise promotion law;
  • Cooperatives, cooperative federations or farmers' associations under the cooperatives law;
  • Foundations, associations, religious or non-profit organisations; and
  • Home industries or other similar businesses.

However, the ROPA Exemption will not apply to a small or medium-sized business where:

  • The data controller is required under the Computer-Related Crime Act B.E. 2550 (2007) to retain computer traffic data, unless the business is an internet café;
  • The processing of the personal data involves a risk of affecting the rights and freedoms of an individual; or
  • The data controller processes the personal data on a regular basis.

Notification of the PDPC Re: Rules and Methods for Preparing and Maintaining Records of Processing Activities for the Data Processor B.E. 2565 (2022) (the "Data Processor Notification") [2]

The PDPA requires data processors to prepare and maintain a ROPA; however, the PDPA itself does not set out what specific information the ROPA must contain. The Data Processor Notification now provides that a data processor must ensure that its ROPA includes, as a minimum:

  • Name and information of the data processor and its representative (if any);
  • Name and information of the relevant data controller and its representative (if any);
  • Name and information, including contact address and method, of the data protection officer (if any);
  • Types or nature of the collection, use or disclosure of personal data, including the personal data concerned and the purposes of such collection, use or disclosure, as assigned by the data controller;
  • Types of persons or entities that receive personal data where personal data is sent or transferred abroad; and
  • Description of security measures.

A ROPA must be maintained in written or electronic form and must be easily accessible and made available for inspection by the Office of the PDPC, the data controller, or their designated person, when requested.

This Notification will come into force 180 days from the date of its publication in the Government Gazette, namely on 17 December 2022. This is to allow data processors a period of grace by which to ensure their ROPAs comply with this Notification.

Notification of the PDPC Re: Security Measures of the Data Controller B.E. 2565 (2022) (the "Security Measures Notification") [3]

Under the PDPA, a data controller is obliged to provide a minimum level of security measures to prevent the unauthorised or unlawful loss, access to, use, alteration, correction or disclosure of personal data (in any form whatsoever). Such measures must be reviewed when necessary, or when technology changes, in order to maintain an appropriate level of security.

The previous Notification on this issue ceased to have effect on 31 May 2022; the Security Measures Notification replaces it, and its provisions are generally similar to those of its predecessor.

This Notification (which came into force on 20 June 2022) sets out a detailed minimum standard of security measures, including access control for personal data and key information system components, identity proofing and authentication, and appropriate authorisation of access and use.

Notification of the PDPC Re: Rules for Consideration of Issuing Order to Impose Administrative Fines by the Expert Committee B.E. 2565 (2022) ("Administrative Fines Notification") [4]

This Notification (which came into force on 20 June 2022) sets out the process that the Expert Committee (to be appointed under the PDPA) is to follow when considering whether to issue an administrative fine or other relevant administrative enforcement measure for a breach of the PDPA or of an order of the Expert Committee.

This includes, for example, the seizure, confiscation and sale by auction of assets where a person fails to pay an administrative fine correctly and in full after receiving a written warning from the Expert Committee.

Failure to comply with the requirements and obligations under these Notifications, or under any other subordinate regulations issued under the PDPA, may expose the data controller or data processor to the penalties specified under the PDPA, which, depending on the breach, include fines of up to THB 5 million.

Whilst it remains to be seen how these Notifications will impact businesses, operators should review their current PDPA compliance status to ensure that they are not inadvertently in breach of the PDPA or the Notifications, and to determine whether they qualify for the ROPA Exemption.

If you have any further enquiries on the issues raised in this article, please do not hesitate to contact us.

[1] Notification of the PDPC Re: Exemption of the Record of Processing Activities Requirement for Data Controllers who are Small Businesses B.E. 2565 (2022) (the "ROPA Exemption")

[2] Notification of the PDPC Re: Rules and Methods for Preparing and Maintaining Records of Processing Activities for the Data Processor B.E. 2565 (2022) (the "Data Processor Notification")

[3] Notification of the PDPC Re: Security Measures of the Data Controller B.E. 2565 (2022) (the "Security Measures Notification")

[4] Notification of the PDPC Re: Rules for Consideration of Issuing Order to Impose Administrative Fines by the Expert Committee B.E. 2565 (2022) ("Administrative Fines Notification")