First Set of Regulations issued under the PDPA
On 20 June 2022, the Personal Data Privacy Commission (“PDPC”) had four notifications published in the Government Gazette to clarify certain issues under the Personal Data Protection Act (“PDPA”), which became fully effective on 1 June 2022 following two years of postponement.
1.) Exemption on Record-Keeping Duties of SMEs
The first notification, titled the PDPC Notification re Exemption on Record-Keeping Duties of SMEs B.E. 2565, dated 10 June 2022 and effective from 21 June 2022, generally exempts SMEs from certain record-keeping duties, also known as the “Record of Processing Activities” or “ROPA”. The term SME as used in this notification refers to:
- companies in the manufacturing business that have a maximum of 200 employees or maximum annual revenue of THB 500 million; and
- companies in the trading or service business that have a maximum of 100 employees or maximum annual revenue of THB 300 million.
The exemption also applies to community enterprises, social enterprises, cooperatives, foundations, associations, religious organizations, non-profit organizations, and household activities.
However, there are certain exceptions to the exemption under the notification. For example, SMEs that process sensitive data under Section 26 of the PDPA are still required to maintain data processing records in respect of such sensitive data.
2.) Criteria and Methods for Maintenance of Data Processing Records
The second notification, titled the PDPC Notification re Criteria and Methods of Record Keeping and Maintenance with respect to Personal Data Processing by Data Processors B.E. 2565, dated 10 June 2022, requires data processors to create and maintain certain records concerning their data processing activities. Such records must include, for example, details of the data processor, data controller, data privacy officer (if appointed), nature of data processed, recipients of data outside Thailand (if any), and descriptions of the security measures that the data processor has in place. This notification will be effective around mid-December, after the lapse of a 180-day grace period.
3.) Security Measures of Data Controllers
The third notification, titled the PDPC Notification re Security Measures of Data Controllers B.E. 2565, dated 10 June 2022 and effective from 21 June 2022, sets forth some general requirements concerning data security measures that data controllers must have in place under the PDPA.
4.) Criteria for Imposition of Administrative Fines by the Expert Committee
The fourth notification, titled the PDPC Notification re Criteria for Imposition of Administrative Fines by the Expert Committee B.E. 2565, dated 14 June 2022 and effective from 21 June 2022, allows the expert committee appointed by the PDPC, in cases of non-serious violations, to issue warnings and administrative orders prohibiting data controllers and data processors from engaging in certain data processing activities that violate the PDPA (instead of imposing administrative fines on such parties right away). In other words, this notification suggests that, at this early stage of enforcement of the PDPA, administrative fines would only be imposed on data controllers and data processors in cases of serious or repeated violations. Written warnings would be issued to those who commit non-serious and first-time violations.
Other Notifications
It is expected that more than 20 notifications will be gradually issued by the PDPC and published in the coming months.
Written by Wayu Suthisarnsuntorn (wayu@pisutandpartners.com) and Panasda Sairat (panasda@pisutandpartners.com).
First published on 23 June 2022.
Disclaimer: The information provided on this website is for general informational purposes only and does not constitute legal advice and is not intended to be relied on as such.