Exploring the 4 new Data Protection sub-regulations
Following the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) coming into full effect on 1 June 2022, four sub-regulations were introduced by the Personal Data Protection Committee (PDPC). These notifications become effective as of the 21st of June 2022.
In this article, we provide a more detailed breakdown of the criteria and rules set out in these new notifications.
Summary of the new notifications
1. Exemption of the Record of Processing Activities Requirement for Data Controllers who are Small Businesses B.E. 2565 (2022)
As part of the duties imposed on data controllers under the PDPA, the preparation and maintenance of a record of processing activities (“ROPA”) is required. However, under this notification, data controllers that are small businesses will be exempt from the ROPA requirement.
Examples of the types of business that are exempt include:
- small or medium enterprises according to the law on small and medium-sized enterprise promotion, namely:
  ‒ product manufacturing business operators which hire no more than 200 employees and have annual revenue not exceeding Baht 500 million; and
  ‒ service providers, wholesalers or retailers which hire no more than 100 employees and have annual revenue not exceeding Baht 300 million;
- community enterprises and networks of community enterprises registered under the community enterprise promotion law;
- social enterprises and social enterprise groups registered under the social enterprise promotion law;
- cooperatives, cooperative federations, or farmers’ groups under the cooperatives law;
- foundations, associations, religious or non-profit organisations; and
- family businesses or other similar businesses.
However, the following businesses will not be able to rely upon the exemption:
- a service provider that is required to maintain computer traffic data under the Computer-Related Crime Act B.E. 2550 (2007), unless it is an internet cafe;
- a data controller collecting, using, or disclosing personal data in a way that is likely to result in a risk to the rights and freedoms of data subjects;
- a data controller whose collection, use or disclosure of personal data is not merely occasional; or
- a data controller involved in the collection, use or disclosure of sensitive personal data under the PDPA.
2. Rules and Methods for Preparing and Maintaining Records of Processing Activities for the Data Processor B.E. 2565 (2022)
This notification has been introduced as a way to determine the minimum information that the data processor is required to include in its ROPA. Such information includes:
- name and information of the data processor and its representative (if any);
- name and information of the relevant data controller and its representative (if any);
- name and information, including contact address and method, of the data protection officer (if any);
- types or nature of the collection, use or disclosure of personal data, including the personal data concerned and the purposes of the collection, use or disclosure of such personal data, as assigned by the data controller;
- types of persons or entities that receive personal data where personal data is transmitted or transferred abroad; and
- description of security measures.
Please note that this notification will come into force on the 17th of December 2022.
3. Security Measures of the Data Controller B.E. 2565 (2022)
Under the PDPA, the data controller is required to provide appropriate security measures for preventing the unauthorised or unlawful loss, access to, use, alteration, correction, or disclosure of personal data.
Such measures are subject to review if and when necessary, or when the technology has changed. These mandatory reviews are required in order to efficiently maintain the appropriate level of security and safety.
This notification provides a detailed minimum standard of the required security measures.
4. Rules for Consideration of Issuing Order to Impose Administrative Fines by the Expert Committee B.E. 2565 (2022)
This notification relates to the rules and procedures for the Expert Committee (which will be appointed under the PDPA) when issuing an order to impose administrative fines or other relevant administrative enforcement measures against those who do not comply with the PDPA.
Considerations include the seizure, confiscation, and sale by auction of assets where any person fails to make correct and full payment of administrative fines after receiving a written warning from the Expert Committee.
What happens if companies do not comply with these notifications?
Failure to comply with the requirements and obligations of these new regulations could result in the penalties specified under the PDPA being imposed on the company, for example a fine of up to THB 5 million.
For more information relating to the penalties for breaching the PDPA, please take a look at our blog post on the subject here.
What else do I need to know about the PDPA?
The PDPA has far reaching implications for many companies and is a complex piece of legislation. For more information about the PDPA please check out our following blog posts.
How can our team of experts help?
These new announcements highlight the fact that the Thai government is placing a lot of emphasis on the PDPA. By making these announcements so soon after the PDPA was launched, it is clear that the government is willing to change and adapt the PDPA quickly and accordingly to make it as effective as possible.
If you need more information about the PDPA and how to ensure full compliance, you can book a consultation with one of our PDPA experts.
Please note that this article is for information purposes only and does not constitute legal advice.
Our consultations last for a period of up to 1 hour and are conducted by expert Lawyers who are fluent in English, French and Thai.
Consultations can be hosted via WhatsApp or Video Conferencing software for your convenience. A consultation with one of our legal experts is undoubtedly the best way to get all the information you need and answer any questions you may have about your new business or project.
Frequently asked questions
What is Thailand Personal Data Protection Act?
The PDPA is a law that prevents the infringement of a data subject’s personal information. The PDPA applies to any collection, use or disclosure of personal data obtained by a data controller or data processor within Thailand. However, when a data controller or data processor is located outside of Thailand, the PDPA will still apply if the data subject whose data is collected, used or disclosed is located in Thailand.
Does GDPR apply in Thailand?
The GDPR applies to organisations that have a presence in the EU, notably entities that have an ‘establishment’ in the EU. The GDPR also applies to the processing activities of data controllers and data processors that do not have any presence in the EU, where processing activities are related to the offering of goods, or services to individuals in the EU, or to the monitoring of the behaviour of individuals in the EU.
Which countries have the best data protection?
Denmark, Norway and Canada are considered to have the best Data Protection laws along with the EU.
What is the difference between PDPA and GDPR?
The GDPR states specific rules for the processing of personal data for research purposes, including data minimisation and anonymisation. The PDPA does not include specific rules for the collection, use, and disclosure of personal data for such purposes, but requires that ‘suitable measures are put in place’.
Who does Thai PDPA cover?
The PDPA covers all uses or disclosures of personal data obtained by a data controller or data processor within Thailand. Where the data controller or data processor is located outside of Thailand, the PDPA will still apply.
What is personal data protection?
Personal data protection refers to how both public and private entities receive consent from data subjects. Data protection also covers the correct methods for processing, collecting or disclosing personal data.
Who are exempted from PDPA?
The only exemptions to the PDPA are where the disclosure of the information is in the interest of investigation procedures or proceedings by the courts, or where the data subject has provided written consent.
Who is subject to PDPA?
The PDPA will be applied to any collection, use or disclosure of personal data obtained by a data controller or data processor within Thailand.
Does PDPA apply to individuals?
The PDPA applies to both individuals and companies alike.