The Thailand PDPA entered into law on the 1st of June 2022 and is already following the trends of other global data protection laws in its first year with PDPA amendments and notifications. Three have already come into force, and companies and PDPA service providers should revisit their initial PDPA documentation to ensure that they and their clients meet the new amendment standard.
Overview of new PDPA Notifications
- Notification of the PDPC Re: Exemption of the Record of Processing Activities Requirement for Data Controllers who are Small Businesses B.E. 2565 (2022)
Under the PDPA, data controllers were required to document and maintain a record of processing activities ( ROPA), capturing the minimum information mandated under Section 39
Under this new notification that came into force on 21st June 2022, data controllers classed as small businesses will be exempt from these ROPA requirements. These exemptions affect the following SME organisations:
1: The below Businesses
| Type Of Business | Small Business | Medium Sized Business | ||
| Employees | Annual Revenue | Employees | Annual revenue | |
| Manufacturer | 50 or less | THB 100m or less | 51-200 | THB 100-500m |
| Service | 30 or less | THB 50m or less | 31-100 | THB 50-300km |
| Wholesale/Retail | 30 or less | THB 50m or Less | 31-100 | THB 50-300m |
- A community enterprise community Social Enterprise that is registered under the community enterprise promotion law.
- Social Cooperative groups that are registered under the social enterprise promotion law.
- cooperatives, cooperative federations, or farmer’s groups under the cooperatives law.
- foundations, associations, religious or non-profit organisations; and
- family businesses or other similar businesses.
Exemption to the Notification
However, the exempt businesses shall not apply to:
- a service provider must maintain computer traffic data under the CAmputer-Related Crime Act B.E. 2550 (2007) unless it is an internet cafe.
- a data controller collecting, using or disclosing persoAal data that is likely to risk the rights and freedoms of data subjects.
- a data controller whose business is not the business that the collection, use or disclosure of the personal data is occasional; or
- a data controller involved in collecting, using or disclosing sensitive personal data under the PDPA.
Formiti International has extensive expertise in achieving and a completing PDPA compliance and complimentary services. We have a full catalogue of PDPA services from global PDPA assessment, outsourced DPO service, PDPA compliance within 15 days. We also provide PDPA support such as online pDPA eLearning, PDPA polony-hourmentation review and DPO advisory services.
Book a free one hour consultation
Formiti Data International have a full range of global data privacy services please visit our website at https//formiti.com.
