
Introduction

 

Thailand’s Personal Data Protection Act (PDPA), effective from June 1, 2022, is a comprehensive law designed to protect individual rights and privacy in the digital era. A key element of the PDPA is the obligation for organizations to keep a Record of Processing Activities (ROPA), which is essential for proving compliance with the legislation. However, not every entity is mandated to maintain a ROPA, and data processors have particular responsibilities. This article examines the exemptions under the Thailand PDPA and the duties of data processors in relation to the ROPA.

Exemptions from Maintaining a ROPA

 

The PDPC has issued an exemption notification for small business data controllers: Exemption to the Record of Processing Activities Requirement for Data Controllers that Are Small Businesses B.E. 2565 (2022) (“ROPA Exemption Notification”).

Under the PDPA, data controllers must prepare and maintain a record of processing activities (ROPA) containing the information specified in Section 39 of the PDPA, including the personal data collected, the purposes of processing the personal data, the retention period, etc.

Small or medium-sized businesses, according to the law on small and medium-sized enterprise promotion, are defined as follows:

 

Exemptions From Preparing and Maintaining a Record of Processing Activities (ROPA)

| Type of Business | Small Business: Employees | Small Business: Annual Revenue | Medium-Sized Business: Employees | Medium-Sized Business: Annual Revenue |
|---|---|---|---|---|
| Manufacturer | 50 or Less | Up to 100 Million THB | 51 to 200 | >100 Million THB to 500 Million THB |
| Service Provider | 30 or Less | Up to 50 Million THB | 31 to 100 | >50 Million THB to 300 Million THB |
| Wholesale / Retail | 30 or Less | Up to 50 Million THB | 31 to 100 | >50 Million THB to 300 Million THB |
 

However, under the ROPA Exemption Notification, the exemption does not apply to information related to the recording of a request from a data subject to exercise the following rights under the PDPA:

  • right of access;
  • right to data portability;
  • right to object; and
  • right to rectification

 

Obligations of Data Processors in Maintaining a ROPA

 

Data processors play a vital role in the data processing ecosystem and have distinct responsibilities under the Thailand PDPA. When it comes to maintaining a ROPA, data processors have the following obligations:

  1. Collaboration with Data Controllers: Data processors must cooperate with data controllers to maintain an accurate and up-to-date ROPA. This collaboration involves providing the necessary information and documentation to the data controller to fulfil their ROPA obligations effectively.
  2. Record-Keeping: While the primary responsibility for creating and maintaining the ROPA rests with data controllers, data processors should maintain their own internal records of processing activities. This information should be made available to data controllers to ensure compliance.
  3. Compliance with Instructions: Data processors are required to process personal data in accordance with the instructions provided by the data controller. This includes adhering to the scope and purposes of data processing activities outlined in the ROPA.
  4. Security Measures: Data processors must implement appropriate security measures to protect personal data from unauthorised access, disclosure, alteration, or destruction. These measures should align with the data controller’s obligations outlined in the ROPA.
  5. Notification of Data Breaches: Data processors must promptly inform the data controller of a personal data breach. The data controller, in turn, must assess the breach and take necessary actions, including notifying the authorities or affected data subjects.

 

Conclusion

 

The Thailand PDPA’s requirement for maintaining a Record of Processing Activities (ROPA) is fundamental to data protection compliance. While some entities are exempt from this obligation, data processors are crucial in ensuring that the ROPA is accurate and up-to-date. Their collaboration with data controllers, record-keeping, compliance with instructions, implementation of security measures, and reporting data breaches are essential to maintaining data protection standards. Understanding these obligations and exemptions is vital for all organisations operating under the PDPA to ensure that personal data is handled with care and in compliance with the law.

Formiti Data International UK Ltd. provide a range of professional Thailand PDPA Services