


Thailand’s Personal Data Protection Act (PDPA), which came into effect on June 1, 2022, is a comprehensive data protection law aimed at safeguarding the rights and privacy of individuals in the digital age. One crucial aspect of the PDPA is the requirement for organisations to maintain a Record of Processing Activities (ROPA). This record serves as a critical tool for demonstrating compliance with the law. However, not all entities are required to maintain a ROPA, and data processors, in particular, have specific obligations. In this article, we’ll explore who is exempt from holding an ROPA under the Thailand PDPA and go into the responsibilities of data processors concerning this record.


Exemptions from Maintaining a ROPA


ROPA Exemption Notification for Small Business Data Controllers by the PDPC: Exemption to the Record of Processing Activities Requirement for Data Controllers that Are Small Businesses B.E. 2565 (2022) (“ROPA Exemption Notification”)

Under the PDPA, data controllers must prepare and maintain a record of processing activities (ROPA) containing the information specified in Section 39 of the PDPA, including the personal data collected, the purposes of processing the personal data, the retention period, etc.

Small or medium-sized businesses, according to the law on small and medium-sized enterprise promotion, are defined as follows:


Exemptions From Preparing and Maintaining a Record of Processing Activities (ROPA)

| Type Of Business | Small Business | Annual Revenue | Medium-Sized Business | Annual Revenue |
|---|---|---|---|---|
| Manufacturer | 50 or Less | Up to 100 Million THB | 51 to 200 | >100 Million THB to 500 Million THB |
| Service Provider | 30 or Less | Up to 50 Million THB | 31 to 100 | >50 Million THB to 300 Million THB |
| Wholesale / Retail | 30 or Less | Up to 50 Million THB | 31 to 100 | >50 Million THB to 300 Million THB |

However, under the ROPA Exemption Notification, a data controller's exemption will not apply to information related to the recording of a request from a data subject to exercise the following rights under the PDPA:

  • right of access;
  • right to data portability;
  • right to object; and
  • right to rectification


Obligations of Data Processors in Maintaining a ROPA


Data processors play a vital role in the data processing ecosystem and have distinct responsibilities under the Thailand PDPA. When it comes to maintaining a ROPA, data processors have the following obligations:

  1. Collaboration with Data Controllers: Data processors must cooperate with data controllers to maintain an accurate and up-to-date ROPA. This collaboration involves providing the necessary information and documentation to the data controller to fulfil their ROPA obligations effectively.
  2. Record-Keeping: While the primary responsibility for creating and maintaining the ROPA rests with data controllers, data processors should maintain their own internal records of processing activities. This information should be made available to data controllers to ensure compliance.
  3. Compliance with Instructions: Data processors are required to process personal data in accordance with the instructions provided by the data controller. This includes adhering to the scope and purposes of data processing activities outlined in the ROPA.
  4. Security Measures: Data processors must implement appropriate security measures to protect personal data from unauthorised access, disclosure, alteration, or destruction. These measures should align with the data controller’s obligations outlined in the ROPA.
  5. Notification of Data Breaches: Data processors must promptly inform the data controller of a personal data breach. The data controller, in turn, must assess the breach and take necessary actions, including notifying the authorities or affected data subjects.




The Thailand PDPA’s requirement for maintaining a Record of Processing Activities (ROPA) is fundamental to data protection compliance. While some entities are exempt from this obligation, data processors are crucial in ensuring that the ROPA is accurate and up-to-date. Their collaboration with data controllers, record-keeping, compliance with instructions, implementation of security measures, and reporting data breaches are essential to maintaining data protection standards. Understanding these obligations and exemptions is vital for all organisations operating under the PDPA to ensure that personal data is handled with care and in compliance with the law.

Formiti Data International UK Ltd. provide a range of professional Thailand PDPA Services