+44 (0) 121 582 0192 [email protected]

Introduction

 

Thailand’s Personal Data Protection Act (PDPA), which came into effect on June 1, 2022, is a comprehensive data protection law aimed at safeguarding the rights and privacy of individuals in the digital age. One crucial aspect of the PDPA is the requirement for organisations to maintain a Record of Processing Activities (ROPA). This record serves as a critical tool for demonstrating compliance with the law. However, not all entities are required to maintain a ROPA, and data processors, in particular, have specific obligations. In this article, we’ll explore who is exempt from holding an ROPA under the Thailand PDPA and go into the responsibilities of data processors concerning this record.

 

Exemptions from Maintaining a ROPA

 

ROPA Exemption Notification for Small Business Data Controllers by the PDPC. Exemption to the Record of Processing Activities Requirement for Data Controllers that Are Small Businesses B.E. 2565 (2022) (“ROPA Exemption Notification”)

Under the PDPA, data controllers must prepare and maintain a record of processing activities (ROPA) containing the information specified in Section 39 of the PDPA, including the personal data collected, the purposes of processing the personal data, the retention period, etc.

Small or medium-sized businesses, according to the law on small and medium-sized enterprise promotion, are defined as follows:

 

Exemptions From Preparing and Maintaining  a Record of Processing Activities (ROPA)

Type Of Business
Small Business
Medium-Sized Business
Employees
Annual Revenue
Employees
Annual Revenue
Manufacturer 50 or Less Up to 100 Million THB 51 to 200 >100 Mullion THB to 500 Million THB
Service Provider 30 or Less Up to 50 Million THB 31 to 100 >50 Million THB to 300 Million THB
Wholesale / Retail 30 or Less Up to 50 Million THB 31 to 100 >50 Million THB to 300 Million THB
 

However, in the  ROPA Exemption Notification, a data controller will not apply   information related to the recording of a request from a data subject to exercise their rights under the PDPA

  • right of access;
  • right to data portability;
  • right to object; and
  • right to rectification

 

Obligations of Data Processors in Maintaining a ROPA

 

Data processors play a vital role in the data processing ecosystem and have distinct responsibilities under the Thailand PDPA. When it comes to maintaining a ROPA, data processors have the following obligations:

  1. Collaboration with Data Controllers: Data processors must cooperate with data controllers to maintain an accurate and up-to-date ROPA. This collaboration involves providing the necessary information and documentation to the data controller to fulfil their ROPA obligations effectively.
  2. Record-Keeping: While the primary responsibility for creating and maintaining the ROPA rests with data controllers, data processors should maintain their own internal records of processing activities. This information should be made available to data controllers to ensure compliance.
  3. Compliance with Instructions: Data processors are required to process personal data in accordance with the instructions provided by the data controller. This includes adhering to the scope and purposes of data processing activities outlined in the ROPA.
  4. Security Measures: Data processors must implement appropriate security measures to protect personal data from unauthorised access, disclosure, alteration, or destruction. These measures should align with the data controller’s obligations outlined in the ROPA.
  5. Notification of Data Breaches: Data processors must promptly inform the data controller of a personal data breach. The data controller, in turn, must assess the breach and take necessary actions, including notifying the authorities or affected data subjects.

 

Conclusion

 

The Thailand PDPA’s requirement for maintaining a Record of Processing Activities (ROPA) is fundamental to data protection compliance. While some entities are exempt from this obligation, data processors are crucial in ensuring that the ROPA is accurate and up-to-date. Their collaboration with data controllers, record-keeping, compliance with instructions, implementation of security measures, and reporting data breaches are essential to maintaining data protection standards. Understanding these obligations and exemptions is vital for all organisations operating under the PDPA to ensure that personal data is handled with care and in compliance with the law.

Formiti Data International UK Ltd. provide a range of professional Thailand PDPA Services 

 

On this website we use first or third-party tools that store small files (cookie) on your device. Cookies are normally used to allow the site to run properly (technical cookies), to generate navigation usage reports (statistics cookies) and to suitable advertise our services/products (profiling cookies). We can directly use technical cookies, but you have the right to choose whether or not to enable statistical and profiling cookies. Enabling these cookies, you help us to offer you a better experience.