The PDPA Thailand Law entered into law on the 1st of June 2022 and is already following the trends of other global data protection laws in its first year with PDPA amendments and notifications. Three have already come into force, and companies and PDPA service providers should revisit their initial PDPA documentation to ensure that they and their clients meet the new amendment standard.
Overview of new PDPA Notifications
- Notification of the PDPC Re: Exemption of the Record of Processing Activities Requirement for Data Controllers who are Small Businesses B.E. 2565 (2022)
Under the PDPA, data controllers were required to document and maintain a record of processing activities ( ROPA), capturing the minimum information mandated under Section 39
Under this new notification that came into force on 21st June 2022, data controllers classed as small businesses will be exempt from these ROPA requirements. These exemptions affect the following SME organisations:
1: The below Businesses
| Type Of Business | Small Business | Medium Sized Business | ||
| Employees | Annual Revenue | Employees | Annual revenue | |
| Manufacturer | 50 or less | THB 100m or less | 51-200 | THB 100-500m |
| Service | 30 or less | THB 50m or less | 31-100 | THB 50-300km |
| Wholesale/Retail | 30 or less | THB 50m or Less | 31-100 | THB 50-300m |
- A community enterprise community Social Enterprise that is registered under the community enterprise promotion law.
- Social Cooperative groups are registered under the social enterprise promotion law.
- cooperatives, cooperative federations, or farmer’s groups under the cooperatives law.
- foundations, associations, religious or non-profit organisations; and
- family businesses or other similar businesses.
Exemption to the Notification
However, the exempt businesses shall not apply to:
- a service provider who must maintain computer traffic data under the Computer-Related Crime Act B.E. 2550 (2007) unless it is an internet cafe.
- a data controller collecting, using or disclosing personal data that is likely to risk the rights and freedoms of data subjects.
- a data controller where the collection, processing and storing of data is occasional, or
- a data controller involved in collecting, using or disclosing sensitive personal data under the PDPA.
Formiti International has extensive expertise in achieving and completing PDPA compliance and complimentary services. We have a full catalogue of Thailand PDPA services from Global PDPA assessment, Outsourced DPO service, and PDPA compliance within 15 days. We also provide PDPA support such as online PDPA eLearning, PDPA audit review and DPO advisory services.
Book a free one-hour consultation
Formiti Data International have a full range of global data privacy services please visit our website at https//formiti.com.