
The Thailand PDPA entered into law on the 1st of June 2022 and, in its first year, is already following the trend of other global data protection laws, with PDPA amendments and notifications. Three have already come into force, and companies and PDPA service providers should revisit their initial PDPA documentation to ensure that they and their clients meet the new amendment standard.


Overview of new PDPA Notifications

  1. Notification of the PDPC Re: Exemption of the Record of Processing Activities Requirement for Data Controllers who are Small Businesses B.E. 2565 (2022)

Under the PDPA, data controllers were required to document and maintain a record of processing activities (ROPA), capturing the minimum information mandated under Section 39.

Under this new notification, which came into force on 21st June 2022, data controllers classed as small businesses are exempt from these ROPA requirements. The exemption affects the following SME organisations:

1. The businesses below:

| Type of business | Small business: employees | Small business: annual revenue | Medium-sized business: employees | Medium-sized business: annual revenue |
|---|---|---|---|---|
| Manufacturer | 50 or less | THB 100m or less | 51-200 | THB 100-500m |
| Service | 30 or less | THB 50m or less | 31-100 | THB 50-300m |
| Wholesale/Retail | 30 or less | THB 50m or less | 31-100 | THB 50-300m |

  1. A community enterprise or community social enterprise that is registered under the community enterprise promotion law.
  2. Social cooperative groups that are registered under the social enterprise promotion law.
  3. Cooperatives, cooperative federations, or farmers' groups under the cooperatives law.
  4. Foundations, associations, religious or non-profit organisations; and
  5. Family businesses or other similar businesses.

Exceptions to the Notification

However, the exemption shall not apply to:

  • a service provider who must maintain computer traffic data under the Computer-Related Crime Act B.E. 2550 (2007) unless it is an internet cafe.
  • a data controller collecting, using or disclosing personal data that is likely to risk the rights and freedoms of data subjects.
  • a data controller where the collection, processing and storing of data is occasional, or
  • a data controller involved in collecting, using or disclosing sensitive personal data under the PDPA.

Formiti International has extensive expertise in achieving and completing PDPA compliance and complimentary services. We have a full catalogue of Thailand PDPA services, from Global PDPA assessment and Outsourced DPO service to PDPA compliance within 15 days. We also provide PDPA support such as online PDPA eLearning, PDPA audit review and DPO advisory services.


Formiti Data International has a full range of global data privacy services. Please visit our website at https://formiti.com.