You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
November 8, 2024

Thailand Seeks Public Comments on Draft Amendments to ROPA Exemptions

Subscribe to Updates

On October 31, 2024, Thailand’s Office of the Personal Data Protection Committee (PDPC) opened a public consultation period on its draft notifications—one directed at data controllers and another at data processors—regarding exemptions from the requirement to create and maintain records of processing activities (ROPAs) under the Personal Data Protection Act B.E. 2562 (2019) (PDPA).

The draft notification for data controllers aims to amend and revoke certain aspects of the first ROPA exemption notification issued in June 2022 and outlines the criteria for data controllers to be exempted from the obligation to prepare and maintain such records. Although it is officially titled “Notification of the Personal Data Protection Committee on Exemption from Record-Keeping Requirements for Small Business Data Controllers,” this draft notification applies to all types of exempted data controllers (see list below), and not only small businesses.

The draft notification for data processors is new and does not replace any prior notification.

The criteria under both draft notifications exempt certain data controllers and data processors from the obligation to maintain ROPAs, but exempted data controllers are not free from the obligation to retain information on the rejection of data subjects’ requests to exercise certain rights under the PDPA. While these criteria remain consistent with the June 2022 ROPA exemption notification, there are a few key takeaways from the notifications, as detailed below.

Types of Exempted Parties

The draft notification on data controllers adds condominium and housing estate juristic persons, as well as individuals, to the list of parties eligible for an exemption, while removing internet cafes from the list. The new draft notification for data processors mirrors the corresponding list in the draft notification for data controllers.

The complete list of parties eligible for ROPA exemptions under the draft notifications is as follows:

  • SMEs according to the law on SME promotion, defined as follows:

  • Community or social enterprises, as referred to under the law on community enterprise promotion.
  • Social enterprises, as referred to under the law on social enterprise promotion.
  • Cooperatives, cooperative unions, or agriculturist groups under the law on cooperatives.
  • Foundations, associations, religious bodies, or nonprofit organizations.
  • Household businesses or other businesses of the same nature.
  • Condominium or housing estate juristic persons as defined by the laws on condominiums or housing estates, respectively.
  • Individual data controllers.

Carve-Outs from the ROPA Exemption

Parties exempted from the ROPA requirement under the draft notifications for data controllers and data processors must not be obligated to appoint a data protection officer (DPO) under the PDPA. In addition, exempted parties must still prepare and maintain a ROPA when the collection, use, or disclosure of personal data:

  • Poses a risk to the rights and freedoms of data subjects.
  • Is not occasional collection, use, or disclosure of personal data.
  • Involves special categories of personal data as specified in section 26 of the PDPA—for example, health data, biometric data, religious information, and so on.

Under the June 2022 ROPA exemption notification, data controllers who are service providers required to retain computer traffic data under the law related to computer crime are not eligible for the exemption. The draft notification for data controllers, however, does not currently include this stipulation.

The consultation period for both draft notifications is open until November 14, 2024, and the drafts may be subject to additional revisions before being finalized and made legally binding.

For more details on this draft notification, or on any aspect of compliance with the PDPA, please contact Nopparat Lalitkomon at [email protected], Napassorn Lertussavavivat at [email protected], or Wilin Somya at [email protected].

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

March 29, 2024
Vietnam’s Ministry of Public Security (MPS) is drafting two reports to present to the government in May 2024 to advocate for the development and adoption of a Law on Personal Data Protection. These reports include an assessment of the policy impact of the proposal to develop a personal data protection law, and an assessment of the current state of social relations related to personal data protection. Decree No. 13/2023/ND-CP on Personal Data Protection (PDPD), adopted in April 2023, became the first comprehensive legal instrument on data protection in Vietnam. When the National Assembly was debating its text and adoption in 2022 and 2023, questions were raised as to the status of this new regulation and the legality to adopt a decree before a law. In accordance with the public announcements made throughout the development of the PDPD assuring that a law would be developed at a later stage, the MPS is now advocating for the development of a Personal Data Protection Law and has drafted the two reports pursuant to the Law on the Promulgation of Legal Documents. The main arguments advanced by the MPS in the two reports are as follows: As the right to privacy is enshrined in the Constitution, any restrictions thereof must be made through a law and not a decree. The MPS is notably referring to the lawful basis for processing and limited exceptions to consent under the PDPD. This may be a sign that the MPS intends to widen the exceptions to consent under the new law. The definitions of “personal data” and “personal data protection” need to be harmonized to consolidate the regulatory framework. The MPS indicates that there are 69 legal documents directly related to “personal data protection” in Vietnam with more than 10 different definitions, while “personal information” appears in
Read More
March 29, 2024
Thailand’s Cybersecurity Regulating Committee (CRC) released a notification under the Cybersecurity Act on February 22, 2024, setting key operational obligations for critical information infrastructure (CII) organizations. The notification takes effect on June 20, 2024. CII organizations are state or private entities that carry out services related to national security, public services, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, or public health. CII organizations will be identified by the National Cyber Security Committee (NCSC) and notified of their status. The key obligations of CII organizations are laid out below. Reporting to the National Cyber Security Agency (NCSA) CII organizations must provide the following to the NCSA: A list of executive and operational staff, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list within 15 days following any changes. A list of internal departments or individuals who are the responsible persons, owners, and holders of the computer systems, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list at least 7 days prior to any changes (or within 15 days after the change if there is a necessary reason). Policies, Guidelines, and Procedures As specified in the National Cyber Security Committee (NCSC) guidelines, CII organizations must prepare the following internal documents by June 20, 2025: Cybersecurity practice guidelines, consisting of an inspection plan, risk assessment, and incident response plan. Cybersecurity standards framework, consisting of measures for risk identification, risk prevention, threat detection and monitoring, incident responses, and resilience and recovery. CII organizations must also prepare the following: Mechanisms, procedures, and steps for monitoring and detecting
Read More
March 28, 2024
Recently, Vietnam has witnessed a dramatic increase in cyber fraud, causing significant financial losses and posing a grave threat to both Vietnamese and foreign entities. With the increasing reliance on digital technology and the widespread adoption of online platforms, the country has become fertile ground for cybercriminals to exploit vulnerabilities and conduct various fraudulent activities. This article aims to present an overview of addressing cyber fraud in Vietnam and offers practical advice for businesses to safeguard themselves from becoming victims of such illicit activities.
Read More
March 27, 2024
Two notifications on the cross-border transfer of personal data, issued by Thailand’s Personal Data Protection Committee (PDPC), came into effect on March 24, 2024. These notifications, which we detailed in a previous update, set out the criteria governing the cross-border transfer of personal data offshore, specifically focusing on situations where appropriate personal data protection standards are in place. Of particular importance is the role of binding corporate rules (BCRs) in enabling the cross-border transfer of personal data among affiliated businesses or within the same group of undertakings. The implementation of BCRs requires a comprehensive review and approval process by the Office of the PDPC, strictly in accordance with the criteria set out in one of the two notifications. With the notifications now fully enforceable, the Office of the PDPC has begun accepting BCRs for review. Data controllers and data processors intending to adopt BCRs as a means for transferring data to offshore affiliates or group companies must initiate the BCR submission process promptly. Failure to comply with PDPA requirements concerning the cross-border transfer of personal data could result in substantial penalties. Organizations involved in cross-border personal data transfers should be proactive in complying with the prescribed criteria to avoid these regulatory penalties and maintain the data protection standards mandated by the PDPA. For more information on these cross-border personal data transfer regulations, or on any aspect of complying with Thailand’s data protection laws, please contact Nopparat Lalitkomon at [email protected], Gvavalin Mahakunkitchareon at [email protected], or Wilin Somya at [email protected].
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice