On October 31, 2024, Thailand’s Office of the Personal Data Protection Committee (PDPC) opened a public consultation period on its draft notifications—one directed at data controllers and another at data processors—regarding exemptions from the requirement to create and maintain records of processing activities (ROPAs) under the Personal Data Protection Act B.E. 2562 (2019) (PDPA).
The draft notification for data controllers aims to amend and revoke certain aspects of the first ROPA exemption notification issued in June 2022 and outlines the criteria for data controllers to be exempted from the obligation to prepare and maintain such records. Although it is officially titled “Notification of the Personal Data Protection Committee on Exemption from Record-Keeping Requirements for Small Business Data Controllers,” this draft notification applies to all types of exempted data controllers (see list below), and not only small businesses.
The draft notification for data processors is new and does not replace any prior notification.
The criteria under both draft notifications exempt certain data controllers and data processors from the obligation to maintain ROPAs, but exempted data controllers are not free from the obligation to retain information on the rejection of data subjects’ requests to exercise certain rights under the PDPA. While these criteria remain consistent with the June 2022 ROPA exemption notification, there are a few key takeaways from the notifications, as detailed below.
Types of Exempted Parties
The draft notification on data controllers adds condominium and housing estate juristic persons, as well as individuals, to the list of parties eligible for an exemption, while removing internet cafes from the list. The new draft notification for data processors mirrors the corresponding list in the draft notification for data controllers.
The complete list of parties eligible for ROPA exemptions under the draft notifications is as follows:
- SMEs according to the law on SME promotion, defined as follows:
- Community or social enterprises, as referred to under the law on community enterprise promotion.
- Social enterprises, as referred to under the law on social enterprise promotion.
- Cooperatives, cooperative unions, or agriculturist groups under the law on cooperatives.
- Foundations, associations, religious bodies, or nonprofit organizations.
- Household businesses or other businesses of the same nature.
- Condominium or housing estate juristic persons as defined by the laws on condominiums or housing estates, respectively.
- Individual data controllers.
Carve-Outs from the ROPA Exemption
Parties exempted from the ROPA requirement under the draft notifications for data controllers and data processors must not be obligated to appoint a data protection officer (DPO) under the PDPA. In addition, exempted parties must still prepare and maintain a ROPA when the collection, use, or disclosure of personal data:
- Poses a risk to the rights and freedoms of data subjects.
- Is not occasional collection, use, or disclosure of personal data.
- Involves special categories of personal data as specified in section 26 of the PDPA—for example, health data, biometric data, religious information, and so on.
Under the June 2022 ROPA exemption notification, data controllers who are service providers required to retain computer traffic data under the law related to computer crime are not eligible for the exemption. The draft notification for data controllers, however, does not currently include this stipulation.
The consultation period for both draft notifications is open until November 14, 2024, and the drafts may be subject to additional revisions before being finalized and made legally binding.
For more details on this draft notification, or on any aspect of compliance with the PDPA, please contact Nopparat Lalitkomon at [email protected], Napassorn Lertussavavivat at [email protected], or Wilin Somya at [email protected].
