On October 31, 2024, Thailand’s Office of the Personal Data Protection Committee (PDPC) opened a public consultation period on its draft notifications—one directed at data controllers and another at data processors—regarding exemptions from the requirement to create and maintain records of processing activities (ROPAs) under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The draft notification for data controllers aims to amend and revoke certain aspects of the first ROPA exemption notification issued in June 2022 and outlines the criteria for data controllers to be exempted from the obligation to prepare and maintain such records. Although it is officially titled “Notification of the Personal Data Protection Committee on Exemption from Record-Keeping Requirements for Small Business Data Controllers,” this draft notification applies to all types of exempted data controllers (see list below), and not only small businesses. The draft notification for data processors is new and does not replace any prior notification. The criteria under both draft notifications exempt certain data controllers and data processors from the obligation to maintain ROPAs, but exempted data controllers are not free from the obligation to retain information on the rejection of data subjects’ requests to exercise certain rights under the PDPA. While these criteria remain consistent with the June 2022 ROPA exemption notification, there are a few key takeaways from the notifications, as detailed below. Types of Exempted Parties The draft notification on data controllers adds condominium and housing estate juristic persons, as well as individuals, to the list of parties eligible for an exemption, while removing internet cafes from the list. The new draft notification for data processors mirrors the corresponding list in the draft notification for data controllers. The complete list of parties eligible for ROPA exemptions under the draft notifications is as follows: SMEs according to the law on

On October 1, 2024, the Thai cabinet acknowledged the recommendations proposed by the National Anti-Corruption Commission (NACC) to prevent corruption related to online gambling. The Ministry of Digital Economy and Society (MDES) has been assigned as the lead agency to collaborate with various relevant agencies to reach a consensus on the necessary amendments and updates to laws related to online gambling. In assigning the MDES this role, the cabinet emphasized the importance of the following key items: Establishment of a national committee. The national committee will be chaired by a minister and will comprise relevant agencies, including policymaking bodies, technology agencies, frequency management agencies, law enforcement agencies, and other experts. The committee’s primary responsibility will be to consider amending and updating laws related to online gambling. Urgent action on online gambling. As online gambling has been deemed a serious issue requiring urgent action, joint policies will be developed among relevant agencies such as the Royal Thai Police, the Bank of Thailand, and the Anti-Money Laundering Office to elevate the importance of online gambling issues. Public awareness and law enforcement. Public awareness campaigns are to be conducted to educate the public about the risks and legal consequences of online gambling, and laws against online gambling and related financial crimes are to be strictly enforced. Compliance with the Cybersecurity Act. It is necessary to ensure strict compliance with the Cybersecurity Act B.E. 2562 (2019). At the same time, government data systems are to be moved to cloud computing for enhanced data security. Next Steps The MDES is tasked with summarizing the results of the related discussions, actions taken, and overall opinions and submitting the summary to the cabinet secretariat for further presentation to the cabinet. These measures aim to address and mitigate the risks associated with online gambling and related corruption.

On August 13, 2024, Thailand’s Personal Data Protection Committee (PDPC) published a notification on the Criteria for Personal Data Deletion, Destruction, and De-identification in the Government Gazette, taking effect on November 11, 2024. Most of the content remains unchanged from the June 2024 draft of the legislation that was released for public comment. Only minor amendments have been made, as outlined below: Data controllers must respond to data subjects’ requests to delete, destroy, or de-identify personal data, including any copies or backups, without delay and within 90 days of receiving the request. This timeframe has been extended from the previous draft, which allowed only 60 days. In deleting, destroying, or de-identifying personal data, the data controller must ensure that no one is able to recover or reverse personal data to enable the direct or indirect identification of the data subject by any means that could reasonably be expected. If the data controller cannot fulfill the request within the 90-day period, it must take measures to ensure that the personal data is made difficult to collect, use, or disclose until the personal data can be deleted, destroyed, or de-identified according to the notification. In such cases, appropriate organizational, technical, and physical measures must be implemented to protect the data, meeting the criteria set forth by the notification. One newly added provision allows data controllers to delete, destroy, or de-identify a data subject’s personal data using a different method than the one requested by the data subject, provided they inform the data subject of the alternative method. However, this is not allowed when the data subject exercises this right on the grounds that the personal data has been unlawfully collected, used or processed, and there are no grounds to reject the request. In relation to the de-identification or anonymization of personal

The Personal Data Protection Committee (PDPC) of Thailand’s Ministry of Digital Economy and Society (MDES) has announced the first administrative fine under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). A major private company was fined THB 7 million for noncompliance with specific PDPA requirements, resulting in the unauthorized disclosure of personal data to a call center gang (phone scam fraudsters). Key Findings of Noncompliance The PDPC determined that there were three key violations of specific requirements of the PDPA: Failure to appoint a data protection officer (DPO): Despite processing personal data for over 100,000 individuals as part of its core operations, the company did not appoint a DPO. Inadequate security measures: The company lacked the required security measures, leading to a data breach involving a call center gang, causing widespread damage. Delayed data breach notification: The company did not notify authorities of the data breach within the required timeframe and failed to address the breach promptly, making it impossible to remedy the situation. In addition to the monetary fine, the PDPC, along with the PDPA’s Expert Committee, issued a corrective order requiring the company to undertake the following actions and notify the Office of the PDPC of the relevant correction measures within seven days of receiving the order: Implement up-to-date security measures: The company must improve its current security measures to prevent future breaches and ensure that the security measures are up-to-date with changing technologies. Raise awareness of personnel: The company must provide training to relevant personnel to ensure awareness of data compliance and protection practices. This significant administrative action establishes a precedent for addressing data breaches in both governmental and commercial sectors in Thailand. It also confirms the importance of PDPA compliance, particularly the need for robust security measures, timely breach notifications, and the appointment of