Following the Personal Data Protection Act B.E. 2562 (2019) (PDPA) coming into full effect on 1 June 2022, four sub-regulations were introduced by the Personal Data Protection Committee (PDPC). These notifications become effective as of the 21st of June 2022.

Are you finding it troublesome to comply with the new regulation, the PDPA? Is your business compliant with the PDPA and its recently rolled-out sub-regulations?

This article provides a summary of the new sub-regulations to clear up the confusion. It was specially written by law firms who investigate, understand, and provide information worth your morning.

Summary of the new notifications

1. Exemption of the Record of Processing Activities Requirement for Data Controllers who are Small Businesses B.E. 2565 (2022)

As part of the duties imposed on data controllers under the PDPA, the preparation and maintenance of a record of processing activities (“ROPA”) is required. However, under this notification, data controllers that are small businesses will be exempt from the ROPA requirements.

Examples of the types of business excluded include:

  1. small or medium enterprises according to the law on small and medium-sized enterprise promotion:
    ‒ Product manufacturing business operators which hire no more than 200 employees, and have annual revenue not exceeding Baht 500 million,
    ‒ Service providers, wholesalers or retailers which hire no more than 100 employees, and have annual revenue not exceeding Baht 300 million;
  2. community enterprises and networks of community enterprises registered under the community enterprise promotion law;
  3. social enterprises and social enterprise groups registered under the social enterprise promotion law;
  4. cooperatives, cooperative federations, or farmers’ groups under the cooperatives law;
  5. foundations, associations, religious or non-profit organisations; and
  6. family businesses or other similar businesses.

However, the following businesses will not be able to rely upon the exemption:

  • a service provider that is required to maintain computer traffic data under the Computer-Related Crime Act B.E. 2550 (2007), unless it is an internet cafe;
  • a data controller collecting, using, or disclosing personal data that is likely to result in a risk to the rights and freedoms of data subjects;
  • a data controller whose business is not one in which the collection, use or disclosure of personal data is occasional; or
  • a data controller involved in the collection, use or disclosure of sensitive personal data under the PDPA.

2. Rules and Methods for Preparing and Maintaining Records of Processing Activities for the Data Processor B.E. 2565 (2022)

This notification has been introduced as a way to determine the minimum information that the data processor is required to include in its ROPA. Such information includes:

  1. name and information of the data processor and its representative (if any);
  2. name and information of the relevant data controller and its representative (if any);
  3. name and information, including contact address and method, of the data protection officer (if any);
  4. types or nature of collection, use or disclosure of personal data, including personal data and purposes of the collection, use or disclosure of such personal data, as assigned by the data controller;
  5. types of persons or entities that receive personal data in case of transmitting or transferring personal data abroad; and
  6. description of security measures.

Please note, this notification will come into force on the 17th of December 2022.

3. Security Measures of the Data Controller B.E. 2565 (2022)

Under the PDPA, the data controller is required to provide the appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction, or disclosure of personal data.

Such measures are subject to review if and when necessary, or when the technology has changed. These mandatory reviews are required in order to efficiently maintain the appropriate level of security and safety.

This notification provides a detailed minimum standard of the required security measures.

4. Rules for Consideration of Issuing Order to Impose Administrative Fines by the Expert Committee B.E. 2565 (2022)

This notification relates to the rules and procedures for the Expert Committee (which will be appointed under the PDPA) when issuing an order to impose administrative fines or other relevant administrative enforcement measures against those who do not comply with the PDPA.

Considerations include: seizure, confiscation, and sale by auction of assets where any person fails to make the correct and full payment of administrative fines after receiving written warning from the Expert Committee.

What happens if companies do not comply with these notifications?

Failure to comply with the requirements and obligations of these new regulations could result in the penalties specified under the PDPA being imposed on the company. For example, a fine of up to THB 5 million.