SCROLL

TOP

Publications

Download full text (PDF)

Newsletters January 2025

Exemption on the Record of Processing Activities (RoPA) for Data Controllers and Data Processors (Thailand)

NO&T Thailand Legal Update

Author

Shunsuke Minowa, Poonyisa Sornchangwat, Niparat Pothong (Co-author)

Publisher

Nagashima Ohno & Tsunematsu

Journal / Book

NO&T Thailand Legal Update No.34(January, 2025)

Reference

Practice Areas

*Please note that this newsletter is for informational purposes only and does not constitute legal advice. In addition, it is based on information as of its date of publication and does not reflect information after such date. In particular, please also note that preliminary reports in this newsletter may differ from current interpretations and practice depending on the nature of the report.

On 8 January 2025, with respect to the Personal Data Protection Act of 2019 (“PDPA”), the Personal Data Protection Committee (the “PDPC”) announced regulations concerning a record of personal data and processing activities (“RoPA”). New regulations stipulate the exemption of RoPA for certain types of data controllers and data processors. We will provide key summary of such new regulations in this article.

1. Background

Before going into detail, let us introduce the background of these regulations.

One of the key duties of data controllers and data processors under the PDPA, as we summarized in our past article which can be accessed through following link (NO&T Asia Legal Review (June, 2022) “Checklist of Requirements for Data Controller under the Personal Data Protection Law (Thailand)”), is to prepare RoPA containing the particulars as prescribed under the PDPA etc.※1

In this regard, certain data controllers and data processors which are small enterprises as prescribed by the PDPC (the “Small Enterprises etc.”) will be exempted from the duty to prepare the RoPA.※2※3

As for the subordinate regulation, in 2022, the regulation regarding the exemption for data controllers from preparing the RoPA was announced (“Sub-Regulation for Data Controller”).

On 8 January 2025, the PDPC announced further subordinate regulations in the Royal Gazette the following:

the amendment to the said Sub-Regulation for Data Controller, i.e., the Notification of Personal Data Protection Committee Re: Exemption from Preparing Records of Data Controller who is a Small Enterprise of 2024 dated 26 December 2024 (“Amended Sub-Regulation for Data Controller”); and
Notification of Personal Data Protection Committee Re: Exemption from Preparing and Maintaining Records of Personal Data Processing Activities of Data Processor who is a Small Enterprise of 2024 dated 26 December 2024 (“Sub-Regulation for Data Processor”, collectively “Sub-Regulations on Exemption from RoPA”).

The Amended Sub-Regulation for Data Controller will come into effect on 8 April 2025, while the Sub-Regulation for Data Processor has been in effect since 9 January 2025.

2. Key Summary of the Sub-Regulations on Exemption from RoPA

The criteria and details regarding the exemption under each of the Amended Sub-Regulation for Data Controller and the Sub-Regulation or Data Processor are almost the same and can be summarized as follows:

2.1 The characteristics of data controllers and data processors who are exempted from preparing the RoPA

In order to be exempted from preparing the RoPA, data controllers and data processors must be a small enterprise as prescribed by the PDPC and have any one of the following characteristics:
1. being a small or medium-sized enterprise under the law on the promotion of small and medium-sized enterprises;※4
2. being a community enterprise or community enterprise network under the law on the promotion of community enterprises;
3. being a social enterprise or group of social enterprises under the law on the promotion of social enterprises;
4. being a cooperative, cooperative assembly, or farmers group under the law on cooperatives;
5. being a foundation, association, religious organization, or non-profit organization;
6. being a condominium juristic person under the law on condominium or a developed housing juristic person under the law on land development;
7. being a family business or other business in the same characteristic; and
8. being a business operated by the data controller, who is an individual.
The data controller and the data processor which are exempted from preparing the RoPA must not be the data controller and the data processor who have the duty to designate a data protection officer (DPO).※5

2.2 Cases where the exemption from preparing the RoPA shall not apply

Although data controllers and data processors are small enterprises and have the characteristics as specified in item 3.1, the exemption under the Sub-Regulations on Exemption from RoPA shall not apply in cases where the collection, use, or disclosure of personal data has one of the following characteristics:

posing a risk of impacting the rights and freedom of the data subject;
being not a business where the collection, use, or disclosure of personal data is occasional; and/or
being the personal data under Section 26 of the PDPA.

3. Amendment to the Sub-Regulation for Data Controller

The Sub-Regulation for Data Controller was repealed by the Amended Sub-Regulation for Data Controller. The significant changes can be summarized in the comparison table below.

No.	Key matters of amendment	Sub-Regulation for Data Controller	Amended Sub-Regulation for Data Controller
1.	Type of data controllers exempted from RoPA	being a small or medium-sized enterprise under the law on the promotion of small and medium-sized enterprises; being a community enterprise or community enterprise network under the law on the promotion of community enterprises; being a social enterprise or group of social enterprises under the law on the promotion of social enterprises; being a cooperative, cooperative assembly, or farmers group under the law on cooperatives; being a foundation, association, religious organization, or non-profit organization; and being a family business or other business in the same characteristic	being a small or medium-sized enterprise under the law on the promotion of small and medium-sized enterprises; being a community enterprise or community enterprise network under the law on the promotion of community enterprises; being a social enterprise or group of social enterprises under the law on the promotion of social enterprises; being a cooperative, cooperative assembly, or farmers group under the law on cooperatives; being a foundation, association, religious organization, or non-profit organization; [newly added] being a condominium juristic person under the law on condominium or a developed housing juristic person under the law on land development; being a family business or other business in the same characteristic; and [newly added] being a business operated by the data controller, who is an individual.
2.	Eligibility of service providers required to retain computer traffic data for the exemption from RoPA	Data controller being a small enterprise which is exempted under paragraph one shall not be a service provider who is required to store computer traffic information under the law on offences related to computer, unless it is a service provider category internet cafe service provider. In such case, such data controller shall be exempted under paragraph one.※6	-Condition removed- Hence, a service provider who (a) is required to store computer traffic information under the law on offences related to computer and (b) falls under the Small Enterprises etc., can also be eligible for the exemption from RoPA.

4. Conclusion

A business operator which is in the position of a data controller and/or a data processor should be mindful of the criteria for the exemption under the Sub-Regulations on Exemption from RoPA. As a result of the Sub-Regulations on Exemption from RoPA, certain data controllers and data processors which are Small Enterprises etc. are released from their obligation to prepare RoPA.

Notably, such exemption from RoPA is practically reasonable and favorable for data controllers and data processors considering various factors, for example, the size of data controllers and data processors which are the Small Enterprises etc., the degree of involvement with the personal data by the Small Enterprises etc. comparing to the larger enterprises, and the obligation to prepare RoPA which can be burdensome comparing to the size of their businesses.

Endnotes

*1
Section 39, paragraph 1 and Section 40(3) of the PDPA.
Notification of the Personal Data Protection Committee re: Criteria and Methods for Preparing and Maintaining the Record of Processing Activities of Data Processor of 2022 dated 10 June 2022.

*2
Section 39, paragraph 3 and Section 40, paragraph 4 of the PDPA.

*3
Please note that, although data controllers falling under the Small Enterprises etc. is exempted from most of items, such date controllers are still required to record the rejection of request or objection to the exercise of rights by the data subjects (under Section 30, paragraph 3, Section 31, paragraph 3, Section 32, paragraph 3, and Section 36, paragraph 1), according to Section 39, paragraph 3 and Section 39, paragraph 1 (7) of the PDPA.

*4
According to Section 4 of the Small and Medium Enterprises Promotion Act of 2000 and the Ministerial Regulation Prescribing the Characteristics of Small and Medium Enterprises of 2019, small and medium enterprises shall have the following characteristics:

Type of businesses	Characteristics of Small and Medium Enterprises
Type of businesses	Small Enterprise	Medium Enterprise
Manufacturing	Having 50 employees or less; or Having the annual revenue of not more than THB 100,000,000	Having 51 – 200 employees; or Having the annual revenue of not more than THB 100,000,001 – 500,000,000
Service	Having 30 employees or less; or Having the annual revenue of not more than THB 50,000,000	Having 31 – 100 employees; or Having the annual revenue of not more than THB 50,000,001 – 300,000,000
Wholesale
Retail

Type of businesses	Characteristics of Small and Medium Enterprises
Type of businesses	Small Enterprise	Medium Enterprise
Manufacturing	Having 50 employees or less; or Having the annual revenue of not more than THB 100,000,000	Having 51 – 200 employees; or Having the annual revenue of not more than THB 100,000,001 – 500,000,000
Service	Having 30 employees or less; or Having the annual revenue of not more than THB 50,000,000	Having 31 – 100 employees; or Having the annual revenue of not more than THB 50,000,001 – 300,000,000
Wholesale
Retail

*5
Section 41 of the PDPA.

*6
Clause 3, paragraph 2 of the Sub-Regulation for Data Controller.

January 29, 2025

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.

Exemption on the Record of Processing Activities (RoPA) for Data Controllers and Data Processors (Thailand)

1. Background

2. Key Summary of the Sub-Regulations on Exemption from RoPA

2.1 The characteristics of data controllers and data processors who are exempted from preparing the RoPA

2.2 Cases where the exemption from preparing the RoPA shall not apply

3. Amendment to the Sub-Regulation for Data Controller

4. Conclusion

Lawyers

Shunsuke Minowa Shunsuke Minowa

Poonyisa Sornchangwat Poonyisa Sornchangwat

Data Protection and Privacy Related Publications

Artificial Intelligence and Data Privacy (Philippines)