On October 31, 2024, Thailand’s Office of the Personal Data Protection Committee (PDPC) opened a public consultation period on its draft notification regarding exemptions from the requirement to create and maintain records of processing activities (ROPAs) under the Personal Data Protection Act B.E. 2562 (2019) (PDPA).
This draft notification aims to amend and revoke certain aspects of the first ROPA exemption notification issued in June 2022 and outlines the criteria for data controllers to be exempted from the obligation to prepare and maintain such records. Although it is officially titled “Notification of the Personal Data Protection Committee on Exemption from Record-Keeping Requirements for Small Business Data Controllers,” this draft notification applies to all types of exempted data controllers (see list below), and not only small businesses.
The criteria under the draft notification exempt certain data controllers from the obligation to maintain ROPAs, but not from the obligation to retain information on the rejection of data subjects’ requests to exercise certain rights under the PDPA. While these criteria remain consistent with the June 2022 ROPA exemption notification, there are a few notable amendments to certain issues, as detailed below.
Types of Exempted Parties
The draft notification adds condominium and housing estate juristic persons, as well as individuals, to the list of parties eligible for an exemption, while removing internet cafes from the list.
The complete list of parties eligible for ROPA exemptions under the draft notification is as follows:
- SMEs according to the law on SME promotion, defined as follows:
- Community or social enterprises, as referred to under the law on community enterprise promotion.
- Social enterprises, as referred to under the law on social enterprise promotion.
- Cooperatives, cooperative unions, or agriculturist groups under the law on cooperatives.
- Foundations, associations, religious bodies, or nonprofit organizations.
- Household businesses or other businesses of the same nature.
- Condominium or housing estate juristic persons as defined by the laws on condominiums or housing estates, respectively.
- Individual data controllers.
Carve-Outs from the ROPA Exemption
Parties exempted from the ROPA requirement must not be data controllers obligated to appoint a data protection officer (DPO) under the PDPA. In addition, exempted parties must still prepare and maintain a ROPA when the collection, use, or disclosure of personal data:
- Poses a risk to the rights and freedoms of data subjects.
- Is not occasional collection, use, or disclosure of personal data.
- Involves special categories of personal data as specified in section 26 of the PDPA—for example, health data, biometric data, religious information, and so on.
Under the June 2022 ROPA exemption notification, service providers required to retain computer traffic data under the law related to computer crime are not eligible for the exemption. The draft notification, however, does not currently include this stipulation.
The consultation period will be open until November 14, 2024, and the draft may be subject to additional revisions before it is finalized and made legally binding.
For more details on this draft notification, or on any aspect of compliance with the PDPA, please contact Nopparat Lalitkomon at nopparat.l@tilleke.com, Napassorn Lertussavavivat at napassorn.l@tilleke.com, or Wilin Somya at wilin.s@tilleke.com.