New Sub-regulations under the Personal Data Protection Act

Anuwat Ngamprasertkul and Piniti Chomsavas

On 20 June 2022, the Personal Data Protection Committee (“PDPC”) announced 4 new sub-regulations pursuant to the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) in the Royal Gazette. The PDPA was fully enforced on 1 June 2022 after it was postponed for 3 years to provide more time to all business operators to prepare for compliance.

The new sub-regulations are as follows:

  1. PDPC Notification RE: Exception to the Record of Data Processing Activities for Small-Sized Organizations

This regulation provides an exemption from maintaining a full Record of Data Processing Activities (“ROPA”) to small-sized organizations as follows:

  • Small and medium enterprises
  • Community enterprises
  • Social enterprises
  • Household enterprises
  • Cooperatives
  • Foundations, Associations, Religious Organizations and NGOs

However, such small-sized organizations will not be exempt if they are:

  • a service provider that is required to record computer traffic under the Computer Crime Act; or
  • those who collect, process or disclose personal data as follows:
    • personal data that affects the rights and freedom of data subjects;
    • personal data that is not collected, processed or disclosed temporarily; or
    • sensitive personal data under Section 26 of the PDPA.

This sub-regulation will reduce the cost of preparing and maintaining the ROPA for small-sized organizations. However, small and medium enterprises are highly recommended to have a data inventory to explore the personal data lifecycle which flows inside and outside their organization in order to determine the proper lawful bases, safeguards, policies, documentation and other measures for compliance with the PDPA.

This regulation is effective from 21 June 2022 onwards.

  1. PDPC Notification RE: Data Security Measures of Data Controllers

This regulation sets out the minimum requirements for data controllers to implement adequate technical, physical and organizational data security measures to prevent the unauthorized or unlawful loss, access, use, change, amendment or disclosure of personal data.

Data controllers are required to raise the awareness of employees and related persons to understand and ensure compliance with internal policies and procedures, for example, by arranging training on the PDPA.

Also, data controllers are required to ensure that the data processor has adequate measures to protect data security. Data controllers should add clauses on this to the Data Processing Agreement with the data processor.

This regulation is effective from 21 June 2022 onwards.

  1. PDPC Notification RE: Criteria for Rendering Administrative Penalties by Specialist Committee

This regulation sets out the administrative authority granted by the PDPC to the Specialist Committee in its review of administrative penalties for violations of the PDPA.

The Specialist Committee shall review the administrative penalties based on the criteria as follows:

  • Details of the violation, especially in the case of intentional and willful misconduct, gross negligence or lack of reasonable care;
  • Severity of the violation;
  • Business size of the data controller or data processor;
  • Result of mitigation or reduction of damage to the data subject from administrative penalties that will be enforced;
  • Impact of administrative penalties on the data subject, data controller, data processor, offender and related business or third party operators broadly;
  • Severity of violations and amount of damages;
  • Standard of administrative fines and enforcement measures previously used on other data controllers or data processors in similar offenses (if any);
  • Previous administrative penalties enforced against data controllers and data processors including relevant persons of the juristic entity;
  • Standard of responsibilities of the data controller at the time of violation;
  • Code of ethics, business practice and standard of data security implemented by the data controller or data processor at the time of violation;
  • Remedy and mitigation of damage by the data controller or data processor when they have knowledge of a violation;
  • Compensation paid to a data subject; and
  • Other related facts.

The administrative penalties or measures are ranked from a warning to orders to take corrective action, refrain from non-compliance, prohibit specific actions and limit personal data processing as well as a fine. A failure to pay a fine within the specified period will lead to a seizure, attachment or auction sale.

This regulation is effective from 21 June 2022 onwards.

  1. PDPC Notification RE: Criteria and Methodology to Prepare and Maintain the ROPA for Data Processors

Data processors are required to record and maintain in the ROPA at least the details as follows:

  • Name and information of the data processor and sub-data processor (if any);
  • Name and information of the data controller who engages the data processor and its agent (if any);
  • Name and information, contact details and method to contact the data protection officer (if any);
  • Category and information of collection, process and disclosure of personal data which is processed under the instruction or on behalf of the data controller, including details of the personal data and purpose which is designated by the data controller;
  • Category of the person or organization who will receive the cross-border transfer of personal data (if any); and
  • Details of security measures pursuant to Section 40 paragraph 1 (2) of the PDPA.

The ROPA may be in written or electronic form and is required to be kept in the event of an inspection by the Data Controller or PDPC. Also, it must be easily accessible at the request of a designated person.

The Data Processor’s ROPA has fewer elements compared to the Data Controller’s requirements, but there may be cases where the company has both roles when processing personal information for different purposes. Therefore, it is recommended for the data processor to determine which personal data they collected, processed and disclosed beyond the responsibility as a data processor under any other lawful basis, or as a data controller for their own personal data usage, for the details to be recorded in their own ROPA.

This regulation will be effective in 180 days after 20 June 2022 which is 17 December 2022 onwards.

In the event you have any questions regarding the above regulations or PDPA compliance, please contact Anuwat Ngamprasertkul, Partner as well as Head of Litigation and Dispute Resolution and Co-Head of Tech-Media-Telecoms (TMT) at Blumenthal Richter & Sumet, at [email protected] or +662-022-1022.

Contributing Advisors