June 30, 2022

First Set of Subordinate Regulations Enacted for Thailand’s PDPA

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) became fully effective and enforceable on June 1, 2022. To ensure that the PDPA will be smoothly and efficiently enforced, the Personal Data Protection Commission (PDPC) is issuing various subordinate regulations. On June 20, 2022, the first set of these regulations was issued and published in the Government Gazette, and according to the Ministry of Digital Economy and Society (MDES), another set of subordinate regulations is expected to be issued by the end of June 2022.

The first set consists of the following four subordinate regulations:

1) Notification of the PDPC Re: Exemption to the Record of Processing Activities Requirement for Data Controllers that Are Small Businesses B.E. 2565 (2022) (“ROPA Exemption Notification”)

Under the PDPA, data controllers are obligated to prepare and maintain a record of processing activities (ROPA) containing information specified in Section 39 of the PDPA, including the personal data collected, the purposes of the processing of the personal data, the retention period, etc.

However, under this ROPA Exemption Notification, a data controller will be exempted from the obligation to prepare and maintain a record of such required information (except information related to the rejection of a request from a data subject to exercise (i) right of access; (ii) right to data portability; (iii) right to object; and (iv) right to rectification), if its business falls within the scope of any of the following:

  • Small or medium-sized business according to the law on small and medium-sized enterprise promotion, defined as follows:

  • Community enterprise or social enterprise, as referred to under the law on community enterprise promotion.
  • Social enterprise, as referred to under the law on social enterprise promotion.
  • Cooperative, cooperative union, or agriculturist’s group under the law on cooperatives.
  • Foundation, association, religious body, or non-profit organization.
  • Household business or other business of the same nature.
  • Internet cafe service provider.

This exemption will not apply to small businesses in certain circumstances, such as when the processing of personal data is required under the law on computer crime for the retention of computer traffic data, when the personal data involved poses a risk to the rights and freedoms of an individual, or when the data controller processes the personal data on a regular basis.

The ROPA Exemption Notification came into force on June 21, 2022.

2) Notification of the PDPC Re: Rules and Procedures for the Preparation and Maintenance of the Record of Processing Activities by the Data Processor B.E. 2565 (2022) (“Data Processor Notification”)

The PDPA also imposes an obligation on data processors to prepare and maintain a ROPA, without further explanation. With the enactment of the Data Processor Notification, it is now clear that the data processor must ensure that its ROPA will include at least the following information:

  • Information on the data processor;
  • Information on the local representative of the data processor (if any);
  • Information on and contact details of the data protection officer (if any);
  • Information on the data controller on whose behalf or pursuant to whose instruction the data processor acts, and on the local representative of the data controller (if any);
  • Types or characteristics of the collection, use, or disclosure of personal data conducted by the data processor on behalf of or pursuant to the instruction of the data controller, including the category of personal data and purpose of the collection, use, or disclosure;
  • If personal data is transferred outside of Thailand, the category of the person or entity receiving the personal data; and
  • A description of the security measures implemented by the data processor.

The ROPA must be maintained in written or electronic form, and must be easily accessible and promptly available for inspection by the Office of the PDPC, the data controller, or their designated person, when requested.

The Data Processor Notification will only become enforceable 180 days after the date of publication in the Government Gazette, i.e., December 17, 2022. Therefore, data processors are given a grace period to prepare themselves to be in compliance with this ROPA requirement.

3) Notification of the PDPC Re: Security Measures of the Data Controller B.E. 2565 (2022) (“Security Measures Notification”)

The minimum required security standards prescribed by the Security Measures Notification are generally in alignment with the previous Notification of the MDES on Security Measures which ceased effectiveness on May 31, 2022 (“MDES Notification”). Data controllers who have prepared themselves to be in compliance with the MDES Notification will therefore find it easy to comply with the Security Measures Notification, which took effect on June 21, 2022.

The key requirements under the Security Measures Notification include the following:

  • Data controllers must ensure that security measures will be applied to personal data in any form whatsoever.
  • Data controllers must ensure that security measures consist of appropriate organizational measures and technical measures, which may also include physical measures, if necessary, whereby the level of risk and possibility of occurrence of data breach incidents and the consequences of data breach incidents are taken into consideration.
  • When preparing the security measures, the data controller must consider the identification of possible risks to significant information assets, prevention of significant risks from materializing, monitoring of threats and data breach incidents, response to threats and data breach incidents, risk treatment, and recovery, as appropriate and in accordance with the level of risk.
  • Data controllers must be able to maintain the confidentiality, integrity, and availability of personal data as appropriate and in accordance with the level of risk, taking into account technological factors, context, circumstances, and standards accepted by similar types of businesses.
  • Security measures for personal data in electronic form must cover the components of the relevant information system such as servers, clients, storage system and devices, software, etc., as appropriate and in accordance with the level of risk.
  • Security measures in relation to the access, use, alteration, modification, deletion, or disclosure of personal data are substantially similar to the requirements under the MDES Notification – for example, access control, user access management, user responsibilities, audit trails, etc. However, the Security Measures Notification sets forth further requirements.

Apart from the above, the Security Measures Notification also requires the data controller to: (i) build privacy and security awareness for its personnel and users; (ii) review security measures when necessary or when there is a change in technology or a data breach incident; and (iii) set requirements on security measures for its data processor.

4) Notification of PDPC Re: Rules for the Consideration of the Imposition of Administrative Penalties by the Expert Committee B.E. 2565 (2022) (“Administrative Penalties Notification”)

In addition to imposing administrative fines on the offender, the Expert Committee which will be appointed under the PDPA will also be empowered to issue orders on the enforcement of administrative penalties, including seizure, confiscation, and sale by auction.

The key points of the Administrative Penalties Notification, which took effect on June 21, 2022, are as follows:

  • In determining the administrative fine or administrative measure, the Expert Committee is to consider certain factors such as whether the offense was committed willfully or out of gross negligence, the severity of the offense, the size of the business, the benefits which the data subject will receive if the administrative measures are enforced against the offender, the value of damages, the level of responsibility and standards at the time of commission of the offense, etc. One of the crucial factors that will be considered by the Expert Committee is the record of administrative fines or administrative measures already imposed or enforced on the offender and, if the offender is a legal entity, on the person associated with such legal entity.
  • The Administrative Penalties Notification categorizes offenses into two categories, non-serious offenses and serious offenses, which are treated differently by the Expert Committee.

Non-Serious Offense:

The Expert Committee may issue the following orders to the data controller, data processor, or other related person:

– Warning or order to the offender to rectify, cease, suspend, refrain or abstain from the violation or non-compliance with the PDPA within the time specified.

– Order to prohibit the offender from causing any damage to the data subject, or to perform any act to remedy the damages.

– Order to restrict the collection, use, or disclosure of personal data upon which an offense has been committed in order to remedy damages within the time specified.

In addition to the above, the Expert Committee may set forth conditions or procedures for the improvement of personnel, process, or technology to ensure its efficacy and suitability as the Expert Committee deems appropriate.

Serious Offense:

The Expert Committee shall impose administrative penalties on the data offender by taking into account the severity of the offense and other circumstances as deemed appropriate.

The Expert Committee may also issue orders similar to those for the non-serious offense.

  • If an administrative fine has been imposed on the offender and the offender failed to make payment within the time specified, the Expert Committee may issue a warning to the offender to make such payment within a period of not less than seven days, and if the offender still fails to make such payment in full, the provisions of the administrative procedures law will be applied.

It is vital to note that any failure to comply with the requirements under these subordinate regulations may lead to the data controller or data processor being subject to penalties specified under the PDPA, depending on the violation.
