The Personal Data Protection Committee (PDPC) proposed drafts of two Notifications regarding records of processing activities (ROPA) under the Personal Data Protection Act B.E. 2562 (PDPA) for public hearings from 31st October 2024 to 14th November 2024.
The PDPC may soon issue these Notifications and publish them in the Royal Gazette for 90 days before they come into force.
We summarize the key provisions of the draft Notifications (as tabled for the public hearings) below.
Exemptions from Recording / Creating ROPA
The new ROPA Notification on exemptions from recording / creating ROPA will repeal and replace its 2022 predecessor. The new ROPA Notification will exclude SME data controllers from the obligations of recording / creating the ROPA required for data controllers under Section 39, paragraph one (1), (2), (3), (4), (5), (6), and (8) of the PDPA if they are, or have the characteristics of, at least one of the following:
• an SME under the law on promotion of small and medium-sized enterprises;
• a community enterprise or a community enterprise network under the law on promotion of social enterprises;
• a social enterprise or social enterprise group under the law on promotion of social enterprises;
• a cooperative, cooperative union, or farmer group under the law on cooperatives;
• a foundation, association, religious organization, or non-profit private organization;
• a juristic person of a condominium under the Condominium Act or a juristic person of a housing estate under the Land Development Act;
• a household business or other business of similar nature; or
• a business operated by a data controller who is a natural person.
Exemptions from Maintaining ROPA
The second new ROPA Notification will exclude SME data controllers from the obligations to maintain the ROPA required for data controllers under Section 40, paragraph one (3) of the PDPA if they are, or have the characteristics of, one of the 8 categories listed above.
Exceptions to the Exemptions
The SME data controllers who are exempt from the ROPA obligations under the two Notifications summarized above must not be data controllers who are required to appoint their own data protection officer under Section 41(1), (2), or (3) of the PDPA.
The SME data controllers who are exempt from the ROPA obligations under the two Notifications summarized above are still required to record, create and maintain the ROPA as required under Section 39, paragraph one (1) to (8) and Section 40, paragraph one (3) of the PDPA if their collection, use or disclosure of personal data:
• poses risks that will affect the rights and freedoms of data subjects;
• is not occasional; or
• involves sensitive personal data under Section 26 of the PDPA.
The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. and LawPlus Myanmar Ltd. or any of their directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2016 to 2020 LawPlus Ltd.