IN BRIEF

The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) exempted small enterprises from the obligation to create, record, and retain a Record of Processing Activities (“RoPA”) under Sections 39 and 40.This exemption applied to both data controllers and data processors. However, while the main law has been enacted, the specific criteria for qualifying for this exemption have not yet been clearly defined in detailed regulations.

On January 8, 2025, the Personal Data Protection Committee (“PDPC”) issued guidelines clarifying the specific characteristics of the Small Enterprises eligible for the exemption. These guidelines are outlined in:

    • The Notification of the PDPC on the Exemption from the Creation and Retention of a RoPA for Small Enterprises Data Processors B.E. 2567 (2024); and
    • The Notification of the PDPC on the Exemption from Recording of a RoPA for the Small Enterprises Data Controllers B.E. 2567 (2024).

The notification for Small Enterprises Data Processors took effect on January 9, 2025, while the notification for Small Enterprises Data Controllers will take effect on April 8, 2025 (90 days after its publication in the Royal Thai Government Gazette), collectively referred to as the “RoPA Exemption for Small Enterprises”.

KEY PROVISIONS

Key Provisions under the RoPA Exemption for Small Enterprises:

A. Characteristics of Small Enterprises

The RoPA Exemption for Small Enterprises defines eligible entities as:

    1. Small and Medium Enterprises (SMEs) under the law on SME Promotion.
    2. Community Enterprises or Community Enterprise Networks under the law on Community Enterprise Promotion.
    3. Social Enterprise or Group of Social Enterprise under the law on Social Enterprise Promotion.
    4. Cooperatives, Cooperative Unions, or Farmer Groups under the law on
    5. Foundations, Associations, Religious Organizations, or Non-profit Private Organizations.
    6. Juristic Condominium Entities or Housing Estate Juristic Entities under the laws governing condominiums and housing estates.
    7. Household Businesses.
    8. Sole businesses operated by individual data controllers.

For example, the definition of SMEs is as follows:

  • Manufacturing businesses with no more than 200 employees or annual revenue not exceeding THB 500 million.
  • Service, wholesale, or retail businesses with no more than 100 employees or annual revenue not exceeding THB 300 million.

If an enterprise’s employee count does not exceed the criteria but its revenue does, revenue will be the primary consideration.

However, small enterprises will not qualify for the exemption if they are required by law to appoint a Data Protection Officer (DPO) as per section 41 of PDPA. This requirement applies to:

    1. Government Agencies.
    2. Businesses Engaged in Core Activities of Personal Data Processing.
    3. Organizations Handling Sensitive Personal Data (SPI).

Examples include hospitals, banks, credit service providers, schools, law firms, and audit firms. (These examples of business types are for illustrative purposes only.)

B. Exemptions Not Applicable in Certain Cases

Even if an entity qualifies as a small enterprise, certain circumstances may still necessitate the creation, recording, and retention of a RoPA if collection, use, or disclosure of personal data involves:

    • Personal data with high risks to the rights and freedoms of data subjects; or
    • Personal data as a regular business activity; or
    • Processing sensitive personal data as defined by section 26 of PDPA (such as health data, religious beliefs, biometric data)

CONCLUSION

Understanding the exemptions from the Record of Processing Activities (RoPA) obligations is crucial for small enterprises to ensure compliance with Thailand’s Personal Data Protection Act (PDPA) while effectively managing their legal responsibilities. Although exemptions may apply in certain cases, businesses must carefully evaluate their data processing activities to avoid unintended non-compliance.

It is important to note that exemptions do not apply universally. Organizations processing high-risk personal data or engaging in regular personal data processing activities may still be required to comply with RoPA obligations. While these guidelines provide relief for many small enterprises, a thorough assessment is necessary to determine whether the exemption criteria are genuinely met.

At ILAWASIA, we offer expert legal counsel on PDPA compliance, helping businesses navigate their regulatory obligations with confidence. If you require guidance on RoPA exemptions or any other PDPA-related matters, please feel free to contact us for further consultation.

AUTHOR

  • Somphob Rodboon, Managing Partner;
  • Nannapas Phatcharakeatkanok, Senior Associate;
  • Wachinorot Siladet, Associate.

More from ILAWASIA CO.,LTD.