On 8 January  2025, the Thai Government Gazette published a royal decree introducing  a Notification on Exemption from Keeping a Record of Processing Activities for Data Controllers who are Small or Medium-Sized Enterprises B.E. 2567 (2024) and a Notification on Exemption from Keeping a Record of Processing Activities for Data Processors who are Small or Medium-Sized Enterprises B.E. 2567 (2024) (collectively, “Notifications”) issued by the Thai Personal Data Protection Committee (“PDPC”). The Notifications exempts small or medium-sized enterprise (“SME”) data controllers (“Data Controller”) and data processors (“Data Processor”) from maintaining a Record of Processing Activities (“RoPAs”) under the Personal Data Protection Act 2019 (“PDPA”).

The Exemption for SME Data Controllers will take effect on 8 April 2025, whereas the Exemption for SME Data Processors will take effect from 9 January 2025.

Under the PDPA, a Data Controller is defined as an individual or legal entity with the authority to make decisions regarding the collection, use, or disclosure of personal data. A Data Processor is defined as an individual or legal entity that processes personal data on behalf of a Data Controller. It is to be noted that the Notifications only applies to Data Controllers from Small or Medium-Sized enterprises (SMEs).

Definition of Small or Medium-Sized Enterprises (SMEs)

The requirements to be considered as a SME under the Ministerial Regulations on Designation of the Characteristics of SME Promotion Act B.E. 2562 (2019) are as follows:

Type of Enterprise Sector Annual Revenue Workforce
Small Enterprises Manufacturing ≤ THB 100M ≤ 50 headcounts
Wholesale, Retail, and Service ≤ THB 50M ≤ 30 headcounts
Medium Enterprises Manufacturing > THB 100M ≤ THB 500M > 50 headcounts ≤ 200 headcounts
Wholesale, Retail, and Service > THB 50M ≤ THB 300M > 30 headcounts ≤ 100 headcounts

Currently under the PDPA, other businesses exempt from RoPAs requirements include:

    • Community or social enterprises as per related laws.
    • Cooperatives, cooperative unions, or agriculturist’s groups under the law on cooperatives.
    • Foundations, associations, religious bodies, or non-profit organizations.
    • Household businesses or similar enterprises.
    • Internet cafe service providers.

The new Notifications exempts SMEs data controllers from the need to maintain the ROPAs under PDPA. This significant change not only cuts down on business operational costs but also saves valuable time, allowing SMEs to focus more on growth and innovation instead of administrative tasks.

It is important to note that SMEs are not exempt from complying with other duties under the PDPA, such as those that promote awareness of data protection and security matters among a company’s personnel and those that periodically review the company’s security measures and policies.

We recommend all our clients who may qualify as a SMEs to review these new Notifications, alongside existing PDPA laws and updated regulations carefully to ensure that your data protection practices align with the latest legal requirements and exemptions.

 

More from PDLegal LLC