News and developments
New Sub-regulations under the Personal Data Protection Act
The new sub-regulations are as follows:
- PDPC Notification RE: Exception to the Record of Data Processing Activities for Small-Sized Organizations
  - Small and medium enterprises
  - Community enterprises
  - Social enterprises
  - Household enterprises
  - Cooperatives
  - Foundations, associations, religious organizations and NGOs
  - a service provider that is required to record computer traffic under the Computer Crime Act; or
  - those who collect, process or disclose personal data as follows:
- PDPC Notification RE: Data Security Measures of Data Controllers
- PDPC Notification RE: Criteria for Rendering Administrative Penalties by Specialist Committee
  - Details of the violation, especially whether it involved intentional and willful misconduct, gross negligence or a lack of reasonable care;
  - Severity of the violation;
  - Business size of the data controller or data processor;
  - The extent to which the administrative penalty to be enforced would mitigate or reduce the damage to the data subject;
  - Impact of the administrative penalty on the data subject, data controller, data processor, offender, and related businesses or third-party operators generally;
  - Severity of the violation and amount of damages;
  - Standard of administrative fines and enforcement measures previously applied to other data controllers or data processors for similar offenses (if any);
  - Previous administrative penalties enforced against the data controller or data processor, including relevant persons of the juristic entity;
  - Standard of responsibility expected of the data controller at the time of the violation;
  - Code of ethics, business practices and standard of data security implemented by the data controller or data processor at the time of the violation;
  - Remedy and mitigation of damage by the data controller or data processor upon becoming aware of the violation;
  - Compensation paid to the data subject; and
  - Other related facts.
- PDPC Notification RE: Criteria and Methodology to Prepare and Maintain the ROPA for Data Processors
  - Name and information of the data processor and sub-data processor (if any);
  - Name and information of the data controller who engages the data processor, and of its agent (if any);
  - Name, information and contact details of the data protection officer, and the method of contacting them (if any);
  - Categories of collection, processing and disclosure of personal data carried out under the instruction or on behalf of the data controller, including details of the personal data and the purposes designated by the data controller;
  - Categories of persons or organizations receiving cross-border transfers of personal data (if any); and
  - Details of the security measures pursuant to Section 40 paragraph 1 (2) of the PDPA.