OUR LAW TALKS 2022

TAX ALERT 2: Personal Data Protection Committee Announcements

Written by Dr. Anuphan Kitnitchiva
Image
On 20 June 2022, the Personal Data Protection Committee issued the following Announcements regarding:
  1. Exemption from Recording Processing Activities for Small Business Enterprise as Data Controller, B.E. 2565 (effective as from 21 June 2022);
  2. Criteria and Methods for Preparing and Maintaining Records of Processing Activities by a Data Processor, B.E. 2565 (effective as from 17 December 2022);
  3. Security Measures by the Data Controller, B.E. 2565 (effective as from 21 June 2022); and
  4. Expert Committee's Criteria to Determine Administrative Fines, B.E. 2565 (effective as from 21 June 2022.)
Details of each announcement are provided below (in an order enumerated by DRKI.)

Announcement Re: Exemption from Recording Processing Activities for SME as Data Controller

A data controller is exempt from recording processing activities under Section 39 of the Personal Data Protection Act (“PDPA”) where it is a:
  1. Small or medium-sized enterprise (SME); or
  2. Community enterprise or community enterprise network under the law on community enterprise promotion; or
  3. Social enterprise or a group of social enterprises under the law on social enterprise promotion; or
  4. Cooperative, cooperative union or a group of agriculturists under the law on cooperatives; or
  5. Foundation, association, religious organization or non-profit organization; or
  6. Household business or other business of the same nature.
Exceptions Apply

1. Such data controller will not qualify for exemption under this announcement where:
  1. It is a service provider who must keep computer traffic data under the law on offenses related to computers (excluding internet cafe service providers);
  2. It collects, uses, or discloses personal data in a manner that risks impairing the data subject's rights and freedoms;
  3. It is not an entity that only occasionally collects, uses or discloses personal data; or
  4. It has collected, used, or disclosed sensitive data.
2. The data controller is still obligated to record instances where it refuses to recognize the data subject’s lawful requests according to Section 39 Paragraph 1 (7).

Announcement Re: Criteria and Methods for Preparing and Maintaining Records of Processing Activities by a Data Processor

Records of Processing Activities (ROPAs) maintained by a data processor must include at least the following details:
  1. Name and information about the data processor, data controller, their representative and data protection officer (if any);
  2. Type and purpose of personal data processing and details of the personal data;
  3. Person or agency receiving personal data in the event of international data transfers; and
  4. Details about security measures;
Announcement Re: Security Measures by the Data Controller

This announcement establishes a minimum security standard by which the data controller must abide in order to maintain confidentiality, integrity, and availability of personal data, including security issues that that data processing agreements must address.

Minimum Security Standard Applies

Security measures must consist of appropriate organizational, technical, and physical measures.
1. Security measures must include following processes:
  1. Identification of key risks that may occur with important information assets;
  2. Prevention of significant risks that may arise;
  3. Investigation and surveillance of threats and personal data breaches;
  4. Response mechanisms when threats and personal data breach are detected;
  5. Restorative mechanisms when damage is caused by threats or personal data breaches; and
  6. Security measures for personal data processed in electronic form extend to: personal data storage systems and devices; servers; clients; and other devices that use a network software and applications.
2. Security measures during personal data processing must include the following:
  1. Access control over personal data, including identity proofing and authentication;
  2. Access authorization on a need-to-know basis and according to the principle of least privilege;
  3. Proper user access management;
  4. Clear user responsibilities to prevent unauthorized and unlawful personal data processing; and
  5. Retrospective reviews of personal data processing.
Required Terms in Data Processing Agreements

Data processing agreements between a data processor and data controller must contain the following elements:
  1. Data processor must implement appropriate security measures that meet the minimum security standards stated in this announcement.
  2. When a personal data breach is detected, the data processor must immediately notify the data controller.
Announcement Re: Expert Committee's Criteria to Determine Administrative Fines

The Expert Committee will consider the following factors when imposing administrative fines or enforcement measures against the data controller, data processor, or any person violating or failing to comply with the personal data protection laws or orders of the Expert Committee:
  1. Amount and severity of damage caused by the offending behavior;
  2. Degree of administrative fines and enforcement measures previously imposed against those committing similar offenses;
  3. Offender’s remedial and mitigating measures upon cognizance of its offending behavior; and
  4. Compensation for damages to the data subject.
Administrative fines must be proportionate to the offense.

Author’s Note

Personal data protection laws are relatively new in Thailand, since the PDPA has been effective for only one month. The announcements, it is believed, intend to establish benchmarks for personal data protection processes, e.g., constitution of ROPAs, minimum standard security measures to protect personal data, and administrative fines for violations.

Those to whom Thailand’s personal data protection laws apply should be aware of these announcements to make the needed administrative and internal corporate cultural changes, among other reforms, in order to comply. Penalties will be imposed for non-compliance.

On 18 January 2022, appointment of the Personal Data Protection Committee, consisting of ten members, was published in the Royal Gazette, effective as from January 11, 2022.
I
Questions and Answers

If you have any inquiry or question, please complete the form below. For information about what we do with your personal data see our Privacy Policy.