First Batch of Sub-Regulations under the Personal Data Protection Act of Thailand published for Public Hearing

On 10 May 2022, the Personal Data Protection Committee (“PDPC”) published their first batch of sub-regulations to be issued under the Personal Data Protection Act of Thailand B.E. 2562 (2019) (“PDPA”) for public hearing during 10-19 May 2022. The summary of the three draft notifications as published is as follows:-

1. Draft Notification of the Personal Data Protection Committee Re: Rules and Methods for Preparing and Maintaining Records of Personal Data Processing Activities for Personal Data Processor

This Draft Notification sets the rules and methods regarding the data processor’s obligation under the PDPA to prepare and maintain records of personal data processing activities of each category of processing activity. Under this Draft Notification the record shall contain at least the following details:-

  • (1) Name and information about the data processor and the representative (if appointed);
  • (2) Name and information about the relevant data controller and the representative (if appointed);
  • (3) Name and information about the data protection officer (if appointed);
  • (4) Categories or nature of collecting, using or disclosing personal data, including personal data and purposes of processing as assigned by the data controller;
  • (5) Categories of person or organisation receiving personal data, in case of the transfer of personal data to a foreign country; and
  • (6) Description of security measures.

 

The data processor shall prepare and maintain a record of the personal data processing activities. This may be in writing or in electronic form. Such records of personal data processing activities must be easily accessible and enable the Office of the PDPC, the data controller or persons entrusted by the Office of the PDPC or the data controller to check them promptly upon request.

2. Draft Notification of the Personal Data Protection Committee Re: Exemption of Records of Personal Data Controller for Small Organisations

This Draft Notification sets the criteria for exempting data controllers that are small organisations from the obligation to maintain records of personal data processing activities, which are kept in order to enable the data subject and the Office of the PDPC to easily check them. Under this Draft Notification, to be eligible for the said exemption, a data controller must have one of the following characteristics:

  • (1) Being a small or medium-sized enterprise (“SME”) under the law on promotion of SMEs;
  • (2) Being a community enterprise or community enterprise network under the law on promotion of community enterprises;
  • (3) Being a social enterprise or a group of social enterprises under the law on promotion of social enterprises;
  • (4) Being a cooperative, cooperative union, or a farmer's group under the law on cooperatives;
  • (5) Being a foundation, association, religious organisation or non-profit organisation; and
  • (6) Being a household business or other business of the same nature.

 

However, even in a case where the data controller is exempted from its obligations to maintain a record of processing activities, the data controller is still required to maintain records regarding the rejection of request or objection by a data subject to exercise their rights under the PDPA.

3. Draft Notification of the Personal Data Protection Committee Re: Security Measures for Data Controller

This Draft Notification sets the minimum standard for appropriate security measures for prevention of an unauthorised or unlawful loss, access to, use, alteration, correction or disclosure of personal data which the data controller is required to implement under the PDPA.

Under the Draft Notification, security measures shall cover both organisational measures and technical measures, which may also include necessary physical measures by taking into account the level of risk according to the nature and purpose of the collection, use, and disclosure of personal data, as well as the likelihood and impact of personal data breaches.

For security measures with respect to access, use, alteration, correction, deletion or disclosure of personal data, the measures shall consist of personal data access control, proper user access management, assignment of user responsibilities and provision of audit trail tools at the very least.

These three Draft Notifications are open for public hearing during 10-19 May 2022. After the public hearing, the PDPC will consider the opinions derived from the public in order to finalise the Notifications to be issued. Each Notification shall come into force as of the day following the date of its publication in the Government Gazette.

The above highlights the significant steps taken by the government towards the enforcement of the personal data protection law. However, there appears to be a noticeable delay in considering the effective date of the law, which has already been extended to 1st June 2022.

Furthermore, other sub-regulations that are required for compliance with the law are yet to be issued, including a sub-regulation relating to the consent form. In April 2022, the Joint Standing Committee on Commerce, Industry and Banking sent a letter to the government in order to raise concerns on the unreadiness of businesses to comply with the PDPA, particularly SMEs. Everyone is now eagerly waiting for the official announcement on whether or not there will be another postponement of this law.

Authors

パヴィニー・ブンヤミッサラー

Pavinee is a leading expert in intellectual property (IP) law. She joined the Intellectual Property Practice Group of SCL Law Group (currently known as SCL Nishimura & Asahi) as an associate upon its formation in 2005. Prior to that, Pavinee was an in-house legal counsel at many companies where she gained extensive hands-on experience within general law practice, IP and e-commerce related matters. She also gained comprehensive knowledge of contracts and telecommunications working with government agencies while she was an in-house legal counsel. Pavinee was a guest lecturer and speaker on IP and information law at various forums. Currently, Pavinee routinely advises major clients on matters relating to trademark and patent registrations, copyright recordation, license agreements, as well as trademark, patent and copyright infringement. Versatile and keen, she also assists with overseas trademark and patent registration applications and acts as counsel providing expert guidance to clients throughout IP enforcement process and litigation proceedings. She has been consistently consulted with on cases involving electronic trade and commerce, domain name registrations and personal data and privacy protection. Representing numerous international and domestic organizations in both public and private organizations, Pavinee takes advantage of a refined understanding of IP prosecutions and commercial risk to deliver to the clients borderless and practical legal advice based upon reliable and comprehensive understanding of the laws, regulations and best practices in Thailand. With her comprehensive knowledge and extensive experience, she is well-equipped to meet the clients’ diverse needs whereby she tailors her legal service and professional advice to suit the particular needs of each client. Pavinee was also named an IP expert by magazines.
AsiaIP Informed Analysis and the 2022 edition of World Trademark Review 1000 are publishing the recent list.