On 20 June 2022, the Personal Data Protection Committee (“PDPC”) enacted subordinate laws complementing the data protection obligations of Data Controllers and Data Processors pursuant to the Thai Personal Data Protection Act (“PDPA”). This article highlights the following notifications:
1. Notification of the Personal Data Protection Committee Re: Criteria for Preparation and Maintenance of Records of Personal Data Processing Activities B.E. 2565 (2022);
2. Notification of the Personal Data Protection Committee Re: Security Measures of the Data Controller B.E. 2565 (2022); and
3. Notification of the Personal Data Protection Committee Re: Exemption on Record-Keeping Obligations of Data Controllers who are SMEs B.E. 2565 (2022).
In this respect, the notification in (1.) shall come into force as of 17 December 2022, and the notifications in (2.) and (3.) came into force as of 21 June 2022.
1. Notification of the Personal Data Protection Committee Re: Criteria for Preparation and Maintenance of Records of Personal Data Processing Activities B.E. 2565 (2022)
The Data Processor is obliged under Section 40 (3) of the PDPA to prepare and maintain records of personal data processing activities in accordance with the standard specified and announced by the PDPC.
This Notification further requires that such records shall include, at a minimum, the following particulars: (i) name and details of the Data Processor; (ii) name and details of the Data Controller on whose behalf the Data Processor has processed data; (iii) name and details of the Data Protection Officer (if any); (iv) categories of processing activities the Data Processor has carried out, including a list of personal data and the objectives of such processing activities; (v) categories of persons or entities who obtain personal data in the case of cross-border transfer; and (vi) a description of the standards for security measures under Section 40 Paragraph 1 (2) of the PDPA.
The Data Processor may prepare such records in written or electronic form. The data processing records shall be easily accessible and be maintained in a manner that allows them to be readily presented to the PDPC, the Data Controller or any authorized person upon request.
2. Notification of the Personal Data Protection Committee Re: Security Measures of the Data Controller B.E. 2565 (2022)
The Data Controller is obliged under Section 37 (1) of the PDPA to provide appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of personal data in accordance with the standards specified and announced by the PDPC.
This Notification establishes that the minimum standards of the security measures shall include the following conditions:
- The measures shall cover all processing activities of personal data, whether in form of physical documents, electronic data or any other form;
- The measures shall consist of necessary organizational measures, technical measures and physical measures in accordance with risk levels as evaluated from nature, objective and potential damages that could be incurred from relevant data processing;
- The measures must concern necessary details including identification of information assets risks, risk prevention, monitoring and risk management in accordance with risk levels;
- The measures shall uphold the importance of confidentiality, integrity, and availability of personal data;
- For the collection, use, and disclosure of personal data in electronic form, the measures shall extend to govern any and all IT equipment used in such processing activities and incorporate multiple layers of security controls, so that the limitations of any single control do not leave the data exposed;
- For measures relating to any access, use, alteration, correction, or disclosure of personal data, such measures shall at least consist of processes such as access control, identity proofing and authentication, user access management, determination of user responsibilities and arrangement of audit trails; and
- The measures shall include policies to raise awareness of privacy and security control for personnel in the organization.
The Data Controller shall re-evaluate the security measures when necessary, including upon any data breach incident or when the technology in use has changed, in order to maintain appropriate security and safety efficiently.
The Data Controller shall require the Data Processor, upon the conclusion of a data processing agreement, to provide security measures in accordance with the standard set out by this Notification and to notify the Data Controller of any data breaches.
Any data security measure requirements as imposed on the Data Controller by other laws shall not be at a standard lower than as is set out in this Notification.
3. Notification of the Personal Data Protection Committee Re: Exemption on Record-Keeping Obligations of Data Controllers who are SMEs B.E. 2565 (2022)
Section 39 Paragraph 3 of the PDPA exempts a Data Controller that is a small organization from the obligation to prepare and maintain records of personal data processing activities, except for records of any rejection of a data subject's request to exercise rights under the PDPA.
This Notification further prescribes that a Data Controller is categorized as a small organization if it is any of the following:
- Small and Medium Enterprises under the laws relating to small and medium enterprise promotion;
- Community Enterprises under the laws relating to community enterprise promotion;
- Social Enterprises or Social Business under the laws relating to social enterprise promotion;
- Cooperatives, federations of cooperatives or farmers associations under the laws relating to cooperatives;
- Foundations, associations, religious organizations or non-profit organizations; or
- Family businesses or other businesses of similar nature.
In order to qualify for the exemption, a Data Controller falling within any of the above categories must additionally be exempt from the obligation to collect computer traffic data under the laws relating to computer crimes, which is not the case for internet cafe service providers.
The exemption under this Notification does not extend to processing activities that may affect the rights and freedoms of the data subject, to processing that is not carried out on an occasional basis, or to any collection, use or disclosure of personal data under Section 26 of the PDPA.
The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.