Data Privacy – Thailand Draft Exemption for Small Organizations Acting as Data Processors
The Thailand Personal Data Protection Act B.E. 2562 (“PDPA”) governs personal data processing and defines the roles and responsibilities of parties involved in such activities. Under the PDPA, a “Data Processor” is defined as a person or entity that processes personal data on behalf of another party. Since Data Processors do not have authority over processing activities, the Personal Data Protection Committee (“PDPC”) has determined it necessary to reduce certain regulatory burdens for smaller entities. Consequently, the draft Announcement on the Exemption for Small Organizations Acting as Data Processors (“Draft”) has been prepared and is undergoing public consultation through 14 November 2024.
Data Processor obligations are prescribed under Section 40 of the PDPA. Specifically, Section 40 (3) requires Data Processors to record personal data processing activities according to PDPC-prescribed criteria and methods. The Draft exempts the following types of organizations from this obligation:
- Small and medium enterprises, as defined by the Small and Medium Enterprise Promotion Act B.E. 2543 (2000)
- Community enterprises, as defined by the Community Enterprise Promotion Act B.E. 2548 (2005)
- Social enterprises, as defined by the Social Enterprise Promotion Act B.E. 2562 (2019)
- Cooperatives, as defined by the Cooperative Act B.E. 2542 (1999)
- Foundations, associations, religious organizations, and non-profit organizations
- Condominium associations, as defined by the Condominium Act B.E. 2522 (1979)
- Individuals conducting household activities in a non-commercial capacity
- Individual data processors (as distinct from organizations or larger entities)
(collectively referred to as “Small Size Data Processors”).

However, this Draft exemption does not apply to personal data processing activities that:
- Pose risks to the rights and freedoms of data subjects
- Involve regular or systematic collection, use, or disclosure of personal data (as opposed to occasional processing)
- Involve the processing of sensitive personal data
Additionally, the exemption does not apply to any Small Size Data Processor that is required to appoint a Data Protection Officer (DPO).
Author: Panisa Suwanmatajarn, Managing Partner.