Record of Processing Activities: A crucial document for personal data protection management

InsightsDoing Business in ThailandLegal

Record of Processing Activities

The Record of Processing Activities (“RoPA”) is a document that both data controllers and data processors are required to maintain in compliance with Thailand’s Personal Data Protection Act, 2565 B.E. (“the PDPA”), specifically Section 39. The RoPA is created to document personal data processing activities within a company, showing clearly how each type of personal data is used, by whom, in which processes, for how long, and with whom it is shared or transferred. The activities recorded should include the collection and usage of data by each department, as well as the legal basis for such.

The RoPA is instrumental in verifying the proper handling of personal data and preventing data breaches. It serves as a checklist for reviewing the activities of individuals involved with personal data within the company, including the assignment of responsibilities at each processing stage. Any processing activity that deviates from the RoPA suggests that the organization’s data handling practices could be at risk of failing to comply with the PDPA. Moreover, the RoPA is an essential document for demonstrating to the Personal Data Protection Office (“the PDPO”) that the company is adhering to data protection standards. 

 

Thailand’s PDPA mandates that the RoPA contain the following information:  

  1. The types of data collected  
  2. Information about data custodians and data protection officers  
  3. The purpose of data collection  
  4. The data retention period  
  5. The conditions for accessing data  
  6. The conditions for data transfer to third parties or for cross-border data use, along with the legal bases or consent for such  
  7. The reasons for rejecting requests or objections by data subjects  
  8. Security measures taken, as set out in Sections 37 and 40 of the PDPA  

 

The data controller must compile the RoPA, while the data processor is required to notify the PDPO of the controller’s name in additional.  

 

When preparing the RoPA, it is crucial to understand that it is not only an internal document. It is also used for communications with PDPO officials. Therefore, the company should state what measures it takes to protect personal data when third parties receive data from the company. This serves as proof of compliance with the law on the proper usage of such data. In addition, companies should review and update their processes regularly to ensure continued compliance.  

 

Failure to maintain a RoPA could lead to administrative fines of up to THB 1 million under Section 82 of the PDPA. More importantly, the company would lack legal grounds for proving compliance with the PDPA should any data breaches occur, which would be an indication of extreme negligence in regard to managing and securing the personal data in its custody. 

Want to know more?

Contact us

+66 2 670 1100
Meet our local team
Discover our offices
Or use our contact form