Small enterprises exempt from preparing certain records of processing activities as set out in the Personal Data Protection Act
Keywords: Mazars, Thailand, Legal, PDPA, Small enterprises, Government Gazette
14 July 2022
We set below a summary of important issues listed in the notification, which became effective on 21 June 2022.
1. List of records of processing activities which small enterprises are not required to prepare
- the collected personal data;
- the purpose for which the personal data in each category is collected;
- details of the data controller;
- the length of time that the personal data will be stored;
- the access rights and methods of access to the personal data, including the conditions related to the person having the right to access the personal data and the conditions for accessing the personal data;
- the use or disclosure of personal data to which the consent of the data subject is not required under Sections 24 and 26 of the PDPA; and
- an explanation of the appropriate security measures taken pursuant to Section 37 (1) of the PDPA.
2. Characteristics of the small enterprise
- must be a small or medium enterprise as defined in the law on providing investment incentives to small and medium enterprises;
- must be a community enterprise or community enterprise network as defined in the law on providing investment incentives to community enterprises;
- must be a social enterprise or social enterprise group as defined in the law on providing investment incentives to social enterprises;
- must be a cooperative, cooperative federation, or agricultural group as defined in the law on cooperatives;
- must be a foundation, association, religion organization, or non-profit organization; or
- must be a household business or similar type of business.
- The data controller, as referred to above, must not be a logfile service provider (except an internet shop service provider) as defined in the law on computer crimes
3. Entities to which the exemption is not applicable
The exemption from preparing certain records of processing activities as set out in Section 39, paragraph 1 of the PDPA does not apply to the data controller of a small enterprise that collects, uses, and discloses personal data:
- which may place the rights of the data subject at risk;
- regularly, not just from time to time; or
- which is considered sensitive data under Section 26 of the PDPA.
Reference: Government Gazette (in Thai) dated on 10 June 2022