Four new sub-regulations of the Personal Data Protection Act of Thailand (“PDPA”)

On 21 July 2022, Thailand, represented by the Personal Data Protection Commission (“PDPC”), released four new sub-regulations of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). They are enforceable and set out certain measures in detail for further understanding. These sub-regulations are as follows:

  1. Notification of the Personal Data Protection Committee (“PDPC”) re: the security measures of the Data Controllers

     This Notification sets forth the minimum standard for the security measures that data controllers must provide to prevent the access, use, amendment and disclosure of personal data without authority. The data controller shall provide organizational measures, technical measures and physical measures, including the prediction of risks, preventive measures, and remedial measures after damage has occurred. Such measures shall be analyzed and modified so that they remain up to date and consistent with technological advances. In addition, data controllers shall arrange for such measures to be carried out by the data processor as well.

  2. Notification of PDPC re: the exemption from maintaining records of the Data Controllers that are small businesses

     With the intention of relaxing the burden on SMEs and community enterprises, non-profit foundations and associations, this Notification exempts them from the duty of maintaining activity records regarding the collection, use and disclosure of the personal data under their responsibility. However, the exemption under this Notification excludes the collection, use and disclosure of data having an impact on the rights and liberty of the data subject, or of sensitive personal data.

  3. Notification of PDPC re: criteria for the consideration of the issuance of administrative fines of the Expert Committee

     The Notification sets forth criteria for the Expert Committee in relation to administrative penalties. For example, the notice of allegation shall be in writing or by reliable electronic means, and the consideration of penalties shall include the severity of the violation, the value of damages, the size of the business, the level of preventive measures, the remedies given to the data subject, etc. In addition, administrative penalties shall be assessed based upon the level of severity. Moreover, the order issued by the Expert Committee is deemed final.

  4. Notification of PDPC re: guidelines and procedures for the preparation and maintenance of records of personal data processing activities for the Data Processor

     This Notification sets forth the information that data processors shall keep in their records of personal data processing activities in accordance with section 40 (3) of the PDPA, for example, the name and details of the data processors, of the data controllers who give instructions and of the data protection officer (“DPO”), as well as the types of collection, use and processing, etc. The records shall be in writing or by reliable electronic means.