Principally, the Personal Data Protection Act B.E. 2562 (PDPA) generally imposes an obligation on provision of records of processing activities (RoPA) to data controllers and data processors. However, this obligation requires lots of efforts from both to be in compliance with for small organizations and to ease the data controllers and the data processors who are small organizations, the PDPA provides exemption from the RoPA obligation for the small organizations to certain extent.
To clarify a question on criteria of those qualified small organizations, the PDPC, therefore, announced two notifications, namely, (i) a notification regarding exemption from recording activities of data controllers who are small organizations; and (ii) a notification regarding exemption of provisions and maintenance of RoPA of data processors who are small organizations.
Particularly, the small organizations that are eligible for the exemption from the RoPA obligation pursuant to the aforesaid notifications shall have any of the following characters:
1) Being a Small or Medium Enterprise (SME) under the Law on the Promotion of Small and Medium Enterprises;
2) Being a Community Enterprise or a Community Network Enterprises under the Law on the Promotion of Community Enterprises;
3) Being a Social Enterprise or a Social Business Group under the Law on the Promotion of Social Enterprises;
4) Being a Cooperative, Cooperative Federation, or Group of Farmers under the Law on Cooperatives;
5) Being a Foundation, Association, Religious Organization, or Non-Profit Private Organization;
6) Being a Condominium Juristic Person under the Condominium Law or a Housing Estate Juristic Person under the Land Allocation Law;
7) Household businesses or other similar businesses; or
8) A business operated by a data controller or data processor who is an individual.
However, the RoPA exemption shall not be applicable to the eligible small organizations who are subject to a requirement to appoint a data protection officer and the following conditions:
a. the collection, use, or disclosure of such personal data is likely to result in a risk to the rights and freedoms of data subjects; or
b. the collection, use, or disclosure of such personal data is not on occasion; or
c. the processed personal data shall not be sensitive data.
The Notification (i) will become in effect on 8 April 2025; while the Notification (ii) has been in force since 9 January 2025.