Thailand Personal Data Protection Act: Exception for SMEs to Record of Processing Activities (RoPA)

June 2024

Thailand’s Personal Data Protection Act (PDPA) imposes RoPA requirements. Just as we discussed exceptions to Legitimate Interest rules under the PDPA in our previous article, it’s crucial to understand the significance of the Notification (a “Notification” in Thailand is akin to a regulation) titled Exemption to the Record of Processing Activities Requirement for Data Controllers that are Small Businesses B.E. 2565 (2022) (RoPA Exemption Notification). This notification directly impacts the compliance obligations of small and medium-sized businesses under the PDPA.

According to the RoPA Exemption Notification, a Data Controller considered a “small or medium size business” is exempt from the obligation to prepare and maintain a Record of Processing Activities (RoPA) under Section 39 of the PDPA (with some exceptions). The authority overseeing the PDPA, the Personal Data Protection Committee (PDPC), borrows the definition of a small business from an unrelated law, but this is a common practice.

The RoPA exemption applies to any small or medium-sized enterprise as defined under the Ministerial Regulations on Designation of the Characteristics of SME Promotion Act B.E. 2562 (2019) (Ministry Regulation on SME) as follows:

I) Small Enterprises  

• Manufacturing sector
• Annual revenue: not more than 100 million baht.
• Employment: not more than 50 employees.

• Wholesale, Retail, and Service sectors
• Annual revenue: not more than 50 million baht.
• Employment:  not more than 30 employees.

II) Medium Enterprises

• Manufacturing sector
  • Annual revenue: more than 100 million baht, but not more than 500 million.
  • Employment: more than 50 employees, but not more than 200.

• Wholesale, Retail, and Service sectors
  • Annual revenue: more than 50 million baht, but not more than 300 million baht.
  • Employment: more than 30 employees, but not more than 100 employees.

Other businesses not subject to RoPA requirements under the PDPA are as follows:

1. Community enterprise or social enterprise, as referred to under the law on community enterprise promotion.
2. Social enterprise, as referred to under the law on social enterprise promotion.
3. Cooperative, cooperative union, or agriculturist’s group under the law on cooperatives.
4. Foundation, association, religious body, or non-profit organization.
5. Household business or other business of the same nature.
6. Internet café service providers.

For more articles on Thailand’s laws on data privacy, technology, and telecommunications, please see the Fosrlaw Blog.

The above is for informational purposes only and is not legal advice, nor should it be relied upon as legal advice. For any further information, don’t hesitate to contact us at [email protected].

© Formichella & Sritawat Attorneys at Law