Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) came into full force on 1 June 2022. One of the mandatory obligations under the PDPA requires each data controller or data processor in Thailand to prepare its own records of processing activities (“RoPAs”). The requirement to maintain RoPAs has become a significant concern because it is often a heavy operational burden on Thai business operators. Failure to maintain RoPAs can attract an administrative fine of up to THB 1 million (approximately USD 30,000) for a data controller or THB 3 million (approximately USD 89,000) for a data processor.
Both data controllers and data processors in Thailand are required to maintain RoPAs (setting out details as prescribed in the PDPA). Such records can be in a written or electronic form, and must be readily available for verification by relevant data subjects and officers of the Personal Data Protection Commission (“PDPC”). Data controllers must also ensure their data processors maintain RoPAs.
To alleviate the compliance burden on smaller businesses, in January 2025 the PDPC issued two notifications setting out certain exemptions from the requirement to maintain RoPAs. The two notifications are for data controllers and data processors respectively. They exempt, among others, small and medium enterprises (“SMEs”) from the obligation to maintain RoPAs. SMEs should be reminded that they remain obliged to maintain records of any rejection of, or objection to, requests made by data subjects when they exercise their data subject rights under the PDPA.
Qualifying as an SME
To qualify for the RoPAs exemption for SMEs under the PDPA, an enterprise first needs to determine whether it is an SME. An SME is defined under the laws on SME promotion as follows:
| Size of business | Manufacturing: number of employees | Manufacturing: annual revenue (THB) | Service/wholesale/retail: number of employees | Service/wholesale/retail: annual revenue (THB) |
|---|---|---|---|---|
| Retail enterprises | ≤ 5 | ≤ 1.8 million | ≤ 5 | ≤ 1.8 million |
| Small enterprises | ≤ 50 | ≤ 100 million | ≤ 30 | ≤ 50 million |
| Medium enterprises | > 50 ≤ 200 | > 100 million ≤ 500 million | > 30 ≤ 100 | > 50 million ≤ 300 million |
The above thresholds should be considered based on audited financial statements submitted to the Ministry of Commerce and lists of employees submitted to the Ministry of Labour.
Carve-outs
Not all SMEs are exempted from maintaining RoPAs even if they meet the above thresholds. SME businesses must further ensure that they are not obliged to appoint a data protection officer, and when collecting, using and disclosing personal data, they do not (i) pose risks to the rights and freedom of data subjects; (ii) collect, use or disclose personal data on an occasional basis (e.g., if an SME conducts a lucky draw event as part of its marketing business, the PDPC views that such an SME must maintain the RoPAs for that occasional purpose); and (iii) involve sensitive data as defined under the PDPA.
Businesses which do not meet the requirements above are still required to maintain RoPAs.
Businesses may also check whether they qualify as SMEs by checking the database of the Department of Business Development.
Importance of data law compliance in Thailand
The PDPA brings Thai data privacy law requirements for the collection, use, and disclosure of personal data in line with the EU GDPR standard in most aspects. Non-compliance with the PDPA may result in significant legal and financial penalties, including fines and potentially imprisonment for serious breaches. The requirement to maintain RoPAs is just one of the mandatory compliance obligations introduced by the PDPA on businesses in Thailand.
HSF’s Asia data protection team are best placed to advise our clients on their cross-jurisdictional privacy compliance projects. We are familiar with data law compliance approaches adopted by MNCs and regional businesses as well as local law requirements with on-the-ground support from our Thai local team.