The PDPC Enacts Four PDPA Enforcement Rules

On 10th June 2022 and 14th June 2022, the Personal Data Protection Committee (PDPC) issued its first four pieces of subordinate legislation under the Personal Data Protection Act B.E. 2562 (PDPA), as listed below. The Government Gazette published them on 20th June 2022. The notification under No. 1 below will come into force on 17th December 2022. The other three notifications came into force on and from 21st June 2022.

1.   PDPC Notification Re: Criteria and Procedures for Preparing and Maintaining Record of Processing Activities (ROPA) by Data Processors B.E. 2565 dated 10th June 2022

The data processor is required to prepare and maintain the ROPA (in writing or in an electronic format) of its processing (collecting, using, disclosing) of personal data in compliance with the minimum requirements prescribed under this Notification. The ROPA must be easy to access and easy to show to the PDPC, the data controller, or any person designated by the PDPC or the data controller.

2.   PDPC Notification Re: Exemption of Record of Processing Activities (ROPA) for Small Businesses B.E. 2565 dated 10th June 2022

Under this Notification, data controllers who are small businesses as listed below are exempt from the obligations to prepare and maintain the ROPA under Section 39 of the PDPA:

(1)  small or medium-sized enterprises (such as factories with no more than 200 employees or with annual income of no more than THB500 million, or retail/wholesale businesses with no more than 100 employees or revenue of no more than THB300 million)
(2)  community enterprises or networks of community enterprises
(3)  social enterprises or groups of social enterprises
(4)  cooperatives, networks of cooperatives, or farmer groups
(5)  foundations, associations, religious or non-profit organizations
(6)  household businesses or other similar businesses.

3.   PDPC Notification Re: Security Measures of Data Controllers B.E. 2565 dated 10th June 2022

This Notification sets out 7 minimum / appropriate security measures for the data controller and the data processor to comply with in order to prevent the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of personal data (both in writing and in a digital format) under Section 37 (1) of the PDPA.

These security measures include organizational measures, technical / physical measures, the determination of the major risks that may occur to information assets, and the capability to maintain the confidentiality, integrity and availability of personal data.

4.   PDPC Notification Re: Criteria for Issuing Orders of Administrative Fines by the Expert Committee B.E. 2565 dated 14th June 2022

This Notification sets out 13 criteria for the Expert Committee to take into consideration when it issues an administrative order to impose a fine on the data controller, the data processor, or any other person who violates or fails to comply with the PDPA or the order of the Expert Committee. These 13 criteria also apply to the issuance of an order for seizure, attachment or auction sale of the properties of the person who is subject to the administrative sanction, for the purpose of administrative enforcement of the order of the Expert Committee.


The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. and LawPlus Myanmar Ltd. or any of their directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2016 to 2020 LawPlus Ltd.