SMEs are obligated to meet the various security requirements under Thailand’s Personal Data Protection Act (PDPA) which was enforced in June 2022 by the Personal Data Protection Committee. Though in effect, the committee recently made an announcement declaring that SMEs, social and community enterprises, cooperatives, and foundations would be exempt from certain requirements imposed on data controllers under certain conditions. This exemption, however, does not extend to service providers that collect computer traffic data or those whose collection of data may be considered an infringement on the rights and freedoms of their users.

According to Ministerial Regulations on Designation of the Characteristics of SME Promotion Act B.E. 2562 (2019), as well as the Announcement of the Office of SME Promotion, an SME is a business that employs anywhere between five to 200 employees and earns between THB 1.8 million to THB 300 million annually. Since these types of businesses have been most affected by recent political and economic shocks, it is likely that Thai regulators opted to exempt them from certain PDPA requirements to alleviate the financial and technical burdens the legislation may impose.

What is Thailand’s Personal Data Protection Act?

With businesses digitizing the way they provide goods and services, acquiring customer data has become one of the main priorities for businesses. As a result, regulators in Thailand enacted the PDPA to protect users who provide personal data to such businesses.

Like the European Union’s General Data Protection Regulation (GDPR), the PDPA requires all companies in Thailand that handle personal data, regardless of whether they physically operate in the country, to ensure that their data policies reflect the need to collect explicit consent prior to collection. It also requires that companies make a user’s personal data accessible upon their request, have adequate security measures in place, and allocate personnel and resources for handling such data.

Though the PDPA was approved by Thailand’s Cabinet in 2020, its enforcement was delayed by two years as a result of the COVID-19 pandemic.

What activities are they exempted from?

One of the notifications released by the Personal Data Protection Committee (PDPC) pertains to SMEs considered to be data controllers being exempt from preparing and maintaining a record of processing activities (ROPA) which lists certain information such as the type of personal data collected, the purpose of collecting such data, as well as the retention period, among others. This exemption, however, does not extend to instances where a user asks to access their data, delete their data, or correct their data, in which case the SME will be required to record such incidents.

This provides SMEs significant relief from the long list of information they would otherwise be required to record. However, it is worth noting that it is unclear whether the same exemption would apply to SMEs considered to be data processors which, under the PDPA, falls under a separate definition. For example, if an SME that is considered to be a data controller were to outsource the processing of the data they collected and/or control to another SME, it is clear from the announcement by the PDPC that the former will not be obligated to prepare a ROPA; however, whether the latter is exempt from needing to do so has not been made clear by the PDPC’s announcements.

Nonetheless, what is clear is that SMEs will not be exempt from enacting security measures which data controllers have to comply with. According to the Security Measures Notification issued by the PDPC, which aligns with the notification issued by the Ministry of Digital Economy and Society (MDES) in July 2020, data controllers are required to implement organizational and technical measures to respond to breaches and identify possible risks to user data. It also requires data controllers to build awareness of privacy and security matters among personnel and review security policies when changes in technology take place.

Does the exemption mean SMEs should forget about the PDPA?

While the ROPA exemption for data controllers aims to relieve SMEs of additional burdens, they should be mindful of misleading headlines from the media claiming that SMEs are unilaterally exempt from the provisions of the PDPA. The fact that the PDPC also released a notification on administrative penalties highlights its intention of making sure that businesses handling personal data comply with the PDPA.

While the scope of the exemption is limited, it may be of relief to SMEs that remedial actions under the PDPA are not necessarily as severed as previously thought. The Administrative Penalties Notification states that fines or penalties are determined by certain factors such as the severity of the offence, whether they were done wilfully or out of negligence, as well as the value of the damages caused. It also splits offenses into those considered to be non-serious and those which are considered serious. Those found to have committed the former may simply be issued a warning, though it is advisable for SMEs to ensure they comply with the provisions of the legislation to prevent issues with regulators.

While complying with data regulations in Thailand may involve navigating complex and unclear legislation, SMEs should understand the objectives and purposes behind why they need to collect personal data. If SMEs do not already have the technical capabilities to enact sufficient data policies, they should contact professionals who can help them formulate the right approach towards creating one in order to prevent fines or charges.

Contact us to learn more about the PDPA and how to stay compliant with the regulation.