The Personal Data Protection Committee issues notifications regarding enforcement of the PDPA and its penalties

On June 20, 2022, the Personal Data Protection Committee announced four notifications regarding the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The notifications are intended to avoid placing too large a burden on small and medium-sized businesses and also lay down rules for the execution of the Act.

A summary of the notifications follows:

    • the Notification of the PDPC Re: Rules and Procedures for the Preparation and Maintenance of the Record of Processing Activities by the Data Processor B.E. 2565 (2022), which grants a 180-day grace period and thus will be effective by the end of the year, establishes guidelines for Data Processors to create, organize and maintain records of their data processing activities;
    • the Notification of the PDPC Re: Exemption to the Record of Processing Activities Requirement for Data Controllers that Are Small Businesses B.E. 2565 (2022) provides an exemption from recording data processing activities as prescribed by the PDPA. It applies to small and medium-sized enterprises (defined as: a) companies in the manufacturing industry having no more than 200 employees or less than THB 500 million in annual revenue; and b) companies operating in the service or trading sectors having no more than 100 employees or less than THB 300 million in annual revenue), as well as to community enterprises, social enterprises, cooperatives, foundations, associations, religious organizations, non-profit organizations, and household activities, except certain services and activities that are not exempted;
    • the Notification of the PDPC Re: Security Measures of the Data Controller B.E. 2565 (2022) establishes the general requirements for data security measures that Data Controllers must put in place. In particular, it requires the data controller to make its personnel and users aware of privacy and security measures, to review the implemented security measures whenever it is necessary, or when there is a change in technology, or if a data breach incident happens, and to set security measures requirements for its data processor; and
    • the Notification of PDPC Re: Rules for the Consideration of the Imposition of Administrative Penalties by the Expert Committee B.E. 2565 (2022) sets the procedure for the issuance of administrative fines to Data Controllers and Data Processors at the early stage of PDPA enforcement. Under it, administrative fines will be issued only in cases of serious or repeated violations, while in cases of non-serious violations Data Controllers and Data Processors may receive warnings and administrative orders to cease and desist from the activities in breach of the regulation.

The Expert Committee, which will be appointed under the PDPA, has the power to impose an administrative fine, taking into consideration the level of severity of the non-compliance, the business size of the data controller or the data processor, or other circumstances. The Notification on the Criteria for issuing Administrative fines and orders of the Expert Committee is therefore meant to limit the consequences for SMEs that are not ready to comply, as the administrative penalties are quite severe and may apply to the data controller or the data processor, or any juristic or natural person violating the PDPA’s provisions, in the form of a monetary fine of up to five million Baht.

In this context, it is useful to mention that failure to comply with the requirements under these subordinate regulations may, apart from the administrative penalties, lead to the imposition of other penalties on natural or juristic persons, including:

    • Criminal penalties, which may apply when an offender violates a law which interferes with normal operations of society. Where there is a violation of the PDPA, criminal penalties can be imposed against the data controller if the data subject or any other person suffers any damage, their reputation is impaired, or such person becomes the subject of scorn, hatred, or humiliation. The penalty is imprisonment of up to six months, or a fine of up to 500,000 Baht, or both. If any of these acts is performed with the intention of receiving unlawful benefits, the punishment increases to imprisonment of up to one year, or a fine of up to one million Baht, or both. Criminal penalties can also be brought against other persons who perform duties relating to personal data protection according to the PDPA, namely imprisonment of up to six months, or a fine of up to 500,000 Baht, or both;
    • Civil penalties, which may be enforced when the data controller or the data processor who holds the personal data of the data subject causes damages to the latter as a consequence of their failure to comply with the PDPA, either intentionally or negligently. The data subject can claim actual compensation from the data controller or the data processor for such damage, including all actual expenses spent by the data subject to prevent or suppress such damage. In addition, the court shall also sentence the data controller or data processor to pay punitive damages to the data subject not exceeding twice the amount of the actual compensation proved.

According to the Minister of Digital Economy and Society, another four subordinate regulations are expected to be issued soon.

For any inquiries related to PDPA compliance and related secondary regulations, we invite you to contact ILCT Ltd. via email at law@ilct.co.th.
