After the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) came into full effect on 1 June 2022, four sub-regulations in the form of notifications under the PDPA were issued by the Personal Data Protection Committee (“PDPC”) and published in the Royal Thai Government Gazette on 20 June 2022. These provide detailed criteria and rules, as well as clarification of some key requirements under the PDPA.

Summary of Notifications

1. Notification of the PDPC Re: Exemption of the Record of Processing Activities Requirement for Data Controllers who are Small Businesses B.E. 2565 (2022)

In principle, data controllers are required to prepare and maintain a record of processing activities (“ROPA”) consisting of the minimum information required under Section 39 of the PDPA. Under this notification, data controllers who are small businesses of the following types will be exempt from the ROPA requirement:

  1. small or medium enterprises according to the law on small and medium-sized enterprise promotion:
    ‒ product manufacturing business operators which hire no more than 200 employees and have annual revenue not exceeding Baht 500 million,
    ‒ service providers, wholesalers or retailers which hire no more than 100 employees and have annual revenue not exceeding Baht 300 million;
  2. community enterprises and networks of community enterprises registered under the community enterprise promotion law;
  3. social enterprises and social enterprise groups registered under the social enterprise promotion law;
  4. cooperatives, cooperative federations, or farmers’ groups under the cooperatives law;
  5. foundations, associations, religious or non-profit organizations; and
  6. family businesses or other similar businesses.

However, the exemption shall not apply to:

  • a service provider that is required to maintain computer traffic data under the Computer-Related Crime Act B.E. 2550 (2007), unless it is an internet cafe;
  • a data controller collecting, using, or disclosing personal data that is likely to result in a risk to the rights and freedoms of data subjects;
  • a data controller whose business is not one in which the collection, use or disclosure of personal data is only occasional; or
  • a data controller involved in the collection, use or disclosure of sensitive personal data under the PDPA.

This notification came into force on 21 June 2022.

2. Notification of the PDPC Re: Rules and Methods for Preparing and Maintaining Records of Processing Activities for the Data Processor B.E. 2565 (2022)

This notification has been issued to determine the minimum information that the data processor is required to include in its ROPA:

  1. name and information of the data processor and its representative (if any);
  2. name and information of the relevant data controller and its representative (if any);
  3. name and information, including contact address and method, of the data protection officer (if any);
  4. types or nature of collection, use or disclosure of personal data, including the personal data and the purposes of the collection, use or disclosure of such personal data, as assigned by the data controller;
  5. types of persons or entities that receive personal data in case of transmitting or transferring personal data abroad; and
  6. description of security measures.

This notification will come into force on 17 December 2022.

3. Notification of the PDPC Re: Security Measures of the Data Controller B.E. 2565 (2022)

Under the PDPA, the data controller shall provide appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction, or disclosure of personal data. Such measures must be reviewed when necessary, or when the technology has changed, in order to efficiently maintain the appropriate level of security and safety.

This notification has been issued to provide a detailed minimum standard for the aforementioned security measures. For example, it covers access control for personal data and key information system components, including identity proofing and authentication, and the appropriate authorization of access and use, taking into account the need-to-know basis.

This notification came into force on 21 June 2022.

4. Notification of the PDPC Re: Rules for Consideration of Issuing Order to Impose Administrative Fines by the Expert Committee B.E. 2565 (2022)

This notification specifies rules and procedures for the Expert Committee (which will be appointed under the PDPA) when considering issuing an order to impose administrative fines or other relevant administrative enforcement measures where any person does not comply with the PDPA or the order of the Expert Committee. This includes, for example, seizure, confiscation, and sale by auction of assets where any person fails to make the correct and full payment of administrative fines after receiving a written warning from the Expert Committee.

This notification came into force on 21 June 2022.

Failure to comply with the requirements and obligations under any sub-regulations issued under the PDPA could result in the penalties specified under the PDPA, e.g., fines up to THB 5 million.

Accordingly, it is recommended that business operators revisit their current PDPA compliance status to ensure that they remain in compliance with the PDPA and the aforementioned sub-regulations under the PDPA.

KPMG Law has extensive experience with PDPA compliance and supporting services. We provide full PDPA services from the data identification stage to completion of PDPA implementation. Our services include subsequent PDPA support such as training, PDPA document review, ad-hoc advisory services, Data Protection Officer support and advisory services. 

We welcome any opportunity to discuss the relevance of the above matters to your business.

KPMG Thailand’s Legal Services Team offers a wide range of practical legal solutions. For more information, please visit
