Congratulations if your company already collects data privacy consent from your customer/users. But do your company have ROPA in place?
ROPA is required under Section 39 of the PDPA as Data controllers are required to prepare and maintain a record of processing activities (“ROPA”) consisting of the minimum information required as follows in order to enable the data subject and the Office of the Personal Data Protection Committee to check upon:
(1) the collected Personal Data;
(2) the purpose of the collection of the Personal Data in each category;
(3) details of the Data Controller;
(4) the retention period of the Personal Data;
(5) rights and methods for access to the Personal Data, including the conditions regarding the Person having the right to access the Personal Data and the conditions to access such Personal Data;
(6) the use or disclosure;
(7) the rejection of request or objection; and
(8) explanation of the appropriate security measures.
ROPA is not required for the Data Controller who is
a) a small organization pursuant to the rules as prescribed by the Committee, unless the collection, use, or disclosure of such Personal Data is likely to result in a risk to the rights and freedoms of data subjects, or
b) not a business where the collection, use, or disclosure of the Personal Data is occasional, or
c) involving in the collection, use, or disclosure of the Personal Data pursuant to sensitive personal data.
Under Notification of the PDPC Re: Exemption of the Record of Processing Activities Requirement for Data Controllers who are Small Businesses B.E. 2565 (2022), data controllers who are small businesses will be exempt from the aforesaid ROPA requirements:
1) small or medium enterprises according to the law on small and medium-sized enterprise promotion
– Product manufacturing business operators which hire no more than 200 employees, and have annual revenue not exceeding Baht 500 million
– Service providers, wholesalers or retailers which hire no more than 100 employees, and have annual revenue not exceeding Baht 300 million
2) community enterprises and networks of community enterprises registered under the Community Enterprise Promotion law;
3) social enterprises and social enterprise groups registered under the social enterprise promotion law;
4) cooperatives, cooperative federations, or a farmer’s groups under the cooperatives law;
5) foundations, associations, religious or non-profit organizations; and
6) family businesses or other similar businesses.
However, the exempt businesses shall not apply to: a data controller involves in the collection, use or disclosure of the sensitive personal data under the PDPA, a service provider that is required to maintain computer traffic data under the Computer-Related Crime Act B.E. 2550 (2007), a data controller collecting, using, or disclosing personal data that is likely to result in a risk to the rights and freedoms of data subjects, and a data controller whose business is not the business that the collection, use or disclosure of the personal data is occasional.
PDPA Regulator can request a ROPA from business operator to see a full picture of your data processing. It allows regulator to see details of how personal information is processed, why, what you do with it, and how you manage it.
Data Controller must have record of processing activities as in accordance with the Notification of the PDPC Re: Rules and Procedures for the Preparation and Maintenance of the Record of Processing Activities by the Data Processor B.E. 2565 (2022), issued on 10 June 2022 and is effective on 17 December 2022. The ROPA must be maintained in written or electronic form, and must be easily accessible and promptly available for inspection by the Office of the PDPC, the data controller, or their designated person, when requested.