The Personal Data Protection Committee has issued an announcement regarding the exemption from record-keeping requirements for small-scale personal data controllers. This measure aims to support and facilitate small business operators under the Personal Data Protection Act, B.E. 2562 (2019). The announcement became effective on June 11, 2022.
Small-scale entities eligible for this exemption must meet one of the following criteria:
- Small or Medium Enterprises (SMEs) as defined by the law on the promotion of small and medium enterprises.
- Community Enterprises or networks of community enterprises as defined by the law on the promotion of community enterprises.
- Social Enterprises or groups of social enterprises as defined by the law on the promotion of social enterprises.
- Cooperatives, cooperative unions, or agricultural groups as defined by the law on cooperatives.
- Non-profit Organizations, such as foundations, associations, or religious organizations.
- Household Businesses or similar small-scale operations.
However, this exemption does not apply to service providers required to retain computer traffic data under the Computer-Related Crime Act, except for internet café operators, who are eligible for the exemption. Additionally, the exemption does not cover the collection, use, or disclosure of personal data that poses significant risks to the rights and freedoms of data subjects or cases involving regular data processing activities.
This announcement emphasizes that small-scale operators must adhere to personal data protection principles without undue burden while promoting compliance with legal and ethical standards for personal data.