ข้ามไปยังเนื้อหาหลัก

Record of Processing Activities (Art. 30 GDPR · PDPA ม.39)

Art. 30 GDPR + PDPA Section 39 · For Annual compliance audit · DPA inspection prep · M&A privacy DD

From 55,000-185,000 บาท14-45 working days
083-249-4999 Chat on LINE

Any organisation processing personal data (controller/processor) needs Record of Processing Activities (Art. 30 GDPR · PDPA ม.39) — NYC Legal's Privacy Counsel team holds CIPP/E + CIPM credentials and runs end-to-end.

Certifications: CIPP/E, CIPP/A, CIPM, CIPT (IAPP), ISO/IEC 27001 Lead Auditor, ISO/IEC 27701 Lead Implementer, FIP.

Record of Processing Activities (Art. 30 GDPR · PDPA ม.39) takes 14-45 working days at 55,000-185,000 บาท — includes gap analysis + drafting + implementation + training + ongoing support.

We coordinate with PDPC Thailand, EDPB and destination DPAs across Schrems II adequacy jurisdictions.

Privacy program coverage: PDPA Pack · GDPR Pack · CCPA · DPO · DPIA · ROPA · SCC/BCR · Breach · CMP · DSAR · Privacy Policy · ISO/IEC 27701.

72-hour breach response SLA — 38 incidents handled in 2024-2025 (ransomware, vendor breach, insider) — every case notified PDPC/DPA/customer within window.

Coverage

🇹🇭 For Thailand (PDPA)
PDPA B.E. 2562
🇪🇺 For European Union (GDPR)
Regulation 2016/679
🇬🇧 For United Kingdom (UK GDPR + DPA 2018)
UK GDPR + Data Protection Act 2018
🇺🇸 For California (CCPA/CPRA)
CCPA 2018 + CPRA 2020
🇸🇬 For Singapore (PDPA 2012)
Personal Data Protection Act 2012
🇦🇺 For Australia (Privacy Act 1988)
Privacy Act 1988 + APP
🇯🇵 For Japan (APPI)
Act on Protection of Personal Information (APPI)
🇰🇷 For South Korea (PIPA)
Personal Information Protection Act (PIPA)
🇨🇳 For China (PIPL)
Personal Information Protection Law 2021
🇧🇷 For Brazil (LGPD)
Lei Geral de Proteção de Dados
🇦🇪 For UAE (Federal PDPL 2021)
Federal Decree-Law No. 45 of 2021
🇮🇳 For India (DPDPA 2023)
Digital Personal Data Protection Act 2023

How it works

  1. 1

    Data discovery + mapping

    System audit + data-owner interviews + identification of processing activities + data-flow diagram.

  2. 2

    Gap analysis + risk

    Map against PDPA/GDPR/CCPA + risk register + DPIA for high-risk processing.

  3. 3

    Drafting + controls

    Draft policies + procedures + DPA + consent + security controls per NIST SP 800-53 / ISO 27001.

  4. 4

    Implementation + training

    Roll out CMP/DSAR portal + train DPO + staff awareness + privacy-by-design checklist.

  5. 5

    Audit + ongoing support

    Annual audit + monthly DPO report + breach drills + ROPA refresh + DPA inspection prep.

Frequently asked questions

Who needs Record of Processing Activities (Art. 30 GDPR · PDPA ม.39)?

Annual compliance audit, DPA inspection prep, M&A privacy DD and any organisation processing personal data.

Total cost?

55,000-185,000 บาท, scaling with size and number of processing activities.

Timeline?

14-45 working days — faster if ISO 27001 baseline exists.

Is a DPO mandatory?

PDPA Sec. 41 mandates DPOs for public authorities, large processors, and sensitive data — GDPR Art. 37 mirrors the trigger.

Can we notify PDPC within 72 hours?

Triage likelihood + severity within 24h → notify decision within 72h — Tier-1 incident runbook included.

What is required for cross-border transfers?

PDPA Sec. 28: SCC, BCR, adequacy, consent, or derogation — we draft SCC + TIA.

DSAR SLA?

GDPR 30 days (extend 60) · PDPA 30 days · CCPA 45 days (extend 90) — DSAR portal tracks all.

Does ISO 27701 require ISO 27001?

Yes — 27701 is an extension of 27001 (combined implementation 9-12 months).

Related services

Thailand PDPA Compliance Pack (PDPA B.E. 2562) EU GDPR Compliance Pack (Regulation 2016/679) CCPA/CPRA Compliance (California Consumer Privacy Act) DPO Appointment Service (PDPA & GDPR) DPIA (Data Protection Impact Assessment) SCCs + BCRs (International Data Transfer) IP Rights Citizenship