Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Thailand: PDPC publishes draft notification on criteria for deletion or destruction of personal data or de-identifying personal data

On June 13, 2024, the Personal Data Protection Committee (PDPC) released a draft notification for public consultation on criteria for deletion or destruction of personal data or de-identifying personal data.

Background

The PDPC clarified that the draft notification is set to clarify the criteria for the application of Section 33 of the Personal Data Protection Act 2019 (PDPA) regarding the right to request that the data controller delete, destroy, or de-identify personal data.

Deletion, destruction, or de-identification

The draft notification outlined, among other things:

  • the request to delete, destroy, or de-identify personal data must be processed without delay but not later than 60 days from the date of receipt of the request;
  • the request must cover copies and backups of personal data (if any), and the data controller must ensure, using any means reasonably necessary, that no one can recover personal information, reverse the deletion, or identify, directly or indirectly, the person who owns the personal data;
  • if the deletion, destruction, or de-identification is not immediately possible, the controller must put in place organizational, technical, and physical measures to ensure that the personal information:
    • will not be accessed, used, or disclosed by the data controller or anyone else, even if it is still available;
    • cannot be used by the data controller to provide services, influence decisions, or take any action regarding the owner of the personal data; and
    • is protected appropriately according to the level of risk; and
  • if deletion, destruction, or de-identification is not possible due to technical reasons, the data controller must justify and document these reasons.

De-identification and anonymization

The draft notification stated that to de-identify or anonymize the personal information, the data controller must, among other things:

  • erase any direct identifiers of the owner of personal data, including name, national identification numbers, telephone number, pictures, and biometric data; 
  • ensure that the owner of personal data cannot be re-identified by keeping the information at a low level, using pseudonymization, or providing indirect identifiers; and
  • consider the technological factors, context, environment, and the nature or type of personal information concerned.

The draft notification also confirmed that the data controllers cannot legally refuse deletion, destruction, or de-identification requests and must notify the owner of the personal data that the request has been carried out.

What's next?

Comments may be submitted via the dedicated portal here until June 27, 2024. The draft will come into force from the day following the date of its publication in the Royal Gazette.

You can read the press release here and the draft announcement here, both only available in Thai.