The Personal Data Protection Committee (PDPC) of Thailand has issued the PDPC Notification on Criteria for Deletion, Destruction or Anonymization of Personal Data B.E. 2567 (2024) dated 31st July 2024 (“Notification”). The Notification was published in the Royal Gazette on 13th August 2024. It will become effective on and from 11th November 2024. We summarized the key provisions of the Notification as follows:
1. Subject to the exceptions provided under the Personal Data Protection Act B.E. 2562 (PDPA), the Data Controller (DC) must delete, destroy, or anonymize personal data, including their copies and backups, without delay and within 90 days of receiving a request from the data subject. The DC must ensure that no person can, by any reasonably foreseeable means, recover or re-identify the personal data, either directly or indirectly, to identify the data subject. If the DC cannot fulfill the request of the data subject within the deadline, the DC must implement interim measures to make it difficult for the personal data of the requesting data subject to be collected, used or disclosed. Such measures may include appropriate organizational and technical / physical measures.
2. If the data subject requests the DC to delete, destroy, or anonymize their personal data by a specific method, the DC may choose a method that differs from the specific method requested by the data subject, provided that the chosen method complies with the criteria specified in the Notification and the DC has informed the data subject of such method. If the data subject files a request because his / her personal data was unlawfully processed under Section 33(4) under the PDPA and no exemption applies, the DC must delete or destroy such personal data instead of anonymization.
3. If it is not feasible to delete, destroy, or anonymize personal data due to significant necessity reasons, such as doing so may negatively affect the personal data rights or interests of other individuals, the DC must notify the data subject who filed the request and explain or demonstrate these significant necessity reasons to the data subject.
4. To proceed with anonymization of personal data, the DC must (1) establish a process to delete or de-identify any data that directly identifies the data subject; and (2) implement additional procedures to ensure that the personal data cannot be indirectly re-identified and that the risk of re-identification is sufficiently low. This may include adoption of pseudonymization of, or taking any other actions for, all or part of the personal data.
5. The DC must inform the data subject of the completion of the request or the inability to fulfill the request, plus the reason of such inability as appropriate.
6. The DC must establish a system to verify and proceed with deletion or destruction of personal data in compliance with Section 37(3) of the PDPA and the provisions of Clauses 3 (paragraphs 2 and 3), 4, 5, and 6 of the Notification.
To see the archive of our past newsletters and articles please click here.
AUTHOR
Partner | bangkok
Associate | bangkok
The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. and LawPlus Myanmar Ltd. or any of their directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2016 to 2020 LawPlus Ltd.
