On August 13, 2024, Thailand’s Personal Data Protection Committee (PDPC) published a notification on the Criteria for Personal Data Deletion, Destruction, and De-identification in the Government Gazette, taking effect on November 11, 2024.
Most of the content remains unchanged from the June 2024 draft of the legislation that was released for public comment. Only minor amendments have been made, as outlined below:
- Data controllers must respond to data subjects’ requests to delete, destroy, or de-identify personal data, including any copies or backups, without delay and within 90 days of receiving the request. This timeframe has been extended from the previous draft, which allowed only 60 days. In deleting, destroying, or de-identifying personal data, the data controller must ensure that no one is able to recover or reverse personal data to enable the direct or indirect identification of the data subject by any means that could reasonably be expected. If the data controller cannot fulfill the request within the 90-day period, it must take measures to ensure that the personal data is made difficult to collect, use, or disclose until the personal data can be deleted, destroyed, or de-identified according to the notification. In such cases, appropriate organizational, technical, and physical measures must be implemented to protect the data, meeting the criteria set forth by the notification.
- One newly added provision allows data controllers to delete, destroy, or de-identify a data subject’s personal data using a different method than the one requested by the data subject, provided they inform the data subject of the alternative method. However, this is not allowed when the data subject exercises this right on the grounds that the personal data has been unlawfully collected, used or processed, and there are no grounds to reject the request.
- In relation to the de-identification or anonymization of personal data, the notification uses the term “possibility” instead of the term “risk,” which was used in the draft. This appears to provide more clarity and certainty on this requirement. Regarding such de-identification or anonymization, there must be a process to remove or eliminate all direct identifiers linked to the data subject. Following that, additional measures must ensure that this data cannot indirectly identify the data subject. The “possibility” of identifying the data subject must be low enough to prevent the data subject’s reidentification. The data controller may consider pseudonymizing the data or carrying out any other action toward the data that would reduce the possibility of a data subject being identified by indirect identifiers to a sufficiently low level.
- The June 2024 draft stated that the requirements described in items 1 and 2 above did not apply to personal data that could not be deleted, destroyed, or de-identified due to technical reasons. However, the published notification stipulates that these requirements are exempt not only for technical reasons but also when there are grounds of necessity, such as when deleting, destroying, or de-identifying the data could adversely affect the personal data rights or interests of another person.
- Besides requiring data controllers to respond to data subjects’ requests to delete, destroy, or de-identify personal data, in relation to the data controllers’ obligation to implement monitoring systems to delete or destroy personal data pursuant to section 37(3) of the PDPA, the data controllers must also adhere to certain provisions of this notification.
Since the criteria for deletion, destruction, and de-identification of personal data specified in this notification apply not only when a data subject exercises their rights but also to the ongoing monitoring of personal data erasure, it is crucial for data controllers to ensure their systems are fully prepared to meet the upcoming requirements.