On 13th August 2024, Thailand’s Personal Data Protection Committee (PDPC) issued a Notification on the Deletion, Destruction, or De-Identification/Anonymization of Personal Data (“Notification”) effective from 11th November 2024. This Notification outlines criteria that data controllers must comply when handling data subjects’ requests to delete, destroy, or de-identify/anonymize personal data.
1. Data Subject Rights and Controller Obligations
The Notification mandates that data controllers must respond to deletion, destruction, or de-identification requests from data subjects within 90 days. If the request cannot be fulfilled within this time due to technical reasons, appropriate measures must be taken to make the personal data inaccessible.
2. De-Identification and Anonymization Process
De-Identification and Anonymization of personal data must include the removal of “direct identifiers” (e.g., Name & Surname, National Identification/Passport Number, Phone Number, Email Address, Biometric Data, Membership Number etc.) to prevent linking the data back to data subjects.
Additionally, data controllers must consider further appropriate measures (e.g. pseudonymization) on “indirect identifiers” (e.g., Birthday, Age, Work Position, IP Address etc.) to prevent “re-identification” of data subjects.
3. Exceptions
The Notification also specifies that de-identification or anonymization of personal data is not permitted if the data was unlawfully collected; in such cases, the personal data must be deleted or destroyed upon the data subject's request.
4. Notification and Reporting
Data controllers are required to notify data subjects once their requests to delete, destroy, or de-identify/anonymize personal data have been fulfilled. If such requests cannot be completed, data controllers must provide a formal explanation to the data subjects.
Conclusion
The Notification sets forth clear guidelines for data controllers in handling personal data requests under the PDPA. By outlining the responsibilities of data controllers, the notification strengthens data subjects' rights to have their data securely managed, deleted, or anonymized. With the introduction of specific procedures, timelines, and exceptions, it is essential for organizations to ensure compliance with these new requirements before the Notification takes effect in November 2024. This will not only safeguard personal data but also enhance trust in data protection practices across Thailand.
