The Personal Data Protection Committee (PDPC) has recently issued a draft notification on the criteria for deleting, destroying, or anonymising personal data. The hearing for the draft closed on 28 June 2024, and the results are being summarised. The draft notification is expected to take effect in the third or fourth quarter of this year.
According to the draft notification, when a data subject requests a data controller to delete, destroy or anonymise his/her personal data, the data controller must consider and comply with such request (subject to certain conditions under Section 33 of the Personal Data Protection Act B.E. 2562 (2019)) without delay and no later than 60 days after receiving it. The data controller must ensure that personal data cannot be retrieved, either directly or indirectly. If the data controller cannot immediately comply with the request, it must implement appropriate organisational and technical measures, which may include necessary physical measures to make the personal data difficult to collect, use, or disclose, and meet the criteria specified in the draft notification.
The draft notification also sets out two requirements for anonymising personal data, namely:
- (a) The anonymisation process must include deleting or removing any direct identifiers of the data subject in the personal data (de-identification); and
- (b) After the actions specified in (a) are carried out, there must be an additional review process to ensure that the data cannot indirectly identify the data subject, with a sufficiently low risk of re-identification. To prevent the data from being re-identified, consideration may be given to pseudonymisation or taking other actions on all or part of the data to reduce the risk that indirect identifiers can be used to re-identify the data subject.
It is worth noting that if personal data is unlawfully collected, used, or disclosed, a data controller must delete or destroy such personal data, and cannot use anonymisation instead.