ARTICLE
30 October 2024

Thailand's Personal Data Protection Committee Issues Notification On The Deletion, Destruction, Or De-Identification/Anonymization Of Personal Data

GA
Global Advertising Lawyers Alliance (GALA)

Contributor

With firms representing more than 90 countries, each GALA member has the local expertise and experience in advertising, marketing and promotion law that will help your campaign achieve its objectives, and navigate the legal minefield successfully. GALA is a uniquely sensitive global resource whose members maintain frequent contact with each other to maximize the effectiveness of their collaborative efforts for their shared clients. GALA provides the premier worldwide resource to advertisers and agencies seeking solutions to problems involving the complex legal issues affecting today's marketplace.
On 13th August 2024, Thailand's Personal Data Protection Committee (PDPC) issued a Notification on the Deletion, Destruction, or De-Identification/Anonymization of Personal Data ("Notification") effective...
Thailand Privacy

On 13th August 2024, Thailand's Personal Data Protection Committee (PDPC) issued a Notification on the Deletion, Destruction, or De-Identification/Anonymization of Personal Data ("Notification") effective from 11th November 2024. This Notification outlines criteria that data controllers must comply when handling data subjects' requests to delete, destroy, or de-identify/anonymize personal data.

1. Data Subject Rights and Controller Obligations

The Notification mandates that data controllers must respond to deletion, destruction, or de-identification requests from data subjects within 90 days. If the request cannot be fulfilled within this time due to technical reasons, appropriate measures must be taken to make the personal data inaccessible.

2. De-Identification and Anonymization Process

De-Identification and Anonymization of personal data must include the removal of "direct identifiers" (e.g., Name & Surname, National Identification/Passport Number, Phone Number, Email Address, Biometric Data, Membership Number etc.) to prevent linking the data back to data subjects.

Additionally, data controllers must consider further appropriate measures (e.g. pseudonymization) on "indirect identifiers" (e.g., Birthday, Age, Work Position, IP Address etc.) to prevent "re-identification" of data subjects.

3. Exceptions

The Notification also specifies that de-identification or anonymization of personal data is not permitted if the data was unlawfully collected; in such cases, the personal data must be deleted or destroyed upon the data subject's request.

4. Notification and Reporting

Data controllers are required to notify data subjects once their requests to delete, destroy, or de-identify/anonymize personal data have been fulfilled. If such requests cannot be completed, data controllers must provide a formal explanation to the data subjects.

Conclusion

The Notification sets forth clear guidelines for data controllers in handling personal data requests under the PDPA. By outlining the responsibilities of data controllers, the notification strengthens data subjects' rights to have their data securely managed, deleted, or anonymized. With the introduction of specific procedures, timelines, and exceptions, it is essential for organizations to ensure compliance with these new requirements before the Notification takes effect in November 2024. This will not only safeguard personal data but also enhance trust in data protection practices across Thailand.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Find out more and explore further thought leadership around Privacy Law and Privacy Regulations

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More