ブログ
Notice re criteria for erasure or destruction or anonymizing the Personal Data
2024.09.17
Subject to Section 33 of the Personal Data Protection Act B.E. 2562 (2019) (PDPA), data subjects are entitled to request data controllers to erase, destroy, or anonymize personal data (“Request”). In this regard, the latest Notice of the Personal Data Protection Committee (PDPC) regarding criteria for erasing, destroying, or anonymizing personal data to become anonymous data that cannot identify data subjects B.E. 2567 (2024) (Notice) was published in the Royal Gazette on 13 August 2024. This Notice will come into force on 11 November 2024.
Please find the full original Thai version here.
Key points of the Notice are as follows:
A. Timeframe of the fulfillment of the request
When receiving the Request and there is no exemption under the PDPA, data controllers must fulfill the Request not exceeding 90 days from the date of receiving the Request.
B. Scope of the implementation
When receiving the Request, the data controller must
・erase, destroy, or anonymize the personal data, including any copies or backups of the personal data (if any) and
・ensure that nobody can do in any way that could reasonably be expected to recover personal data or re-identify personal data to identify data subjects directly or indirectly.
C. The implementation different from the request
In some occasions, data controllers may erase, destroy, or anonymize personal data using a method different from the one requested by data subjects, unless such request is based on grounds specified in F below.
In this regard, the data controller has an obligation to notify data subjects of the alternative implementation.
For example, when a data subject requests a data controller to erase his/her personal data, the data controller may consider anonymizing such personal data instead of erasure, provided such request must not fall into the requirements stipulated in this Notice.
D. Inability to fulfill the Request within the timeframe
If data controllers cannot erase, destroy, or anonymize personal data within the specified timeframe, due to technical or any other reasons, data controllers must make such personal data difficult to collect, use, or disclose until the completion of erasure, destruction, or anonymization.
The data controller must provide the appropriate organizational measures, technical measures, and required physical measures, taking into account the technological and other factors specified by the Notice.
E. Criteria for anonymization
The criteria for anonymizing personal data are as follows:
(1) must have the procedure for erasure or de-identification of direct identifiers, including identifiable information such as name, surname, identification numbers, personal account number or code, personal contact number, personal email address, personal vehicle registration number, face image, biometric data, personal account in various applications/online services, etc.;
(2) after implementing (1), an additional procedure is required to ensure that such personal data cannot be indirectly identified. In order to prevent the re-identification of such personal data, data controllers may pseudonymize the personal data or implement the personal data, whether in whole or in part, to diminish the possibility of identifying data subjects by using indirect identifiers, e.g. date of birth, age, work position, home or office address, IP address, etc., to an adequately low level, provided that taking into account the technological and other factors specified by the Notice.
F. Prohibition of anonymization
Data controllers are not permitted to anonymize or de-identify personal data when
(1) data subjects exercise their rights due to the illegal collection, use, or disclosure of personal data (Section 33(4)); and
(2) the illegal processing of personal data in (a) is not the case exempted from the application of provisions under the PDPA (Section 33 paragraph 2) or (b) is not any other case that data controllers may deny as permitted by laws.
Data controllers must erase or destroy personal data only in such cases.
G. Notification to data subjects
Data controllers must notify data subjects of the completion of the request. In case of anonymization or de-identification, data controllers must also inform the details of the implementation.
When the Request cannot be fulfilled, data controllers must notify data subjects of the refusal with reasons.
H. The exemption of the application of provisions
The provisions in A, B, and C will not be applied to personal data that is unable to be erased, destroyed, or anonymized because of the paramount necessary reasons, such as the erasure, destruction, or anonymization of the personal data may have an adverse effect on third person’s personal data rights or interests.
In such cases, data controllers have an obligation to notify data subjects of such paramount necessary reasons.
Authors:
Monchai Varatthan
Shota Sugiura
Marin Viriyapongpanich (Lin)
Member
PROFILE
PROFILE