You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
August 26, 2024

Thailand Issues Criteria for Deletion, Destruction, and De-identification of Personal Data

Subscribe to Updates

On August 13, 2024, Thailand’s Personal Data Protection Committee (PDPC) published a notification on the Criteria for Personal Data Deletion, Destruction, and De-identification in the Government Gazette, taking effect on November 11, 2024.

Most of the content remains unchanged from the June 2024 draft of the legislation that was released for public comment. Only minor amendments have been made, as outlined below:

  1. Data controllers must respond to data subjects’ requests to delete, destroy, or de-identify personal data, including any copies or backups, without delay and within 90 days of receiving the request. This timeframe has been extended from the previous draft, which allowed only 60 days. In deleting, destroying, or de-identifying personal data, the data controller must ensure that no one is able to recover or reverse personal data to enable the direct or indirect identification of the data subject by any means that could reasonably be expected. If the data controller cannot fulfill the request within the 90-day period, it must take measures to ensure that the personal data is made difficult to collect, use, or disclose until the personal data can be deleted, destroyed, or de-identified according to the notification. In such cases, appropriate organizational, technical, and physical measures must be implemented to protect the data, meeting the criteria set forth by the notification.
  2. One newly added provision allows data controllers to delete, destroy, or de-identify a data subject’s personal data using a different method than the one requested by the data subject, provided they inform the data subject of the alternative method. However, this is not allowed when the data subject exercises this right on the grounds that the personal data has been unlawfully collected, used or processed, and there are no grounds to reject the request.
  3. In relation to the de-identification or anonymization of personal data, the notification uses the term “possibility” instead of the term “risk,” which was used in the draft. This appears to provide more clarity and certainty on this requirement. Regarding such de-identification or anonymization, there must be a process to remove or eliminate all direct identifiers linked to the data subject. Following that, additional measures must ensure that this data cannot indirectly identify the data subject. The “possibility” of identifying the data subject must be low enough to prevent the data subject’s reidentification. The data controller may consider pseudonymizing the data or carrying out any other action toward the data that would reduce the possibility of a data subject being identified by indirect identifiers to a sufficiently low level.
  4. The June 2024 draft stated that the requirements described in items 1 and 2 above did not apply to personal data that could not be deleted, destroyed, or de-identified due to technical reasons. However, the published notification stipulates that these requirements are exempt not only for technical reasons but also when there are grounds of necessity, such as when deleting, destroying, or de-identifying the data could adversely affect the personal data rights or interests of another person.
  5. Besides requiring data controllers to respond to data subjects’ requests to delete, destroy, or de-identify personal data, in relation to the data controllers’ obligation to implement monitoring systems to delete or destroy personal data pursuant to section 37(3) of the PDPA, the data controllers must also adhere to certain provisions of this notification.

Since the criteria for deletion, destruction, and de-identification of personal data specified in this notification apply not only when a data subject exercises their rights but also to the ongoing monitoring of personal data erasure, it is crucial for data controllers to ensure their systems are fully prepared to meet the upcoming requirements.

For more information on this notification, or any other aspect of data compliance in Thailand, please contact Nopparat Lalitkomon at [email protected], Gvavalin Mahakunkitchareon at [email protected], or Wilin Somya at [email protected].

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

August 23, 2024
Thailand’s Securities and Exchange Commission (SEC) amended its utility token supervisory framework by issuing seven notifications that came into effect on August 13, 2024. Ready-to-use utility tokens (tokens that can be used immediately to acquire specific goods or services), which were previously unregulated, are now subject to the supervisory scheme set forth by the seven new notifications in both primary and secondary markets. This is intended to provide an investor protection mechanism that responds to the characteristics, risks, and usage of the different types of ready-to-use utility tokens. Under the new notifications, ready-to-use utility tokens are categorized into two groups. These are detailed below. Group 1 Utility Tokens Group 1 utility tokens include ready-to-use utility tokens issued for consumption purposes or as a digital representation of a certificate. Examples include loyalty points, digital movie or concert tickets, NFTs, and carbon credits, among others. Principally, there is no change in the regulation of group 1 utility tokens under the new notifications. In the primary market, issuance of this type of token is not subject to the initial coin offering (ICO) requirements. In the secondary market, providing services related to group 1 utility tokens is not considered to be the same as operating a digital asset business with licensing requirements under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018). Licensed digital asset operators (including exchanges, brokers, and dealers) are not permitted to list or trade group 1 utility tokens. To provide services in relation to group 1 utility tokens, these licensed digital asset operators must establish a separate entity to provide those services and must not use names or messages that could cause the public to misunderstand that the separate entity is engaged in a digital asset business under SEC supervision. Group 2 Utility Tokens Group 2 utility tokens
Read More
August 22, 2024
The Personal Data Protection Committee (PDPC) of Thailand’s Ministry of Digital Economy and Society (MDES) has announced the first administrative fine under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). A major private company was fined THB 7 million for noncompliance with specific PDPA requirements, resulting in the unauthorized disclosure of personal data to a call center gang (phone scam fraudsters). Key Findings of Noncompliance The PDPC determined that there were three key violations of specific requirements of the PDPA: Failure to appoint a data protection officer (DPO): Despite processing personal data for over 100,000 individuals as part of its core operations, the company did not appoint a DPO. Inadequate security measures: The company lacked the required security measures, leading to a data breach involving a call center gang, causing widespread damage. Delayed data breach notification: The company did not notify authorities of the data breach within the required timeframe and failed to address the breach promptly, making it impossible to remedy the situation. In addition to the monetary fine, the PDPC, along with the PDPA’s Expert Committee, issued a corrective order requiring the company to undertake the following actions and notify the Office of the PDPC of the relevant correction measures within seven days of receiving the order: Implement up-to-date security measures: The company must improve its current security measures to prevent future breaches and ensure that the security measures are up-to-date with changing technologies. Raise awareness of personnel: The company must provide training to relevant personnel to ensure awareness of data compliance and protection practices. This significant administrative action establishes a precedent for addressing data breaches in both governmental and commercial sectors in Thailand. It also confirms the importance of PDPA compliance, particularly the need for robust security measures, timely breach notifications, and the appointment of
Read More
August 15, 2024
On August 9, 2024, Thailand’s Electronic Transactions Development Agency (ETDA) opened a period for public feedback regarding the 2022 Royal Decree on Digital Platforms and its subregulations. To collect this feedback, the ETDA has prepared a 44-question survey on specific attributes of the royal decree and its requirements, covering issues such as the definition of digital platform services (DPSs), types of services that are subject to notification requirements, information that must be submitted annually, and the royal decree’s extraterritorial scope. Business operators that fall within the scope of the royal decree and wish to provide feedback on its effectiveness should prepare and submit the survey online to the ETDA by the end of August 2024. Royal Decree on Digital Platforms Thailand’s Royal Decree on Digital Platforms was published in the Government Gazette on December 22, 2022. It defines a DPS as any service that facilitates or mediates transactions between users through a digital platform, such as e-commerce, food delivery, ride-hailing, online travel agency, online payment provider, or social media platform. The decree requires DPS operators to notify the ETDA before commencing operations, with some limited exemptions. The decree also empowers the ETDA to issue notifications (i.e., subregulations) and guidelines for implementing the decree and to monitor and enforce compliance by DPS operators. The ETDA may impose administrative sanctions, such as warnings, fines, service suspension, or revocation of notification, for any violation of the royal decree or the ETDA’s subregulations. In-scope DPS operators should take this opportunity to provide comments to the ETDA in order to voice their opinions on the practicality of the requirements and support the regulator in shaping the requirements of the royal decree and its subregulations. For more information on this initiative from the ETDA, or on any aspect related to the Royal Decree on Digital
Read More
August 5, 2024
On June 28, 2024, Thailand’s Board of Investment (BOI) updated its list of promoted activities to include data hosting, which is listed as “Activity 8.2.4 Data Hosting Services.” Qualifying data hosting services are eligible for a corporate income tax exemption (capped) for eight years, along with other tax and nontax incentives, such as import duty exemption on imported machinery to be used in the project, the right for foreigners to own land, and work permit and visa facilitation for expats, among others. To be eligible for these BOI incentives, projects must: Provide services for leasing host servers for data storage (data hosting); Have at least two data centers located in Thailand that meet or exceed the ISO/IEC 27001 data center standards; and Have an investment amount (excluding cost of land and working capital) of at least THB 5 billion. Apart from the above specific criteria, projects also need to comply with the general BOI criteria, such as a debt-to-equity ratio no higher than 3:1, submission of a feasibility study report, and use of new machinery, among others. For more details on BOI incentives for software and data center activities, or on any aspect of investment promotion in Thailand, please contact Athistha (Nop) Chitranukroh at [email protected], Nopparat Lalitkomon at [email protected], or Napassorn Lertussavavivat at [email protected].
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice