On June 14, 2024, the Personal Data Protection Committee (PDPC) released a draft notification under the Personal Data Protection Act 2019 (PDPA), setting out criteria for how data controllers must delete, destroy, and de-identify personal data.

According to the PDPA, a data subject can request that a data controller delete, destroy, or de-identify their personal data in any of the following circumstances:

• The personal data is no longer necessary for the purposes for which it was collected, used, or disclosed.
• The data subject has withdrawn their consent for the processing of the personal data, and no other lawful basis for processing remains.
• The data subject has objected to the processing of their personal data on grounds of legitimate interests or official tasks, the data controller has no other compelling grounds to refuse the request, and the data is not needed for legal claims.
• The data subject objects to the processing of their personal data for direct marketing purposes.
• The processing of personal data is unlawful.

The draft stipulates that data controllers respond to a data subject’s request to delete, destroy, or de-identify personal data immediately, and within 60 days of receiving the request. If the data controller cannot fulfill the request immediately, they must take interim measures to ensure that the personal data is made difficult to collect, use, or disclose. This includes implementing measures such as preventing access to the data and applying appropriate security measures to protect the data from unauthorized use or disclosure.

De-identification or Anonymization of Personal Data

In certain circumstances, a data controller may opt to de-identify or anonymize personal data, rather than delete or destroy it. If doing so, the data controller must satisfy the following criteria:

• There must be a structured process to remove or eliminate all direct identifiers linked to the data subject, such as names, identification numbers, personal email addresses, biometric data, and so on.
• Additional measures must be implemented to ensure that this data cannot indirectly identify the data subject.  The risk of identifying the data subject must be sufficiently low in order to prevent the re-identification of personal data with the data subject. The data controller may consider pseudonymizing the data or carrying out any action toward the data, whether in whole or in part, that would result in the risk of a data subject being identified by indirect identifiers (such as date of birth, IP address, age, position, etc.) being reduced.

De-identification or anonymization is not permitted when a data subject exercises their right of erasure specifically because their personal data has been unlawfully processed by the data controller. In such cases, the data must be fully deleted or destroyed to comply with the data subject’s request.

The draft PDPC notification remains open for public feedback until June 28, 2024, and may undergo further revision before being issued and made legally binding.

For more details on this draft PDPC notification, or on any aspect of compliance with the PDPA, please contact Nopparat Lalitkomon at [email protected], Gvavalin Mahakunkitchareon at [email protected], or Wilin Somya at [email protected].