On Jun. 14, Thai DPC proposed criteria about deleting personal data.
Thai DPC sought feedback on its draft notification regarding the criteria for deleting, destroying or making personal data unidentifiable as regards the owner of that data.
Relates to personal data controllers; personal data processors; personal data owners.
Follows Thai DPC Dec. 2023 issued rules for personal data controllers, see #201648.
Document dated Jun. 14, 2024, was received on Jul. 4, 2024 due to a new feed.
Draft Notification
This proposal provides the criteria for erasing, destroying, or alternatively anonymizing personal data, so that the owner of the personal data cannot be identified.
It outlines organizational measures and technical measures, which may include necessary physical measures as well; contains measures re risk of re-identification.
The proposal also specifies requirements on responding to a deletion/destruction/de-identification request from an individual and 60-day window/timing re the same.
It includes measures re cases where the data controller is unable to process a request.
The draft stipulates the notification will come into effect on the day after its gazettal.
Effectiveness
The comment period for this consultation closes on Jun. 28, 2024.
Aug. 2024 Finalized Notification
On Aug. 15, 2024, Thai DPC published a notification on the criteria for deleting, destroying or anonymizing personal data, to implement the proposals detailed above.
Section 2 provides that the notification shall be effective after ninety days from Aug. 13, 2024, which was the date of announcement in the Government Gazette.
Document dated Aug. 15, 2024, was added on Aug. 29, 2024 due to editorial backfill.