On 13 June 2024, the Personal Data Protection Committee (PDPC) opened a public consultation on the draft Criteria for Deletion or Destruction of Personal Data, or Making Personal Data Unidentifiable, until 27 June 2024. The draft aims to establish guidelines for data controllers on how to handle requests from data subjects to delete, destroy, or anonymize their personal data in compliance with Section 33 of the Personal Data Protection Act B.E. 2562 (2019). In particular, the data controllers are required to comply within 60 days of receiving a request from a data subject, ensuring that the data cannot be recovered or re-identified. The obligation includes all copies and backups of the personal data. If immediate action is not possible due to technical reasons, data controllers must implement appropriate measures to make the data difficult to access, use, or disclose, considering technological factors, context, and accepted standards. Data controllers must also ensure that no one can access or disclose the data, maintain data security measures according to the risk level, and notify the data subject upon fulfilling their request or provide reasons if unable to comply. Permanent deletion or anonymization must occur as soon as feasible within 60 days.
Original source