Key Compliance Requirements for Data Deletion and Anonymization in Thailand: What Companies Need to Know from the Latest Personal Data Protection Guidelines

Leo Watanabe

August 16, 2024

The Personal Data Protection Authority has set forth the criteria and obligations related to the deletion, destruction, or anonymization of personal data in the Royal Gazette.

The regulation addresses how personal data controllers must handle requests from data owners to delete, destroy, or make data non-identifiable. Such requests must be completed within 90 days, and the data, including copies or backups, must be completely irrecoverable. Where data remains accessible, data controllers are responsible for taking appropriate organizational and technical measures to prevent unauthorized access or re-identification.

Key considerations include:


  1. Timely Action: Controllers must act without delay and ensure that the required actions are completed within 90 days from the request.

  2. Complete Erasure: This includes addressing copies and backups of the data.

  3. Technical Constraints: Appropriate security measures must be applied for data in electronic form temporarily awaiting overwriting.

  4. Organizational Measures: Controls must be in place to secure the data until complete deletion is possible.

  5. Transparency: Data controllers must inform data owners of any alternate measures taken (e.g., anonymization instead of deletion) and the reasons for these actions.


The announcement also emphasizes that anonymization must address both direct and indirect identifiers to minimize re-identification risks:


  • Erasing Direct Identifiers: Removing data like names, ID numbers, and biometric data.

  • Mitigating Indirect Identifiers: Implementing measures like pseudonymization to prevent identification through related data, such as job titles, addresses, or IP addresses.


Special provisions will apply if data cannot be erased due to legal or other critical reasons:


  1. Transparency of Justification: Controllers must communicate the reasons to the data owner.

  2. Minimal Risk: Controllers must ensure that, even if the data remains, it cannot be used or disclosed in a manner that could impact the data owner.


Data controllers are responsible for having inspection systems in place for compliance monitoring. The Personal Data Protection Committee holds the enforcement authority over this regulation.


Source: Royal Gazette

