On 14 June 2024, the Personal Data Protection Committee (“PDPC”) in Thailand released a draft notification for public consultation on criteria for deletion or destruction of personal data or de-identifying personal data.
2024 年 6 月 14 日,泰國個人資料保護委員會(“PDPC”)發布關於刪除或銷毀個人資料或去識別個人資料的標準的公眾諮詢通知草案。
The PDPC said that the draft notification is set to clarify the criteria for the application of Section 33 of Thai Personal Data Protection Act 2019 (PDPA) regarding the right to request that the data controller to delete, destroy, or de-identify personal data. Data subject can request data controller to delete, destroy, or de-identify his/her personal data in any of the following circumstances:
PDPC 表示,該通知草案旨在澄清《2019 年泰國個人資料保護法》(PDPA) 第 33 條關於要求資料控制者刪除、銷毀或去識別個人資料的權利的適用標準。如有下列情形之一,資料主體可以請求資料控制者刪除、銷毀或去識別化其個人資料:
Ø the personal data is no longer necessary for the purposes for which it was collected, used, or disclosed;
個人資料不再需要用於其收集、使用或揭露的目的;
Ø the data subject has withdrawn the consent for the processing of the personal data, and no other lawful basis for processing remains;
資料主體已撤回對個人資料處理的同意,且不存在其他合法的處理依據;
Ø the data subject has objected to the processing of his/her personal data on grounds of legitimate interests or official tasks, the data controller has no other compelling grounds to refuse the request, and the data is not needed for legal claims;
資料主體以合法利益或官方任務為由反對處理其個人資料,資料控制者沒有其他令人信服的理由拒絕該請求,且該資料不需要用於法律索賠;
Ø the data subject objects to the processing of his/her personal data for direct marketing purposes;
資料主體反對為直接行銷目的處理其個人資料;
Ø the processing of personal data is unlawful.
個人資料的處理是非法的。
The request to delete, destroy, or de-identify personal data must be processed without delay but not later than 60 days from the date of receipt of the request which must be carried out to cover copies or backups of personal data (if any). It must be ensured that no one can do so. By any means that could reasonably be expected to restore personal information or reverse it. Be able to identify the person who owns personal data, whether directly or indirectly. If the data controller cannot fulfill the request immediately, the controller must put in place in organizational, technical, and physical measures to ensure that the personal information:
刪除、銷毀或去識別個人資料的請求必須立即處理,但不得遲於收到請求之日起 60 天,必須執行該請求以涵蓋副本或個人資料(如果有)的備份必須進行,並且必須確保沒有人可以這樣做。以任何可以合理預期的方式。透過任何可以合理預期恢復或逆轉個人資訊的方式。能夠識別直接或間接擁有個人資料的人。如果資料控制者無法立即滿足請求,控制者必須採取組織、技術和實體措施,以確保個人資訊:
Ø will not be accessed, used, or disclosed by the data controller or anyone else, even if it is still available;
不會被資料控制者或任何其他人存取、使用或揭露,即使它仍然可用;
Ø cannot be used by the data controller to provide services, influence decisions, or take any action regarding the owner of the personal data;
資料控制者不能使用該資訊來提供服務、影響決策或對個人資料所有者採取任何行動;
Ø is protected appropriately according to the level of risk;
依風險程度進行適當的保護;
Ø if deletion, destruction, or de-identification is not possible due to technical reasons, the data controller must justify and document these reasons. For example, in the case of deletion or destruction or make personal data non-identifiable to the owner, personal information is available. It may have a similar negative impact on the personal data of others.
若因技術原因無法刪除、銷毀或去識別化,資料控制者必須證明並記錄這些原因。例如,在刪除或銷毀個人資料或使個人資料無法被所有者識別的情況,個人資訊可用。這可能會對他人的個人資料產生類似的負面影響。
In certain conditions, data controller may choose to de-identify or anonymize personal data, rather than delete or destroy it. The data controller must satisfy the following criteria:
在某些情況下,資料控制者可以選擇對個人資料進行去識別化或匿名化,而不是刪除或銷毀它。資料控制者必須符合以下標準:
Ø erase any direct identifiers of the owner of personal data, including name, national identification numbers, telephone number, pictures, biometric data and any other information that is personal to an individual and allows them to be identified;
刪除個人資料所有者的任何直接標識符,包括姓名、身分證號碼、電話號碼、圖片、生物識別數據和任何其他屬於個人且可識別其身份的資訊;
Ø ensure that the owner of personal data cannot be re-identified by keeping the information at a low level, using pseudonymization, or providing indirect identifiers;
確保個人資料的擁有者無法透過將資訊保持在較低水準、使用假名或提供間接識別碼來重新識別;
Ø consider the technological factors, context, environment, and the nature or type of personal information concerned.
考慮技術因素、背景、環境以及相關個人資訊的性質或類型。
The draft notification also confirmed that the data controllers cannot legally refuse deletion, destruction, or de-identification requests and must notify the owner of the personal data that the request has been carried out.
通知草案還確認,資料控制者不能合法地拒絕刪除、銷毀或去識別化請求,並且必須通知個人資料所有者該請求已被執行。
Comments