"The Right to Erasure", also known as "The Right to be Forgotten", allows individuals, as the data subjects, to request the removal of their personal data from storage or possession of the data controller, including both individuals or organizations. This can be achieved through deletion, destruction, or anonymization of the data, when the data subject no longer wishes their personal information to be used.
The right to erasure was initially recognised in the European Union's General Data Protection Regulation ("GDPR"), which is considered the foundational legislation that established recognition of the right to data erasure. According to Article 17 of the GDPR, individuals in the European Union (EU) are entitled to request that data controllers delete their personal data when qualifying circumstances set by law are met. Such erasure obligation encompasses not only direct personal data but also extends to other related data that may identify the data subject, such as hyperlinks published on public websites or copies of that personal data.
The Personal Data Protection Act B.E. 2562 (2019) ("PDPA"), Thailand's personal data protection legislation, has adopted various provisions from the GDPR, resulting in many similarities between the PDPA and GDPR provisions.
The provisions regarding the data subject's right to erasure appear in Section 33 of the Personal Data Protection Act, which specifies the circumstances under which data subjects can exercise their right to erasure, as follows:
1) When the personal data is no longer necessary to the purposes for which it was processed;
2) When the data subject withdraws consent on which the data processing is based, and where the data controller has no legal ground for continuing to process;
3) When the data subject objects to the processing of personal data for a public task or legitimate interest, and the data controller cannot reject such a request;
4) When the data subject objects to data processing for direct marketing purposes; and
5) When the personal data has been unlawfully processed.
Although the PDPA grants data subjects the right to request erasure of their personal data, the law also specifies exemptions where data controllers are not required to delete data despite receiving a deletion request, including:
1) Data processing to exercise freedom of expression;
2) Data processing for historical documentation, research, and statistics;
3) Data processing for a public interest or public task;
4) Data processing to comply with laws to achieve objectives related to preventive medicine or occupational medicine, medical diagnosis and treatment;
5) Data processing to comply with laws to achieve objectives related to public health interests; and
6) Data processing for legal claims or to comply with laws.
However, if the data controller fails to act on or declines a request to exercise the right to erasure without lawful justification, the data subject can file a complaint with the Expert Committee, Office of the Personal Data Protection Commission.
Providing channels for data subjects to exercise their rights and effectively handling such requests are essential responsibilities of data controllers. It is crucial to carefully assess and justify any denial of a rights request. If your organization has questions regarding data subject rights, Athentic Consulting Co., Ltd. has experts ready to provide guidance and support to ensure your organization remains fully compliant with personal data protection laws.
