On 31 July 2024, the Personal Data Protection Committee (“PDPC”) issued the Notification to clarify the responsibilities of Data Controllers. The Data Subjects have the right to request that the Data Controller delete or destroy their personal data, including copies that it can no longer identify the Data Subject. The Data Controller shall comply with the request of the Data Subject request within 90 days.
If the immediate deletion or destruction of personal data is not feasible due to any technical reason. For example, when electronic personal data is temporarily stored pending overwriting or replacement by other data, the Data Controller is required to implement appropriate measures to make the data inaccessible, unusable, or undisclosable. Nevertheless, once the Data Controller or the Data Processor is capable of deleting, destroying, or anonymizing the Personal Data such that it no longer identifies the individual, the Data Controller or the Data Processor shall execute this action without undue delay.
When anonymizing personal data or making it unidentifiable to the Data Subject, the Data Controller is required to remove or erase all direct identifiers, including first names, middle names, last names, national ID numbers, passport numbers, and any other identifiable information.
Subsequently, further measures shall be taken to ensure that the data cannot be indirectly linked to the Data Subject, thereby preventing re-identification. This may involve the process of pseudonymization to reduce the risk of the data being traced back to the individual.