2026.03.20

PDPA and Hardware Disposal: What Thai Businesses Need to Know

Thailand's PDPA requires documented data destruction when you dispose of hardware. Here is a practical checklist for IT managers handling device decommissioning.

PDPA Applies to Hardware Disposal

Most Thai businesses understand that PDPA governs how they collect and store personal data. Fewer realise that it also covers what happens when that data reaches end of life. If your organisation disposes of hardware without documenting data destruction, you are exposed to PDPA liability.

The Key Requirements

  • Personal data must be destroyed or anonymised when no longer needed
  • Destruction must be documented with an auditable trail
  • The organisation remains liable until destruction is confirmed
  • Penalties: up to ฿5 million administrative fine

Practical Checklist for IT Managers

  1. Inventory all devices being decommissioned (serial numbers, types, locations)
  2. Classify which devices stored personal data
  3. Choose a destruction method: certified wipe or physical destruction
  4. Obtain a Certificate of Data Destruction per device
  5. Retain certificates for your compliance records
  6. Document the process in your data protection policy

Common Mistakes

Formatting drives and calling it done. Formatting does not overwrite data and does not meet PDPA standards.

Donating old equipment without wiping. Good intentions, but your liability follows the data on the device.

No documentation. Without a certificate, you have no proof that data was destroyed.
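The checklist and the mistakes above can be checked mechanically by reconciling the decommission inventory against the destruction certificates received. The following is an added example, not part of the original article; the CSV column names, method labels, serial numbers and certificate IDs are constructed assumptions.

```python
import csv
import io

# Constructed sample data; column names and method labels are assumptions.
INVENTORY_CSV = """serial,type,location,personal_data
SN-A001,laptop,Bangkok HQ,yes
SN-A002,laptop,Bangkok HQ,yes
SN-A003,switch,Bangkok HQ,no
SN-A004,server,Chiang Mai,yes
SN-A005,desktop,Chiang Mai,yes
"""

CERTIFICATES_CSV = """serial,method,certificate_id
SN-A001,certified_wipe,CERT-0001
SN-A002,format,CERT-0002
SN-A004,physical_destruction,
SN-Z999,certified_wipe,CERT-0003
"""

# Step 3 of the checklist allows exactly these two methods.
ACCEPTED_METHODS = {"certified_wipe", "physical_destruction"}


def audit(inventory_csv, certificates_csv):
    """Return {serial: finding} for every gap in the destruction trail."""
    inventory = {r["serial"].strip(): r for r in csv.DictReader(io.StringIO(inventory_csv))}
    certs = {r["serial"].strip(): r for r in csv.DictReader(io.StringIO(certificates_csv))}
    findings = {}
    for serial, device in inventory.items():
        if device["personal_data"].strip().lower() != "yes":
            continue  # classified as holding no personal data (step 2)
        cert = certs.get(serial)
        if cert is None:
            findings[serial] = "no certificate on file"
        elif cert["method"].strip().lower() not in ACCEPTED_METHODS:
            findings[serial] = f"method '{cert['method']}' is not a certified wipe or physical destruction"
        elif not cert["certificate_id"].strip():
            findings[serial] = "destruction recorded but certificate ID missing"
    # Certificates for serials never inventoried point to a gap in step 1.
    for serial in certs.keys() - inventory.keys():
        findings[serial] = "certificate for a device not in the inventory"
    return findings


if __name__ == "__main__":
    for serial, finding in sorted(audit(INVENTORY_CSV, CERTIFICATES_CSV).items()):
        print(f"{serial}: {finding}")
```

An empty result means every device classified as holding personal data has a certificate with an accepted method and a certificate ID.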
