Personal Data refers to personal information that, directly or indirectly, is able to identify the data subject, but the information of the deceased is excluded.
Sensitive Personal Data refers to, under Section 26 of the PDPA, Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual orientation, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner.
Data Processing refers to the collection, use, or disclosure of the Personal Data.
Under the PDPA, the Company statutorily collects the Personal Data as necessary, within the relevant company’s objectives and scope only. In regard, the Company makes the data subject aware of and consent such in writing or electronically, in accordance with the requirements of the PDPA, subject to PDPA with regard to the collection of the Personal Data.
4.1 Types of Personal Data to be Collected
The types of personal data that may be collected by the Company are under the characteristics of the activities, locations and method of collection, which may include the followings: (1) the identifiable Personal Data such as name, surname, photograph, identification card number, passport number, driver’s license number, date of birth, occupation, position, name of workplace, nationality, gender, marital status, vehicle license plate, CCTV footage of the area under the Company’s control, username and password in the system; (2) the Sensitive Personal Data defined in clause 3.; (3) personal contact information i.e. home address or work place, phone number,E-mail, or social applications such as LINE, Whatsapp, or Facebook; (4) personal financial information such as bank accounts details or personal income tax information; (5) employment information such as job interviews, performance appraisals, positions, salaries, employment benefits, social security, provident fund; (6) other information i.e. technical information from the usage of the Company’s websites or applications, activity usage and access to Log files, IP address, Cookies.
4.2 Source of Personal Data Collection
Basically, the Company collects the Personal Data directly from the data subject. Nevertheless, the Company may collect the Personal Data from other sources, rather than directly from the data, i.e.:
(1) public sources;
(2) share or securities registrar;
(3) any communication method, either face-to-face or via any communication tools;
(4) related persons of the data subject.
If, however, the Company has to collect the Personal Data from other sources, it will do so in compliance with the PDPA.
The Company collects, uses or discloses the Personal Data for the following purposes:
The Company collects, uses, discloses and processes the Personal Data upon the prior or simultaneously express consent of the data subject in writing, or via electronic means, save it is not possible to obtain the consent accordingly. In the case that the Company collects, uses, or discloses the Sensitive Personal Data, it will obtain an explicit consent from the data subject, unless otherwise specified by laws. The consent of the data subject refers to the data subject’s consent to the Company to collect, use, disclose, or keep the Personal Data of the data subject by any person residing or juristic persons locating, either domestically or internationally as herein stated, unless otherwise specified by laws.
The consent of the Personal Data is a voluntary action of the data subject. The data subject may object to a consent requested by the Company. As a result, such objection may cause unable to enter into an agreement, obligation, or to give welfare, to grant to or accept any products or services from, the data subject, to proceed with the data subject’s requests, or to perform any contractual obligations, terms and conditions.
The Company will neither use nor disclose the Personal Data to a third party without the data subject’s consent. The Personal Data is disclosed for the purpose(s) the data subject has been informed prior to or at the time of collecting such Personal Data, unless exempted by the PDPA, or statutorily required to disclosure. However, for the purpose of the Company’s operations and rendering of services to the data subject, the Company may disclose the Personal Data of the data subject, in and outside the country, to the following person:
(1) shareholders or stakeholders;
(2) parties to the contracts, subcontractors, or service providers related to the operation of the Company;
(3) any person consented by the data subject to use or be disclosed the data subject’s Personal Data;
(4) person or government agency according to the law, or by the court order, or any other competent authority.
In addition, the Company procures that the above mentioned person treats the Personal Data as confidential and will not use it for any other purposes than stipulated herein.
The Company establishes the Personal Data collection, use or disclosure measures, as well as the security measures, which are in accordance with the PDPA, related regulations and guidelines, with which the Company’s employees and other related person have to comply so that the protection of Personal Data is efficient and of security standard required by laws. The standard of security measures is the compliance to the Personal Data Protection Act, regulations, rules, laws, and practices on the protection of data for the Company employees and related persons. In order to provide an effective and safe protection of personal data in accordance with the legal standards.
The Company will retain the Personal Data only for the necessary duration, and will collect, use and disclose the Personal Data, as defined in this Policy, in accordance with the duration criteria, namely the period during which the data subject is still related to the Company, and may still retain the Personal Data as required for the purpose of statutory compliance or as per legal prescription, for the establishment of legal claims, legal compliance or exercise of legal claims, or defense of legal claims, or for other purposes in accordance with policies and the internal regulations of the Company.
If it is not possible to specify the Personal Data retention period, the Company will retain the Personal Data as may be expected per data retention standards (such as the longest legal prescription of 10 years).
The data subject has the following rights under the laws:
(1) The right to access, request a copy, or request of disclosure on unconsented data;
(2) The right to correct the Personal Data;
(3) The right to request for deletion, destroying, or anonymization of the Personal Data;
(4) The right to withdraw the consent;
(5) The right to obtain or transfer the Personal Data;
(6) The right to request the suspension of the use of Personal Data;
(7) The right to object to the collection, use, or disclosure of the Personal Data;
(8) The right to complain to official or the regulatory authority for the protection of the Personal Data.
The request of any rights shall neither affect the processing of Personal Data for which the data subject has lawfully consented, nor violate any statutory requirements to be complied by the Company.
In case the data subject has any questions about the Personal Data Protection Policy, or wishes to exercise the rights as specified in Section 11, please contact [email protected].
The Company may review and update the Personal Data Protection Policy for the purpose of compliance with the applicable laws and regulations, and any comments or suggestions from any agencies, including personal data protection practices, and for the development of the Company’s Personal Data protection procedures, which should be in accordance with the change of operations and technology to provide effective security measures. In this respect, the Company will announce any changes in advance.
This Policy is effective from 17th May, 2022 onwards.
Date of Announcement: 17th May, 2022.