Personal Data Protection Policy
1. Background
The Company is aware of the importance of protecting the personal data of its employees, as contracting parties, and, in its role as a product manufacturer, of all related parties such as business partners and customers. The Company has a clear policy on the collection, storage, retention, use and elimination of personal information in accordance with the measures established under relevant laws.
2. Purpose
- To assure all Business Partners and Stakeholders that the personal data provided to the Company's data controllers is carefully collected, stored and utilized.
- To prevent unauthorized access to personal data without consent from the personal data owners, as well as other actions that may cause damage to the data owners.
- To comply with both domestic and international law.
3. Persons concerned, Definitions, Roles and Responsibilities
3.1 The persons involved in the data protection process consist of 4 groups:
- Data Owners
- Data Controllers
- Data Processors
- Third Parties
3.2 Definitions
- “Personal Data” is data/information about an individual’s identity which can be used to identify that person whether directly or indirectly.
- “Personal Data Owner” is the person who owns that personal data/information and has legal relations with the company.
- “Personal Data Controller” is the person who is responsible for receiving, collecting, utilizing and disclosing Personal Data.
- “Personal Data Processor” is the person who is responsible for Personal Data collection, processing, protection, editing and improvement, as well as for establishing an electronic system for handling the data/information requested by the Data Controller.
- “Personal Data Management Committee” is an executive or supervisor who oversees and supervises personal data controllers and personal data processors to ensure compliance with the regulatory guidelines of the Personal Data Protection Act and other related laws.
3.3 Roles and Responsibilities
3.3.1 The Personal Data/Information Management Committee has the following roles:
- To create appropriate Personal Data Protection guidelines and practices for the Company's business operations in accordance with law and international business standards.
- To ensure that the guidelines and the actions taken under them are practical and concretely carried out according to the Policy.
- To set up an organization that specifies the persons responsible for implementing Personal Data Protection, in order to comply with the guidelines.
- To monitor, develop and improve the guidelines and their processes in order to enhance effectiveness.
3.3.2 The roles of Personal Data controllers are as follows:
- To collect, store, utilize and disclose information for which consent has been received from Personal Data owners, by both hard-copy and electronic methods, under appropriate security measures, and to conduct regular reviews in order to strictly maintain the effectiveness of data control.
- In case the Personal Data controllers need to provide any personal data/information to another person, the Data controllers must have a process in place to prevent that person from misusing or disclosing such personal data/information.
- In order to process any personal data/information, the consent of the Data owner is required, and the Data Controller must notify the Data owner of the conditions and of the Data owner's rights.
3.3.3 The roles of the Personal Data Processor are as follows:
- To create electronic systems for data collection, utilization or disclosure at the Personal Data controllers' request. The Data processor can reject the request if a designated law or court order requires it to do so, or if the request might affect the rights and freedoms of others. In that case the Data Processor shall record the reason for the rejection.
- To establish systems supporting data security, data access and information disclosure, in order to prevent any loss, unauthorized access, utilization, modification or disclosure of Personal Data/information without permission. The Data processor also needs to review those measures when necessary or when there are technology changes.
- In case of any attempt to breach the rights of the data owner through that electronic system, the Data processor must notify the data controller or data owner immediately.
4. Implementation guideline
4.1 Personal Data collection
- To obtain consent from the Personal Data owner explicitly, either in writing or via electronic systems, before collecting, using or disclosing data, unless consent cannot be sought by the above methods. If the Personal Data owner requests to withdraw consent, the Personal Data controllers must be aware of the effects that may result from that withdrawal.
- To inform the Personal Data owner of the purpose of the collection, utilization or disclosure of Personal Data/information, including the data/information storage period.
- To ensure that the Personal Data/information is accurate, current and complete, and that the data will not cause any misunderstanding.
4.2 Retention of Personal Data
- To ensure that data storage is done through highly secured electronic systems. Any person who will access the data/information must have the consent of the data owner, in order to prevent any unauthorized deletion, elimination or access to data.
- The collection of Personal Data/information shall also meet the objective previously communicated to the data owner.
- The collection of Personal Data/information shall not include any sensitive information, such as race, political opinion or information that affects people's feelings, without the consent of the data owner.
4.3 The rights to access Personal Data
- The Data owner has the right to request access to and obtain copies of personal data/information, or to request disclosure of the source of any information obtained without authorization.
- The Data owner has the right to request the change, correction or deletion of personal data/information when the data has changed or incorrect information is found.
4.4 Utilizing or disclosing of Personal Data
- Personal data/information for which consent has already been received from the data owner will be used or disclosed only when necessary in order to comply with a contract to which the personal data owner is a party, or when requested by the data owner within the legal boundary.
- The consent of the personal data/information owner must be obtained prior to transferring Personal Data/information to foreign countries.
- In case a personal data/information breach occurs, whether discovered by the Data controllers themselves or notified by the Data processor, the data controller must notify the committee immediately. In case the breach poses a risk to personal rights and freedoms, the data controller must report the breach, along with the countermeasures taken, to the Personal Data owner.
4.5 Elimination of Personal Data
- When the data is no longer needed for retention purposes.
- When the data has expired, the contract/agreement period has ended, or a request is received from the data owner stating that it is no longer necessary to keep such data/information. The elimination process needs to be secured to prevent any data/information leakage.
- When the data controller has no legal authority to collect, utilize or disclose that
5. Laws, regulations and relevant international standards
- EU: General Data Protection Regulation (GDPR)
- The Organization for Economic Cooperation and Development (OECD)
- Personal Data Protection Act B.E. 2562
- Other laws that contain rules supporting Data Protection
6. Policy review
The Personal Data/Information Management Committee shall review the Personal Data Protection Policy and related guidelines at least once a year, in order to enhance the effective protection of personal data/information, including developing and improving the electronic systems used to protect that personal information.