
PERSONAL DATA PROTECTION

1. Objective
  • To set guidelines for the management of personal data according to the Personal Data Protection Act B.E. 2562.
  • To define the roles and responsibilities of those involved in the collection of personal data.
  • To establish the hierarchy of confidentiality and security of personal data.
  • To determine the methods of storage, use, transmission and surveillance of personal information, and of notification if an adverse event occurs in its handling.
  • To determine the liability and penalties associated with non-compliance with the law.
  • To establish guidelines for implementing personal data protection, so that all personnel and those who work with the Company acknowledge, understand and strictly comply with this policy. If employees or personnel of the Company fail to comply with the terms and guidelines for the protection of personal data, this is a violation of the policy on important matters relating to employment with the Company, and the Company reserves the right to further consider punishing such persons as appropriate.
2. Scope
  • This document is applicable to TSTE Public Company Limited and its affiliates.
  • This Policy shall apply to the business operations and activities of the Company, including the Company's operations as an employer. This policy will be used as a guideline for the collection, use and disclosure of all types of personal data, whether in the form of a document or stored in electronic format.
3. Definition & Meaning

Unless clearly stated otherwise, the following words or phrases mentioned or specified in this policy shall have the following meanings:

  • Committed to development, with a high standard that meets the needs of customers using modern and efficient technology. There is a product quality inspection system.
  • Organize a system that allows customers to complain about defects and dissatisfaction with the service and to offer helpful suggestions, for swift response to customers.
  • Strictly abide by the conditions agreed with customers. In the event that the conditions cannot be complied with, the customers must be notified immediately and a solution to the problem found jointly. This includes preparing a customer satisfaction assessment form in order to improve and further develop the service.
  • Provide service news to customers with accuracy and fairness, without distorting any facts.
  • Emphasize that customer information is not to be disseminated or used to the advantage of oneself or related parties in any case.
4. Management Framework

For the protection of personal information, in addition to complying with the Personal Data Protection Act B.E. 2562 and the Computer Crime Act B.E. 2550 and B.E. 2560, the Company also applies the ISO 9001 quality management guidelines in its management.

4.1 The management system
  • Planning (Plan), or setting a framework for management (Identify), by assessing the potential risks associated with the personal data collected, the computer systems and the related assets of the organization.
  • Action (Do), or protection (Protect), by taking control of the system and related equipment.
  • Practice and follow-up (Check), or Detect, Respond, Recover: inspection and surveillance, with measures to deal with incidents and measures to recover from damage caused by threats.
  • Continuous action (Act), to ensure that the quality system continues to operate and to maintain service efficiency.
4.2 Breach of Personal Data

There are three types of personal data breaches:

  • Breach of confidentiality of information (Confidentiality Breach): disclosure of or unauthorized access to personal data without permission from the data owner.
  • Violation of the integrity of data (Integrity Breach): changing personal data.
  • Violation of the availability of information (Availability Breach): making personal information unavailable, data corruption, or destruction of personal data that is not in accordance with the law.
4.3 Controlling and securing personal information

Personal data is stored in two forms: electronic, and printed documents or copies of the original (hardcopy), with the following controls:

  • Controlling access to personal information: provide controls for access to the personal data collected by following access control policies, to prevent unauthorized access to information.
  • Data security: data security management takes the following actions to manage data in each data state.
5. Classification of personal data confidentiality

Because personal information is important and requires proper management, personal data is categorized as “Confidential” and must be handled and managed according to the Data Classification Policy.

6. Guidelines for the protection of personal data
6.1 Set up a data controller (Data Protection Office)

The office is responsible for controlling the operations of the group of companies and has a duty to supervise the Personal Data Protection Policy and operating framework. The agency has the following duties:

  • Prepare guidelines and supervision policies for the protection of personal data, to be presented to and signed for approval by an authorized person and announced throughout the organization.
  • Assign a "Data Protection Officer" (DPO) to be responsible for management in accordance with this policy. It can be specified which operations of the group of companies make the Company and its related persons a "data controller" according to the law.
  • It can be specified which actions of the group of companies make the Company and its related persons a "data processor", which will have the responsibility of handling the data in accordance with this policy.
  • Consider the organization's information to determine the "Personal Data" that must be processed under the laws or regulations in force. Define a framework for governance and data management at the organization level (Data Governance, Data Management, Data Protection).
  • Define a risk management framework, risk assessment and personal data protection impact assessment (Privacy/Data Protection Impact Assessment, Risk Assessment).
  • Clearly define the responsible person for each business process (Business Owner) and the Data Owner.
  • Prepare practice procedures and a Personal Data Protection Practice Manual, and announce them for use within the organization.
  • Provide awareness raising and enhance knowledge for operators.
  • Enhance knowledge for those assigned as "Data Protection Officer" and for related workers according to the Privacy Data Protection framework.
  • Establish a framework for coordinating with government regulators and other cooperating agencies involved now and in the future.
6.2 Personal Information

Because of the wide variety of information collected, use the following guidelines in determining what information is personal information.

  • Personally identifiable information, whether posted or requested, including (but not limited to):
      - identification numbers: social security number, passport number or test number
      - a government-issued identification card
      - a student identification card showing at least two of the following: (1) name, (2) picture, or (3) national ID number
      - digital identity, including passwords
  • Medical, psychological, biometric or genetic history or documents of another person.
  • Personally identifiable information via external links.
  • Financial information of an organization or business.
  • Personal financial information (own or others'), as follows:
      - bank account and/or credit card information
      - financial records along with account information
  • The following personal contact information:
      - personal phone number or email
      - email, messenger and identity information
  • The above information can be used for charitable purposes, non-infringing services or to assist in finding lost persons or animals, except in the case of news-based content or content purported or confirmed to be from an infringing source, whether the affected person is a public or private person.
  • A person's name and documents indicating personal information. This includes:
      - driver's license, state-issued ID other than a driver's license, green card or immigration document
      - marriage certificate, birth certificate and name change certificate
      - digital identity, including passwords
      - vehicle registration
  • A private residence, if it meets the following conditions:
      - the residence is a detached house or has a house number shown in the caption
      - the city or neighborhood is stated
      - the resident is named or represented
      - the residents object to the disclosure of the private housing
7. Rights and exercise of rights of personal data subjects
7.1 Personal Data Ownership

The subject of personal data has rights protected under the Personal Data Protection Act B.E. 2562 as follows:

7.1.1 Right to withdraw consent
In the event that the Company has requested and received consent from the data subject to collect, use or disclose that person's personal data for purposes that require consent, the owner of personal data has the right to withdraw consent to the Company's use of such data at any time by notifying the Company of that intention in writing. When the Company receives the notification of the intention to exercise the right to withdraw consent, the Company will immediately stop using such personal data.

7.1.2 Right to request access to and receive a copy of the data subject's personal data stored by the Company
The data subject has the right to request access to and obtain a copy of the data subject's personal data that the Company keeps, in accordance with the rules prescribed by the Personal Data Protection Committee. When the Company receives the notification of the intention to exercise such rights from the personal data owner, the Company will consider the request and take appropriate action within a period of not more than 30 days from the date of receipt of the request. However, the Company reserves the right to refuse the data subject's request to exercise such rights if the refusal is under the law or a court order, and accessing and obtaining copies of the personal data would have an impact that may cause damage to the rights and liberties of other persons.

7.1.3 Right to request disclosure of the acquisition of personal data that the Company receives from other sources
In the event that the Company receives the personal data of the data subject from sources other than the data subject directly, and the Company will use such information, the Company will notify the data subject within 30 days from the date of receipt of such personal data (unless the law exempts it from notification). The data subject may inquire and ask the Company to disclose the source of the data subject's personal data.

7.1.4 Right to request that the Company transfer or forward the data subject's information to another personal data controller
This right applies where the Company updates the data subject's personal data into a format that can be read or used by automatically operating devices and that can be forwarded by automatic means. Transfer of personal data under this clause refers to the case where the data subject's information is stored electronically and forwarding can be done through electronic devices that can only read information contained in electronic form. It does not include having the Company act as a courier or send the data subject's data in other formats.
When the Company receives the notification of the intention to exercise such rights from the data subject, the Company will consider the request and take appropriate action within not more than 30 days from the date of receipt of the request. However, the Company reserves the right to refuse the data subject's request to exercise such rights if the exercise of such rights may cause damage to the rights and liberties of other persons.

7.1.5 Right to object to the collection and use of the data subject's personal information
The subject of personal data has the right to object to the collection and use of the data subject's personal information in the following cases, by notifying the Company in writing:
  7.1.5.1 The collection of personal data is exempt from the need for consent as it is necessary for the legitimate interests of the Company or of other legal entities that are not data controllers (unless such benefits take precedence over the fundamental rights of the personal data subject).
  7.1.5.2 The collection, use or disclosure of personal data is for direct marketing purposes.
When the Company has been notified by the data subject of the intention to exercise the right, the Company will immediately separate the data subject's data from other information. However, the Company reserves the right to refuse the data subject's request to exercise the right in the event that the Company can prove that the collection of personal data is exempt from the need for consent because it is necessary for the legitimate interests of the Company, that there is a more important legitimate reason, or that it is for the establishment of legal claims, compliance with or exercise of legal claims, or defence against legal claims.

7.1.6 Right to request the Company to destroy the personal data that the data subject previously provided to the Company, or to anonymize it so that it becomes non-personally identifiable
The personal data subject can request the Company to destroy the data subject's personal data and/or make the personal data that the data subject has provided unable to identify the owner of the personal data, in the following cases:
  7.1.6.1 When it is no longer necessary to keep the personal data for the purpose
  7.1.6.2 When it is no longer necessary to keep the personal data for the purpose
  7.1.6.3 When the owner of personal data exercises the right to object to the collection, use or disclosure of the data, and the Company has no reason to refuse the request; or
  7.1.6.4 When the personal data is collected, used or disclosed unlawfully.
When the Company receives a notification of the intention to exercise such rights from the personal data owner, the Company will consider the request and take appropriate action within a period of not more than 30 days from the date of receipt of the request. However, the Company reserves the right to reject the data subject's request to exercise such rights if the Company has the necessity and the legal right to refuse such a request.

7.1.7 Right to request the Company to suspend the use of personal data.
The owner of the personal information can immediately notify the Company to suspend the use of the owner's information, by notifying the Company in writing, in the following cases:
  7.1.7.1 When the personal data controller is in the process of verifying, completing or updating that personal information to be up to date upon the request of the owner of the personal information.
  7.1.7.2 When the personal data may be deleted or destroyed, but the owner of the personal data requests suspension of the use of that personal data instead of deleting or destroying it.
  7.1.7.3 When the personal data is no longer needed for the purpose of collection, but the owner of the personal data needs to request that it be retained for use in establishing legal claims, complying with or exercising legal claims, or defending against legal claims; or
  7.1.7.4 When the Company is in the process of exercising the right to object to the collection, use or disclosure of personal data of the data subject.

7.1.8 Right to request the Company to update the data subject's data so that it is correct, complete and meets current conditions
In case of any change to the personal information that the owner of the personal information has provided to the Company or that the Company has collected, and if it is still within the period of personal data storage specified in the summary chart on personal data collection and data flow (Data Mapping), the subject of personal data can notify the Company at any time to correct and update the data subject's information.

7.1.9 Right to file a complaint in case of violation of the provisions of the Personal Data Protection Act B.E. 2562
In the event that the data subject finds that the Company and/or its employees have taken any action that violates or does not comply with the Personal Data Protection Act B.E., as the details appear in clause 17 of this policy.

7.2 Exercising rights of personal data subjects

In the event that the data subject wishes to exercise any of the rights shown in clause 7.1 above, the owner of the personal data can contact the Company at any time to give notice of that intention, using the contact methods convenient for the personal data subject that are specified in Article 17 of this Policy.

8. Collection of Personal Information
8.1 Collection of Personal Information

Whenever it collects personal information, the Company will operate in accordance with the following principles and guidelines.
8.1.1 The Company will collect personal data as necessary for legitimate purposes, and only according to the purposes that have been notified to the owner of the personal data before or during the collection of personal data.

8.1.2 Before collecting, using or disclosing personal data, the Company will consider and assess the following:
         8.1.2.1 Whether the personal data that needs to be collected, used or disclosed is necessary for collection, use or disclosure according to the main objectives of the business operation; and
         8.1.2.2 Whether the collection, use or disclosure of the personal data is for purposes for which the law permits collection, use or disclosure without obtaining consent, or whether consent is required before or while collecting.

8.1.3 When collecting personal data from personal data subjects for the first time, the Company must always notify them of the following details:
         8.1.3.1 Purpose of collecting personal data for use or disclosure
         8.1.3.2 Reasons and necessity for obtaining personal data, including the possible consequences of not providing personal information.
         8.1.3.3 Personal data to be collected and period of collection
         8.1.3.4 The categories of persons or entities to whom the collected information may be disclosed.
         8.1.3.5 Information about the Company as a data controller, its place of contact and how to contact it; and, in the event that a Personal Data Protection Officer is required, where and how to contact the Personal Data Protection Officer.
         8.1.3.6 Rights of personal data subjects, as shown in detail in Article 7 of this policy.

8.1.4 In the event that the Company will use the personal data of the data subject for purposes other than those notified to the owner of the personal information, the Company must always notify the data subject of the objectives and obtain consent before collecting data, unless it is permitted by law.

8.2 Method of collecting personal information

8.2.1 Collection of personal data without the consent of the data subject before or while collecting personal data
(1) For personal information that is not sensitive personal information and which the Company needs to use or disclose for the purposes described below, the Company can collect such personal data without consent.
(a) It is necessary for the performance of a contract to which the data subject is a party, or for the processing of the data subject's request before entering into the contract;
(b) It is necessary for the performance of duties and for taking any action according to the orders of government officials or as required by law;
(c) It is necessary for the legitimate interests of the Company as a data controller, or of a natural person or juristic person who is not a data controller, unless such interests are less important than fundamental rights in the data; or
(d) Compliance with the law by the Company.
(2) For sensitive personal information which the Company needs to use or disclose for the purposes described below, the Company may collect such sensitive personal data without consent.
(a) To prevent or suppress a danger to the life, body or health of an individual where the personal data subject is unable to give consent, for whatever reason;
(b) It is a legitimate activity, with appropriate protection, of a foundation, association or trade union for its members, former members or those who have regular contact with that foundation or association, without disclosing such personal information outside the foundation or association;
(c) The information is publicly available with the explicit consent of the data subject;
(d) It is necessary for the establishment of legal claims, compliance with or exercise of legal claims, or defence against legal claims;
(e) It is necessary to comply with the law in order to achieve the objectives relating to:
1. Preventive medicine or occupational medicine, assessment of employees' ability to work, medical diagnosis, provision of health or social services, medical treatment, health management, or systems and provision of social welfare services; provided that, where it is not a practice under the law and the personal data is the responsibility of a professional or a person who has a duty to keep that personal information confidential according to the law, it must be in accordance with the contract between the owner of the personal information and a medical professional.
2. Public health benefits, such as health protection from dangerous communicable diseases or epidemics that may be transmitted or spread into the Kingdom, or the control of the standards or quality of medicines, medical supplies or medical devices, for which appropriate and specific measures have been provided to protect the rights and freedoms of the owner of personal data, especially the confidentiality of personal data according to duties or professional ethics.
3. Labor protection, social security, national health insurance, welfare relating to medical treatment of persons with legal rights, protection of victims of car accidents, or social protection, for which the collection of personal data is necessary for the performance of the rights or duties of the data controller or the owner of personal data, with appropriate measures provided to protect the fundamental rights and benefits of personal data subjects.
4. Scientific research, historical studies, statistics or other public interests, only as necessary and with appropriate measures provided to protect the fundamental rights and benefits of personal data subjects; or
5. Significant public benefits, with appropriate measures put in place to protect the fundamental rights and interests of the data subjects.

8.2.2 Consent and collection of personal data requiring consent
In the event that the personal information that the Company will collect is for use for a purpose that is not exempt from the need for consent as set forth in clause 8.2.1 above, the Company must first obtain the explicit consent of the subject of personal data, in accordance with the following methods (except where consent cannot be obtained by such methods).
(1) Collecting information in document form
In the case of collecting information in document form, the Company will use the consent document to obtain consent from the data subject.

(2) Electronic data collection
In the case of collecting information in electronic form, the Company will use the consent documents to request consent. When requesting that consent, in the event that the Company requires the data subject to press accept to give consent, the Company will never pre-set a check mark in the box that the owner of personal data must press to confirm or accept any conditions (No Default Setting on Check-Box). The consent must come from the owner of the personal data being free to choose and to consent to the provision of their personal data to the Company, and the Company will not make the storing of unnecessary data a condition of the Company's service.
Cookies: the Company's website may use cookies in some cases. Cookies are small data files that store information and are exchanged between the data subject's computer and our website. The Company uses cookies only to store information that may be useful to the data subject the next time the data subject visits the Company's website. If the service user does not want the Company to collect information through the use of cookies, the user can go to the settings on the website to refuse the use of cookies.
Company website: links to other websites may be provided, and the Company is not responsible for the privacy practices used by websites other than the Company's own website.
8.2.3 Obtaining consent from minors, incompetent persons or quasi-incompetent persons
In the event that the Company has contact with, or is required to obtain personal information of, minors, incompetent persons or quasi-incompetent persons, the Company will obtain consent from the persons authorized to act on behalf of such persons, according to the following details:

| Person whose legal capacity is impaired | Person authorized to act on their behalf and give consent | Supporting documents for consideration |
|---|---|---|
| Minor (where the minor is not over 10 years of age, or where the consent is not one that the minor can give alone as provided in the Civil and Commercial Code) | Person exercising parental power | Birth certificate and marriage certificate of the father or mother; court order appointing the legal representative (for appointing the person exercising parental power) |
| Incompetent person | Guardian | Court order appointing the legal representative (for appointing the guardian) |
| Quasi-incompetent person | Curator | Court order appointing the legal representative (for appointing the curator) |

In order to confirm the identity of the legal representative, the Company will also request the supporting documents listed above to support the exercise of such rights.

8.3 Types of information collected, purpose of collection and period of collection of personal data

The Company has prepared a record of the Company's processing of personal data (Data Log) to record the type of information collected, the purpose of collection and the duration of collection of the personal data that the Company collects, uses or discloses. The Company will improve and add to this record so that it is up to date and always truthful about the use of personal information.

8.4. Exceptions to Personal Data Collection

The Company will ask for consent from the owner of personal data before collecting it, except in the following cases:
(1) To achieve objectives related to the preparation of historical documents or archives for the public interest, or relating to studies or statistics, for which appropriate safeguards have been provided in order to protect the rights and freedoms of the data subjects, as prescribed by the Commission.
(2) To prevent or suppress a danger to the life, body or health of a person.
(3) It is necessary for the performance of a contract to which the data subject is a contracting party, or to process the request of the owner of the personal data before entering into that contract.
(4) It is necessary for the performance of duty in carrying out missions for the public interest of the personal data controller, or for performing duties in exercising state powers that have been given to the data controller.
(5) It is necessary for the legitimate interests of the personal data controller, or of other persons or juristic persons who are not data controllers, unless such benefits are less important than the data subject's basic rights to personal information.
(6) Compliance with the law by the personal data controller.

9. Collection of personal data from sources other than the data subject

The Company will always collect personal information directly from the owner of the personal information, unless:

1. The Company is exempted by law and so is able to collect personal data of the data subject from sources other than the data subject; or
2. The Company needs to collect personal information of the data subject from sources other than the data subject, in which case the Company will proceed as follows.

(a) In the event that the Company will use such information to contact the owner of the information, the Company must notify the data subject of the collection of information from such other sources in the first contact, together with the details required before the collection of personal data as specified in clause 8.1.3, including the purpose of collecting, using or disclosing such personal data, within 30 days from the date of collection of the information, unless the Company is exempt from notifying the purpose of collecting such information.
(b) Where the Company has obtained consent to collect such personal data, the Company must notify the data subject of the collection of data from other sources within 30 days from the date of consent, together with the details required before collecting personal data as specified in clause 8.1.3, including the purpose of collection, use or disclosure of such personal data, within 30 days from the date of data collection, unless the Company is exempt from notifying the purpose of collecting such information.
(c) In the event that the Company will disclose personal data collected from other sources, the Company will inform the data subject about the collection of the data subject's personal data from other sources, including the purpose of collection, use or disclosure of the personal data, within 30 days from the date of collection, unless the Company is exempt from the need to notify the purpose of collecting such information, and must give that notice before disclosing the information for the first time.

10. Using personal information

The company will process personal data. With the consent of the data subject Unless the processing of such personal data is subject to the following legal exemptions:

1) Contract basis when the owner of personal data contacts the company via website or telephone. The company will use the personal data of the data subject to process the products or services. to continue to contact or offer contracted services;
2) Consent: The Company may collect information to be a customer database. to analyze or offer new services if the data owner does not wish Able to notify the Company according to Clause 17
3) Legitimate Interest The Company may process personal data to carry out necessary tasks in the legitimate interests.
4) Vital interest basis. The Company may process personal data to prevent or suppress harm to the life, body or health of the data subject.
5) Legal Obligation

10.1 General prinviples for using personal data
  • The Company will only use personal information for the purposes that have been notified to the owner of the personal information.
  • As for personal data that the Company can collect without obtaining the consent of the personal data subject as detailed in Clause 8.2.1, the Company will use such personal data only for the purposes specified in clause 8.2.1, and the Company will record the use of such personal information in the Company's records about the processing of personal data (Data Log).
10.2 Access to personal information

The Company has set conditions and methods for accessing the personal data that the Company has collected, to use or disclose it according to the objectives that have been notified to the owner of personal data, in accordance with the summary chart on personal data storage and data flow (Data Mapping).

10.3 Assessment of the impact on personal data

The Company will conduct an impact assessment on personal data every time the Company will use personal data in a high-risk manner. The evaluation will be made according to the personal data impact evaluation form (Data Protection Impact Assessment).

11. Storage and data protection
11.1 Recording details about personal information

11.1.1 In the operation of the Company, the Company shall provide a summary chart on personal data storage and data flow (Data Mapping) for each department of the Company, for use in recording and summarizing the personal data that is collected, the purposes for which it is collected, each type of person, and the storage period of each type of personal data, and shall store such charts in the Company's database system.
11.1.2 The Company will provide a record of the exercise of the rights of the data subject. This will record details about the exercise of rights of personal data subjects and details of the Company's actions on the request to exercise that right. This includes cases where the Company refuses the data subject's request to exercise the right.

11.2 How to keep personal information

11.2.1 The Company will ensure that any action and personal data collected by the Company will receive appropriate protection and be safe from loss, use, access, alteration or disclosure of personal data by unauthorized persons, or any unlawful action.
11.2.2 The Company will create security for personal information. This covers the creation of security standards for personal data in terms of access or control of the use of personal data (access control), covering administrative safeguards, technical safeguards and physical safeguards, which shall at least consist of:
(1) Control of access to personal data and to equipment for storing and processing personal data
(2) Determination of permission to access personal data
(3) User access management to control unauthorized access to, disclosure, knowledge or duplication of personal information, and theft of personal data storage or processing equipment
(4) Provision of means to enable retrospective access to, change, deletion or transfer of personal data, consistent with the methods and media used to collect, use or disclose personal information
11.2.3 The Company will keep personal information in a safe place which receives appropriate care for the storage of data in various formats (documents and/or electronic files), in accordance with the policies and procedures set forth in the Policy Documents and Procedures. The Company has limited access to personal data of data subjects to individuals with duties and responsibilities related to data processing as specified by the Company, as shown in the summary chart on personal data collection and data flow (Data Mapping). Such individuals can only act on the personal data of the data subject according to the duties and orders of the Company and must keep the personal information of the owner of the personal information confidential.

12. Disclosure of personal information
12.1 General principles for disclosure of personal information

In disclosing personal information that the Company has collected at any time, the Company will operate in accordance with the following principles and guidelines:
12.1.1 The Company will disclose personal data only for the purposes that have been notified to the data subject.
12.1.2 As for the personal data that the Company can collect without the consent of the data subject as detailed in clause 8.2.1, the Company will disclose the personal data only for the purposes specified in clause 8.2.1, and the Company will record the disclosure of such personal information in the Company's Data Log.

12.2 Disclosure of personal data to our personal data processors

12.2.1 In the business operation of the Company, the Company may assign persons other than the Company's personnel to carry out certain types of work according to the orders and scope of work specified by the Company. If such a person is required to process the personal data of the data subject that the Company has stored, for use in the performance of the assignment according to the order of the Company and for the purposes specified by the Company, such persons are the Company's personal data processors.
12.2.2 In entrusting the Company's personal data processor to process that personal data, the Company must impose on the personal data processor the duty to carry out the instructions and operating conditions related to the protection of personal data according to the policy and good personal data protection standards, and to comply with the requirements of the Personal Data Protection Act B.E. 2562 and related regulations. The Company will enter into a personal data processing contract (Data Processing Agreement) with the personal data processor, which clearly states that the personal data processor must make every effort to protect personal data.

12.3 Disclosure of Personal Data to Other Data Controllers

12.3.1 Other data controllers are third parties who are not the Company, whether an individual or a juristic person, who have the authority to make decisions about the collection, use or disclosure of personal data by themselves.
12.3.2 The Company will send or disclose the personal data of the data subject to other third parties only if it is necessary for the Company to comply with the law, or as a result of contractual obligations between the Company and other data controllers, or where the consent of the data subject has been obtained (depending on the case).
12.3.3 In sending or disclosing personal data to other data controllers, the Company will notify the owner of personal information of the list of information to be disclosed and the purpose and reason for disclosure, together with the name of such other data controller, unless it is a case of sending personal data to government agencies with relevant legal jurisdiction. The Company will do so in accordance with the relevant laws.
12.3.4 The Company will not disclose personal information to any other agency or person, except in the following cases:
12.3.4.1 Obtaining consent from the data subject.
12.3.4.2 An order of a court, authority or law to disclose such information.
The Company may transfer personal data of data subjects between affiliates to provide services to data subjects efficiently and achieve their objectives. The information that may be forwarded includes the customer's name, address, telephone number, fax number, email address, company (organization) name, job title, and sales-related information. Such information will only be disclosed for the purpose of providing the service.

13. Destruction of personal information

The Company will delete or destroy personal information after the expiration of the data retention period specified for each type of information, or where it is no longer necessary for the purposes of the Company or relevant laws to collect, use or disclose such information, or when requested by the data subject, subject to the methods and conditions as specified in the Document Control and Records Policy.

13.1 The documentation unit / agency of the Company that is in control of the document has a duty to inspect and separate personal data that has reached the end of its data retention period, and to destroy documents according to the following methods and requirements.
13.2 Where personal data is stored in hard copy, destroy the data by feeding it into a shredder or destroying the documents.
13.3 Where personal data is stored in electronic files, the document department / agency that controls that document contacts the Company's information technology department to delete or destroy such electronic files.

14. Training of relevant personnel and information

Training of relevant personnel and provision of information about practices related to personal data protection to partners or users of the Company's services: the Company will provide training and education to its personnel so that they understand, acknowledge and realize the importance of, and are able to properly and accurately comply with, the requirements and guidelines regarding the protection of personal data.

15. Monitoring and improving the Company’s operations regarding personal information

The Company will develop and update policies and documents related to the protection of personal information from time to time: every time the relevant laws are updated, every time there is an improvement of the Company's internal practices, or at least every 1 year.

16. Personal data breaches

16.1 In the event that any person finds or has reasonable grounds to suspect that personal data may be leaked, or that an action in connection with the collection, use or disclosure of personal data by the Company is in conflict with the Personal Data Protection Act B.E. 2562 (2019) and/or any regulations relating to the protection of personal data or requirements under this Policy, please notify the Company and the Company's Personal Data Protection Officer of such cases through the channels specified in Article 17 of this Policy.
16.2 In case of personal data leakage, or actions in connection with the collection, use or disclosure of personal information by the Company that conflict with or do not comply with the provisions of the Personal Data Protection Act B.E. 2562 (2019) and/or any regulations related to the protection of personal data or requirements under this policy, the Company will act in accordance with the requirements and methods specified in the Guidelines in the event of a personal data breach within a reasonable period of time.
16.3 The Company supports corporate risk management and related agencies so that the risks associated with personal data are considered and appropriate risk management actions are taken. There must also be an investigation of the actions related to personal data by the internal audit department.
16.4 In the event that the Company is a data controller, the Personal Data Protection Officer is responsible for reporting incidents of personal data breach to the Office of the Personal Data Protection Commission without delay, within seventy-two hours from knowing the cause, to the extent that it can be done, unless such violations pose no risk of affecting the rights and liberties of individuals. In the event that the breach has a high risk of affecting the rights and liberties of individuals, the data subject shall be notified of the breach without delay, together with the remedial measures.

17. Personal data protection officer/ internal department dealing with personal data protection

The Company has appointed personal data protection officers / assigned duties to internal departments in charge of protecting personal information, to perform the duties of giving advice and inspecting the operations of the Company relating to the collection, use and disclosure of personal data, in accordance with the requirements under the Personal Data Protection Act B.E. 2562 and related regulations. In this regard, the Company has prepared a document summarizing the duties, responsibilities and preliminary qualifications of personal data protection officers and internal departments of the Company relating to the protection of personal data, so that the performance of personal data protection officers / internal units in charge of personal data protection and of the persons involved is in order and meets the purposes specified in the personal data protection law.
In the event that the Personal Data Owner wishes to exercise any rights of the Personal Data Owner as specified in Clause 7 of this Policy, the owner of personal data can notify the Company of his/her intention to exercise such rights through the Company's contact channels as follows:

Company personal data protection agency
Personal Data Protection Officer, TSTE Public Company Limited and its affiliates
Email: thaisugar@tstegroup.com
Please specify the subject of the email as: “Request to exercise the rights of the data subject”
Address: 90 Moo 1, Poochaosamingprai Road, Samrong Klang, Phra Pradaeng District, Samut Prakan 10130
Tel. 0-2183-4567

In the event that the subject of personal data wishes to contact a government agency concerned with the protection of personal data, it can be contacted at:
Office of the Personal Data Protection Commission
Phone: 02-141-6985 to 99
Address: 7th floor, Ratthaprasasanaphakdi Building, Government Center Commemorating His Majesty the King’s 80th Birthday Anniversary 5 December 2007, Chaeng Watthana Road, Thung Song Hong, Lak Si, Bangkok 10210

18. Penalty

Punishment according to company regulations: employees who neglect to comply with the Data Protection Act and do not comply with this policy must be punished according to the Company's regulations, including other related penalties. The Company reserves the right to amend, change or cancel this regulation as appropriate.

This policy shall be effective from 1 June 2022 onwards.
