Personal Data Protection Policy
Last update: 1 June 2022
| 1. Reasons for Policy
Nowadays, technological advancement enables information systems and communication to be rapidly developed. Accessing personal data can be done easier than before. As a result, personal data and privacy rights may be infringed, and data owners could be damaged.
Siamnuwat Company Limited, we understand that your privacy is important. We'll protect the personal data of employees, clients, business partners, and visitors at all times. We strongly adhere to the Personal Data Protection Act, B.E. 2562 (2019) (the "PDPA"), when it comes to collecting, using, and disclosing your data. Therefore, we have set policy and guidelines for anyone who handle personal data to follow.
| 2. Definitions
"Company" refers to Siamnuwat Company Limited and its subsidiaries.
"Personal Data" refers to any information that can identify a specific individual. Identifiers are name, address, and date of birth, gender, educational background, phone number, I.D., passport, social security, driving license, tax I.D., bank account, email, and any information that may directly or indirectly specify the owner's identification.
"Data owner" refers to the owner of that personal data, such as employee, client, business partner, or visitor.
“Person” refers to Individual or personal
“Data Protection Officer” refers to a staff who performing the duties related the security of personal data in the organization and inside data (“Employee’s data”) and outside data (“Client’s data”). Since investigate, collection, use, disclosure, and maintenance of the Personal Data with respect to the compliance with the Personal Data Protection Act, B.E. 2562 and coordinate and cooperate with the Office of Personal Data Protection Committee.
| 3. Policy and guidelines on keeping, collecting, and disclosing personal data.
3.1 The company always comply with the law about keeping, collecting, and disclosing personal data. We keep personal data that are essential to and for business transaction purposes only. Your data will be kept for the period that is permitted by law.
3.2 To keep personal data, the company will only do so after receiving the owner's consent. There are, however, the following exceptions.
We may keep personal data without requesting for owner's consent if:
3.2.1 Required by law.
3.2.2 Obliged by a legal contract as a contracting party and as requested by the data owner.
3.2.3 The data is for the lawful benefits of the data controller unless such benefits are less important than the basic rights of the owner.
3.2.4 The data is for public interest as assigned by the authority.
3.2.5 The authority requests to keep the data for investigation purposes, in the case of legal trial or court order.
3.2.6 The data is for researching and statistical purposes of the government. However, there must be the proper measure to protect the owner's rights.
3.2.7 Keeping personal data will protect the life or health of a person.
3.3 The company will only obtain personal data directly from the owner, and never from the indirect source.
3.4 As for sensitive data given by data owner: race, religion, sexual orientation, criminal record, health record, disabilities, and biometric data, the company will keep them only if the data owner has expressed consent, except in certain circumstances, such as required by law or court order.
3.5 As for visitor who is present at the company's premises or through the company's information technology, the company will notify the data owner about this policy. The data owners will acknowledge that this policy applies to their data protection. Besides, the data owners also agree that the company has the right to keep or use their data according to the purpose written in this policy.
3.6 The company will appoint a designated person or department to be in charge of controlling and processing personal data. They'll strictly follow this policy and guidelines.
3.7 Department supervisors and managers are responsible for making sure that their staff adopt this policy and follow the guidelines. When they process personal data, whether it comes in any format; electronic data, hard copy, cloud data, or application software, every department and staff will be required to adhere to this policy.
| 4. Purposes of processing personal data
4.1 Personal data of employee, consultant, contractor, and temporary staff will be used for the following purposes; Employment contract, Social securities, Taxation, Insurance, Life and Health insurance, Medical treatment and health records, Performance evaluation, Payroll, Educational background, Criminal record (for some positions), Personal background and any relevant and necessary data.
4.2 Personal data of the client, supplier, business partner, stockholder, and the investor will be used for the following purposes.
4.2.1. Business transaction and its related activities; research and development, marketing, PR, and advertisement, CSR activities.
4.2.2. Improving service and efficiency to our clients.
4.2.3. Accepting complaints from clients and stakeholders.
4.2.4. Communicating with clients or stakeholders either through phone, text messages, E-mail, postal mail, and other communication channels; sending notifications, verifying client and stakeholder's accounts, survey and questionnaires.
4.2.5. Verifying client and stakeholder's information in compliance with updated laws or regulations. However, please rest assured that we'll neither sell, transfer, nor publish your data without your expression of consent.
4.3 The company can lawfully disclose personal data without the owner's expression of consent for the following: Court order, Government order, Legal investigation, Trail investigation, Life protection, and Personal health protection.
4.4 If the company hires other service providers i.e. law firm, insurance, hospital, and IT, we'll make sure that they treat personal data confidential. They must not use personal data for any other purposes instructed by the company.
| 5. The quality and accuracy of personal data
The collected personal data must be accurate and updated. The information must neither cause confusion nor damage data owner, except in cases where other laws are governing the matter.
| 6. The right of the personal data owner
6.1 Data owners have the right to request access to personal data that concerns them. They can also request to suspend, delete, destroy, and update their data if doing so isn't in conflict with national securities, economy, justice, or freedom rights.
6.2 Please know that if data owners do not allow the company to use or process personal data, the data owners may not be able to receive services from the company as effective as it's supposed to be.
6.3 Former employees or job applicants who are no longer obligated legally or financially to the company can request to retrieve their data back, except in cases where there are legal rights or owner's beneficial binding contract restricting the withdrawal. Their data may include information of their family members, relatives, guarantors, and collateral owner.
However, the company reserves the right to collect information about performance evaluation, promotion, and hiring. We're required to reserve the right to collect, use, disclose, or process personal data. Please consider this policy as notification of the impact to the data owner and the withdrawal of consent.
| 7. Protection of personal data
Measures to protect personal data are found below.
7.1 The right to access, use, disclose, and process personal data is restricted to the specific person(s) only. Personal Identification must be verified to access personal data. All concerned parties must strictly follow this lawful measure.
7.2 If there's a transfer of personal data to a foreign country or to the external database, the data controller at the destination must securely protect the data. The standard of data protection must be equally safe or better than this policy.
7.3 Papers that contain employee's data are prohibited from being reused. They'll be destroyed once the employment ends or after the specific legally allowed period, except in cases where there are other pending legal matters.
7.4 If there's a violation of data security measures under this policy, or there’s a leak of personal data to the public, the company will notify the owner as fast as we can. Also, the company will provide a remedy to the data owner once it has been proved that the company is at fault.
The company reserves the right not to provide a remedy for the damage caused by the data owner's faults; voluntarily disclose personal data to the others, ignoring security protection measures and procedures.
| 8. The securities of personal data storage
To securely and properly store personal data, the company provides a controlled database. I.T. department will be in charge of monitoring securities of the storage. The rights to access personal data of the employee, client, business partners, suppliers, and visitors will be controlled and restricted. To prevent data from leaking and misusing, only designated persons of the company will be allowed to access.
Internal Audit department will be in charge of assessing the efficiency of personal data keeping.
| 9. The revision of personal data protection policy
The company may revise policy without prior notification to the employee, client, business partner, supplier, and visitor. However, the revision will enable us to provide better service. Therefore, we recommend that you read this policy every time you visit the company's website. (http://www.siamnuwat.com/)
| 10. Enforcement
10.1 This announcement is effective for the board of directors, managing director, the staff of all levels, and anyone who is under the company's governance.
10.2 This announcement is effective for all company's activities that concerns personal data; Storage channels, Storage types, Format, Purpose of usage, Processing, Protection
10.3 Department Managers must appoint a responsible person to be in charge of implementing this policy.
10.4 Staff and departments who handle personal data must use it with caution. When collecting, using, disclosing, or processing personal data, you must strictly follow the guidelines.
10.5 Personal data is strictly confidential. Accessing the data without permission is perceived as violating the code of conduct and committing a criminal offense. Disciplinary action may be taken against the violator whether the damage has occurred to the data owner or not.
| 11. Penalties
11.1 A violation of personal data protection policy could result in civil and criminal liability. If a person in the company violates this policy and causes damage to the data owner, that person will be punished without compromise. Such a person must also be liable for punitive damage that occurred to the owner.
Furthermore, if the damage occurs to the company, we may take legal action against the violator also.
11.2 The penalties will NOT be effective for the event that the data owners disclose their data. If they voluntarily disclose their data to the third party or allow the third party to disclose their data, the company will not lawfully be a data controller or processor. Therefore, the company will not be liable for the damage occurred.
| 12. Contact
Should you have any questions about this policy, please contact:
Siamnuwat Company Limited
989 Siam Piwat Tower 8th Floor, Rama I Rd., Pathumwan District, Bangkok 10330, Thailand.
Call Center: 02-6580678
Email address: email@example.com Website: http://www.siamnuwat.com/contact
Data Protection Officer
989 Siam Piwat Tower 8th Floor, Rama I Rd., Pathumwan District, Bangkok 10330, Thailand.
Email address: DPO@siamnuwat.com
This announcement and policy are subject to the Personal Data Protection Act, B.E. 2562. The company reserves the right to revise this policy as deemed appropriate to comply with the related laws. This announcement is considered as part of the company's rules and an employment contract that employees must strictly adhere to.
This announcement and policy are made effective on 1st June 2022, onward.