DERMAPROOF ASIA CO., LTD. (collectively referred to as “Company”) recognize the importance of the protection of personal data. Therefore, we have issued our Personal Data Protection Policy (“Policy”) in order to prescribe the process of data collection, storage, usage and disclosure, also including other rights of the Data Subject. Company would like to announce this Policy with the following:
1. Definition “Personal Data” is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data but not including the information of deceased Persons in particular.For example:
- a name and surname; - a home address; - an email address such as email@example.com; - an identification card number; - location data (for example the location data function on a mobile phone); - an Internet Protocol (IP) address; - a cookie ID; - the advertising identifier of your phone; - data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
“Sensitive Personal Data” means any information relating to a particular person which is sensitive and presents significant risks to the person’s fundamental rights and freedoms, which includes data regarding racial or ethnic origin, political opinions, cults, religious or philosophical beliefs, sexual behavior, criminal records, health data, disabilities, trade union information, genetic data, biometric data, or any data which may affect the Data Subject in the same manner, as prescribed by the Personal Data Protection Committee.
“Personal Data Protection Committee (PDPC)” means the Committee appointed under the Personal Data Protection Act B.E. 2562, in charge of the duties and authorities to govern, issue criteria or measures or provide any other guidance as prescribed by this Act.
2. Collection of Personal Data Company shall collect personal data within the purpose, scope, and lawful and fair methods as is necessary which is defined in the scope of the Company’s objectives. Accordingly, Company will inform the Data Subject to gain acknowledgment and consent through electronic or other methods as specified by the Company. (such as Email and Acknowledge post mail etc.) In case the Company needs to collect sensitive data, the Company shall request explicit consent from the Data Subject before such collecting, except for when this is allowed by the Personal Data Protection Act B.E. 2562, or other laws.
3. Purpose of Collecting and Usage of Personal Data Company shall collect or use personal data for the purposes or activities such as the study process, procurement process, contract agreement, financial transactions, all company activities, collaborations or improvement of the Company’s processes; database preparation, process analysis and development, and/or any other purposes which are in compliance with the legal obligations or regulations to which the Company are subject. Company shall retain and use the Personal Data as long as necessary only for the above-mentioned purposes, or as prescribed by laws.Company shall not conduct any processes which are different from the purposes as have previously been shared with the Data Subject except for when:
- the Data Subject has been informed of such a new purpose, and prior consent is obtained; - it is necessary for Company to be in compliance with this Act or other laws.
4. Personal data disclosure Company shall not disclose personal data of the Data Subject without the consent of the Data Subject and shall disclose it solely for the above mentioned purposes. However, for the benefit of company operations and service provision to the Data Subject, Company may disclose personal data to Company’s subsidiaries or other required persons, domestically and internationally, such as service providers dealing with personal data. Company shall govern the above-mentioned persons to treat the personal data as confidential and not to use the data for purposes which are not covered in prior notifications. Company may disclose personal data of the Data Subject as required by laws and regulations, such as disclosing it to a government agency, state enterprise, regulator. Also, the Company may disclose it by virtue of laws, such as requests for the purposes of litigation or prosecution, or requests made by the private sector or other persons involved in the legal proceedings.
5. Direction of Personal Data Protection Company shall establish measures including for the security of personal data in accordance with the laws, regulations, rules, and guidelines regarding the personal data protection for employees and other relevant persons. Company shall promote and encourage employees to learn and recognize the duties and accountabilities in the collection, storage, usage, and disclosure of personal data. All employees are required to follow this policy and all guidelines regarding personal data protection in order for the Company to remain in compliance with this Act accurately and effectively.
6. DATA BREACH NOTIFCATION Company shall notify the PDPC of the personal data breach without delay and, where feasible, within 24 hours after having become aware of it. In case the personal data breach is likely to result in a high risk to the rights and freedoms of the persons, the company shall notify data subject of the breach incident and the remedial measures without undue delay.
7. Rights of Data Subject The Data Subject is entitled to request any actions regarding their personal data as per the following:
7.1 Right to be informed 7.2 Right to Access 7.3 Right to Erasure or Right to be forgotten 7.4 Right to Rectification 7.5 Right to Restriction of Processing 7.6 Right to Data Portability 7.7 Right to Object 7.8 Right to Withdraw Consent
Data Subject may request these rights by sending a notice or submitting the Data Subject Request Form at firstname.lastname@example.org or via electronics form set by the Company to the channel following the Contact Information of this policy. This form is available for download at www.dermaproofasia.com. Company shall consider the right request received and inform the Data Subject not exceeding 30 days from the date of receiving such request. However, the Company may deny such a right subject to exception by applicable laws.
8. Review and Changes of Policy Company may review this policy to ensure that it remains in adherence to laws, any significant business changes, and any suggestions and opinions from other organizations. Company shall announce and review amended policies thoroughly before implementing all the changes.
9. Retention and Destruction
Data Retention Period and Destroy
Employee and Resigned Employee
Personal data on recruitment documents and service period and wage notifications made to the Social Security Institution
The data shall be retained continuation until the expiry of the employee contract agreement. And the data will be destroyed after employee resigned for 5 years.
Information on the Candidate's CV and job application form
The data shall be retained for 2 years from the beginning of the application.
All personal data both in application REC-AM-VO02 and database
The data shall be retained continuation until the volunteer wants to withdraw the data from database. And the personal data of volunteers will be destroyed after 10 years after withdrawal.
All document related to the study, Video, CD etc.
The data shall be retained for 10 /15 years.
All document related to the accountant, Company ID, Customer and Supplier contact information, etc.
The data shall be retained for 10 years.
Information contained in the internship file of the student
The data shall be retained for 5 years at the continuation of the internship and from the beginning of the calendar year following the expiry of the internship.
10. Contact Information DermaProof Asia Co., Ltd. 240/28-30, Ayothaya Tower, 17th Floor, Ratchadapisek, Huaykwang, Bangkok 10310, Thailand Phone: (+662).274.1714-18 Fax : (+662).274.1721 Email : email@example.com and firstname.lastname@example.org