SILPIN Asia co.,LTD
1. Principles and Rationale
SILPIN Asia co.,LTD (“the Company”) emphasizes the importance of safeguarding the personal data of employees, customers, business partners, service users, service providers, business affiliates, and other individuals associated or involved with the Company. Privacy is a fundamental right protected under the Constitution of the Kingdom of Thailand and international human rights principles (Universal Declaration of Human Rights): no individual shall be subjected to interference with their privacy, family, residence, or communication, or to defamation, insult, violation of honor, or damage to reputation, and everyone has the right to legal protection against such interference or defamation. This entails safeguarding personal data from unauthorized use and ensuring its security as required by law and international standards, and supporting and respecting human rights as declared globally under the principles of the United Nations Global Compact, as well as the Personal Data Protection Act B.E. 2562 (2019). The Company therefore announces this Personal Data Protection Policy (“the Policy”) as the foundation for protecting personal data (data privacy) and for the access, collection, use, and disclosure of personal data in accordance with the Personal Data Protection Act B.E. 2562 (2019).
2. Objectives
This Personal Data Protection Policy is established to safeguard the personal data of individuals who have engaged in transactions with, used the services of, or are otherwise involved or associated with the Company, for the following purposes:
2.1 To define the roles and responsibilities of departments, management, and employees involved in personal data.
2.2 To establish procedures or measures for maintaining the security of personal data.
2.3 To set guidelines for the work practices of employees involved with personal data.
2.4 To instill confidence in maintaining the security of personal data for employees, customers, business partners, service users, and other individuals associated with personal data.
2.5 To verify or authenticate individuals.
2.6 To investigate and prevent actions that violate the law.
2.7 For Data Analytics within legal and compliant objectives.
2.8 For the benefit of managing the human resources of the Company and its subsidiaries.
2.9 For internal organizational management purposes.
2.10 To provide information to government agencies or state departments as mandated by law or upon request by said government agencies or state departments.
2.11 For legal rights establishment and litigation purposes.
2.12 For business transactions related to the Company’s operations.
2.13 To comply with relevant laws associated with the Company.
3. Scope of Use
3.1 This policy is applicable and binding on the board, committees, shareholders, management, and employees at all levels of SILPIN Asia co.,LTD, including customers, business partners, service users, service providers, business affiliates, and any other individuals associated or involved with the Company.
3.2 This policy is applicable and binding on all operations of the Company related to personal data.
“Company” refers to SILPIN Asia co.,LTD.
“Personal Data” refers to any information related to an individual that directly or indirectly identifies that individual, excluding deceased persons. In this context, individuals refer to living natural persons and do not include legal entities established under the law.
“Sensitive Data” refers to personal data concerning an individual’s private characteristics whose use carries a risk of unfair discrimination and which therefore requires special caution in handling, such as race, religion, sexual behavior, political opinions, criminal records, labor union membership, health data, disabilities, genetic information, biometric data, or other data specified by law.
“Data Subject” refers to the individual whom the personal data identifies, not including cases where the individual owns data as property rights or is the creator of said data.
“Data Controller” refers to an individual or legal entity responsible for making decisions regarding the collection, acquisition, usage, or disclosure of personal data.
“Data Processor” refers to an individual or legal entity involved in collecting, acquiring, using, or disclosing personal data, such as business partners, individuals, or companies outside SILPIN Asia co.,LTD hired by the Company.
“Person” refers to a natural person.
“Data Protection Officer (DPO)” refers to an individual or a group of individuals appointed by the Company to serve as the data protection officer in accordance with the Personal Data Protection Act B.E. 2562.
“Data Protection Coordinator (DPC)” refers to an individual designated or assigned the responsibility of coordinating and liaising with individuals or other relevant parties according to this policy.
5. Protection of the Company’s Personal Data and Principles of Personal Data Collection
5.1 Personal Data Collected by the Company:
5.1.1 General Personal Data:
(a) Identity Data: Such as name, surname, national identification number, passport number, nationality, date of birth, photographs, educational information, family information, driver’s license number, vehicle registration number.
(b) Contact Information: Such as phone numbers, addresses, email addresses, and aliases.
(c) Identity Verification Data: Such as usernames, passwords, employee IDs, customer IDs.
(d) Financial or Transactional Data: Such as bank account numbers.
(e) Other Information Related to the Company: Such as information provided to the Company by the data subject in contracts, forms, surveys, or collected during the data subject’s participation in the Company’s business activities, seminars, or events.
5.1.2 Sensitive Personal Data:
Pursuant to the Personal Data Protection Act, certain types of personal data are classified as sensitive, and their collection must comply with the law, including obtaining the explicit consent of the data subject for the collection, use, or disclosure of sensitive personal data. Types of sensitive data include:
(d) Genetic Information
(e) Biometric Information (e.g., fingerprints, facial images)
(f) Health Data (e.g., existing medical conditions, annual health checkups)
(g) Criminal History
The Company will only collect, use, or disclose sensitive personal data when necessary and will clearly inform the data subject of the necessity and reasons for such collection, use, or disclosure.
5.1.3 Technical and Personal Data Usage Information:
(a) Website Visitor Information: Such as email addresses, contact information, or registration details of website visitors or subscribers.
(b) Computer Traffic Log Data: Includes IP addresses, access times, device IDs, network data, geographic location, browser types, website access before and after, browsing history, login records, and transaction logs.
(c) Closed-Circuit Television (CCTV) Data: The Company records images and sounds when individuals enter its office premises through CCTV cameras. Notices are provided in these areas to inform data subjects about CCTV usage.
(d) Analysis and Statistical Data: The Company collects and analyzes statistics related to service usage, digital behaviors, website visits, search queries, website feature usage, and data collected through cookies.
The collected personal data may vary based on the nature of the relationship between the data subject and the Company, the digital technologies used by the data subject, and the services the data subject has with the Company.
5.2 Sources of Company’s Personal Data:
5.2.1 Direct Collection from Data Subjects:
– Data gathered directly from data subjects, such as personal information filled out in contracts, employment applications, or by becoming an employee or staff member of the Company.
5.2.2 Collection from Business Partners or Service Users/Providers:
– Information obtained through contracts, services used, or provided to the Company. Personal data received from business-related documents or contracts with the Company.
5.2.3 Collection from Indirect Sources:
– Data collected from sources other than data subjects directly. The Company will promptly inform data subjects within 30 days of obtaining such data, seeking explicit consent if necessary.
5.2.4 Collection through Online Communication Channels:
– Data gathered through email correspondences, applications (e.g., LINE), publicly available data, business-related data, commercial data, or social media, whether disclosed by data subjects or permitted by them.
5.2.5 Collection via Service Channels:
– Personal data obtained directly from data subjects in various forms, including surveys, participation in marketing activities, or communication with the Company through controlled channels or other official contact points.
5.2.7 Collection as Shareholders or Company Directors.
5.2.8 Collection from Visual or Motion Recordings:
– Personal data acquired from still or moving images captured by CCTV, mobile phones, or cameras within Company-controlled premises.
The Company will collect personal data only as necessary and in compliance with the purposes previously notified to or consented to by the data subject, unless the law allows otherwise, in the following cases:
(a) To achieve objectives related to the creation of historical records or memoranda for public interest or research and statistics, where appropriate measures have been established to protect the rights and freedoms of the data subject.
(b) To prevent or suppress danger to the life, body, or health of individuals.
(c) When necessary to fulfill a contract to which the data subject is a party, or to comply with the data subject’s requests prior to entering into such a contract.
(d) When necessary for the performance of duties in the public interest of the data controller or the exercise of official authority granted to the data controller.
(e) When necessary for the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights of the data subject’s personal information.
(f) To comply with a legal obligation of the data controller. Where the data subject is required to provide personal data in order to comply with the law or a contract, or where such data is necessary for entering into a contract or for providing information by other means, failure to provide it may result in the suspension or temporary cessation of transactions or other activities related to the data subject, since the Company may be unable to process that data.
5.3 Objectives of Processing Personal Data by the Company:
The Company collects the aforementioned personal data to carry out its lawful operational purposes and improve its operations, storing only necessary information for the following purposes:
5.3.1 Recording still images, and/or motion pictures, and/or sound related to meetings, training, seminars, recreational, or other marketing activities.
5.3.2 Developing and enhancing systems and services, improving work efficiency, elevating service standards, and/or activities related to the Company’s business operations.
5.3.3 Necessary actions to comply with the responsibilities of the Company towards supervisory authorities, tax agencies, legal enforcement, or legal obligations of the Company for orderly compliance with current and anticipated laws, principles, or relevant criteria.
5.3.4 Enforcing agreements, contracts, or debt collection, or undertaking legal actions related to any disputes involving the Company, whether civil and/or criminal.
5.3.5 Benefitting from lawful interests of the Company, other individuals, or legal entities.
5.3.6 Contacting the data subject through various channels for inquiries, notifications, verification, or confirmation of data related to the data subject.
5.3.7 Developing services, compiling statistics, conducting marketing, advertising, and public relations.
5.3.8 Communication, service provision, customer care, payment under contracts, or billing services.
If there are changes in the purposes of collecting personal data, the Company will promptly notify or publicize this information to the data subjects concerned.
6. Collection of Personal Data
The collection of personal data shall be carried out under the necessary objectives aligned with the framework or related benefits directly associated with the purpose of collection, usage, or disclosure of personal data. Before or during the collection, details shall be communicated to the data subject, including:
1) Objectives of the collection.
2) Duration for data retention.
3) Types of individuals or entities that may access the disclosed personal data.
4) Information or contact channels with the Company.
5) Rights of the data subject.
6) Notification of consequences arising from the refusal to provide personal data, in cases where the data subject declines to provide personal data as required by law or for contractual obligations.
6.1 Sensitive Data Collection:
The Company shall refrain from collecting sensitive personal data unless explicit consent is obtained from the data subject, except where the law permits collection without consent.
6.2 Website Data Collection:
6.3 Data Storage Methods:
The Company will store personal data as follows:
1. Hard copy documentation in restricted-access filing cabinets within the Company premises.
2. Soft copy documentation in offline systems on password-protected servers.
3. Data stored in online cloud storage services such as Microsoft or Google, for which no restrictions are specified.
7. Roles and Responsibilities of the Company:
The Company designates employees or related units handling personal data to prioritize and take responsibility for the collection, usage, or disclosure of personal data according to Company policies and data protection laws. The following individuals or units shall:
7.1 Data Controllers:
7.1.1 Implement appropriate data security measures and regularly review standards for effective measures aligned with evolving technologies.
7.1.2 Define the scope of managing disclosed personal data to individuals or other legal entities.
7.1.3 Ensure the existence of a system for auditing the management of personal data as required by law.
7.1.4 Record data-related transactions as stipulated by law.
7.1.5 Establish agreements with data processors, legal entities, or external individuals if disclosing personal data to processors hired by legal entities or external individuals. These processors must adhere to data security, usage, and disclosure policies outlined in this policy and the Personal Data Protection Act B.E. 2562.
7.2 Roles and Responsibilities of the Data Processor:
7.2.1 Act on the collection, use, or disclosure of personal data as instructed by the Data Controller.
7.2.2 Implement appropriate security measures for personal data as deemed suitable.
7.2.3 Develop and maintain records of personal data processing activities.
7.3 Data Protection Officer (DPO):
7.3.1 Offer guidance on various aspects of personal data protection to Company management, employees, and affiliates. Monitor the operations of Data Controllers and Processors, ensuring compliance with data protection policies and laws.
7.3.2 Collaborate and cooperate with the Personal Data Protection Office in cases related to the collection, use, or disclosure of personal data by the Company, its subsidiaries, or business partners.
8. Data Security Measures for Personal Data Protection
8.1 Establish rights concerning access, usage, disclosure, processing, and verification of individuals accessing or using personal data. Implement stringent security measures, including periodic review and assessment of their effectiveness.
8.2 Regarding international data transfers or storage on other databases located abroad, the recipient or data storage service must uphold data protection measures equivalent to or better than those outlined in this policy.
8.3 In cases where Company security measures are breached, leading to personal data violations, the Company will promptly inform the Personal Data Protection Office within 72 hours, unless such a breach risks the data subject’s freedoms. The Company will take immediate steps to notify affected individuals and provide necessary remedies.
9. Data Processing by the Company
9.1 Data Collection Procedures: The Company will collect personal data in hard copy and/or electronic formats as necessary for service delivery aligned with the stated objectives. The data obtained shall be accurate, complete, up-to-date, and provided with legal consent. Data may be combined if necessary for data accuracy and service enhancement.
9.2 Data Usage Procedures: The Company will utilize personal data only when it aligns with the data owner’s stated objectives and/or for operational benefits, legal compliance, service efficiency enhancement, or risk management to prevent potential law violations. Communication channels like phone calls, emails, or postal services may be used for verification, feedback, or provision of relevant product and service-related information.
9.3 Disclosure of Personal Data:
The Company will disclose personal data of data subjects to external parties solely for operational purposes and as per the purposes requested by the data subjects. The Company will not disclose the personal data of data subjects to any other external party without explicit consent unless sharing with government agencies, authorized personnel, or individuals lawfully entitled to access such personal data. The Company shall mandate confidentiality and data security to these entities and prohibit the use of the provided personal data for any purposes beyond those specified by the Company. The external parties to whom the Company may disclose personal data include:
9.3.1 External service providers (outsourcing/service providers) within Thailand or abroad, such as cloud computing service providers, registrars, etc.
9.3.2 Service providers or contractors engaged in agreements with the Company or acting as representatives on behalf of the Company.
9.3.3 Government agencies or regulatory bodies to comply with laws, orders, or requests, such as the Revenue Department, Legal Execution Department, National Police Office, and other entities as mandated by applicable laws or regulations.
9.3.4 Disclosure for legal compliance, court proceedings, court orders, summons, or other legal processes.
9.3.5 Disclosure to consultants, advisors, external auditors, debt collectors, lawyers, for the Company’s rights enforcement, litigation, or legal compliance beyond the scope of this privacy notice, if the Company deems it necessary or has obtained authorization under relevant laws.
9.3.6 Any other disclosure required by necessity or by law, for the purposes of data use and the retention periods specified in this policy or by data protection laws.
10. Data Retention Period
The Company will collect and retain personal data of data subjects as necessary to achieve the purposes outlined in this policy or as specified by data protection laws. Data retention periods may vary based on data usage necessity and data subjects can refer to specific activities and services of the Company for details. Upon termination of relationships between data subjects and the Company, the Company will retain personal data as required by necessity or specified by law.
Alternatively, under certain circumstances, the Company may need to retain the personal data of the data subject beyond the specified retention period if notified in good faith of potential breaches, legal violations, disputes/litigation, necessitating investigation, inquiry, and evidence collection for legal proceedings. The Company will retain the personal data of the data subject for as long as necessary until the processes conclude or as specified by relevant laws. The retention periods, methods of destruction, and retention after positions or holdings cease are as follows:
– Board members or shareholders: Retention for 10 years beyond their term, deletion/destruction within 30 days after the retention period ends, engaging external companies with confidentiality agreements.
– Clients under contract: Retention for the contract duration plus 10 years after contract termination.
– Clients with Purchase Orders (POs): Retention for transaction duration plus 10 years after the end of the business relationship.
– Vendors under contract: Retention for the contract duration plus 10 years after contract termination.
– Vendors with Purchase Orders (POs): Retention for transaction duration plus 10 years after the end of procurement regulations.
– Current and former employees: Retention for 10 years after termination of employment.
– Job applicants: Retention for 6 months after the interview date.
The Company certifies that upon expiration of retention periods or upon withdrawal of consent where allowed, it cannot rely on previous consents for further processing or usage of personal data. The Company will delete or destroy such personal data within 30 days from the end of the retention period or upon complete consent withdrawal. Please note that the deletion or destruction of personal data mentioned earlier does not apply to the following ongoing data retention purposes:
10.1 Personal data retained for freedom of expression and opinion purposes.
10.2 Personal data retained for historical documentation, research, or archival purposes.
10.3 Personal data retained for preventing threats to life, body, or health.
10.4 Data collected due to the necessity of fulfilling a contract with the data subject or for operations preceding the contract with the data subject.
10.5 Data collected for the legitimate interests of the data controller as permitted by law.
10.6 Data retained due to legal obligations to achieve significant public interests. The Company ensures appropriate measures to safeguard fundamental rights and interests of the data subject.
11. Rights of the Data Subject under Legal Mandates
The data subject holds the following rights concerning their personal data under data protection laws:
11.1 Right to Withdraw Consent: The data subject has the right to withdraw consent provided to the Company for data collection, usage, or disclosure if the Company lacks legal grounds to continue such activities. The Company will proceed with data deletion.
11.2 Right to Access: The data subject has the right to inquire about and obtain copies of their personal data under the Company’s responsibility, or to request that the Company disclose how it acquired any personal data that was obtained without their consent.
11.3 Right to Rectification: The data subject has the right to request the Company to rectify, update, and ensure accuracy, completeness, and clarity of their personal data.
11.4 Right to Data Portability: The data subject has the right to receive their data from the Company in a readable, commonly used, and machine-readable format. They also have the right to request the Company to transmit the data directly to another data controller if technically feasible.
11.5 Right to Erasure or Right to be Forgotten: The data subject has the right to request the Company to delete or anonymize personal data to render it unidentifiable unless there are lawful grounds for the Company to deny such requests.
11.6 Right to Restriction of Processing: The data subject has the right to request the Company to suspend the use of personal data in specific instances. This could occur during the data subject’s request for rectification or objection to data collection, usage, or disclosure, or when it’s necessary to preserve the data for legal claims, compliance, or legal defense.
11.7 Right to Object: The data subject has the right to object to the collection, usage, or disclosure of personal data in certain cases:
– When collecting, using, or disclosing personal data for purposes related to scientific research, historical, or statistical purposes, except when necessary for public interest or tasks carried out for the Company’s benefit.
– When the data is collected due to essential public interest or the Company’s lawful interest, unless the Company demonstrates compelling legal reasons, significant interests, or establishment of legal claims or defense rights.
11.8 Right to Lodge a Complaint: The data subject has the right to file a complaint with relevant government authorities if the Company, its employees, or contractors violate or fail to comply with the Personal Data Protection Act regarding the data subject’s rights. The Company will make reasonable efforts to address the complaint within a reasonable timeframe as required by law. The Company will consider and inform the data subject of the actions taken within 30 days of receiving the complaint, without any additional cost to the data subject.
12. Transferring Personal Data Abroad
In cases where it is necessary to transfer personal data abroad, the transfer will be made under one of the following conditions:
12.1 Compliance with the law.
12.2 Informed consent from the data subject after notifying them of the insufficient data protection standards in the destination country.
12.3 Compliance with agreements between the data subject and the Company or upon the data subject’s request before entering into an agreement.
12.4 Compliance with agreements between the Company and individuals or legal entities for the data subject’s benefit.
12.5 Prevention or suspension of threats to the life, body, or health of the data subject or others when immediate consent is not possible.
12.6 Carrying out tasks for significant public interest.
13. Managing Personal Data Breaches
In the event of a personal data breach, the Company will take the following actions:
13.1 Establish policies or plans to prepare and handle incidents of data breaches or violations of personal data.
13.2 Appoint a responsible individual within the Company.
13.3 Specify the type or nature of the security breach and assess if security measures were breached.
13.4 Notify and report the incident to the Office of the Personal Data Protection Committee and the data subject.
13.5 Assess risks and damages caused by the personal data breach and find remedial actions.
13.6 Develop measures to mitigate and cope with such incidents.
13.7 Investigate the causes of the personal data breach.
13.8 Enhance security measures or patch system vulnerabilities to prevent future data breaches and minimize risks.
13.9 Regularly review and improve the personal data security system.
14. Policy Amendments
The Company will review and maintain its data protection policies in compliance with the Personal Data Protection Act B.E. 2562 (2019). Any changes to policies or purposes will be published on the Company’s website within 30 days of the change being approved.
The Company will conduct training and assessments on compliance with personal data protection laws for management and employees at all levels. Data coordinators must attend the training, and relevant employees must also participate.
16. Penalties for Data Controllers
In cases where data controllers, data processors, or responsible individuals fail to comply with the Company’s policies, data protection laws, or cause damages, they will face disciplinary actions within the Company’s regulations. Legal penalties may also apply, and if the breach causes harm to the Company or any individual, legal actions may be pursued.