Personal Data Protection Policy

Principles and objectives

AMATA Corporation Public Company Limited and its subsidiaries (“the Company”) is committed to strengthen personal data protection in accordance with the Personal Data Protection Act B.E. 2562, therefore, the Company would like to introduce this Personal Data Protection Policy to ensure the Company’s compliance with laws and international standards on personal data protection. In addition, the Company has established rules for the protection of personal data of data subjects and has implemented effective and appropriate measures for addressing any violations of the rights of data subjects.

 

Scope of enforcement and application
All processing of personal data performed by the Company, as well as any person who comes into contact with personal data because it is related to the Company's operations and must therefore comply with this Personal Data Protection Policy and the legal framework.

 

With respect to personal data collected prior to the introduction of the Personal Data Protection Act B.E. 2562, the Company is enabled to continue collecting and using the personal data for the initial purposes. Any disclosures and acts other than the collection and use of personal data must be in compliance with the Personal Data Protection Act B.E. 2562.

 

Definitions


“Personal Data Protection Policy” means the policy that the Company has established to make the data subject aware of the Company’s processing of data and a number of relevant issues as stipulated by the Personal Data Protection Act B.E. 2562.

 

“Personal data” means any information relating to an identifiable person, either directly or indirectly, but excluding the information of a deceased person in particular.

 

“Sensitive data” means personal information relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biological data, or any other data which may impact the data subject in a similar manner, as stipulated in the Personal Data Protection Committee’s announcements.

 

“Processing” means the collection, use, or disclosure of personal data.

 

“Data subject” means an individual who is the owner of personal data.

 

“Data Controller” means any person or juristic person with authority and duties in making a decision regarding to the collection, use or disclosure of personal data.

 

“Data Processor” means any person or juristic person who processes, collects, uses or discloses personal data in accordance with an order of or on behalf of the Data Controller. The person or the juristic person engaging in those procedures is not the Data Controller.

 

“Cookies” means small, temporary files collecting personal data that it is necessary to install on the computer of the data subject only for convenience and facilitation of communication while gaining access to a website.

 

Roles and responsibilities

Roles and responsibilities of the Company are set forth in accordance with the Personal Data Protection Act B.E. 2562 in cases where the Company is the Data Controller or the Data Processor.

 

Data controller

  • To put in place appropriate protection measures to prevent loss of, or unauthorized or illegal access to or use, alteration, modification or disclosure of personal data and to review the measures where necessary or when technology changes.
  • To take appropriate courses of action to prevent unauthorized or illegal exploitation or disclosure of personal data by a recipient who is not the Data Controller.
  • To establish a system of checks of the deletion or destruction of personal data as stipulated by the Personal Data Protection Act B.E. 2562.
  • To inform the Office of the Personal Data Protection Commission and the data subject of any breach of personal data immediately.
  • To keep records of transactions as stipulated by the Personal Data Protection Act B.E. 2562.
  • To establish a personal data processing agreement between the Data Controller and Data Processor in cases where the personal data processing is assigned to a Data Processor.
  • To provide the data subjects and the Office of the Personal Data Protection Commission with information about data protection officers, where they can be contacted and the method of contact.
  • To support the data protection officers in performing their duties.

 

Data processor

  • To carry out the collection, use, or disclosure of personal data in accordance with the orders received from Data Controllers only, unless the order is contrary to the law or the provisions regarding personal data protection under the Personal Data Protection Act B.E. 2562.
  • To establish appropriate security measures to prevent loss of or unauthorised or unlawful access to or use, modification, correction or disclosure of personal data.
  • To notify the Data Controller of personal data breaches.
  • To prepare and maintain records of personal data processing activities.
  • To provide data subjects and the Office of the Personal Data Protection Commission with information about data protection officers, where to contact them and the methods of contact.
  • To support the data protection officers in performing their duties.

 

Personal Data Collection

The Company’s collection of personal data (such as specific personal information, information related to personal life or personal interests, financial information, sensitive personal information) is to be based on the following sources and principles:

 

Sources of personal data
The Company may receive personal data from 2 channels as follows:

  • Collection from the data subjects, for example, collection of personal data from filling out personal information in application forms, either in paper form or online, responses to surveys conducted by the Company, or access to the Company’s website using cookies.
  • Collection from sources other than the data subjects, for example, searches for personal data via a website or inquiries made by third parties.

the Company may collect are as follows:

  • Personal information: name, date of birth, nationality, ID card number or passport number, or other identifiable government documents.
  • Contact information: email address, phone number, and fax number.
  • Work history: professional status, position.
  • Information on use of websites: username and password for use of online services and applications, IP address information.
  • Information on use of cookies
  • Data from marketing surveys: data analysis, marketing statistics of data subjects.
  • Sensitive information: information on religion, health, criminal history.
  • Information on devices and the locations of devices, such as GPS data.
  • CCTV footage.

 

Principles of personal data collection
The Company will only collect personal data that is necessary for the operations of the Company. However, the purposes for which the Company processes personal data may differ by case, and can be exemplified as follows:

  • To enter into an agreement and comply with an agreement between the Company and the data subjects.
  • To verify identity or investigate an individual before providing services or entering into an agreement with the Company.
  • To answer questions and provide assistance to customers.
  • To develop and improve the Company's services
  • To provide information about services or conduct PR/marketing campaigns through contact channels provided by customers.
  • To comply with laws relating to the operations of the Company, e.g., to collect personal data for the purpose of withholding tax, to verify customers’ information in compliance with the law of Anti-Money Laundering.
  • To provide information to government agencies as required by law or by public authority.
  • For the purposes of audit, analysis and preparation of documents as requested by other agencies or organizations that are involved with or may be relevant to the Company's business operations, such as The Industrial Estate Authority of Thailand, The Stock Exchange of Thailand, The Board of Investment.
  • For the benefit of the Company’s internal management, e.g., to pay salaries and compensation to its employees, wage earners and trainees, to enter into an employment agreement, to internally manage personnel of the Company and to provide benefits to Officers and employees of the Company.

 

In case where it is necessary for the Data Subject to provide the Personal Data for the purpose of entering into the contract or any other purposes, a refusal of presenting the Personal Data may affect activities relating to the Data Subject being suspended or ceased as required by business operation or laws, unless the Data Subject provides such data to the Company.

 

The Company will collect personal data only as long as necessary for the fulfilment of the purposes in accordance with applicable laws, with data subjects notified prior to or at the time of collection of personal data. The Company shall obtain explicit consent from data subjects prior to or at the time of collection of personal data, except under the following circumstances, where the Company may collect personal data without requesting consent.

  1. To fulfill purposes relating to the preparation of historical documents or archives on public interest grounds or relating to research studies or statistics. In such cases the Company will implement appropriate security measures to protect the fundamental rights and freedoms of data subjects.
  2. To prevent or to avoid danger to an individual’s life or health.
  3. To comply with a contract, only to the extent that it is necessary to do so, to which the data subject is a party or in order to take steps requested by the data subject prior to entering into a contract.
  4. To carry out tasks, only to the extent that it is necessary to do so, for the public interest or in the exercise of official authority vested in the Company.
  5. For the purposes of legitimate interests pursued by the Company or by third parties or by other juristic persons, except where such interests are overridden by the fundamental rights and freedoms of data subjects.
  6. To comply with laws such as Civil and Commercial Code and Criminal Code.

 

Collection of sensitive personal data

The Company shall obtain explicit consent from data subjects prior to or at the time of collection, in accordance with the Company's rules and in compliance with applicable laws.

 

Using and disclosure of personal data

Using and disclosure of personal data by the Company shall be in compliance with the purposes and Principles of personal data collection. The Company may disclose personal data to agencies or third parties with the consent of the data subjects only to the extent that it is necessary to do so, unless such disclosure is permitted by law. Personal data may be disclosed to third parties, organisations or government agencies as follows:

  1. Affiliates or group companies.
  2. Contractual parties, service providers and business partners of the Company
  3. Government agencies with legal authority such as the Social Security Office, the Revenue Department
  4. Other agencies or organisations who are or may be involved in the business operations of the Company, such as as The Industrial Estate Authority of Thailand, The Stock Exchange of Thailand.

 

Period for personal data retention

The duration for which the Company stores personal data will be either one of the following:

Personal data will be kept for the periods stipulated by laws specifically relevant to retention of personal data such as the Accounting Act B.E. 2543 (2000), Act on Commission of Offences Relating to Computer, B.E. 2550 (2007) and the Revenue Code.

 

In cases where the retention period for personal data is not specified by relevant laws, the Company will determine the period necessary and appropriate for its operations.

 

At the end of such period, the Company shall delete, destroy, or anonymize the personal data.

Transmission or transfer of personal data to other countries.

 

Transferring personal data to another country

The Company shall take steps to ensure that the destination country has sufficient personal data protection standards. However, in cases where that the destination country does not have sufficient personal data protection standards, the transfer of such personal information must comply with exceptions specified in the Company’s rules that are not in violation of the law.

 

Rights of Data subjects

This policy is established to assure data subjects that they can exercise the following rights available to them under the Personal Data Protection Act, B.E.2562 (2019).

 

  1. Right to withdraw consent: The data subjects have the right to withdraw their consent for the processing of personal data that they have given to the Company throughout the period in which the personal data is kept by the Company.
  2. Right of access: The data subjects have the right to access their personal data and request the Company to make a copy of such data, including the right to ask the Company to disclose any acquisitions of their personal data for which consent has not been given.
  3. Right to rectification: The data subjects have the right to request the Company to rectify incorrect or incomplete data.
  4. Right to erasure: The data subjects have the right to request the Company to delete their personal data for certain reasons.
  5. Right to restriction of processing: The data subjects have the right to request the Company to restrict the use of their personal data for certain reasons.
  6. Right to data portability: The data subjects have the right to transfer personal data that they have provided to the Company to other Data Controllers or themselves for certain reasons.
  7. Right to object: The data subjects have the right to object to the processing of their personal data for certain reasons.

 

However, the Company may refuse the exercise of the above rights by the data subjects, provided that the rejection is in accordance with the Company’s rules that are not in violation of the law.

 

The Company shall provide a channel through which data subjects can contact the Company to make requests to exercise the above rights. In the event that the Company rejects a request, it shall notify the data subjects of the reason for the rejection.

 

The Data Subject has the right to file a complaint in case where the Data Controller or the Data Processor, including its employees or service providers violates the Personal Data Protection Act B.E. 2562, or notifications issued in accordance with the Act.

 

Personal data security

The Company has established appropriate personal data security measures to prevent the loss of, unauthorized and unlawful access to, and the use, modification, correction or disclosure of personal data in accordance with the Company's policies and procedures for information security.

 

In case where the Company has engaged an agency or a third party to perform work related to the collection, use or disclosure of personal data of the data subjects, it shall require the agency or the third party to keep the personal data confidential and secure, and to prevent the collection, use or disclosure of such personal data for any purposes other than specified in the scope of engagement or for any unlawful purposes.

 

Contact information

AMATA Corporation Public Company Limited

Address: 2126 Kromadit Building, New Petchaburi Rd, Bang Kapi, Huai Khwang, Bangkok 10310.

Telephone Number: 02 792 000

www.amata.com , email : dpt@amata.com

Other channels for contact or news updates including the Company’s LINE@, Facebook