Personal Data Protection Policy
Sahamitr Pressure Container Public Company Limited
Article 1 : Principle and Rationale
Personal data Protection Act B.E. 2562 was created to make personal data protection effective and to have efficient measures to remedy the personal data subject from infringement of the rights in personal data. The enactment of this Act is in accordance with the provision in Article 26 of the Constitution of the Kingdom of Thailand.
Sahamitr Pressure Container PLC the Company adheres to conducting business with ethics, paying respect and complying with applicable laws. The Company is aware of data privacy related to personal data and is committed to protecting the privacy of personal information. Thus, the policy is declared to be the basis for personal data protection. The Company acknowledges of the need in safety in conducting transactions and the storage of personal data. Therefore, the Company pays attention to paying respect to the privacy rights of individuals and personal data security. The Company has set out the policies, regulations and criteria for operation with strict measures for personal data security to ensure that the personal data received by the Company will be used according to individual needs and will be legally utilized.
Article 2 : Personal data
2.1 Data Collected by the Company
- The Company may collect personal data of the data subject through various channels, such as:
(1) when the data subject applies for a job with us through website or telephone, as well as when employed as the employee of the Company, the Company would request for the necessary information as follows:
name-surname, telephone number, e-mail, address, profile, education, etc.
(2) When the data subject contacts for inquiry or is interested in our service, the Company may ask for the data about data subject, such as name, e-mail, telephone number, etc.
(3) The Company may record the Log Files of the data subject, including IP Address or access time, etc.
2.2 Personal data
- Personal data is the data that make us be able to specify the identity of each person, directly or indirectly, which are:-
(1) Personal data that is provided to the Company directly or through other channels, including when using the service, contact, visit, search through digital channel, website, Call Center, the person in charge, or any other channels.
(2) The personal data received or accessed by the Company through other sources that is not directly from you, such as father, mother, children, spouse, sibling, government agency, financial company, financial institution, financial service provider, business partner, National Credit Bureau and data service provider, etc. which the Company will gather from other sources when receiving your consent according to the law, except when it is necessary as allowed by law.
The personal data that the Company have gathered, used and/or disclosed, such as
(1) Personal information, such as name, surname, age, dated of birth, marital status, National ID Number, Passport Number
(2) Contact information, such as accommodation, workplace, telephone, number, e-mail, LINE ID
(3) Financial information, such as saving account number, financial history, list of assets owned by the person and related parties (father, mother, children, spouse, sibling)
(4) Transaction data, such as bank statement, payment, borrowing, investment in assets of the person and related parties (father, mother, children, spouse, sibling)
(5) Information of equipment or tools, such as IP Address, MAC Address, Cookie ID
(6) Other information, such as website usage, sound, image, animated image, and any other information that is considered personal data under personal data protection law.
2.3 Sensitive Data
- Sensitive data is the personal data that is specifically specified by law, which are sexual behavior data, health data, political opinion, religious belief, etc. The Company will gather, use and/or disclose the sensitive personal data when the Company has obtained consent expressly from individual or in the case that the Company is necessary in case it is allowed by law. The Company may have to gather, use and/or disclose personal data, biometric data, such as fingerprint simulation data, for the purpose of proving and verification the identity of person who request to enter into the Company’s area (hereinafter the personal data and sensitive data will be collectively called “personal data”, unless the data is specific.
Article 3 : Purpose and details of the gathering, usage and/or disclosure of personal data
The Company will gather the personal data for the benefit of business operation according to the purposes, as well as to comply with any law that the Company or the individual must follow and for any purposes as specified in this policy as follows:
3.1 To make the Company be able to operate the business according to the purposes
3.2 To perform its duties according to the relevant law or legal obligations, such as:
- (1) Compliance with the orders of the legal authority
(2) Compliance with the financial institution business law, securities and exchange law, life insurance law, non-life insurance law, tax law, anti-money laundering law, terrorism and proliferation of weapons of mass destruction financing law, computer law, bankruptcy law and other laws that the Company is required to comply with, both in Thailand and abroad, including announcements and regulations issued under the said laws.
3.3 to conduct necessary operation under the legitimate interest without exceeding the limits that an individual can reasonably expect (Legitimate Interest), such as:
- (1) CCTV recording and ticket exchange before entering the Company area
(2) Maintaining relationship with the customers, such as handling complaints, satisfaction assessment for customer care conducted by the employee of the Company
(3) Risk management, auditing supervision and internal management
(4) Making personal data to be anonymous data
(5) Preventing, handling and mitigating the risks of fraudulent activity, cyber threat, default for debt repayment or breach of contract (e.g. bankruptcy information), law violation, such as money laundering, financial support for terrorism and proliferate weapons of mass destruction, offenses relating to asset, life, body, liberty, or reputation), which includes sharing personal data to raise the standard of work of the office in preventing, handling and mitigating the above risks.
(6) Gathering, using and/or disclosing the personal data of the authorized directors, representative of the corporate customer
(7) Contacting, recording the image or voice of meeting, training, recreation activities and exhibition
(8) Gathering, using and/or disclosing personal data of the person who is under receivership by court order
(9) Receiving – delivery of parcels
3.4 Personal data that the Company has processed and categorized by the legal basis is as follows:
- (1) Contract basis
(2) Vital Interest basis
(3) Legal Obligation basis
(4) Public Task basis
(5) Legitimate Interest basis
(6) Consent basis
If there is a (lawful) change in the purpose of personal data use, the Company will notify the individual within 30 days.
3.5 For the personal data that the Company has recorded the personal data usage in log, each department should record the log as follows:
- (1) If it is used for general purpose of the Company, personal data usage record is not required.
(2) If it is used outside the purpose of the Company, the personal data usage must be recorded by adding the purpose of use and request for consent from the data subject again.
(3) In the case of important personal data that is used from time to time, consider to record the usage log to keep user information and the details of use
(4) In the case there is Access Log to examine the user, record the usage, so that if the information is leaked, it will be verifiable.
(5) In the case there is Access Control, limit the number of people who can access the personal data use.
Article 4 : Processing of data by third parties
The Company may need to submit or transfer the personal data to third parties for processing. The Company will ensure the submission or transfer of personal data in accordance with the law and will take action to have personal data protection measures that we deem necessary and appropriate to comply with confidentiality standards, such as fragmentation before submission of personal data. Alternately, the Company may choose to implement a personal data protection policy that has been reviewed and approved by the relevant legal authority and will proceed to submit or transfer personal data to third parties for processing according to the aforementioned personal data protection policy instead of the operation according to the law.
Article 5 : Disclosure of personal data
The Company may disclose the personal data to other people under the consent of the person, according to the Consent Form or under the criteria allowed by law.
Article 6 : Submitting or transferring the personal data abroad
the Company may need to submit or transfer personal data to companies in the Company’s network located abroad or to other recipients as part of the Company’s normal business operations, such as submitting or transferring personal data to store on the server / cloud in various countries. In the event that the destination country does not have sufficient standards, the Company will take care of the submission or transfer of personal data to be in accordance with the law and will take personal data protection measures that are deemed necessary and appropriate in accordance with confidentiality standards, such as entering into confidentiality agreements with recipients in such countries, or if the recipient is a company in the Company’s network located abroad, the Company may choose to implement a personal data protection policy that has been examined and approved by the authority according to the relevant laws. And the Company will proceed to submit or transfer personal data to the company in the Company’s network abroad to be in accordance with the aforementioned personal data protection policy instead of complying with the law provision.
7.1 What are cookies?
7.3 Types of cookies that are used
Types of cookies
Cookies for analysis and performance evaluation
Cookies for ads
Cookies for Operation
This type of cookies helps your website experience become consistent, such as remembering your logging in to the system, remembering the information you provide on the website.
This type of cookies helps use to evaluate the performance, such as processing the number of pages you have accessed, the number of certain characteristics of such group of user. The information will be used to analyze user behavior patterns.
This type of cookies will be saved on your device to collect access information links you have visited and followed. Apart from that, third party cookies may also use information they have transmitted. News in online media and content collected from the service providing to understand the needs of users with the objectives to customize your website ang advertising campaigns to suit your interests.
This type of cookies will help to facilitate when you come back to the website again. We will use the information to customize according to your usage.
- Google Analytics
- Adobe Audience Manager
- Adobe Target
- Google Analytics
- Google Analytics
7.4 Cookie management
- You can delete and refuse the cookie record by studying instruction specified in each browser you used.
7.5 Change of cookies policy
- This cookies policy may be revise and amend occasionally in order to comply with the law. Therefore, we would like to suggest that you make sure that you understand the change under such provision.
Article 8 : Duration of personal data record
The Company will keep personal data for a period required for conducting the business according to the purpose or throughout the period required for achieving the objectives related in this policy. The data may need to be kept further if any laws requiring or allowing to do so, for example, keeping in accordance with the Anti-Money Laundering Law, keeping for the purpose of verifying and examining a possible dispute within the legal term of the law, for not more than 10 years. In this regard, the Company will delete or destroy persona data or make it to be anonymous data when it is not necessary and such term has ended.
Article 9 : Personal data protection and risk and impact assessment
The Company will duly keep the personal data according to the Technical Measure, Management Measure and Organizational Measure to secure personal data processing and to prevent personal data violation. The Company has established relevant regulations and criteria for the protection of personal data and have assessed the risks and impacts of personal data protection, such as information technology system security standards, measures to prevent recipients who have received the data from the Company from using or disclosing information outside of their purpose or without authorization or unlawful authorization.
The Company has revised regulations, criteria and risk and impact assessment for such personal data protection regularly, as necessary and as appropriate, assessment of risks and impacts of personal data protection, including loss of reliability, trust and reliability of the customer, disadvantage in competition in the market and business, being taken legal action. In addition, the directors, personnel, contractors, representations, consultants and data recipients of the Company have obligation to keep personal data confidential in accordance with the confidentiality measures set by the Company. The Company specifies that the personal data violation must be reported to the data subject within 72 hours of personal data violation.
Article 10 : Right of an individual about personal data
Right of an individual about personal data is the right according to the law that people should be aware of. An individual can request to exercise the rights under the existing laws or the policy or further amendment thereto in the future, as well as the criteria as specified by the Company. In the case where a person is a minor or the ability to conduct juristic acts is limited according to the law, the individual can request to exercise the rights by getting the parent, guardian or authorized person to submit the request.
10.1 Right to be informed
- If an individual wishes to give consent to the Company for the collection, use and/or disclosure of personal data, they have the right to know in detail about the purposes for which personal data is collected, used and/or disclosed. The data subject may or may not provide information, or in the case where the law is required to provide information.
10.2 Right to withdraw consent
- If an individual has given consent for the Company to collect, use and/or disclose personal data (whether consent has been given by the person before the date on which personal data protection law comes into force or thereafter), the individual has the right to withdraw consent at any time throughout the period that personal data is with the Company, unless there is a restriction to the rights according to the law or there is a contract that will benefit the individual. In this regard, the withdrawal of the consent of the individual may affect such individual from the performance according to the contract. For the benefit of the individual, it is important to study and inquire about the effects before withdrawing consent.
10.3 Right to request to access information
- An individual has the right to request to access to the personal data of such individual which is in the Company’s responsibility and ask the Company to make a copy of the data for such individual, including asking the Company to disclose how the Company got that personal data.
10.4 Right to request for data portability
- An individual has the right to apply for personal data in case the Company has made the personal data in a form that is readable and usable by automatic tools or devices and usable or revealable personal data by automated method. An individual also have the right to request the Company to submit or transfer personal data in such format to other personal data controllers when it can be done by automated method and have the right to request personal data that the Company submitted or transferred personal data in such format to other personal data supervisor directly, unless it cannot be performed due to technical reasons.
However, the above personal data must be personal data that the Company has obtained consent to gather, use and/or disclose, or is the personal data that the Company is required to gather, use and/or disclose in order to perform the obligations according to the contract as wishes, or other personal data as specified by the legal authority.
10.5 Right to object to the gathering, use and disclosure of personal data
- An individual has the right to object to the gathering, use and/or disclosure of personal data at any time. In case of the gathering, use and/or disclosure of personal data that is made for the operations necessary within the legitimate interest of the Company or as required by law, without exceeding the limit that an individual can reasonably anticipate, or to carry out their mission for the public benefit, if individuals submit an objection, the Company will continue to gather, use and/or disclose their personal data, only those the Company can state that the legal reason that is more important than you fundamental rights or is it for confirmation of legal rights, legal compliance or the counter in legal action as the case may be.
10.6 Right to request for data erasure
- An individual has the right to request to delete or destroy their personal data or make the personal anonymous, if an individual believes that the personal data is collected, used and/or disclosed in any unlawful manner, or it is deemed that the Company is not necessary to retain it for the related purposes in this policy, or when an individual has exercised the right to withdraw consent or exercise the right to objection as stated above.
10.7 Right to request for data restriction of processing
- An individual has the right to request the temporary suspension of personal data use, in case the Company is in the process of reviewing the request to exercise the right to correct personal data, or objection, or any other cases where it is not necessary for the Company and the personal data must be erases or destroyed according to applicable law.
10.8 Right to request for data rectification
- An individual has the right to request to correct personal data to be updated, completed and not to be misleading.
10.9 Right to complain
- An individual has the right to submit a complaint to a related authority under the law, if the individual believes that the gathering, use and / or disclosure of your personal data is in a manner that violates or fails to comply with applicable laws.
10.10 Restrictions on the Exercise of Rights
- The exercise of the rights of the individual as mentioned above may be restricted under applicable law and there are some cases where there is a need for the Company to refuse or fail to comply with the above request. For example, it is required by law or a court order for the public interest, or the exercise of right may violate the rights or liberties of others, etc. If the Company rejects the above request, the Company will inform the individual the reason for the refusal. In this regard, the Company will take action according to the exercise of right within 30 days from the day that the person submitted the application and supporting documents to the Managing Director of the Company completely.
Article 11 : Persons in charge of personal data protection
The Company has appointed a person in charge of personal data protection and has assigned the roles of the personal data protection supervisors as follows:
11.1 Data Controller
- refers to an individual or juristic person having the authority to make decisions about the gathering, use or disclosure of personal data.
11.2 Data Processor
- refers to an individual or juristic person operating related to collection, gathering, use or disclosure of personal data according to the order of or on behalf of the data controller. In this regard, the individual or juristic person who take such action is not the data controller.
11.3 Data Protection Officer (DPO)
- refers to the person who is appointed the conduct the obligation in the case that the Company has large about of data processing or sensitive data. The Company will appoint DPO to coordinate, examine, advise and supervise in terms of security of personal data.
Article 12 : Penalty
If the person who is responsible for taking any action in accordance with their obligations has neglected, refrained from directing, or failed to perform or direct, or perform any of their duties, which is a violation of the policy and guidelines relating to personal data, leading to a legal offense and/or damage, such person is subject to disciplinary action in accordance with the Company’s regulations. The Company will not compromise on any offenses that the responsible person has acted and that person is subject to legal punishment according to their offense. However, if such offense causes damage to the Company and/or any other persons, the Company may take further legal action.
Article 13 : Revision of the Policy
The Company will revise this policy at least once a year or in case there is any amendment to the law.
Article 14 : Contact information
Sahamitr Pressure Container PLC.
92, Soi Thientalay 7 (4th Intersection), Bangkhunthien-Chaitalay Road,
Samaedam Sub-district, Bangkhunthien District, Bangkok
Tel : 02-895-4139-53
อีเมล์ : firstname.lastname@example.org
Announces on 24 September 2020
(Mr. Surasak Urpsirisuk)