Personal Data Protection Policy of Hydrohealth (Thailand) Company Limited
Hydrohealth (Thailand) Company Limited (referred to as “Company”) has realized the importance of personal data protection and has strived to maintain safety and security measures on personal data in accordance with appropriate standards at an international level.
Therefore, the Company has established and disseminated this personal data protection policy (“the Policy”) to every relevant party for their acknowledgement. Such policy shall be in effect for every executive, employee, external party and contractor.
In addition, the executives of every division shall be responsible for supporting, encouraging and auditing the Company’s operations to ensure their strict compliance with policies and laws relating to personal data protection as follows:
- Personal data collection shall be conducted in a restricted manner and only when deemed necessary, as well as to comply with the established objectives, policies, handbooks and/or guidelines set forth by the Company.
- For the quality of data collected, the Company shall take into consideration the accuracy and appropriateness, while putting in place suitable security and risk management measures, as well as creating an awareness of, and responsibility for, the security of personal data.
- The objectives of collection, use or disclosure of personal data, in accordance with the law, and data shall be processed according to the specified objectives. Personal data collected shall not be disclosed to any external parties except in the following circumstances:
  - Vital interest
  - Official authority
  - Legitimate interest
  - Legal obligation
  - Research or statistics
- To publicize and disseminate the policy, including guidelines on personal data protection via the Company’s website and to carry out other duties as stipulated by law. For example, to establish measures to support the data subject to exercise his/her right, to specify the responsibility of the data controller and data processor as well as to appoint the DPO, etc.
- Every personnel of the Company shall have an awareness and responsibility while being ready to protect personal data of other related parties as if they were their own personal data.
The objectives of this policy are to inform every sector of the details of the collection, use or disclosure of personal data, including the transfer of such data to other countries, measures in handling and safety of personal data to ensure its strict compliance with the Personal Data Protection Act B.E. 2562 (“Personal Data Protection Act”), relevant laws and must be in line with personal data protection standards at an international level.
Consequently, the Company has endeavored to collect personal data only as deemed necessary, while limiting personal data collection only to achieve the established objectives in order to prescribe the process of data collection, storage, usage and disclosure, also including other rights of the Data Subject. The Company would like to announce this Policy as follows:
This Personal Data Protection Policy must be applied to personal data which the Company may collect, use, disclose or transfer to other countries. Such personal data belong to the following groups of people:
- Customers which encompass both a natural person whether he/she is the Company’s present, past or future customer and employee, personnel, staff, representative, agent, authorized person of a juristic person, director, contact person and a natural person who acts on behalf of the juristic person who is also the Company’s customer
- Business partners, counterparties which encompass both a natural person who is the Company’s business partner or counterparty, at present, in the past or in the future and employee, personnel, staff, representative, agent, authorized person of a juristic person, director, contact person and a natural person who acts on behalf of the juristic person who is also the Company’s customer
- Shareholders, investors, including any persons interested in the Company’s investment
- Visitors and external parties entering the Company’s premises whereby the Company must gather their personal data to ensure the security of the area under responsibility
- CSR stakeholders or any persons whom the Company may maintain their personal data to proceed with social activities or other related purposes
- Personnel, employees and applicants which include a family’s member, or a person referred to by such employee or applicant
“Company” refers to Hydrohealth (Thailand) Company Limited and its Subsidiaries, including an authorized representative of such company.
“Personal Data” refers to data of a person which help identify such person, whether directly or indirectly, which the Company has collected as notified in this Policy; for example, name, last name, nickname, address, telephone number, ID number, passport number, social security number, driver’s license number, tax ID number, bank account number, credit card number, education background, financial status, health record, work experience, criminal record, email address, license plate number, etc. However, the following forms of data are not considered personal data, such as data for business contact that does not identify such a person; for example, the company’s name, address of the company, juristic ID of the company, office phone number, office email address, email address of the Company Group, anonymous data or inherent data which are considered pseudonymous data, data of the deceased person, etc.
“Sensitive Personal Data” refers to personal data stipulated by the Personal Data Protection Act as sensitive data. The Company shall collect, use, disclose or transfer sensitive personal data abroad, provided that the data subject has already given his/her consent.
Sensitive personal data shall include data pertaining to nationality, race, political opinion, cult, religion or philosophy, sexual behavior, criminal record, health record, disability, trade union information such as membership data, etc., genetic data, biometric data such as facial recognition data, iris recognition data, voice identification data, fingerprint recognition data for identity authentication purposes, including other information which may affect the data subject in the same manner according to the notification of the Personal Data Protection Committee.
“Data Processor” refers to the collection, use or disclosure of personal data.
“Data Subject” refers to a person who owns such personal data, but not in a case that the person has ownership or is the creator or collector of such data. The data subject shall refer to a natural person and does not include a juridical person constituted by law such as company, association, foundation or any other organizations.
While browsing the Company’s website, cookies may be placed in the viewer’s device, while data may be collected automatically. Some cookies may be required in order to facilitate the proper operation of the website, whereas others shall be used to facilitate the viewers and enable them to browse additional information regarding the Company’s cookies policy.
4. Improvement of Personal Data Protection Policy
The Company may review, improve and change this Personal Data Protection Policy from time to time to ensure its consistency with relevant guidelines, laws, rules and regulations. Nonetheless, upon any changes in this Policy, the Company shall publish the revised policy via the Company’s website, including other channels.
5. Retention Period and Safety Measures
The Company shall maintain personal data as long as deemed necessary and appropriate in order to achieve the objectives specified in this Policy. The Company shall take into consideration the appropriate data retention period, contract period, prescription, including the necessity to further data collection for the duration required for the purpose of legal compliance, internal and external audit or audit of major shareholders, assessment, constitution or exercising of legal claim.
The Company shall maintain and keep your personal data in a safe and appropriate manner, whether in a form of document, computer and electronic system. Thus, you can be confident of the Company’s security measures which are appropriate and in line with international standards in order to prevent any losses, accesses, uses, changes, rectifications or disclosures of personal data improperly or without legitimate authorization.
Nonetheless, the Company has restricted the access and use of technology on the safety of your personal data to prevent any unauthorized access to computer or electronic systems. Besides, in a case that your personal data may be disclosed to the external party who processes data or to the data processor, the Company shall supervise such person to proceed appropriately and in compliance with the order.
6. Rights of the Data Subject
The consent given by the data subject to the Company for the objectives of collection, use and disclosure of personal data shall remain usable until the data subject revokes his/her consent in a written document.
The data subject can revoke his/her consent or withhold the use or disclosure of personal data in order to proceed with any activities, which can be achieved by sending the data subject’s request to the Company for acknowledgement in a written document or via email to firstname.lastname@example.org
Furthermore, the data subject is entitled to request his/her legal rights within the criteria stipulated by the Personal Data Protection Act as indicated below:
- Right of Access: The data subject is entitled to request access to his/her personal data collected by the Company, and the data subject is entitled to request the Company to provide him/her with a copy of such personal data.
- Right to Rectification: The Company shall endeavor to retain accurate and up-to-date personal data to ensure its integrity and avoid any misunderstandings. The data subject is entitled to have any inaccurate personal data rectified or changed, or more details added to such personal data, in order to ensure its completeness.
- Right to Object, Right to Erasure and Right to Restriction of Processing: The data subject is entitled to object to the collection, use or disclosure of personal data within the criteria prescribed by law. Besides, the data subject is entitled to request the Company to erase or destroy such personal data or to make such personal data unable to identify personal identity by any means and the data subject also has the right to restriction of processing, except for legal restriction.
- Right to Withdraw Consent: The data subject is entitled to revoke his/her consent on data processing when the data subject has already given his/her consent throughout the period, except in a case that such revocation of consent may incur some legal or contract restrictions. However, such revocation of consent shall not affect personal data processing which has previously been given legitimate consent to the Company.
- Right to be informed: In case you have any concerns or inquiries about your compliance with the Personal Data Protection Act or personal data processing, please contact the Data Protection Officer or PDPA Center as detailed in this Policy. In a case where any breaches of personal data protection law have been found, the data subject who has been violated is entitled to file a complaint to the authorized officer as set forth in the Personal Data Protection Act. Nonetheless, the Company shall endeavor, depending on the relevant system, to facilitate and proceed with the request without further delay unless it appears that such proceeding is unreasonable or may violate other people’s personal data protection or deemed as a violation against the law or beyond one’s power to proceed with such request.
7. Contact Information
Attention: Data Protection Officer (DPO)
The executives, employees, the Company shall regularly perform self-audits to ensure that their operations are in line with the policies, guidelines, handbooks and laws and whether such operation is involved with personal data as well as how to operate in accordance with the Policy. Besides, they shall also:
- Endeavor to understand the content of rules, regulations, policies, guidelines which are considered part of the Policy, including other handbooks
- Endeavor to understand laws, rules and regulations which relate to the operation and personal data protection on a regular basis
- In a case where noncompliance has been found, please report such matter directly by email to email@example.com or via other contact channels specified by the Company.
9. Review of Personal Data Protection Policy
The Company may review and improve the Personal Data Protection Policy or guidelines on a regular basis to ensure their compliance with relevant laws. Nonetheless, if there are any improvements, changes or rectifications, the Company shall notify such improvements, changes or rectifications.
Announced on 1 June 2022
Miss Wachira Narkpongpun