Announcement No. 015/2022 Subject: Personal Data Protection Policy

Last updated: 2022-06-02

AEROKLAS THAILAND

Aeroklas Company Limited, a subsidiary of EPG: Eastern Polymer Group Public Company Limited, respects the privacy rights of customers, shareholders, vendors, suppliers, subcontractors and employees. The Company realizes the importance of personal data and must protect it to prevent infringement of privacy rights, which may cause trouble or damage to the personal data. Therefore, the Company has announced this Personal Data Protection Policy as a framework for the collection, use or disclosure of personal data as follows:


1. The scope of application

This policy applies to Aeroklas Company Limited, employees, and all relevant personnel who process personal data according to a directive or on behalf of the company.


2. Definition
2.1 “Company” means Aeroklas Company Limited, including its directors and employees.
2.2 “Personal Data” means information about an individual that enables an identifiable person to be identified, whether directly or indirectly, but does not include information about the deceased.
2.3 “Data Subject” means a natural person whose personal data can identify that person, whether directly or indirectly.
2.4 “Data Controller” means a person or juristic person who has the authority to make decisions about the collecting, use or disclosure of personal data.
2.5 “Data Processor” means a person or juristic person who performs the collection, use or disclosure of personal data on the order of or on behalf of the Data Controller. However, the person or juristic person is not a controller of personal data.
2.6 “Data Protection Officer” means an individual person or an appointed group that provides recommendations, verifies operations and coordinates with the Office of the Personal Data Protection Commission in the event of a problem with the collection, use or disclosure of personal data.

3. Purpose for collecting, using or disclosing personal data
The Company collects, uses, or discloses personal data if deemed necessary for the Company's proper business operations under the objective of internal processes, offering products and services, procurement, marketing communications, product and service development, data analysis, legal compliance, human resource management, occupational health, safety, and environment, including security, etc.
In the event that the company collects, uses or discloses personal data other than specified, the company will inform the owner of the personal data for further acknowledgment in the following aspects:
1) Purpose for collecting, using, or disclosing personal data
2) The type of person or enterprise for which the collected personal data may be used or disclosed.
3) Data Subject Rights Collection period
4) Reasons for collecting, using or disclosing personal data, in the case of collecting and using or disclosing information without the consent of the owner of the personal data.
5) Contact information for the Personal Data Controller or the Company's Personal Data Protection Officer.
If there is a change of purpose later, the Company will inform and ask for consent and provide additional amendments as evidence.
The Company will not collect, use or disclose personal data for any purpose other than the purpose that was mentioned before or at the time of collection.


4. Source of personal data
4.1 Obtain personal data from the data subject directly through the contact with the Company.
4.2 When obtaining personal data from other sources for the necessary collection, use or disclosure of personal data by the Company, it will notify the affected person by either method within 30 days from the collection date.


5. Consent
The Company will collect, use or disclose personal data for necessary purposes on a consent basis from the owner of the personal data. The Company will proceed to seek consent as required by law, except where the collection, use or disclosure of personal data falls under exceptions as required by law, as follows:
5.1 General Personal Data
1) It is necessary to achieve research or statistical purposes for which appropriate safeguards are in place to protect the rights and freedom of data subjects as required by law.
2) It is necessary to prevent or suppress harm to a person's life, body or health.
3) It is necessary for the performance of the contract; as a contracting party, or to be used to perform the request of the personal data subject before making the contract.
4) It is necessary for the public benefit or to perform the duties of the state powers that have been given to the Company.
5) It is necessary for the legitimate interests of the Company.
6) It is necessary to comply with the Company's policies.
5.2 Sensitive Personal Data
1) It is necessary to prevent or suppress harm to the life, body, or health of a person, when the data subject cannot consent for any reason.
2) It is information that is made public with the express consent of the data subject.
3) It is necessary to establish legal claims, comply with legal claims or uphold legal claims.
4) It is necessary to comply with the law to achieve the objectives relating to:
• Preventive medicine or occupational medicine employee competency assessment and health management
• It is a necessity for the benefit of public health, such as protecting health from dangerous communicable diseases or epidemics that may be contagious or spread, for which appropriate measures are applied, specifically to protect the rights and freedom of the data subject, especially the confidentiality of personal data.
• It is a necessity for labor protection, social security, national health insurance, health care benefits for legal persons, motor vehicle insurance or social protection. The collection of personal data is necessary for the performance of the rights or duties of the Company or the personal data by providing appropriate measures to protect fundamental rights and the benefits of the data subject.
• Scientific or statistical research studies shall be undertaken to achieve such objectives to the extent necessary and provide appropriate measures to protect fundamental rights and benefits of personal data as required by law.
In the case of collecting personal data about criminals, the Company will operate under the control of the competent authorities or has provided measures to protect personal data in accordance with the rules prescribed by law.
Personal data subjects have the right to withdraw consent at any time, including the right to refuse consent. However, if the withdrawal of consent or the refusal of such consent affects the performance of the contract or the provision of services, the Company will notify the owner of the personal data about the impact.
 
6. Personal data collection
The Company will collect personal data of the data subject when necessary for various purposes and/or benefits. Collection can be done through various channels. The data subject may provide personal data to the Company when contacting the Company, e.g. when making inquiries, requesting information, filling out forms expressing opinions, applying for a job, entering and leaving the Company's area, purchasing, selling, accessing computer information, work systems, applications, network systems, electronic devices, e-mail systems and websites, applying for other services of the Company, etc.
The personal data collected by the company includes the personal data of customers, shareholders, and suppliers, legal assistants, job applicants, trainees who apply for scholarships, donation benefactors, receptionists, contacts, visitors, etc.
 
The type of personal data that the Company collects from data subjects depends on the subject or person's type and may include:
1) Contact information such as an address, telephone number, e-mail address, social media contact and details of persons to be contacted in an emergency, etc.
2) Personal data such as name, surname, date of birth, age, gender, photograph, marital status, military status, interests and opinions, religion, health information, medical examination, disability and biometrics, ID card or copy of ID card or passport, signature, family members, education, competence and personal development and other features, work experience, finances, account numbers and tax.
3) Usage and access information, computers, systems, applications, network systems, electronic devices, e-mail systems, websites, including the use of cookies. Collect information to improve website development and comply with the Company's information technology policy and related laws.
4) Photo and animation information
5) Information and documents related to the recruiting process, such as resume curriculum vitae (CV), cover letter, job application including supporting documents for applying for a job, and employee interview assessment comments.
6) Information required for regulatory reporting such as the Ministry of Labor, Stock Exchange of Thailand and Office of the Securities and Exchange Commission, etc.
7) Other information necessary for the performance of the labor contract, supervision of benefits, welfare, analysis and administration, including taking care of employees after their retirement and compliance with various laws.
In case the Company collects sensitive personal data, the Company will strictly comply with the Personal Data Protection Act policies to comply with the Personal Data Protection Act, B.E. 2562 (2019).
 
7. Usage or disclosure of personal data
The Company will use, process, or may disclose personal data as necessary under the specified objectives and in accordance with the lawful rules for those involved as follows:
1) Within the Company, EPG affiliates or joint venture companies. However, it may be necessary to send or transfer personal data to a subsidiary in a foreign country or to an international organization that has adequate personal data protection standards and is in accordance with the rules for the protection of personal data as required by law.
2) Government agencies
3) An entity requesting disclosure by virtue of law
4) A service provider or recipient or a personal data processor that the Company has entrusted to take care, be responsible, provide services or manage personal data, collect, use or process personal data to develop, improve or maintain security standards of work systems and information systems, financial/accounting systems, human resource management, etc.


8. Personal Data of minors, incompetent or quasi-incompetent people
The Company will comply with the law on protecting personal data relating to the collection, use, or processing of personal data for minors, incompetent persons and quasi-incompetent people. It includes obtaining consent from the holder of parental authority for a minor, or from the guardian with the power to act on behalf of an incompetent or quasi-incompetent person. However, the Company does not have a policy on employing minors.


9. Personal data collection period
The Company will keep the personal data for the period necessary to achieve the specified objectives and/or store it as required by law, considering the necessity of each type of data practice. After the expiration of such periods, the Company will destroy or delete personal data by an appropriate method as specified by the Company.


10. Rights of Data Subject
The Company will provide measures, channels, and methods for the Data Subject to exercise their rights as required by law.


11. Integrity and quality of Personal Data.
The Company will make sure that the collected personal data is complete, accurate, current, and does not cause any misunderstandings before it is used or disclosed in any way.
 

12. Security measures
To maintain security and prevent the loss of, or unauthorized or wrongful access to, use, change, amendment or disclosure of personal data, the Company has established a personal data storage system with an access control mechanism and security measures in place. The Company will review the measures regularly to maintain appropriate security, according to the following measures:
1) Determine the right to access, use, change, amend or disclose personal data in accordance with the Company's information policy.
2) Personal data will be provided to other persons or juristic persons outside the Company only if they have appropriate measures in place for protecting, collecting and using personal data.
3) Set up a monitoring system to delete or destroy personal data after the retention period is over, unless it is preserved for purposes as required by law or the data subject requests to suspend the use instead.
4) Establish a personal data protection committee to administer personal data protection according to the Personal Data Protection Act in an appropriate, efficient and legal manner. Establish security measures to prevent the loss, access, use, change, amendment, or disclosure of personal data. Regularly review measures, including controlling and supervising the collection, use, or disclosure of personal data within the capacity of a personal data controller and personal data processor according to the personal data protection measures and the level of risk that may be violated.
5) Appoint a personal data protection officer to provide recommendations to verify compliance with the operations of the personal data controller or personal data processor within the Company. This is in regard to the compliance with the law on personal data protection, measures and the specified objectives, including coordinating with the Personal Data Protection Committee.
6) Appoint an internal auditor to verify compliance with the operations of the personal data controller or personal data processor within the company regarding the collection, use, or disclosure of personal data to comply with the law, according to measures and objectives as specified.


13. Person's Responsibility
The Company requires employees and people involved in personal data to pay attention and be responsible for collecting, using, or disclosing personal data in accordance with the law and with strict personal data protection measures and policy.
If the responsible officer neglects any action that is a violation or non-compliance with relevant laws and policies that may cause damage to the owner of personal data and an offense under the law, that person will be subject to disciplinary action of the Company, and may also be subject to legal penalties according to the Personal Data Protection Act.


14. Policy Review and Policy Change
The Company will regularly review this policy. If the law changes, the Company may amend the policy accordingly to comply with the changes related to the collection, use or disclosure of personal data. The Company will notify any amendments via the Company's website.


15. Contacts regarding personal data protection policy
If you have any questions about this Personal Data Protection Policy or want to exercise any specified rights, you can contact us at:
Aeroklas Company Limited
Personal Data Protection Officer (DPO)
Email: dpooffice@aeroklas.com
No. 111/1, 111/10 Moo 2 Subdistrict Makhamku, District Nikomphattana, Rayong 21180
Telephone: 038 – 893599
Website: www.aeroklas.com
 
This policy shall be effective from now onwards.
  

Announced on May 10, 2022

Mr. Ekawat Vitoorapakorn
Managing Director
