PERSONAL DATA PROTECTION ACT (PDPA)

1. Introduction and scope
For the performance of its activities, the company (hereinafter referred to as “ART-SERINA PISTON CO.,LTD.”, the “Company”, “we”, “our” or “us”) processes various data, both commercial and personal. This policy concerns the processing of the personal data of different categories of identifiable persons such as clients, suppliers, directors of our clients or suppliers or any other persons contacting the company.

The company understands the importance of the protection of personal data and the concerns of our clients and clients’ contact persons, suppliers and suppliers’ contact persons and other persons with whom it has contacts regarding the processing of their personal data. The company always carefully considers the protection of personal data during the different personal data processing operations.

This policy is designed to provide a uniform minimum standard for the protection of personal data applicable to the company. This policy will be applied by the company, except if other compulsory data protection legislation is applicable which contains stricter obligations and conditions.

The data controller for the purposes of this policy is the company, with registered office address at 169 soi Chalongkrung 31, Lamplatiew, Ladkrabang, Bangkok 10520 Thailand.

2. Contact point for the protection of personal data
The company has created a PDPA contact point, to ensure the implementation and enforcement of the Personal Data Protection Act B.E. 2562 (2019) (referred to as the “PDPA”) and this policy.

To exercise any of your rights (see article 7 of this policy), or if you have any other questions about how the company processes your personal data, please e-mail [Please insert contact e-mail here] or write to the company by registered letter at the address below:

The company PDPA Contact
169 soi Chalongkrung 31, Lamplatiew, Ladkrabang, Bangkok 10520 Thailand.

3. Definitions
The applicable data protection legislation uses specific language and refers to an abstract matter. Below you will find several definitions in order to enable you to better understand the terminology, and by extension, this policy.

a. Personal data
Personal data means any information relating to a natural person, also known as the data subject, which enables the identification of such person, whether directly or indirectly, but not including the information of deceased persons. Examples include a name, an identification number, location data, an online identifier or one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

b. Data controller
Data controller means a natural person or juristic person (for example a company), having the power and duties to make decisions regarding the collection, use, or disclosure of the personal data.

c. Data processor
Data processor means a natural person or juristic person who operates in relation to the collection, use, or disclosure of the personal data pursuant to the orders given by or on behalf of the data controller, whereby such natural person or juristic person is not the data controller.

d. Processing personal data
Processing personal data means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means (e.g. software), such as collection, use, disclosure by transmission, transfer, sending, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

4. Principles applicable when collecting and processing personal data
The PDPA has several basic principles which every data controller and data processor must comply with in order to be in accordance with this legislation.
In the event of doubt regarding the application of these principles in a concrete case, you can always contact the PDPA contact point for further explanations.

a. Lawfulness
The PDPA provides that personal data must be processed lawfully and fairly with respect to the data subject. In order to process personal data lawfully, a legal basis must exist. In principle, the Company processes personal data only when:
● The processing is necessary for the purposes of the legitimate interests pursued by the Company as a controller or the interests of a third party other than the data controller, except where the fundamental rights and freedoms of the data subject regarding the protection of his or her personal data override these interests.

Other than where justified by the legitimate interests above, the Company will usually process personal data where:
● The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
● The processing is necessary for compliance with a legal obligation which is imposed upon the organization.
● The processing is necessary for preventing or suppressing a danger to a person’s life, body, or health.
● The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company.
● The processing is necessary for the achievement of the purpose relating to the preparation of the historical documents or the archives for the public interest, or for the purpose relating to research or statistics, in which the suitable measures to safeguard the data subject rights and freedoms are put in place.
● The data subject has given his or her consent.

The Company shall inform the person concerned before or at the time the data is collected about the purpose for which consent is required, which personal data will be collected for the processing, the right to revoke consent, the possible consequences for the data subject in the context of automated individual decision-making and profiling, and transfer to third countries.

If you have given your consent for a specific processing purpose to the company in order to process your data for that purpose, you can withdraw this consent at any time. The company will then stop any further processing of your data for which you gave consent and will inform you of the possible consequences of your withdrawal of consent. If the company processes your personal data for other purposes and in order to do so it refers to other legal bases, it will still be able to process your personal data.

The company ensures that it always refers to at least one of the above-mentioned legal bases when it processes personal data. If you have questions about the applicable legal basis that the company is referring to, you can always contact the PDPA contact point.

Some categories of personal data are of a sensitive nature and data protection legislation also has a stricter regime for these special categories of personal data (also known as “sensitive personal data”). These are data concerning racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any data which may affect the data subject in the same manner.

In principle, the processing of these sensitive personal data is forbidden unless the Company can refer to one of the exceptions. In a limited number of cases, should the company process sensitive personal data, the data subject will be informed in advance.
For more information about the company's handling of sensitive personal data, please contact the PDPA contact point.

b. Fairness
The data controller ensures that personal data shall be processed:
● For specific, explicit and legitimate purposes and may not be processed further in a way incompatible with the initial purposes for which the data were collected.
● This processing shall be limited to what is necessary for the purposes for which the data were collected. If possible, the data controller will anonymize the data or use pseudonyms in order to limit the impact for the data subject as much as possible. This means that the name or identifier will be replaced so that it is difficult or even impossible to identify an individual.
● Limited in time and only as necessary for the specific purpose.
● Accurately, and the data shall be updated where necessary. The data controller shall take all reasonable measures to erase or update the personal data, taking into account the purposes for which they are processed.

c. Transparency (personal data collected and purposes for processing)
In principle, the company processes personal data it has received directly from the data subject or indirectly and shall inform him/her about the following matters:
● Information, address, contact channel, details of the controller;
● The purpose of the processing and its legal basis;
● If the personal data processing is supported by a legitimate interest, an explanation of this interest;
● The (categories of) receivers of the personal data;
● The transfer of personal data to third countries (outside Thailand) or international organizations (and on what basis);
● The time limit for the storage of personal data or the criteria used to determine the time limit;
● The rights of the data subject (including the right to revoke consent);
● The right to lodge a complaint with the related supervisory authority;
● Explanation when the transmission of personal data is a contractual or legal obligation;
● If the Company receives personal data from a third party, it shall clearly inform the data subject about the categories of personal data which it received from this third party and will also make this third party known to the data subject.

When the data subject already has all the information, the company will not inform the data subject unnecessarily about the processing of his/her personal data.

If the company processes personal data for other purposes that are incompatible with the purposes for which they were initially collected (the new purpose is not described in the initial information note and the data subject cannot guess that his or her personal data will also be processed for this new purpose), the Company will take all the necessary measures to process such data lawfully and will inform the person concerned.

Specific legislation may contain exceptions or set additional requirements which the Company must comply with, with respect to the provision of information to data subjects.
These mandatory legal provisions take precedence over this policy.

d. Personal data to be processed
The personal data that the company collects may notably include the following information:
1. Name-surname;
2. Address;
3. Telephone number;
4. Company’s name;
5. Title or position;
6. E-mail address;
7. Image;
8. Videos captured through security camera;
9. Etc.

e. Purpose of processing
The company processes personal data to provide our clients, suppliers, directors of our clients or suppliers etc., with the requested services. As part of this, the company may also process your personal data for the following purposes:
- Customer management
- Supplier management
- Public relations, for example, creating different types of media to present the activities of the Company or posting your photos on the Company’s website
- Security management
- Marketing
- Trade information / technical sales information
- Procurement
- Purchase order management
- Evidence in doing business
- Claim management
- Performance of a contract with our clients or suppliers or in order to take steps at your request prior to entering into a contract
- Etc.

In addition to the aforementioned purposes the company may also use personal data collected via its websites:
1. To manage and respond to any request submitted through our websites;
2. To manage subscriptions to the company’s newsletters;
3. To receive orders from customers.

f. Confidentiality and integrity
The company takes the required technical and organizational measures to ensure that the processing of personal data is always carried out with the appropriate safeguards to protect the data against unauthorized access or unlawful processing and against loss, destruction or damage of accidental origin.

The company uses a range of physical, electronic and managerial measures to ensure that it keeps personal data secure, accurate and up to date.
- Education and training to relevant employees to ensure they are aware of our privacy obligations when handling personal data
- Administrative and technical controls to restrict access to personal data on a need-to-know basis
- Technological security measures
- Physical security measures, such as staff security passes to access premises, locking filing cabinets etc.

5. Transfer of personal data
In some cases, the company may have to transmit personal data to third-party receivers, both inside and outside the Company's group. In any event, these personal data are only transferred on a need-to-know basis to these receivers who carry out the processing for specific purposes. The company shall always observe the necessary security measures when transferring the data and with respect to the receivers, in order to guarantee the confidentiality and integrity of the personal data.

The transfer to third parties can take several forms, as described in more detail below.

a. Transfer within the group of the company
Third-party transfers can only take place if the company has respected the various principles and obligations imposed by the PDPA. This means, among other things, that the data subject must be informed about the transfer and the reason for this transfer and that the transferring Company can rely on a legal basis (legitimate interest, consent from the data subject, performance of an agreement, etc.) for this transfer. In this further processing, the Company must also comply with the other principles listed in article 5 of this policy.

When your personal data are passed on to companies within the group, but which are located outside Thailand (i.e. Japan), the company will provide for the appropriate guarantees described in point c.

b. Transfer to third parties
Other than specified in the preceding paragraph, the company may send or transfer personal data to third parties including law enforcement agencies and other third parties that are our service assignees.

c. Overseas Transfer
It is also possible that the company transfers personal data to parties that are based outside Thailand. Such a transfer is possible if the country where the receiver is based has an adequate data protection standard in accordance with the rules for the protection of personal data as prescribed by the Data Protection Committee.

In other cases, the company may send or transfer your personal data overseas if the Company provides appropriate safeguards which enable the enforcement of the data subject’s rights, including effective legal remedial measures according to the rules and methods as prescribed and announced by the Data Protection Committee.

Where this has not occurred or is not possible, the company may still transfer the personal data of the data subject, following the consent of the data subject. In order to allow the transfer, and therefore the processing, also in these cases, the company will ask the person concerned if he/she agrees to this transfer to third countries that may have inadequate personal data protection standards.

If more information about these international transfers is desired, the procedure as described under article 7 can always be followed.

6. Time limit for the storage of personal data
The company will securely store your personal data on our systems for the longest of the following periods:
- As long as is reasonably necessary for the relevant activity or services;
- Any retention period that is required by law; or
- The end of the period in which litigation or investigations might arise in respect to the company or by the company.
To determine the appropriate retention period of the personal data, the company will consider the amount, nature and sensitivity of such personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which the Company processes the personal data and whether the Company can achieve those purposes through other means, and the applicable legal requirements.

After the final time limit has passed, the company shall delete or anonymize the personal data if the Company still wishes to use such personal data for statistical purposes and may retain it for a longer period of time for dispute management, study or archiving purposes.

7. Rights of individual data subjects
Data protection legislation provides for different rights for data subjects with respect to the processing of personal data so that the data subject can still exercise sufficient control over the processing of his or her personal data.

Through this policy, the company is already trying to provide as much information as possible to the data subjects in order to be as transparent as possible with respect to the processing of personal data. The company understands that the data subject may still have questions or desire additional clarifications with respect to the processing of his or her personal data. The company thus understands the importance of the rights and shall therefore comply with these rights, considering the legal limitations in the exercising of these rights. The different rights are described in detail below.

a. The right of access
The data subject has the right to request access to and obtain a copy of his or her personal data, which is under the responsibility of the Company, or to request the disclosure of the acquisition of the personal data obtained without his or her consent. For any further copies requested by the data subject, the Company may charge a reasonable fee.

b. The right to rectification
When the data subject establishes that the company has incorrect or incomplete data about him or her, the data subject always has the right to inform the company of this fact so that appropriate action can be taken to rectify or supplement these data. It is the data subject’s responsibility to provide correct personal data to the Company.

c. The right to erasure
The data subject can ask to have his or her personal data erased, or destroyed, if the processing is not in accordance with data protection legislation (Article 33 of PDPA).

d. The right to restriction of processing
The data subject may request that the processing be restricted if:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to check their accuracy;
- the processing is unlawful, and the data subject opposes the erasure of the data;
- the company no longer needs the data, but the data subject requests that they not be removed, given that he or she needs them for the exercise or defense of legal claims;
- the data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.

e. The right to data portability
The data subject has the right to obtain his or her personal data which he or she provided to the company in cases where the company has arranged such personal data in a format which is readable or commonly used by means of automatic tools and can be used or disclosed by automated means. In addition, the data subject has the right to have those personal data transmitted to another data controller (directly by the company). This is possible if the data subject has consented to the processing.

f. The right to object
When personal data are processed for direct marketing purposes, the data subject can always object to this processing. The data subject can also object to processing due to a specific situation regarding the data subject.
The company shall stop processing the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests of the data subject or for the exercise or defense of legal claims.

g. The right to withdraw consent
If you have given your consent for a specific processing purpose to the company in order to process your data, you can withdraw this consent at any time by contacting the PDPA contact point. However, such withdrawal of consent shall not affect the processing of personal data for which you have already legally given consent to the Company.

h. The right to complain to the authority
The data subject has the right to file a complaint with the relevant data protection authority in the event that the company does not comply with the data protection legislation (the PDPA).

The data subject can exercise his/her rights provided in a. to g. above by sending an e-mail or registered letter to the company’s PDPA contact point described in article 2 of this policy. The company may ask the data subject to identify themselves in order to ensure that the effective exercise of the rights is requested by the data subject.

In principle, the company shall respond to the request of the interested person within 30 days. Otherwise, the company informs the data subject of the reasons for the delay in the follow-up of the request.

8. Revision of this policy
The company reserves the right to adjust and review this policy when it deems necessary and to remain coherent with the legal obligations and/or recommendations of the competent supervisory authority for data protection.