Personal Data Protection Policy

1. Principles and Objectives
2. Scope of Enforcement
3. Definition
4. Roles and Responsibilities
5. Personal Data Collection
6. Use or disclosure of Personal Data
7. Period of Collection of Personal Data
8. Transmission or Transfer Personal Data Abroad
9. Rights of Personal Data Subject
10. Personal Data Protection Security
11. Penalty
12. Review and Improve Policy
13. Contact Information


1. Principles and Objectives.
Thai Auto Conversion Co., Ltd. (the Company) is committed to protecting personal data in accordance with the Personal Data Protection Act 2019. The company has prepared this personal data protection policy so that the operation of the company complies with the law and with international standards for personal data protection, and to determine rules for protecting the personal data of personal data subjects and efficient and appropriate measures for managing violations of the rights of personal data subjects.

2. Scope of Enforcement
This Personal Data Protection Policy, made according to the Personal Data Protection Act 2019, covers all processing of personal data carried out by the company, including by any person who knows personal data because of their involvement in the operation of the company. Such persons must comply with this privacy policy and act within the framework determined by law.
For personal data collected before the Personal Data Protection Act 2019, the company may continue collecting and using that personal data for the original purpose. Disclosure and any operation other than the collection and use of personal data shall comply with the Personal Data Protection Act 2019.

3. Definition
“Personal Data Protection Policy” means the policy that the company has prepared to inform the personal data subject of the company’s data processing and of the details specified by the Personal Data Protection Act 2019.
“Personal Data” means any information relating to a person which enables the identification of such person, whether directly or indirectly, but not including, in particular, the information of deceased persons.
Examples of personal data:
1. Name-Surname
2. Identification number, Passport number, Social security card number, Driver’s license number, Tax identification number, Bank account number, Credit card number.
3. Address, Telephone number.
“Sensitive Personal Data” means any information relating to a particular person which is sensitive and presents significant risks to the person’s fundamental rights and freedoms, which includes data regarding racial or ethnic origin, political opinions, cults, religious or philosophical beliefs, sexual behavior, criminal records, health data, disabilities, trade union information, genetic data, biometric data, or any data which may affect the Data Subject in the same manner, as prescribed by the Personal Data Protection Committee.
Examples of sensitive personal data:
1. Ethnicity
2. Race
3. Political views
4. Belief in cult, religion, philosophy
5. Sexual Behavior
“Data Processing” means the collection, use, and disclosure of personal data.
“Personal Data Subject” means the person who owns the personal data.
“Data Controller” means a person or legal person who has the power to make decisions about the collection, use, and disclosure of personal data.
“Data Processor” means a person or legal person who carries out the collection, use, or disclosure of personal data on the orders of, or on behalf of, the data controller, where that person or legal person is not itself a personal data controller.

4. Roles and Responsibilities.
4.1 Roles and responsibilities of the company according to the Personal Data Protection Act 2019, where the company acts as a controller of personal data or a processor of personal data.

Roles | Responsibilities
Controller of Personal Data
  • Provide appropriate security measures to prevent the unauthorized or unlawful loss, access, use, change or disclosure of personal data, and review such measures when necessary or when technology changes.
  • Take action to prevent recipients of personal data who are not the personal data controller from using or disclosing personal data without authorization or unlawfully.
  • Provide an audit system for the deletion or destruction of personal data as set by the Personal Data Protection Act 2019.
  • Inform the Social Development Council and the personal data subject of violations of personal data without delay.
  • Keep records as specified in the Personal Data Protection Act 2019.
  • Provide a personal data processing agreement between the personal data controller and the personal data processor where the processing of personal data is assigned to a processor of personal data.
  • Inform the personal data subject and the Office of the Personal Data Protection Commission of the personal data protection officer’s contact information and how to contact the officer.
  • Provide and support the performance of the personal data protection officer.
Personal Data Processor
  • Collect, use or disclose personal data only in accordance with orders received from the personal data controller, unless the order is against the law or the provisions for personal data protection under the Personal Data Protection Act 2019.
  • Provide appropriate security measures to prevent the loss, access, use, change, editing or disclosure of personal data without authority or against the law.
  • Inform the personal data controller of violations of personal data.
  • Prepare and keep records of personal data processing activities.
  • Inform the personal data subject and the personal data protection commission officer of information about the personal data protection officer, the officer’s location and how to contact the officer.
  • Provide and support the performance of the personal data protection officer.

4.2 Roles and responsibilities of executives, the personal data protection officer and employees of the company.

Roles | Responsibilities
Executive
  • Perform, check, and follow up on employee performance so that it strictly complies with the personal data protection policy.
Employee
  • Strictly comply with the privacy protection policy.
Personal Data Protection Officer
  • Provide advice on, manage and check operations related to the processing of personal data in accordance with the Personal Data Protection Act 2019.
  • Report to top management when there is a problem with the performance of duties.
  • Coordinate and cooperate with the Office of the Personal Data Protection Commission.
  • Inform the Office of the Personal Data Protection Commission and the personal data subject of a personal data breach without delay, in accordance with the rules set by the company that are not contrary to the law.
  • Provide and review the personal data policy.
  • Keep confidential the personal data that becomes known in the course of duty.
  • Perform other tasks that are not contrary to the law.


5. Personal Data Collection.
The company will collect personal data, such as personal data, information related to personal life or personal interests, financial data, and sensitive personal data, from the sources and under the principles for collecting personal data set out below.

5.1 Source of personal data
The company may receive personal data in two ways, as follows.
5.1.1 Collecting directly from the personal data subject, such as personal information filled in through a job application or contact, both on paper and by answering the company’s online surveys.
5.1.2 Collecting from other sources that are not the personal data subject directly, such as searching for personal data through the website or inquiring of a third person. The company will inform the personal data subject without delay, and not more than 30 days from the date the company collects personal data from such sources, and will request the personal data subject’s consent to the collection, unless the company is exempted by law from requesting consent or notifying the personal data subject.
However, the company may collect personal data such as the following.
• Personal Data: Name, Date of birth, Nationality, ID card number or Passport number or other identifiable official documents.
• Contact Information: Address, Email, Telephone number, Fax number.
• Work experience information: Professional status, Position.
• Information related to the use of the website: Username and Password.
• Information about business partners.
• Information about the Company’s shareholders or company partners.
• Sensitive Information: Religious information, Health information, Criminal record.
• Device Information and device location information: GPS system.
• CCTV Information.
• Information about contacting in the company.

5.2 Principles for collecting personal data.
5.2.1 The company will collect only personal data that is important to company operations. However, the company may have different purposes for processing personal data on a case-by-case basis, for example:
• To enter into a contract and perform the contract between the company and the personal data subject.
• To verify the identity of the person, or verify the person, before starting work or entering into a contract with the company.
• To develop knowledge and abilities such as training.
• To comply with the laws related to the company, such as collecting information for withholding taxes, social security payments, and group insurance filing.
• To provide information to government agencies as required by law or as requested by the government agency.
• For the purpose of various audits, analysis, and document preparation at the request of other agencies or organizations related to, or possibly related to, the company’s business operations, such as the Bank of Thailand and the courts.
• For the benefit of the internal management of the company, such as paying salaries and compensation to employees and trainees of the company, entering into employment contracts with the company, managing the internal personnel of the company, and providing welfare to employees of the company.

5.2.2 Where the personal data subject must provide personal data to comply with a law or contract, or needs to provide personal data or other data to enter into a contract, failure to provide the data may cause transactions or other activities related to the personal data subject to be suspended or stopped temporarily until the company receives the personal data subject’s data. However, the company cannot process those data, or the law prohibits such transactions or activities, any longer.

5.2.3 The company will collect personal data as necessary for lawful purposes of which the personal data subject has been informed before or at the time of collection. The company will request the consent of the personal data subject before or at the time of collecting personal data, except in the following cases, in which the company can collect personal data without consent.

  1. To achieve objectives relating to the preparation of historical or archival documents for the public benefit, or relating to research studies or statistics. The company will provide appropriate preventive measures to protect the rights and freedoms of personal data subjects.
  2. To prevent or suppress a danger to the life, body, or health of a person.
  3. It is necessary to perform a contract to which the personal data subject is a party, or to process a request of the personal data subject before entering into a contract.
  4. It is necessary to carry out tasks in the public interest or to perform duties in the exercise of state powers entrusted to the company.
  5. It is necessary for the legitimate interests of the company or of another person or legal person, except where such interests are less important than the personal data subject’s basic rights to personal data.
  6. To comply with the law, such as the Credit Information Business Act 2016, the Civil and Commercial Code or the Criminal Code.

5.2.4 When collecting sensitive personal data, the company will request the consent of the personal data subject before or at the time of collecting such sensitive personal data, in accordance with the regulations that the company has determined and that are not contrary to the law.

6. Use or Disclosure of Personal Data
The company’s use and disclosure of personal data follow objectives and principles of operation in accordance with Article 5.2, Principles for collecting personal data. The company may disclose personal data as necessary to agencies or outsiders with the consent of the data subject, except where it acts within the framework of the law. However, personal data may be disclosed to outsiders, organizations or government agencies as follows:
1. Contract parties, service providers and business partners of the company.
2. Banks.
3. Government agencies which have legal powers and duties, such as the Social Security Office, the Revenue Department, the Legal Execution Department, and the court.
4. Agencies or any other organizations that may be related to the company’s business operations, such as the Bank of Thailand.

7. Period of Collection of Personal Data
The company will keep personal data for the following periods.
7.1 The period specifically set by law for the retention of personal data, such as under the Accounting Act 2000, the Computer-related Crime Act 2007 and the Revenue Code.
7.2 Where the law does not specifically set a period of collection of personal data, the company will determine the period as necessary for the proper operation of the company.
After the period of collection has expired, the company will delete or destroy the personal data, or make it unable to identify the person who is the personal data subject.

8. Transmission or Transfer Personal Data Abroad
Where the company transmits or transfers personal data abroad, the company will make sure that the destination country has adequate personal data protection standards.
However, where the destination country does not have adequate personal data protection standards, the transmission or transfer of personal data must comply with the exceptions under the regulations determined by the company that are not contrary to the law.

9. Rights of Personal Data Subject
This policy has been prepared to assure that personal data subjects can exercise the following rights, which exist under the Personal Data Protection Act 2019.
1. Right to withdraw consent: The personal data subject has the right to withdraw the consent to the processing of personal data that the personal data subject has given to the company, throughout the period in which the personal data subject’s personal data is with the company.
2. Right of access to personal data: The personal data subject has the right to access the personal data subject’s personal data and to request that the company make a copy of it, including to request that the company disclose to the personal data subject how it acquired personal data for which the personal data subject did not give consent to the company.
3. Right to rectification of personal data: The personal data subject has the right to request that the company correct incorrect or inaccurate data or add to incomplete data.
4. Right to erasure of personal data: The personal data subject has the right to request that the company delete the personal data subject’s personal data for some reason.
5. Right to restriction of processing of personal data: The personal data subject has the right to restrict the use of the personal data subject’s personal data for some reason.
6. Right to data portability of personal data: The personal data subject has the right to have personal data that the personal data subject has provided to the company transferred to another personal data controller or to the personal data subject for some reason.
7. Right to object: The personal data subject has the right to object in relation to the personal data subject’s personal data for some reason.
However, the company may refuse the personal data subject’s exercise of the above-mentioned rights in accordance with the regulations of the company that are not contrary to the law.
The company will provide a channel through which the personal data subject can contact the company, using the contact information specified in this policy, to submit a request to exercise the above rights. If the company rejects such a request, the company will inform the personal data subject of the reason for the refusal.
The personal data subject has the right to complain to the Personal Data Protection Committee where the company, a personal data processor, or employees of the company violate or do not comply with the Personal Data Protection Act 2019 or announcements issued under the Act.

10. Personal Data Protection Security
The company has determined appropriate measures to maintain the security of personal data in order to prevent the loss, access, use, change, correction or disclosure of personal data without authority or contrary to law, in accordance with the company’s information security policies and the information security of the company.
Where the company has hired an agency or outsider to carry out the collection, use or disclosure of personal data, the company will require the agency or outsider to keep personal data confidential and secure, and to prevent personal data from being collected, used, or disclosed for any other purpose that is not in accordance with the scope of employment or is contrary to the law.

11. Penalty
Where management and employees take any action that violates this policy, or fail to comply with it, whether directly or indirectly, they will be subject to disciplinary punishment in accordance with the company regulations and to the statutory penalties of the Personal Data Protection Act 2019.

12. Review and Improve Policy.
The company will arrange to review and improve this policy at least once a year, or when a change occurs that has a significant impact on the policy.

13. Contact Information.
Human Resources Department.
Thai Auto Conversion Co.,Ltd.
159 M.16 Thepharak Rd., Bangsaothong, Bangsaothong, Samutprakan 10570
Tel: 0-2313-1371-9 to 116,173