Personal Data Protection Policy

Personal Data Protection Policy of Olympia Thai Tower Co., Ltd.

Part 1 : Personal Data

Personal data is any data pertaining to a person, which enables the identification of such person, whether directly or indirectly. The personal data under the protection of this Policy includes: 

  1. General personal data of customers, business partners,visitors, or any related parties in the Company’s business, for instance, name-surname, telephone number, email, ID Line, ID Card No., Passport No., Bank Account No., signature or any other personal data needed for using in jointly performing the transaction or as prescribed by law.
  2.  General personal data of the employees, for instance, name-surname, ID Card No., Bank Account, photograph, signature, fingerprint, telephone number, email, ID Line, Facebook, educational background, spouse’s name, or any other personal data necessary for using in employment, management, or as prescribed by law.
  3.  Sensitive data of the customers, business partners, visitors, any related parties of the Company, or of the employees, for instance, race, lineage, political opinion, dogmabelief, religion or philosophy, sex behavior, criminal record, health data, disability, labor union data, heredity data, physical dominantbiometrics data, or any other sensitive data as prescribed by law to be necessary for use in the joint cooperation or business operation or according to the requirement of law.

Part 2 : Personal Data Protection Policy

The Company highly realizes and gives precedence to the personal data of the customers, business partners, employees, or related parties of the business of the Company. For the storage, collection, use, and disclosure of the personal data in conformity to the Personal Data Protection Act B.E. 2562 (2019), the Company, therefore, formulates the Personal Data Protection Policy as follows.

1.The Company shall maximally respect the privacy rights of the customers, business partners, employees, and related parties.

2.The Company shall request the personal data only as much as necessary for using or as prescribed by law, and directly request from the data subject.

3. The Company shall firstly inform the purpose of storage, collection, use, and disclosure of the data, and inform the rights to the data subject for acknowledgment, and give consent.

4.The Company shall establish a secure personal data protection system as prescribed by law.

5.The Company shall arrange a data controller, a data processor, and a data protection officer to ensure that the use of personal data is corresponding to the purpose and/or as prescribed by law.

6. If it is necessary for collecting, using, and disclosing the sensitive personal data, for instance, race, lineage, political opinion, dogma belief, religion or philosophy, sex behavior, criminal record, health data, disability, labor union data, heredity data, and physical dominant biometricsdata, the Company shall explicitly make a request for consent from the data subject, and carefully use the said data as confidential.

7.The foreign and alien data subject shall protect and use the data like Thai people’s data.

8. In delivering the personal data to the external or foreign agency, the Company shall make an agreement with the external agency or the destination country to ensure the strict and secure protection or according to the requirement of law.

9. The data subject has the right to audit, request for receiving a copy, object, erase, destroy, transfer, or request for withdrawing the consent on the said data. Unless the Company needs to use the said data according to law or according to the contract and the agreement entered by each other, the right can be requested from the data controller defined by the Company.

10. The Company shall maintain the personal data of the customers, business partners, employees or related parties as if the said data is the Company’s asset; not allow whoever to violate, disclose, access, take for exploitation, or cause damage to the data subject without the data subject’s approval. The violator shall be considered and punished at the highest rate, and absolutely sued, and reimburse the incurred damage in the full amount at the rate defined by law.

Part 3 : Person with the Duty Related to the Personal Data Protection

For the continuous and efficient implementation of this Personal Data Protection Policy, the Company appoints the persons with the following positions to comply with the related policies and/or laws.

1. An authorized director is the data controller in the name of a juristic person.

2. A representative of the Executive in the personal data protection system shall have the duty to manage the personal data protection system to be conforming to the Personal Data Protection Act B.E. 2562 (2019), and/or any other relevant laws.

3. A data protection officer shall suggest, verify, coordinate and control to ensure that the personal data protection system is conforming to law,confidential, and efficiently implemented.

4. The Human Resource Department Manager shall control the personal data of the employees, and control the personal data stored in all electronic media and software of the Company to ensure security.

5. The manager/supervisor of every work unit shall control the personal data of the employees, customers, business partners, or visitors involved in his/her work unit.

6. All employees shall collect, use, and disclose the personal data used by them in the line of the entrusted duty.

7. The Personal Data Protection Working Group shall prepare the personal data protection system to be consistent with this law.

Part 4 : Request for Consent on Use of Personal Data

4.1 The following is defined by the Company to be available.

(1) List of the personal data of the customers, business partners, employees, and visitors
(2) Determination of the using purpose and necessity
(3) Scope of the usage
(4) Validity of the data storage
(5) Rights of the data subject
(6) Data controller and data protection officer for informing the customers, business partners, visitors, and employees for acknowledgment, and giving a consent prior to the joint business operation or cooperation.

4.2 If the sensitive data (pursuant to Section 26) is stored, used, and disclosed according to the management necessity or according to the requirement of law, the Company shall explicitly make a request for consent from the data subject prior to the collection, use, and disclosure of data; and carefully use the said data as confidential.

4.3 In the case of the change of personal data whether the personal data of the customers, business partners, and visitors, and the data of the employees protected by the Company, the Company shall assign the data controller to review and approve prior to change, in order to ensure that the protected data is securely stored, collected, used, and disclosed.

Part 5 : Scope of the Data Usage

The Company shall use the personal data of the customers, business partners, visitors, or employees in every section requiring to use the said personal data in working or using according to the requirement of law whether inside the office, branches, affiliated companies, the Company, business partners, or any other agencies requiring for using the said data, both within the country or the foreign countries (if any), and both presently and in the future; and shall store, collect, use, and disclose as confidential for the data subject’s security.

Part 6 : Storage Place and Keeper of the Personal Data

6.1 The Company shall store the personal data in a computer or any other electronic media with security, and provide a Password or a Cryptogram of any other person to the user in order to ensure the storage security of the personal data.

6.2 In the case of the storage in the file, the storage place shall be securely locked with a key.

6.3 The Company shall determine a periodic inspection, a review, and an update of the whole system at least once a year; or in the case of an abnormal event or the promulgation of the additional law, or the technological change, the Company shall immediately review and update in order to ensure that the stored, collected, used, and disclosed personal data is protected according to the relevant policies and laws.

Part 7 : Validity of the Personal Data Storage

7.1 The personal data of the employee or customer used in the joint cooperation or business operation shall be stored all the time during the joint cooperation or business operation. The key information shall be continuously stored after invalidity for not exceeding 10 (ten) years, and stored in the safe electronic media or in the file.

7.2 Any non-usable personal data shall be stored for not exceeding 3 (three) months and destroyed by shredding or burning for destroying or by any other means in order to prevent the misuse.

7.3 In the case of any data stored in the electronic media or software and properly verifiable based on fact, the Company may destroy the paper data to avoid the burden and redundancy in storage.

Part 8 : Assigning the third party to process or transferring the personal data abroad

8.1 In the case where

8.1.1 the Company delivers the personal data to a person or an external agency (outside the Company but within the country) for execution according to the agreement,
8.1.2 the Company assigns any other person and organization to store, collect, use, and disclose the data (process),
8.1.3 the customer, business partner, and visitor recognize the employee’s personal data while dealing with the Company,
the Company shall provide the covenant and agreement of the notifications to the external agencies or third parties for the security of data storage, collection, usage, and disclosure according to the standards determined by law.

8.2 In transferring the personal data abroad, the Company shall assign the data controller or the data protection officer to concisely and prudently verify, review and approve; and make the agreement of the notifications with the destination country to ensure the appropriate and adequate protection according to the standards determined by law.

8.3 In delivering the sensitive data to the external agency or to abroad, a prior approval shall be given by the data controller in the name of the Juristic Person (the authorized director), and the data protection officer to have a mutual opinion and comply with the law every time in order to ensure the protection security of the destination country according to the requirement of law.

Part 9 : Rights of the Data Subject

9.1 The Company shall maximally respect the rights of the data subject, and grant the following rights to the data subject.

(1) To request recognition of the source of data without his/her consent.
(2) To request auditing of the storage, usage, and disclosure method.
(3) To request objecting and request suspending the usage.
(4) To request for withdrawal of his/her consent.
(5) To request erasing from storage, usage, and disclosure.
(6) To request changing and revising to be correct.
(7) To request receiving a copy or request for the data certification.
(8) To request transferring of the data to other work units.
(9) If the damage arises or another person is advantageous, the data subject is entitled to sue and claim for the damages.
However, the exercise of such rights shall not affect the right to use the Company’s data as prescribed by law.

9.2 In the case where the Company remains using the data according to the purpose in good faith, does not exploit and cause damage to the data subject or uses based on the management necessity or according to the contract and the agreement entered with each other or according to the requirement of law for usability, the Company shall request for consent from the customer or the employee on the continuous use of the said personal data as usual.

9.3 The employee who suspects or detects an abnormal event from the use of his/her personal data, can complain or request for exercising the rights of the aforesaid data subject, with the data controller of the employee (Human Resource Department Manager) defined by the Company for execution.

9.4 The customer, business partner, and visitor who suspect or detect an abnormal event from the use of their personal data can complain or request for exercising the rights of the aforesaid data subject, with the data controller of each work unit (Manager of the Work Unit dealt by the customer) for execution.

9.5 The employee or customer who is not facilitated, and the said problem is not corrected according to the defined rights, shall give notice to the data protection officer or the data controller for execution.

9.6 In judging a complaint or a doubt, the data controller in the name of a Juristic Person (the authorized director) under the consent of the data protection officer shall have the judicial power and the said judgment shall be deemed as final.

Part 10 : Duty of the Data Subject

10.1 Submit his/her personal data to the person with the related duty, as requested within the specified period.

10.2 If the personal data is changed, a notice shall be immediately given to the related parties for acknowledgment or within not more than 7 (seven) days.

10.3 The personal data of the employee or customer shall be dutifully used in good faith. It is prohibited to exploit or cause any damage to the data subject under no circumstances.

10.4 If the abnormal event or the event of violation against the personal data is detected, and the damage may be arisen, immediate notice shall be given to the Company to suspend the incident in time.

Part 11 : Penalty for the Violator

In the case where any customers, business partners, visitors, or employees take the personal data protected by the Company to

1. use, disclose, and exploit other than the purpose allowed by the data subject;

2. cause damage to the data subject;

3. breach the Personal Data Protection Act B.E. 2562 (2019), and any other policies or practices related to this Policy,

the Company shall punish up to the highest degree, or take the legal proceedings according to the maximum requirement of law; and the violator shall fully reimburse the damage.

Part 12 : Publicity of the Personal Data Protection Policy

12.1 The Human Resource Department shall disseminate this Policy to the applicants, new employees, and full-time employees for acknowledgment.

12.2 The managers of all work units shall disseminate this Policy to the customers, business partners, and visitors involved with them for acknowledgment.

12.3 The Marketing & Customer Service Manager shall disseminate this Policy via the Company’s Website or Media for acknowledgment of the related parties and/or those interested.

Announced on 25 May 2022.