Personal Data Protection Act
Purpose
- To ensure that the execution of the Company's various business operations complies with the requirements of relevant laws and regulations, such as the Personal Data Protection Act.
- To clarify the personal data protection objectives that all personnel must follow, and to collect, process, and use personal data within a reasonable scope. This establishes the basis for the Company's business operations and internal management regarding the use of customer and employee personal data, thereby reducing potential legal risks for the Company and its employees, protecting customer rights, and safeguarding the Company's reputation.
Scope of Application and Coverage
- Applicable Personnel
This policy applies to all personnel of the Company, including dispatched personnel from temporary staffing agencies, and to vendors or consultants with whom the Company conducts business (including their employees or temporary staff).
- Scope of Protection
This policy protects personal data covered by the Personal Data Protection Act (PDPA). Relevant regulations are established for the collection, processing, use, and international transmission of personal data to ensure its security.
Definitions of Terms
- Personal Data Management System (PDMS)
A business-risk-oriented system used to establish, implement, operate, monitor, review, maintain, and improve the management of personal data.
- Personal Data Management Metrics
Defined measures used to gauge how effectively the selected controls achieve the Company's personal data management objectives.
- Personal Data
Data relating to a natural person's name, date of birth, national identification card number, passport number, characteristics, fingerprints, marital status, family status, education, occupation, medical records, medical treatment, genetic information, sexual life, health examinations, criminal records, contact information, financial situation, social activities, and any other information that can directly or indirectly identify that person. Should the competent authority or the applicable regulations revise the definition or scope of personal data, the revised definition and scope shall prevail.
- Special Categories of Personal Data
Personal data concerning medical treatment, genetic information, sexual life, health examinations, and criminal records (hereinafter "Special PD"). Should the competent authority or the applicable regulations revise the definition or scope of Special PD, the revised definition and scope shall prevail.
- Management
The Board of Directors, the General Manager, and senior executives.
- Data Protection Officer (DPO) / Head of Data Management
The person responsible for forming the Personal Data Protection Management Execution Organization and for overseeing the formulation and implementation of management procedures.
- Personal Data Protection Management Execution Organization
An organization reporting to the Head of Data Management/DPO, responsible for the overall coordination and execution of the Company's compliance matters under the Personal Data Protection Act (PDPA).
Management Scope
Management shall appoint a Data Protection Officer (DPO) responsible for the formulation and promotion of these procedures, and establish a personal data management organization to plan, implement, operate, monitor, audit, maintain, and improve the Personal Data Management System (PDMS). Management reviews of the PDMS shall be conducted periodically or when significant changes occur to ensure its appropriateness and effectiveness. The management scope should include the following items, based on the scale and characteristics of the business:
- Establishment of Personal Data Protection Management Procedures
Establish personal data management procedures, using personal data management metrics consistent with domestic information security standards.
- Regulation of Principles for Personal Data Collection, Processing, and Use
Process personal data only within the scope strictly necessary for a lawful, specified purpose. The key points are as follows:
(1) Confirm that the specified purpose for collecting personal data complies with laws and regulations, and retain appropriate audit trails.
(2) When processing personal data, follow the Company's information security procedures, define internal data access permissions and the corresponding data risk levels, and define control mechanisms based on those risk levels.
(3) Fulfill the obligation to inform: confirm whether an exception to notification applies, and adopt a notification method appropriate to the circumstances of collection.
(4) Confirm that each use of data aligns with the specified purpose, determine whether any use beyond the specified purpose is permissible, and retain appropriate audit trails.
(5) Comply with the restrictions on collecting, processing, or using special categories of personal data (Special PD).
- Establishment of Security Maintenance Measures for Personal Data Files
Protect personal data with appropriate technology and apply suitable security management measures to personal data files, so that the data collected, processed, or used is protected.
- Establishment of Emergency Response Procedures for Personal Data Incidents
(1) Define the acceptable level of risk for personal data protection and the corresponding response measures. When a data incident damages the rights and interests of stakeholders, respond to and handle it appropriately.
(2) Set up channels for complaints and consultations so that data subjects can exercise their rights over their personal data.
- Continuous Operation and Maintenance of Personal Data Protection Management Procedures
(1) Evaluate and audit the relevant personal data management procedures, the PDMS, and the personal data management metrics to confirm that the procedures and related measures are effective and implemented consistently.
(2) Where implementation gaps exist or regulations change, assist in improving the relevant procedures and management measures to continuously enhance the effectiveness of the personal data management system.
Roles and Responsibilities
- All personnel of the Company shall understand and strictly comply with these procedures, and shall fully participate in the implementation of this policy's initiatives.
- The Company's Management is responsible for appointing the Data Protection Officer (DPO). The DPO holds supervisory authority over the operation of the Company's personal data management system, and manages and directs the Personal Data Protection Management Execution Organization to ensure that the Personal Data Protection Act (PDPA) is implemented and complied with.
Liabilities and Penalties for Violation
- All personnel of the Company shall comply with these procedures. Violators will be subject to disciplinary action in accordance with relevant Company regulations.
- If the violation involves relevant civil liability for compensation, criminal liability, or administrative penalties, the Company may terminate the employment relationship and pursue legal responsibility commensurate with the circumstances of the case.
- An employee's obligation to protect the personal data held by the Company remains in effect even after the employment relationship between the parties ends.
Implementation Status
- The Company has established a comprehensive personal data protection management system in accordance with the Personal Data Protection Act (PDPA) and relevant regulations.
- To raise personal data protection awareness among all employees and provide the necessary personal data protection education and training, the Company publishes the contents of the data protection policy at least once a year to reinforce employees' understanding of the importance of personal data protection.
- Employees' obligations regarding personal data protection remain in effect even after the employment relationship between the parties ends.