Subject : Personal Data Protection Policy
Eastern Polymer Group Public Company Limited, hereinafter referred to as the “Company”, respects the privacy right of Customers, Shareholders, Vendors, Suppliers, Subcontractors, Employees of the Company and other concerned persons. The Company recognizes the importance of personal data and the protection of personal data that must be adequately provided to prevent infringement of your privacy rights that are under the responsibility of Eastern Polymer Group. Therefore, the Company has announced personal data protection policy as a framework for the collection process, use or disclosure of personal data as follow:
Scope of application
This policy is for the Company, Employees of the Company and other concerned persons in processing personal data according to order or on behalf of the Company, and allowing the subsidiary to use this policy as a framework for formulating policies and guidelines.
- “The Company” means Eastern Polymer Group Public Company Limited and also means the Directors and Employees of the Company.
- “Personal Data” means information about a person who can be identified either directly or indirectly, but does not include information of the deceased person.
- “Person” means a natural person.
- “Personal Data Controller” means a person or juristic person who has the power and duty to make decisions about the collection, use or disclosure of personal data.
- “Personal Data Processor” means a person or a juristic person who carries out the collection, use or disclosure of Personal Data in accordance with the order or on behalf of the Personal Data Controller.
- “Personal Data Protection Officer” means a person or group of persons appointed to have a duty to provide recommendations, verify operations and coordinate with the Office of the Personal Data Protection Commission in case of a problem with the collection, use or disclosure of personal information.
The Purpose for collecting, using or disclosing personal data
The Company will collect, use or disclose personal data as necessary for the Company’s business operations under the objectives such as for internal operations, sales of goods and services, procurement and hiring, marketing communication, product and service development, data analysis, compliance with the law, human resources management, occupational health and safety and maintaining security, etc.
In case that the Company will collect, use, or disclose personal data that belongs to the owner of the data, if other than those specified, the company will inform the owner of the personal data with additional clarification to explain the purpose of using the data.
To collect, use or disclose personal data, the Company will notify the owner of the personal data about the following:
- The purpose for collecting, using or disclosing personal data.
- The type of person or department from which the collected personal data may be used or disclosed.
- The rights of the owner of personal data and collection period.
- Reasons for collecting, using or disclosing personal data. In the case of collecting, using or disclosing data unnecessarily, this requires the consent of the owner of personal data.
- Contact information of the Personal Data Controller or the Company’s personal data Protection Officer.
Source of Personal Data
- Obtain personal data directly from the owner of personal data who provides the data upon contacting the company.
- Obtain personal data from other sources. And it is necessary to collect, use or disclose personal data, the Company will notify the owner of personal data by any means within 30 working days from the date of collection.
The company will collect, use or disclose personal data for such purposes as necessary on the basis of the consent of the owner of personal data. The company will proceed to seek consent as required by law. Unless the storage, collection, use or disclosure of personal data is subject to the exceptions of the following laws:
General Personal Data
- It is necessary to achieve research or statistical purposes for which appropriate safeguards are in place to protect the rights and freedom of the owner of personal data as required by law.
- It is necessary to prevent or suppress the danger to a person’s life, body or health.
- It is necessary to implement the contract as a contract party or to process the request of the owner of personal data prior to entering into the contract.
- It is necessary to perform the duties for public interests or to exercise state’s powers granted to the company.
- It is necessary for the legitimate benefit or the legitimate benefit of the Company.
- It is necessary to comply with the law of the Company.
Sensitive Personal Data
- It is necessary to prevent or suppress the danger to a person’s life, body or health, which the owner of personal data is unable to give consent for any reason.
- It is information that is made public with the explicit consent of the owner of personal data.
- It is necessary for the establishment of legal claims, compliance or exercise of legal claims or raising the defense of legal claims.
- It is necessary to comply with the law in order to achieve the objectives relating to the following:
- Preventive medicine or occupational medicine, employee competency assessment, health management.
- It is a necessity for public health benefits such as health protection from dangerous contagious diseases or epidemics that may be transmitted or spread. It has put in place appropriate and specific measures to protect the rights and freedom of the owner of personal data, especially the confidentiality of personal data.
- It is a necessity for labor protection, social security, national health insurance, welfare related to medical treatment of persons entitled to the protection by law. Protection of car accident victims or social protection in which the collection of personal data is necessary for the practice of the Company’s rights or obligations, or the rights of the owner of personal data by taking appropriate measures to protect the fundamental rights and interests of the owner of personal data.
- Scientific or statistical research studies as it shall be undertaken to achieve such objectives to the necessary extent, and should provide appropriate measures to protect the fundamental rights and interests of the owner of personal data as required by law.
Collection of personal data
The Company will collect personal data from the owner of personal data as necessary for the purposes and/or for the relevant benefits through various channels. The owner of personal data may provide personal data to the Company by contacting the Company such as contacting inquiries, requesting information, filling out forms, commenting, applying for a job, entering and exiting the areas of the Company Group, purchasing, selling, subscribing to the Company’s various services, etc.
The types of persons that the Company collects personal data includes: personal data of customers, shareholders, vendors, suppliers, individual subcontractors, or a person authorized to act on behalf of a juristic person, job applicants, internships, persons applying for scholarships who the company provides assistance or donations, and employees of the Company including those who come to contact or visit, etc.
Types of personal data from the owner of personal data collected by the Company to use or process that depends on the types of persons consisting of:
- Contact information such as address, telephone number, email address, contact information in social media and details of emergency contacts, etc.
- Personal information such as name-surname, date of birth, age, gender, photograph, marital status, military status, various interests and opinions, religion, health information, health check results, disability and biometrics information, number and copy of ID card or passport, signature, information about family members, information about education, ability and self-development and other features, information about work experiences, information about finances, account numbers and tax information.
- Photos and videos.
- Information and documents related to the recruitment process such as Resume Curriculum Vitae (CV), cover letter, job application, including supporting documents for job applications and employee interview assessment comments.
- Information required for reporting to a regulatory agency such as the Ministry of Labor, Stock Exchange of Thailand, the Securities and Exchange Commission (SEC), etc.
- Other information necessary for the practice of labor contract, supervising welfare benefits, analysis and administration including taking care of employees after retirement and compliance with various laws.
In case that the Company collects sensitive personal data, the Company will strictly follow the personal data protection policy in order to comply with the Personal Data Protection Act B.E. 2562.
Use or Disclosure of Personal Data
The company will use, process or may disclose personal data as necessary under the stated purposes and in accordance with the law to those involved as follow:
- Within the Company, subsidiaries or joint ventures, it may be necessary to transmit or transfer personal data to foreign subsidiaries or international organizations that have adequate personal data protection standards and in accordance with the rules for the protection of personal data as required by law.
- Government agency or regulatory agency by law.
- Organizations requesting for disclosure by the virtue of law.
- Service providers or service recipients or personal data processors assigned by the Company to be responsible for, provide services or manage personal data, or collect use or process personal data to improve or maintain safety standards of work systems and information systems, financial/accounting system, human resource management, etc.
Personal Data of Minors, the Incompetent and the Quasi-Incompetent
The Company will comply with the law on protection of personal data related to the collection, use or process personal data relating to minors, incompetent persons and quasi-incompetent persons. This includes obtaining consent from the parental authority for minors. A custodian or guardian who has the power to act on his/her behalf for an incompetent or quasi-incompetent person. However, the Company has no policy to employ minors.
Storage time of personal data
The Company will retain the personal data that belongs to the owner of personal data for the period necessary to achieve the stated purpose, and/or store as required by law taking into account the necessity of each type of data practice. And after the expiration of such period, the Company will destroy or delete personal data by appropriate means as determined by the Company.
The Rights of the owner of personal data
The Company Group will provide measures, channels and methods for the owner of personal data to exercise his/her rights as required by law.
The integrity and quality of personal data
For the integrity and quality of the personal data collected, the Company will keep accurate, up to date, complete data that is not leading to any misunderstanding.
In order to maintain security and to prevent loss, any access, use, alteration, correction or disclosure of personal data without authorized duty or by any wrongdoing, the Company has provided a system for collecting personal data with an access control mechanism and security measures. And the Company will arrange to regularly review the measures to be effective in maintaining appropriate security according to the following measuresซ
- Determine the right to access, use, change, correct or disclose personal data in accordance with the Company’s information policy.
- Providing personal data to other persons or juristic persons that are not within the Company or subsidiaries, the data will be disclosed only to those who have preventive measures and appropriate collecting and use of personal data.
- Provide an audit system for deletion or destruction of personal data after the retention period has expired, unless it is preserved for purposes as required by law, or the owner of the personal data requests to suspend the use.
- Establish a Personal Data Protection Working Committee in order to administer personal data protection according to the Personal Data Protection Act to be decent and effective in accordance with the law. And to establish security measures to prevent loss, access, use, change, correction or disclosure of personal data, and regularly review the measures including controlling and supervising the collection, use or disclosure of personal data within the section as a personal data controller and personal data processor according to the measures of personal data protection and the level the risk that might be violated.
- Appoint a Personal Data Protection Officer to provide feedback to the personal data controller or personal data processor within the Company according to the data protection laws. Verify the compliance of the Company’s personal data controller or personal data processor regarding the collection, use or disclosure of personal data in order to comply with the law, measures and objectives as specified, including coordinating with the Office of the Personal Data Protection Commission.
- Appoint an internal auditor to verify the compliance of the personal data controller or personal data processor within the Company regarding the collection, use or disclosure of personal data in order to comply with the law, measures and objectives as specified.
The Company requires employees and persons related to personal data to strictly pay attention and be responsible for collecting, using or disclosing personal data according to the law, measures and policies to protect personal data.
If the person in charge for the operation neglects or ignores not to take any action, which is a violation or non-compliance with the relevant policies and provisions of law, causing damage to the owner of the personal data and causing an offense under the law, such person will be subject to disciplinary action by the Company and may be subject to legal penalties in accordance with the Personal Data Protection Act.
Policy review and policy change
The Company will review the policy on a regular basis or in the event that the law is changed, which may amend the policy as appropriate to comply with changes related to the collection, use or disclosure of personal data. The Company will notify the amendment via the company’s website.
Contact methods for personal data protection policy
- Email: dpooffice@EPG.co.th
- 770 Moo 6, Theparak Road, Thepharak Subdistrict, Mueang District, Samut Prakan Province 10270
This will come into effect from 1 March 2021 onwards.
Announced on 1 March 2021.