Data Protection Policy
Chaithanin Company Limited and its affiliates collect, use, and disclose personal data of customers, partners, employees, applicants, personnel, and any other individuals associated with Chaithanin Company Limited. The company respects and recognizes the importance of the Personal Data Protection Act B.E. 2562 (2019) and has therefore established this Data Protection Policy to provide guidelines, regulations, management, and appropriate measures for personal data processing. This policy is binding on all employees of Chaithanin Company Limited to ensure that any personal data received is used in accordance with the regulations and the Personal Data Protection Act. Details are as follows:
Section 1. Definitions
“Company” means Chaithanin Company Limited and its affiliates, including Marina Golden Bay Victoria Co., Ltd., Marina Golden Bay Elia Co., Ltd., Marina Golden Bay Geneva Co., Ltd., The Sunlight Residence 9 Co., Ltd., Global Top Group Co., Ltd., and other companies under the control of Chaithanin Company Limited.
“Personal Data” means any information relating to an identified or identifiable natural person, directly or indirectly, but excluding data of deceased persons.
“Sensitive Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health information, disability, trade union information, genetic data, biometric data, or any other information that may significantly affect the data subject, as declared by the Personal Data Protection Committee.
“Data Controller” means a person or legal entity that has the authority to make decisions regarding the collection, use, or disclosure of personal data.
“Data Processor” means a person or legal entity that processes personal data under the instructions or on behalf of the data controller.
“Data Subject” means a natural person to whom the personal data refers.
“Data Processing” means any operation relating to the collection, use, and disclosure of personal data.
“Board” means the Board of Directors of Chaithanin Company Limited.
“Management” means the management of Chaithanin Company Limited.
“Employees” means employees at levels below management of Chaithanin Company Limited.
“Privacy Notice” means a notice on the website informing website users of the purposes, methods of collection, processing, and storage of personal data by the website.
“Cookies” means unique files created by websites and stored on a user’s computer or communication device, which store personal data, usage, and various settings of the user to improve their website experience.
Section 2. Purposes of Collection and Use of Personal Data
2.1 The company, as a data controller under the Personal Data Protection Act, will collect and/or use personal data for lawful and fair purposes, informing data subjects of such purposes for business operations and compliance with any applicable laws.
2.2 The company, as a data controller under the Personal Data Protection Act, will collect and/or use personal data only to the extent necessary for operations under the defined purposes of personal data processing. If the company engages in any activities beyond the specified purposes, it will inform data subjects and obtain consent if required.
2.3 When collecting or using personal data, the company will obtain consent from the data subject beforehand, except in cases of exemptions under the Personal Data Protection Act where such consent is not required.
2.4 The company will not collect sensitive personal data, such as race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health information, disability, trade union information, genetic data, or biometric data, unless explicit consent is obtained from the data subject or where exemptions under the Personal Data Protection Act apply. The company will collect and use such personal data with caution and under appropriate security standards.
Section 3. Disclosure of Personal Data
3.1 The company may disclose personal data to individuals, government agencies, regulatory bodies, organizations, and external legal entities that have contracts with the company or under the legal framework permitted by law.
3.2 The company may disclose personal data to its affiliates for the benefit of the company’s operations and for the benefit of the data subject, under appropriate security measures.
Section 4. Personal Data Processing by Third Parties
The company may need to send or transfer personal data to third-party individuals or entities for processing. The company will manage the sending or transfer of personal data in accordance with the law and will implement necessary and appropriate measures to protect personal data in line with confidentiality standards. This includes data masking before sending personal data, sending only necessary data, and having confidentiality agreements or Data Processing Agreements with such data recipients.
Section 5. Sending or Transferring Personal Data Abroad
The company may need to send or transfer personal data to companies within its network located abroad or to other data recipients as part of its normal business operations. This includes sending or transferring personal data for storage on servers or clouds in various countries. The company will consider and ensure that the destination country has adequate personal data protection standards.
In cases where the destination country does not have adequate standards, the company will manage the sending or transfer of personal data in accordance with the law and will implement necessary and appropriate data protection measures consistent with confidentiality standards, except for exemptions under the Personal Data Protection Act. If the destination country has inadequate standards, the transfer of personal data abroad can still be carried out if it falls under exemptions such as legal compliance, consent from the data subject, necessity for contract performance, protection against danger to life, or if it is essential for the public interest.
Section 6. Personal Data Retention Period
The company will retain personal data for the period necessary for business operations according to the objectives or for the entire duration required to achieve those objectives. It may be necessary to retain data beyond that period if required or permitted by law, such as for compliance with anti-money laundering laws or for the purpose of verification and investigation in case of potential disputes within the statutory limitation period, which is not more than 10 years.
The company will delete or destroy personal data or anonymize it when it is no longer necessary or at the end of the specified period.
Section 7. Security Measures
7.1 The company will implement appropriate security measures to protect personal data, including technical measures (e.g., password protection, encryption (Secure Sockets Layer/SSL), network device security systems) and organizational measures (e.g., establishing information security policies, confidentiality safeguards, access controls, risk assessment and management, guidelines, and regulations). These measures will be strictly enforced and reviewed regularly or as technology evolves to ensure effective security and prevent unauthorized access, use, alteration, modification, disclosure, or destruction of personal data.
7.2 All employees and personnel of the company are responsible for complying with the Personal Data Protection Act, prioritizing the security of personal data, and refraining from using information obtained through work for other purposes or causing damage to the company.
7.3 To prevent unauthorized or unlawful use or disclosure of personal data, the company will implement the following measures:
7.3.1 Assessment Before Data Transfer
(a) Verify the authority and legal basis used by the individual or legal entity requesting personal data.
(b) Inquire about the purpose of data use to assess the level of detail required for the data copy (to determine the necessary level of data granularity).
7.3.2 Data Delivery
(a) Prepare new data from raw data with a level of detail necessary for the intended purpose.
(b) Request data delivery and record the requester’s name, contact information, date of provision, legal basis for accessing the personal data, and intended purpose of use.
(c) Inform the individual or legal entity that upon receiving the data, they must also comply with the obligations of a data controller for the requested data set, in accordance with the stated scope and purpose of use.
7.3.3 After Data Delivery
(a) Monitor usage periodically to record the latest status of data use. If there is no longer a need for the data according to the original purpose, notify the individual or legal entity to erase or destroy the data.
(b) Establish methods to keep the data up-to-date for users, such as using computer programs to automatically synchronize and update the source and destination data.
Section 8. Personal Data Breach
In the event of a personal data breach, the company will notify the Personal Data Protection Committee within 72 hours of becoming aware of the breach. If the breach poses a high risk to the rights and freedoms of the data subject, the company will promptly inform the data subject of the breach and the remedial measures taken.
Section 9. Rights of the Data Subject
The rights of the data subject are legal rights. The data subject may exercise various rights under the provisions of the law. The company will comply with data subject requests without delay. If the company needs to reject a request, the company will inform the data subject of the reason for the rejection.
9.1 Right to Withdraw Consent: If the data subject has given consent to the company for the collection, use, and/or disclosure of personal data (whether consent was given before or after the effective date of the Personal Data Protection Act), the data subject has the right to withdraw consent at any time while the personal data is held by the company, unless such right is restricted by law or a beneficial contract. The company will inform the data subject of the potential consequences of withdrawing consent.
9.2 Right to Access Personal Data: The data subject has the right to access or request a copy of their personal data under the responsibility of the company, including requesting the company to disclose how such personal data was obtained without the data subject’s consent. The company reserves the right to refuse the request if it is in accordance with the law or a court order, or if granting access or providing a copy would affect the rights and freedoms of others.
9.3 Data Portability Right: The data subject has the right to receive personal data if the company has processed such data in a format readable or usable by automatic tools or devices, and if the personal data can be used or disclosed automatically. The data subject also has the right to request the company to send or transfer personal data in such a format to another data controller when technically feasible and has the right to directly receive personal data that the company sends or transfers to another data controller, unless technically impossible.
The aforementioned personal data must be data for which the data subject has consented to the company’s collection, use, and/or disclosure, or data that the company needs to collect, use, and/or disclose for contract performance, or other personal data as specified by law.
9.4 Right to Object to the Collection, Use, and Disclosure of Personal Data: The data subject has the right to object to the collection, use, and/or disclosure of personal data at any time if such data was collected under an exemption from consent requirements, or for direct marketing purposes, or for scientific or statistical research purposes. The company may refuse the request if it is necessary for carrying out tasks in the public interest, or if the company demonstrates compelling legitimate grounds, or for the establishment, exercise, or defense of legal claims.
9.5 Right to Erasure or Destruction of Data: The data subject has the right to request erasure or destruction of personal data, or anonymization of the data, if the data subject believes that the personal data was collected, used, and/or disclosed unlawfully, or if the company no longer needs to retain it for the purposes specified in this policy, or if the data subject has exercised their right to withdraw consent or object as stated above.
9.6 Right to Restrict Processing: The data subject has the right to request a temporary restriction on the processing of personal data while the company is investigating a request for rectification or objection, or in other cases where the company does not need to retain the data and must erase or destroy it in accordance with the law.
9.7 Right to Rectification: The data subject has the right to request rectification of personal data to ensure its accuracy, completeness, and non-misleading nature.
Section 10. Penalty Provisions
Any responsible person who neglects, omits, fails to order, or fails to perform, or orders or performs any act within their responsibilities that violates this policy and practices concerning personal data, leading to legal offenses and/or damages, or reputational harm, shall be subject to disciplinary action in accordance with the company’s regulations. The company will not tolerate any wrongdoing committed by the responsible person(s), and they will be subject to severe disciplinary action, including potential termination without severance pay. Additionally, they will be liable for compensation for actual damages caused to the company within 30 days of written notification from the company. The responsible person(s) will also face legal penalties according to the committed offenses. If such offenses cause damage to the company and/or any other individual, the company may consider further legal action.
Section 11. Policy Review
Chaithanin Company Limited will review this policy at least twice a year or in the event of legal amendments.
This policy is effective from 15 January 2023 onwards.
Announced on 1 December 2022