This policy has been devised to serve as guidelines for the Company’s staff members, suppliers, customers, visitors or relevant external parties to acknowledge and understand the personal data protection policy that the Company has compiled, enforced and stored the aforementioned personal data.
Phol Dhanya PCL (the Company) is aware of the importance of personal data, in response to the Personal Data Protection Act B.E.2019 in ensuring that the personal data that has been stored, collected and processed is well protected. This announcement is intended to inform owners of personal data of the objectives and details of data storage, utilization and/or disclosure, as well as legal rights related to personal data, to acknowledge and understand the Company’s objectives.
“The Company” means Phol Dhanya PCL, including subsidiaries under the Company’s authority.
“The Company’s staff members” mean directors and employees of Phol Dhanya PCL and subsidiaries and/or entities under the Company’s authority.
“Customers” mean general individuals, organizations, companies, stores/juristic persons, state enterprises, government institutes who purchase the Company’s products and/or services.
“Suppliers” mean companies, shops/juristic persons or individuals who sell products or provide services to the Company.
“Visitors” mean external parties who come to the Company for any work-related matters, visit, or perform any inspections, other than selling or purchasing products or services.
“Personal data” means the data related to an individual person that provides a person’s identity, either directly or indirectly, but not including the data of the deceased. Examples of personal data are as follows:
(1) Name-surname or nickname
(2) Personal identification number, passport number, social security card number, driving license number,
personal income tax identification number, account number, credit card number.
(3) E-mail address, phone number
(4) Network device data such as IP address, MAC address and Cookie ID, etc.
(5) Biometric data, for instance, facial image, fingerprint, x-ray film, iris scan data, vocal recognition data,
as well as genetic data, etc.
(6) Personal asset data such as license plate or land title deed, etc.
(7) The data that can be linked to the aforementioned data; birthday or place of birth, race, nationality,
weight, height, location, medical data, educational background, financial data or employment record, etc.
(8) Work performance evaluation data or an employer’s opinions on an employee’s performance.
(9) The data record to trace different activities of a person such as a log file, etc.
(10) The data that is used to search for other people’s data on the Internet.
“Data” means something that conveys the facts, information or any matters, either the interpretation can be conveyed by the state of such matters or via any means; in the forms of documents, folders, reports, books, charts, maps, photographs, drawings, voice recordings or computer records via electronic means or any other means that make such recorded matters physically show.
“Sensitive data” means personal data that relates to race, ethnicity, political views, beliefs, religions, philosophy, sexual orientation, criminal record, health record, disability, biometric data, facial appearance data, iris or fingerprints, labor union data or any other data announced to be sensitive by the Personal Data Protection Committee.
“Data controller” means Phol Dhanya PCL.
“Data processor” means the person who processes the data for the benefits of or on behalf of the data controller.
“Individuals” mean normal persons who own personal data according to this policy.
“Data Protection Officer (DPO)” means the person authorized to advise or inspect the operations, collaborate and cooperate with the Personal Data Protection Committee and other relevant bodies.
1. Collection, Utilization or Disclosure of Personal Data
Personal data collection involves the access and usage of the services provided in the system and the website, for instance, accounting programs, member and non-member registration on the website, which has been arranged for the purpose of the Company’s operations in placing orders of products and services, making inquiries, submitting feedback or suggestions, including other matters as necessary, based on what is required of the data owner to provide one’s data that allows for identification, in order for the Company to proceed with providing eligibility or benefits to access the services as agreed, as well as the development of products and services quality, the development of marketing activities related to products or services, promotions, public relations of useful information, market research, analyses and surveys, and the preparation of statistical data to develop new products and services.
The Company collects, utilizes, stores and discloses personal data of data owners, by placing great emphasis on the accuracy, comprehensiveness and up-to-dateness of the data via lawful and honest means. The Company only stores the data as necessary for providing services via electronic means, and other areas of execution based on the authority and the scope of business operations, whereby the Company will notify data owners and seek their approval prior to collecting, storing, utilizing or disclosing such data, unless otherwise regulated by laws and/or other cases as specified in this policy.
The Company may collect personal data of data owners via a number of channels as follows:
1.1 Collect Directly from Personal Data Owner, for instance
(1) Collect personal data from paper form filling and/or online form filling.
(2) The data that data owners register with the Company in making inquiries, creating user accounts,
placing orders on the website, giving feedback on products or services via the website, subscribing for
a newsletter or participating in the Company’s activities, including via social media, etc. Examples of
the registered personal data might be the name-surname, gender, age, date of birth, address, e-mail, etc.
The Company might use this information for contact purposes regarding the products and services.
1.2. Data from Social Media
In case the data owner contacts the Company via social media, the data collected by the Company may include the profile information used and allowed access by the data owner such as a profile picture, e-mail address or list of friends. It is held that the data owner grants the Company permission to access, collect and utilize the data from social media, based on the regulations stated in this Personal Data Protection Policy.
1.3. Data from the Data Owners’ Usage
When visiting the Company’s website, the Company may collect data from the usage, for instance, serial number, IP address, location, browser information, language selection, date, time, duration of use, product purchase information, preferences and other information related to lifestyles, such as hobbies, favorite sports, etc. This is in order to analyze and understand users’ usage and present the Company’s website and news that match with users’ needs (except if the data owner chooses not to receive news and updates from the Company). This set of data is collected from all users, whether or not they have user accounts or have filled out any information on the website. The Company may receive the personal data from other sources, if the data owner provides consent to disclose such data. This also applies to the case where the data is derived from other commercial sources such as public database and data provision agency, as well as the data from any other individuals.
2. Objectives and Basis of Data Processing
Data processing involves the Company processing your personal data, which features collecting, recording, structuring, storing, changing or adjusting, receiving, considering, utilizing, disclosing by way of sharing, disseminating or executing it in any other ways to allow for availability. Data processing also involves placement, making combinations, removal, or destruction of the data. All of which will be processed based on the contracts as follows:
2.1. Data Processing
The Company will be utilized for the following purposes:
contract is borne when the data owner does or does not register as a member, including receiving other services, which is highly necessary for the data owner to provide the data to the Company for data processing purposes in service provision as agreed in the service provision agreement, as well as for communication purposes, following-up and informing privileges on products or services, and giving responses. If the data owner does not provide this personal data, the Company will not be able to arrange for the rights and privileges as agreed in the condition, communicate and check up on the ability to enter into contracts, as well as verify the data owner’s identity, based on Section 24(3) of the Personal Data Protection Act B.E.2019.
Consent is required when it becomes necessary for the Company to use the data owner’s personal data for processing purposes as part of product or service designs or development to propose new products or services, in order to organize marketing activities that may require collecting, utilizing or disclosing the data owner’s personal data, for purposes of direct marketing. If the data owner does not wish to do so, one can withdraw consent via the Company’s contact channel.
Legitimate Interest comes into play when the Company needs to process the data owner’s personal data for managerial purposes, for critical internal report preparation, for system maintenance to ensure the standard and service development, for organizational risk management, internal control and audit, which are legally critical for the data controller and manipulation of the data processor, in accordance with Section 24(5) of the Personal Data Protection Act B.E.2019.
Legal Obligation applies when the Company needs to process the data owner’s personal data for legal compliance purposes, for instance, Accounting Act B.E.2000, Public Limited Company Act B.E.1992 and other laws enforced upon the Company that require submission of personal data, such as the Civil and Commercial Code, that requires the litigant to submit the documents or data as part of the lawsuit consideration, in accordance with Section 24(6) of the Personal Data Protection Act B.E.2019.
2.2 Personal Data of Customers, Suppliers or Visitors
2.2.1 Customers’ personal data collected by the Company will be utilized for the following purposes:
(1) Proposing products and services, organization of prize competitions, and provision of news and
information that the data owner prefers to receive.
(2) Giving responses to inquiries and providing advices.
(3) Analyzing the effectiveness of advertising, competition and promotions.
(4) Making improvement and decoration of the website as necessary, including conducting analyses
of website visits such as store visit times, whether or not the data owner has visited before, as
well as the visits to the Company’s branches.
(5) Making the website more user-friendly, and enhancing the website and products to suit the
interests and needs.
(6) Improving the quality of the Company’s products and services based on the data and market survey.
(7) Providing support on product maintenance.
(8) Issuing service certificates based on the warranty.
(9) Providing different types of member services.
(10) Providing data services and preparing statistical data.
(11) Making verification for development purposes of the products and business strategies.
(12) Executing agreements or contracts.
2.2.2 The personal data related to the Company’s staff members, including suppliers and third parties, will be utilized for the following purposes:
(1) Communication and/or business negotiations.
(2) Data management and processing, for instance, data related to income, money received or paid.
(3) The work executed related to the contracts or assignments.
2.2.3 The personal data of shareholders will be utilized for the following purposes:
(1) (1) Treatment towards shareholders in accordance with relevant laws and regulations
2.2.4 The personal data related to employment and resignation of staff members and job applicants:
(1) To develop the database and keep the record (including internships).
(2) To proof one’s identity, verify educational background and employment history.
(3) To design welfare and benefits.
(4) To use in tax exemption benefits.
(5) To make contacts, evaluate and manage relationships.
(6) To manage relevant risks.
(7) To comply with the laws, regulations as well as the directions and guidance of the regulatory bodies
governing the Company’s business operations.
(8) To ensure compliance with the Company’s regulations.
(9) To follow up on, monitor and evaluate the Company’s service provision and manage relationships.
3. Personal Data to be Processed and Data Collection Period
The Company will process personal data based upon the Company’s policy, which includes names, surnames, addresses, contact locations, mobile phone numbers, e-mails and other service data of the data owner.
The Company will collect personal data with certain objectives as stated in the policy, whereby the data will be collected until such objective has been met. The Company will cease to collect the data once the objective has been met and acted upon, unless the Company is required to do otherwise as required by laws.
4. Individuals or Institutions to Whom Personal Data might be Disclosed
The Company may disclose your personal data to the Company’s auditors, external auditors and government bodies as required by laws.
5. Data Owners’ Rights
Based on one’s legal rights, the data owner may request to exercise such rights under the legal regulations and the stated policy, or one that might be amended in the future, as well as the Company’s criteria. In case the data owner has not reached 20 years of age, or has been limited of one’s ability to execute juristic acts, one may request to exercise one’s rights by asking one’s parents, guardians or authorized persons to declare one’s intention, whereby the rights can be detailed as follows:
5.1 The right to withdraw consent; the data owner can withdraw consent to process one’s data throughout the entire period that the data resides with the Company.
5.2 The right to access personal data, by asking the Company to make a copy of personal data for the data owner and the data owner can ask the Company to disclose how the data has been obtained, when the consent of the data owner was not given.
5.3 The right to correct personal data, by asking the Company to correct the wrong data or add details to the incomplete data.
5.4 The right to erase personal data, by asking the Company to erase the data for certain reasons.
5.5 The right to terminate the use of personal data; the data owner is entitled to terminate the use of one’s personal data for certain reasons.
5.6 The right to transfer personal data; the data owner is entitled to transfer one’s personal data given to the Company to the other data controller or the data owner oneself, for certain reasons.
5.7 The right to oppose personal data processing; the data owner is entitled to oppose the processing of one’s personal data for certain reasons.
5.8 The right to file complaints to the authorized body by law; if the data owner believes that the collection, utilization and/or disclosure of personal data is carried out in a manner that violates or does not comply with relevant law.
Exercising the data owner’s right as mentioned might be limited by relevant laws, and the Company may deny or not be able to proceed with the request to exercise certain rights in some cases, for instance, the Company needs to comply with the law or the court’s order for the public benefits. Failing to do so may violate other people’s liberty. If the Company denies the aforementioned requests, the reasons for denial will be explained.
Any requests to exercise the aforementioned rights must be filed in writing by the data owner, and the Company will proceed under the appropriate timeframe to the best of its ability, not to exceed the duration required by law. The Company will hereby comply with legal regulations related to the rights of that particular data owner.
There might be limitations in service provision in cases that the data owner asks the Company to erase, remove, terminate, transfer, oppose or make the data unidentifiable, or withdraw consent, these may cause limitations for the Company in carrying out transactions or providing services to the data owner in some cases. However, this shall be executed under the regulations and conditions regarding consent in using services and/or as required by law.
6. Ensuring Security and Safety
6.1 The technological means shall be available to prevent unauthorized access to the computer system.
6.2 Destroy personal data to ensure safety when such data is no longer necessary for the legal and business objectives. If the data owner has the reason to believe that one’s personal data is violated by the Company’s contact channel via the e-mail stated in this policy.
The data owner’s password is important for a user’s service account. Please use different numbers, alphabets or symbols, and do not share the password with others. If the password is shared, the data owner is responsible for any actions carried out on one’s behalf or via the data owner’s user account, and their entailing consequences. If the password cannot be controlled, it might not be possible to control personal data or other data submitted to the Company. The data owner may need to accept any juristic acts carried out on the data owner’s behalf. Hence, if the password gets revealed or ceases to be confidential for any reasons, or there are reasons to believe that the password has been revealed, the data owner is advised to contact the Company to change the password, log off from the account, and close the browser every time when using the public computer.
6.3 Personal data is stored in a document format, in a key-locked cabinet. It is to be accessed by the authorized person only.
6.4 Personal data stored in computer devices or the information system must be accessed via password, given to the authorized person only.
6.5 In utilizing personal data, it is possible to make additions, but erasing, changing or removing must be authorized by the data controller.
7. Data Owner’s Participation
The Company only discloses the personal data when requested by the data owner, one’s successor, heir, rightful representative, or legal guardian, whereby the requests in different matters based on the data owner’s rights may be filed. However, the Company will proceed within the appropriate timeframe and not to exceed the time period stated by laws.
In case that the data owner, one’s successor, heir, rightful representative, or legal guardian opposes the data collection, accuracy or any doings with the data, such as the correction or removal of personal data, the Company will record such opposition as evidence as well.
8. Sending or Transferring Personal Data to Other Parties
The Company does not disclose personal data to external parties. However, it may be shared in the scope agreed upon by the data owner to trustable external parties, and such external parties may reside in Thailand or overseas as follows:
8.1 Advertising agency, marketing and promotion agencies; to analyze the effectiveness of the advertisement, marketing and promotional activities, including that of the subsidiaries, branch offices, domestic and international business partners.
8.2 External parties responsible for distributing products and providing services, for instance, distributing parcels from online purchase orders.
8.3 External parties receiving consent from the data owner to disclose their personal data.
8.4 Law enforcers or government bodies who have the authority to request for data disclosure.
8.5 Website analyzers such as Google etc.
9. Sending or Transferring Personal Data Overseas
The data controller may send or transfer the data owner’s personal data overseas in the following cases:
9.1 The destination country or the international organization has a sufficient personal data protection standard, as required by laws, rules and regulations on personal data protection.
9.2 Consent must be given by the data owner, who must be notified and acknowledged of the personal data protection standard of the destination country or the international organization receiving such data.
9.3 It must comply with the laws.
9.4 It is a necessary matter to comply with the agreement where the data owner is the contract partner, or to meet the request of the data utilizer prior to entering into such agreement.
9.5 It serves to comply with the agreement between the data controller and other individuals for the benefits of the user of such personal data.
9.6 To prevent or hold back dangers to the data owner’s or any individual’s life, physical body or health when the data owner is unable to provide consent in that particular point in time.
9.7 It is necessary to carry out the matter for significant public benefits.
10. Amendments of the Policy
The Company reserves the rights to amend the Personal Data Protection Policy as deemed necessary and appropriate or at least once a year to align with the practices, regulations and other relevant laws. Any amendments will be announced and publicized on the Company’s website or via any other appropriate means.
11. Period of Personal Data Storage
The personal data is stored for a period that the person serves as the Company’s staff member, supplier, customer, visitor, external party, member or contract partner. It will be stored for no more than 10 years for those who provide personal data to the Company for one’s own benefits.
12. Contact Channels
If the data owner has any suggestions or wishes to inquire about the details on storage, utilization and/or disclosure of personal data, as well as requests to exercise one’s rights based on this policy, one can contact the Company via the following channels:
Personal Data Controller and/or Personal Data Protection Officer
Phol Dhanya Public Company Limited.
1/11 Lamlukkha Road, Lad Sawai, Lamlukkha, Pathumthani 12150
Telephone: 02-791-0111 E-mail: dpo@pdgth.com
Office Hours: 08:00- 17:30 (Except Saturday-Sunday, and Public Holidays)
This Personal Data Protection Policy has been devised to align with the Personal Data Protection Act B.E.2019, which has been approved by the Company’s Board of Directors on February 18, 2021.
