SK Development Service Co., Ltd. ("the Company") hereby declares its intention to comply with the Personal Data Protection Act B.E. 2562 (2019), including royal decrees, ministerial regulations, criteria, rules, regulations, announcements, and related regulations (collectively referred to as the "PDPA") by announcing this Personal Data Protection Policy ("Policy") to establish a framework for the collection, use, and disclosure of personal data by the Company, security and protection of personal data, including the appointment of a Data Protection Officer (DPO) as required by the PDPA, and to inform data subjects of their rights under the law as follows:
1. Definition of Personal Data and Personal Data Collected by the Company
"Personal Data" means any information relating to a person which enables the identification of such person, whether directly or indirectly, but specifically does not include the data of deceased persons.
"Sensitive Personal Data" means personal data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union data, genetic data, biometric data, or any other data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee.
Examples of personal data collected by the Company include name, address, telephone number, educational and work history, photographs, and other personal data of job applicants specified in the job application, and of the Company's employees, including criminal records, health examination results, drug test results, leave records, employment contracts, personal status and annual personal data notifications, employee records, payroll calculations, compensation, performance appraisals, training records, disciplinary records, and other personal data of the Company's employees, as well as names, national ID numbers, photographs, and vehicle registration numbers of visitors to the Company's premises, etc.
2. Respect for Personal Rights and Personal Data Protection Standards
The Company, including executives and supervisors at all levels, will respect personal rights and protect the personal data of data subjects, whether they are employees, job applicants, business partners, customers, or those who contact the Company's business or services, in accordance with or higher than the standards specified by the PDPA.
3. Collection, Use, and Disclosure of Personal Data
The Company will collect, use, and disclose personal data only to the extent necessary for legitimate purposes and by lawful means. The Company may collect personal data directly from data subjects or from other sources, such as collecting criminal records of job applicants/employees from the Royal Thai Police, health data from hospitals, and other personal data from references and emergency contacts as notified by employees to the Company, etc. In cases where the PDPA requires the Company to obtain consent for the collection, use, or disclosure of personal data, the Company will request and obtain proper consent from the data subject before or at the time of collecting, using, or disclosing such personal data.
The Company may collect, use, or disclose personal data for the following purposes:
- For employment consideration and human resources management within the Company
- For business contact or transactions as business partners, service providers or recipients, employers or contractors
- For security of persons and property, for legal compliance (e.g., tax laws, labor laws, etc.)
- For investigation by inquiry officials or judicial proceedings
- To prevent or suppress a danger to a person's life, body, or health
- For the performance of a contract to which the data subject is a party or in order to take steps at the data subject's request prior to entering into a contract
- For legitimate interests of the Company or other persons
- For the performance of a task carried out in the public interest by the Company
- For achieving purposes relating to the preparation of historical documents or archives for public interest, or for research or statistical purposes, etc.
The Company will inform the data subject of the purpose of the collection, use, or disclosure of personal data, specify the retention period of personal data, and provide other information as required by the PDPA.
4. Security and Protection of Personal Data
The Company will implement security measures for personal data by providing equipment and tools, and establishing security systems to prevent the collection, use, maintenance, processing, or disclosure of personal data without authority or unlawfully. The Company will also take the following actions:
- Restrict access to each type of personal data by allowing only authorized personnel or those involved to access the relevant personal data (e.g., allowing only authorized persons to hold keys to rooms containing personal data or to have passwords to access data stored in the Company's computer systems, etc.)
- Establish a system for deleting or destroying personal data upon the expiry of the retention period or when it is no longer necessary or relevant, or upon the data subject's request or withdrawal of consent, as specified by the PDPA
- Take action to prevent persons who receive personal data from the Company from using or disclosing such personal data without authority or unlawfully, including entering into agreements to control the data processor's operations in accordance with the PDPA
- Notify the Office of the Personal Data Protection Commission of any personal data breaches without delay and within the time period prescribed by law. If such breach is likely to result in a high risk to the rights and freedoms of individuals, the Company will inform the data subject of the breach and the remedial measures to be taken without delay
- Establish internal policies and procedures for the security and protection of personal data to ensure compliance by all departments and personnel/employees at all levels, including the Company's directors and executives, and to support the duties of the Data Protection Officer (or other persons responsible for personal data protection under the law)
- Appoint a Data Protection Officer to perform duties as required by law in cases where the PDPA requires the Company to do so
- Regularly inspect equipment, tools, and systems for personal data protection, as well as review this Policy and related internal procedures on a regular basis
5. Collection, Use, or Disclosure of Sensitive Personal Data Requiring Specific Protection
In the event that the Company needs to collect, use, or disclose sensitive personal data (such as data on race, religion, health, disability, and physical characteristics, etc.), the Company must obtain explicit consent from the data subject (unless the sensitive data is collected for a purpose, or as required by a law, that does not require the data subject's consent), and the Company will handle sensitive personal data with special care. For example, if it is criminal record data, the Company will only take related actions within the framework of the rules and regulations of the competent authority under the law, etc.
6. Sending or Transferring Personal Data to Foreign Countries
In the event that the Company needs to send or transfer personal data to a data controller or data processor located in a foreign country and affiliated with the same group of companies or businesses as the Company for joint business operations, the Company will establish a personal data protection policy for such cross-border transfer of personal data as required by the PDPA.
7. Rights of Data Subjects
Data subjects have the right to access and obtain a copy of their personal data, request the Company to correct any inaccurate or incomplete data, object to or request the restriction of the collection, use, or disclosure of their personal data, request the deletion or destruction of their personal data or make it non-personally identifiable, as specified by the PDPA. In cases where the Company is required to obtain and has obtained consent from the data subject for the collection, use, or disclosure of personal data, the data subject has the right to withdraw such consent at any time (unless the PDPA specifies that consent cannot be withdrawn). If the withdrawal of consent would affect the data subject in any way, the Company will inform the data subject of the consequences of such withdrawal. The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of personal data based on the consent before it was withdrawn.
Data subjects who wish to exercise any of the above rights may do so by contacting the Company as specified in Section 10 of this Policy. In addition, data subjects have the right to lodge a complaint with the competent authority under the PDPA if the Company, its employees, or contractors violate or fail to comply with the PDPA.
8. Prohibition of Personal Data Violations
The personal data collected by the Company shall be treated as the Company's property. No person shall violate, attempt to access, collect, use, or disclose such personal data without the data subject's consent or the Company's authorization, or use such personal data for personal benefit, or modify, delete, or destroy such personal data, whether directly or indirectly, without lawful cause.
9. Penalties for Violations
Company personnel/employees, including directors and executives, who violate or fail to comply with this Policy, including internal procedures or measures related to the security and protection of personal data, whether intentionally or negligently, shall be subject to disciplinary action, legal proceedings, and/or penalties as prescribed by law and the Company's regulations.
10. Contact Information
In the event that you wish to exercise your rights as a personal data owner or have any questions or suggestions regarding the Company's personal data protection policy, please contact the Company using the following contact details: S.K. Development Service Co., Ltd.
- Address: 1/193 Moo 5 Khanham Subdistrict, Uthai District, Phra Nakhon Si Ayutthaya Province 13210
- Telephone: (66) 0-3522-6128
- Email: benjawan@skd-service.co.th
- To: Ms. Benjawan Saelao (Human Resources and Administration Department)
The Company hereby announces this policy to ensure that all personnel/employees of the Company, including all directors and executives of the Company, are strictly bound by this policy and any related regulations in order for this policy to achieve its objectives and be in compliance with the Personal Data Protection Act. No employee may claim ignorance.