Personal Data Protection Policy
Section 1 Rationale
The Personal Data Protection Act B.E. 2562 (2019) was established to ensure the effective protection of personal data and to provide effective remedies to the owner of personal data for personal data violations. The enactment of this Act is consistent with the conditions provided in Article 26 of the Constitution of the Kingdom of Thailand.
Samart Plastpack Co., Ltd. adheres to ethical business practices, respects and complies with applicable laws, and recognizes the importance of, and strives to protect, the privacy of personal data; it has therefore announced this data privacy policy. The company acknowledges the need for transaction security and retention of personal information and hence gives priority to respecting individuals’ data protection rights and the security of personal information. Operation policies, regulations, and criteria have been established for operation under strict measures to maintain personal data security and to ensure that individuals’ data received by the company is legally used and meets the needs of each person.
Section 2 Personal Data
2.1 Data Collected by the Company
The company may collect personal information of the data subject through several channels, such as:
(1) When the data subject applies for a job with us via the website or telephone, including becoming the company’s employee, the company would like to know the necessary information as follows: name, surname, telephone number, email address, address, educational background, etc.
(2) When the data subject contacts the company for information or is interested in the company’s services, the Company may request information about the data subject, such as name, email address, phone number, etc.
(3) The company may store log files of the data subject. The information that may be collected includes IP address or access time, etc.
2.2 Personal Data
Personal data is any information that can identify the data subject, whether directly or indirectly, including:
(1) Personal data that an individual provides directly to the company or the company receives through other channels, whether arising from the use of services, contacting, visiting, or searching through digital channels, websites, call centers, assigned persons, or any other means.
(2) Personal data that the company receives or accesses from other sources not directly from you, such as parents, children, spouses, brothers and sisters, government agencies, financial group companies, financial institutions, financial service providers, business partners, credit information companies, and information providers, etc. The company may continue collecting this information only with your consent as required by law, except in necessary cases permitted by law.
Personal data that the company collects, uses, and/or discloses, including:
(1) Personal information, such as name, surname, age, date of birth, marital status, identification number, passport number, etc.
(2) Contact information, such as residential address, place of work, telephone number, email address, Line ID, etc.
(3) Financial information, such as account numbers, financial history, report of securities holdings of an individual or relevant person (parents, children, spouses, brothers and sisters)
(4) Transaction information, such as account statements, payments, loans, investments in securities of an individual or relevant person (parents, children, spouses, brothers and sisters)
(5) Information on devices or tools, such as IP address, MAC address, Cookie ID
(6) Other information, such as website access, audios, still images, motion pictures, and any other information that is considered personal data under the personal data protection laws.
(7) Cookies. The company’s website may use cookies in some cases. Cookies are small data files storing information exchanged between the data subject’s computer and our website. The company uses cookies only to collect information that may be useful to the data subject the next time he/she visits the company’s website. When the data subject accesses the web browser service, he/she can set to accept or refuse all cookies, or receive notification when cookies are sent. The data subject can go to the “Help” menu in the browser to learn how to change the use of cookies. Please note that disabling cookies may affect the use of certain services.
2.3 Sensitive Data
Sensitive data is personal data specifically required by law, including information about sexual behavior, health, political opinions, religious beliefs, etc. The company shall collect, use, and/or disclose sensitive data only when the company receives explicit consent from an individual or where the company deems necessary as required by law. The company may collect, use, and/or disclose biometric information, such as fingerprint mockup, for proving and verifying the identity of a person requesting access to the company’s premises (hereinafter in this policy, if not specifically stated, personal data and sensitive data relating to the aforementioned individuals are referred to collectively as “personal data”).
Section 3 Purposes and details of personal data collection, use, and/or disclosure
The company shall collect personal data for the benefit of business operations based on the company’s purposes, as well as to comply with any laws that the company or individuals are required to follow, and for any other purposes as specified in this Policy as follows:
3.1 To ensure the company operates its business according to its objectives
3.2 To perform legal obligations, for example:
(1) Compliance with orders of legal authorities.
(2) Compliance with business law, financial institution law, securities and exchange law, life insurance law, non-life insurance law, tax law, anti-money laundering law, law on prevention and suppression of financing support to terrorism and proliferation of weapons of mass destruction, computer law, bankruptcy law, and other laws that the company shall comply with both in Thailand and foreign countries, including notices and regulations issued following such laws.
3.3 To perform the necessary tasks under a legitimate interest, without exceeding the scope that a person can reasonably expect, for example:
(1) Recording CCTV images and exchanging ID cards before entering the company’s premises
(2) Maintaining customer relationships, e.g., complaint handling, satisfaction assessment, and customer care by the company’s employees
(3) Risk management, audit oversight, and internal management
(4) Anonymization of personal data
(5) Preventing, settling, and mitigating risks of fraud, cyber threats, defaults or breach of contract (e.g., insolvency information), law violations (e.g., money laundering, financing terrorism and proliferation of weapons of mass destruction, offences against property, life, body, liberty or reputation), including sharing of personal data to upgrade the standard of the office in preventing, settling, mitigating the above risks.
(6) Collecting, using and/or disclosing personal data of directors, authorized persons acting on behalf of directors, and representatives of corporate clients.
(7) Contacting, image recording, and audio recording of meetings, training, recreation activities, or booth exhibition
(8) Collecting, using and/or disclosing personal data of persons with receivership order
(9) Receiving and delivering parcels
3.4 Personal data received by the company is processed separately by legal basis as follows:
(1) Contract
(2) Vital Interest
(3) Legal Obligation
(4) Public Task
(5) Legitimate Interest
(6) Consent
If there is any change in the purpose for which personal data is used lawfully, the company shall notify the individual within 30 days.
3.5 Log data recorded by the company. Each department should save log data as follows:
(1) For the general purposes of the company, do not save logs of personal data usage.
(2) For the use of personal data outside of the company’s purpose, logs must be recorded together with the additional purpose. Consent shall be requested from the data subject.
(3) Where sensitive personal data is used from time to time, consider logging such usage in order to store user data and record usage details.
(4) There should be an access log to monitor visitors, as well as usage logs, so that checks are possible in case of data leakage.
(5) There should be access control to restrict user access to personal data.
Section 4 Third Party Data Processing
The company may need to transmit or transfer personal data to third parties for processing. The company shall take care of the transmission or transfer of personal data as specified by law and shall take measures to protect personal data that it deems necessary and appropriate in accordance with confidentiality standards, for example, data fragmentation before sending and signing a confidentiality agreement with data recipients. Moreover, the company may choose to use a personal data protection policy that has been reviewed and certified by the relevant legal authority, and proceed to transmit or transfer personal data to third parties for processing in accordance with the said personal data protection policy instead of taking action as required by law.
Section 5 Personal Data Disclosure
The company may disclose personal data to others under the consent of the individual according to a consent form or under the criteria permitted by law.
Section 6 International Data Transfer
The company may need to send or transfer personal data to companies in the company’s international network or to other data recipients as part of the company’s normal business operations, such as sending or transferring personal data to be stored on servers/clouds in different countries.
In the event that the destination country does not have sufficient standards, the company shall take care of the transmission or transfer of personal data as required by law and shall take measures to protect personal data that are deemed necessary and appropriate in accordance with confidentiality standards. For example, the company enters into a confidentiality agreement with the information recipient in such country. In the case that the information recipient is a company in the network in foreign countries, the company may choose to implement a personal information protection policy that has been reviewed and certified by the relevant legal authority and shall proceed to transmit or transfer personal information to companies in the network in foreign countries in accordance with the said personal data protection policy instead of taking action as required by law.
Section 7 Cookie Policy
When you access our website, information related to your access to our website is stored in the form of cookies. This Cookie Policy describes the meaning, function, purpose, including the deletion and refusal of cookies for your privacy. By accessing this website, you consent to our use of cookies in accordance with the Cookie Policy detailed below.
7.1 What are cookies?
A cookie is a small file saved to your computer devices and/or communication devices, e.g., tablets and smartphones. Cookies are stored via a web browser, while you access our website. The company’s website may use cookies in some cases. Cookies are small data files storing information exchanged between the data subject’s computer and our website. The company uses cookies only to collect information that may be useful to the data subject the next time he/she visits the company’s website. When the data subject accesses the web browser service, he/she can set to accept or refuse all cookies, or receive notification when cookies are sent. The data subject can go to the “Help” menu in the browser to learn how to change the use of cookies. Please note that disabling cookies may affect the use of certain services.
7.2 How are cookies used?
We use cookies to enhance your experience and satisfaction. Cookies allow us to quickly understand how you use our website and to make our website more accessible and convenient. In some cases, we require third parties to do this. Internet protocol addresses (IP addresses) and cookies may be used for statistical analysis, as well as information linkage and data processing for marketing purposes.
7.3 Types of Cookies Used
| Types of Cookies | Details | Examples |
| --- | --- | --- |
| Persistent cookies | This type of cookie facilitates your continued experience with the website, e.g., remembering log in details, remembering information you provide on the website. | |
| Analytics cookies or performance cookies | This type of cookie allows us to measure performance, e.g., processing the number of pages you access and the number of characteristics of a particular user group. Such information is used to analyze user behavior patterns. | |
| Advertising cookies | This type of cookie is saved on your device to record your access information and links you have visited and followed. In addition, cookies from third parties may use the information forwarded in online media and content from the service to understand the user needs. The data are used for tailoring websites and advertising campaigns to suit your interests. | |
| Functional Cookies | This type of cookie facilitates you when you return to our website. We use the information to tailor the website to your preferences. | |
7.4 Cookie Management
You can delete and refuse the collection of cookies by studying the methods specified in each web browser.
7.5 Changes in Cookie Policy
This cookie policy may be amended from time to time to comply with the regulations. Therefore, it is advisable to ensure that you understand the changes to these Terms.
Section 8 Duration of Personal Data Storage
The company shall retain personal data for the period necessary to operate businesses according to the company’s purposes or for the period necessary to achieve relevant purposes in this policy, which may be necessary to retain afterward in case required or permitted by law, for example, storing personal data according to the law on the prevention and suppression of money laundering, and collecting information for the purpose of proving the case when disputes may arise within the statute of limitations as prescribed by law for a period not exceeding 10 years. However, the company will delete or destroy personal data or make it non-personally identifiable information when necessity ends or at the end of data retention.
Section 9 Protection of Personal Data and Risk and Impact Assessment
The company shall keep personal data properly, in accordance with technical measures and organizational measures, to maintain proper security in processing personal data and to prevent data breaches. The company has established relevant regulations and criteria for the protection of personal data and has assessed the risks and impacts of personal data protection, e.g., information technology system security standards, and measures to prevent data recipients from using or disclosing data outside the set purpose, without authority, or without legal grounds. The company has regularly updated regulations and criteria, and has assessed the risks and impacts of such personal data protection as necessary and appropriate. The assessment of risks and impacts of personal data protection includes the loss of credibility, customer trust, disadvantage in market and trade competitiveness, and legal proceedings. Directors, employees, contractors, agents, consultants, and data recipients are obliged to maintain the confidentiality of personal data in accordance with the confidentiality measures established by the company. The company requires that the incident of a personal data breach be reported to the data subject within 72 hours from a personal data breach.
Section 10 Rights of Persons Relating to Personal Data
The rights of a person relating to personal data are legal rights that should be recognized. A person can exercise various rights under the terms of law and policies currently prescribed or to be amended in the future, as well as the criteria set by the company. If the person is under the age of majority or has limited ability to make legal acts under the law, such person can exercise the rights by having parents, administrative authority, or authorized representatives inform his/her intention.
10.1 Rights to be informed.
If a person wishes to give consent to the company to collect, use, and/or disclose personal data, such individual has the right to know the purposes for which the personal data are collected, used, and/or disclosed. The data subject may provide or not provide the information in case of information request; however, he/she shall provide personal data in the case required by law.
10.2 Right to withdraw the consent
If a person has given consent to the company to collect, use, and/or disclose personal data (whether the consent was provided by the individual prior to the date of applicable data protection laws or thereafter), such person has the right to withdraw the consent at any time while the personal data is retained with the company, unless there is a restriction on that right by law or there is a contract that benefits the individual.
However, the withdrawal of a person’s consent may affect that person in the performance of the contract. Therefore, for the benefit of the person, it is important to study and inquire about the implications before withdrawing the consent.
10.3 Right of access
A person has the right to request access to his/her personal data under the responsibility of the company, requesting the company to make copies of such information, as well as asking to disclose how the company obtained such personal data.
10.4 Right to data portability
A person has the right to receive personal data in the event that the company has prepared such information in a form that can be read or used with automatic tools or devices, and can use or disclose personal information by automated means. He/she also has the right to ask the company to send or transfer personal data to another data controller when it can be done by automated means; and has the right to receive personal data that the company sends or transfers directly to another data controller, unless it is unable to do so due to technical reasons. However, the personal data of the aforementioned data subject must be information that has given consent to the company to collect, use, and/or disclose, or be personal data that the company is required to collect, use, and/or disclose in order to perform according to the intention of the contract, or other personal data as required by authorized representatives.
10.5 Right to object to the collection, use, and disclosure of personal data
A person has the right to object to the collection, use, and/or disclosure of personal data at any time. If the collection, use, and/or disclosure of personal data is carried out for the necessary operations under the company’s legitimate interest or as required by law without exceeding the reasonable expectation to do so, or for mission implementation for public interest, and the data subject files an objection, the company shall continue to collect, use, and/or disclose personal data only if the company can demonstrate legal reasons that are more important than your fundamental rights, or to assert legal rights, comply with the law, or fight lawsuits, as the case may be.
10.6 Right to request deletion or destruction of data
A person has the right to request deletion or destruction of personal data, or to make personal data non-personally identifiable, if the person believes that his/her personal data has been collected, used, and/or disclosed unlawfully, or considers that it is not necessary for the company to retain the information for the relevant purposes of the policies, or when the individual has exercised his/her right to withdraw the consent or his/her right to object as mentioned above.
10.7 Right to restrict processing
A person has the right to request temporary suspension of data use in the case that the company is in the process of reviewing the request for rectification or objection of personal data, or in any other case where the company is not obliged and must delete or destroy personal data under relevant laws.
10.8 Right of rectification
A person has the right to request correction of his/her personal data so that it is up to date, complete, and not misleading.
10.9 Right to complain
A person has the right to lodge a complaint with the relevant legal authority if he/she believes that the collection, use, and/or disclosure of his/her personal information violates or fails to comply with applicable laws.
10.10 Restrictions on the exercise of rights
The exercise of rights of above-mentioned persons may be restricted under the relevant laws, and there are cases where it is necessary for the company to refuse or fail to comply with the above-mentioned application, such as in complying with a law or a court order for public interest, the exercise may violate the rights or freedoms of others. If the company refuses the above request, the company shall notify a person of the reason for the refusal. The company shall process the request for the exercise of various rights within 30 days from the date a person has submitted the request and supporting documents to the managing director of the company in full.
Section 11 Responsible Persons for Personal Data Protection
The company shall appoint the person responsible for personal data protection and define the role of the data controller as follows:
11.1 Data Controller
refers to a person or entity who has the authority to make decisions about the collection, use, or disclosure of personal data.
11.2 Data Processor
refers to a person or entity that collects, gathers, uses, or discloses personal data as directed by or on behalf of the data controller. However, the person or entity doing so shall not be the controller.
Section 12 Penalty
If a person who is responsible for carrying out any task under his/her duties neglects or omits to do, or fails to do or directs, or performs any of his/her duties in violation of the policies and practices relating to personal data until causing an offense under the law and/or damages, the person shall be subject to disciplinary action according to the company’s regulations. The company shall not compromise any offense committed by the responsible person and such person shall be subject to legal penalties according to the offense incurred. If such offense causes damage to the company and/or any other person, the company may consider further legal proceedings.
Section 13 Policy Review
The company shall review this policy at least once a year or in case the law is amended.
Section 14 Contact
Samart Plastpack Co., Ltd.
Address: 110 Soi La-ongsri, Petchkasem Road, Nong Klang Phlu Sub-district, Nong Khaem District, Bangkok 10160
Telephone: 02-4212060
Email: customerservice@samartplastpack.co.th
Letter of Consent: Consent form