Company ; means Toshiba Thailand Co., Ltd.
Data Controller ; means the Company that has the authority to make decisions about the Personal Data and to obtain the Personal Data from the employees, job applicants applying for a role, or to provide services or to perform contracts with such persons.
Data Processer ; means a natural person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller.
Data Protection Officer ; means officer(s) appointed by the Data Controller to perform and act as the Data Protection Officer in accordance with the Personal Data Protection Act B.E. 2562.
Website ; means any websites owned or provided by Toshiba Thailand Co., Ltd. as the case may be.
Personal Data ; means any Personal Data which can be identified a natural person directly or indirectly, but not including information relating to deceased person according to Section 6 of the Personal Data Protection Act B.E. 2562.
PDPA ; means Personal Data Protection Act B.E. 2562, as amended, including relevant rules, regulations, and orders.
Processing of Personal Data ; means the collection, use, and/or disclosure of Personal Data in which you are the data subject.
2. General Provision
3. Collection of Personal Data
3.1 The Company shall collect, use, and/or disclose Personal Data in compliance with the law and shall collect only to what necessary to fulfil the purpose it was collected for.
3.2 In some cases, the Company may collect, use, and/or disclose Personal Data that Data Subject has provided to the Company or the Company has received from other reliable sources such as government agencies, etc.
3.3 If the Data Subject choose not to provided information or provide inaccurate or outdated information to the Company, the Data Subject may subject to certain restriction. For example, the Data Subject may be unable to conduct any transaction with the Company or may be unable to demand certain performance of a contract with the Company. All of these restrictions may potentially cause damages and loss of opportunity to the Data Subject and may potentially affect any legal obligation in which the Data Subject or the Company, as the case may be, is under obligation to comply.
3.4 The Company generally processed the following 2 categories of Personal data:
3.4.1 General Personal Data including:
(1) Identification information and contact information such as photo, name and surname, national identification card number, identification card information, passport number, gender, date of birth, age, status, address, occupation, workplace, telephone number, e-mail address.
(2) Personal information such as marital status, family member information, beneficiary and emergency contact information, education background, military status
(3) Work Information such as job title, job department, details in agreement, CVs, resume, employment information
(4) Payroll and welfare information such as salary details, compensation, and other relevant benefits or welfare
(5) Account and transaction information such as details of payment of Company’s products and services, credit and/or debit card information including Toshiba branded products bought from the Company including your bank account information
(6) Information necessary for references or for your transactions such as Personal Data as shown in the copy of identification card, copy of passport, copy of house registration, copy of driving license, copy of vehicle registration, vehicle registration number, copy of power of attorney, invoices, receipts, or payment vouchers, etc.
(7) Disciplinary action information such as CCTV footage, software system, internet access, email and telephone usage
(8) Technology Information such as log, IP address, location, browser, referring website, login log, transaction log, access time, searched information, social media, website function usage, cookies, or other technologies in the same manner, etc.
3.5 Sources of Personal Data
3.5.1 The Company may collect Personal Data directly obtained from you, for example, from using the Company’s services or from filling your Personal Data through Company’s Websites or though other available channels, or when you entered into a contract or transaction with the Company and submitted or make copy of any document relating you to the Company, or when you submitted your inquiries, feedback, or complaint to the Company, etc.; or
3.5.2 The Company may collect your Personal Data obtained from third parties such as through government agencies, through business partners of the Company, or through other reliable websites, etc.
3.6 Retention Period of Personal Data
4. Purposes of Processing of Personal Data
The Company processes your Personal Data for the following purposes:
4.1 Purposes of Processing of Personal Data in which the Company must obtained consent.
4.1.1 The collection, use, disclosure of Sensitive Data for the following purposes:
(1) For purpose to determine eligibility for initial employment, including verifying references and qualifications.
4.1.2 In case that the Company shall obtain consent before transferring Personal Data to foreign country with no adequate data protection standard in compliance with PDPA.
4.2 Purposes in which the Company may processed by lawful basis of processing in collecting, using, and/or disclosing of Personal Data including disclose of Personal Data and Sensitive Data to The Company’s affiliates.
4.2.1 The Company may process Personal Data by lawful basis of processing as follows:
(1) Processing is necessary for commencement of employment contracts or performance of employment contracts or any other contracts that the Company is hired;
(2) Processing is necessary for compliance with legal obligations;
(3) Processing is necessary for the purposes of the legitimate interests of the Company or third party, where such interests are proportionate to the fundamental rights of the Data Subject of his or her Personal Data;
(4) Processing is necessary for preventing or suppressing a danger to a person’s life body or health; and
(5) Processing is necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
4.2.2 Aforesaid in clause 4.2.1, the Company shall rely on lawful basis of processing listed in (1) to (5) for the collection, use, and/or disclose of Personal Data for the following purposes;
(1) If the Data Subject here is the job applicant, the Company shall rely on lawful basis for processing Personal Data for the following purposes:
* For recruitment process purposes including decisions to hire or to determine other potential roles and the Company’s discretion, contacting or notifying Data Subject of the results of the job application.
* For any other purposes that are related to employment of the Data Subject, or in any other human resources related document.
(2) If the Data Subject is the Company’s customers or contracting parties, the Company shall rely on lawful basis for processing Personal Data for the following purposes:
* For the purposes of drafting and managing contracts made between the Company and other contractual parties including for performance of a contract.
* For the purposes of procurement or registration of new customers or contracting parties or any other persons with the same manner as well as processing of requests of the contracting parties or any other persons with the same manner.
* For the purposes of recording the Company’s creditor and the Company’s debtor, for issuing invoices, for issuing tax invoices, for checking Company’s credit bureau, for disbursement and receiving money including related financial transactions and accounting operations.
* For communicating or coordinating purposes to operate the Company with third parties, contractors, contract parties.
* For legal obligations purposes which related to the Company’s businesses and to comply with the government’s official orders such as registration of business at the Department of Business Development, notification of registration personnel or related persons, conducting tax reports to submit to the Revenue Department, accounting audits by the auditors, etc.
* For purposes of Company’s announcements such as Company’s news, trainings, conferences, seminars, Company’s projects, relation events, social events, etc.
* For the purposes of health management, occupational health, and safety management of the contractors and for the purposes to organize an annual health check up for both general health check-up and occupational health check-up (Health check according to risk factors), to administer health insurance and assess health readiness, to use health data for reporting, investigation, causal analysis or for development of preventive health management and to formulate measures to prevent incidents occurring.
* For the purposes of health protection and to prevent from any communicable disease spreading in the Company’s premises by screening people entering and leaving premises including tracking travel and conduct report on travel which may result in potential risk of spreading disease.
* For surveillance purposes to enhance facility security performance in building or in premises of the Company. For safety risk assessment purposes of entering and exiting the premises. For identification purposes and keeping record of entering and exiting the premises. For video footages in buildings, offices, or surrounding areas under CCTV surveillance.
* For the establishment, compliance, exercise, or defense of legal claims. For initiating litigation, as well as proceeding for legal enforcement such as investigation and/or examination by government officials, for case preparation, and/or defense of legal claims in court, etc.
4.3 The Company shall not processing your Personal Data other than what the Company has notified the purpose of processing Personal data to Data Subject, unless the Company has notified new purposes to the Data Subject and has obtained consent or it falls under any exception as prescribed by the law.
5. Disclosure of Personal Data
The Company shall disclose your Personal Data in compliance with the notified purposes to the following persons:
(1) The Company’s affiliates. Whereby the Company may disclose your Personal Data to its affiliates’ employees or designated person(s) to what necessary to manage data or to fulfil the purpose it was collected for.
(2) Service Provider(s) and the Data Processor which the Company appoints to manage/ process Personal Data for the Company in providing services. For example, human resources management, to provide services in security, to provide services in information technology, accounting audits, or other services related to business operations or benefits you.
(3) Government agencies, authorized official authorities under the law such as Ministry of Labor, Social Security Office, Department of Skill Development, Legal Execution Department, Student Loan Fund, Department of Empowerment of Persons with Disabilities, Revenue Department, Department of Land Transportation, Social Security Office, Department of Business Development, Department of Industrial Works, Industrial Estate Authority of Thailand, Immigration Bureau, Office of the Personal Data Protection Committee, Courts Official, Police Officers, or other related official authorities as prescribed by the law.
(4) Vendor(s), contractors, Contract parties of the Company in which you coordinate or related to your job position or responsible person or designated person(s).
(5) State enterprise or private agencies such as Commercial banks, financial institution, Insurance companies.
(6) The Company's advisor such as auditors, external auditors, lecturers, lawyers or legal advisors, etc.
(7) Other person(s) or business sector(s) in which you had given consent to disclose your Personal Data to such person(s) or business sector(s).
6. Rights of Data Subject.
6.1 The Data Subject may file a request form in accordance with the Company’s conditions and procedures in cases the Data Subject requests for a copy of the Personal Data being processed by the Company or requests the Company to inform what sources the Personal Data originated.
6.2 In the event that the Data Subject sees that his/her Personal Data is inaccurate, not up to date, or incomplete which may cause misunderstanding. The Data Subject has the rights to request the Company to correct and complete Personal Data based on information they may provide by filing Data Subject rights request application to the Company in accordance with the Company’s conditions and procedures. In case where the Company do not respond or comply with the rights request, the Company shall keep record of the request with reasons of refusal as an evidence for future inspection.
6.3 The Data Subject has the rights to withdraw consent once given to the Company for Processing your Personal Data at any reasonable time unless there is a restriction of the withdrawal of consent by law, or there is contractual obligation that benefits you. For example, you are still bound by employment contract with the Company, or you have contractual obligations or legal obligation with the Company. Nevertheless, if you choose to withdraw consent, you may not be able to receive services from or conduct transaction with the Company, or the Company’s ability to provide services to you may be limited.
6.4 The Data Subject has the rights to receive the Personal Data concerning yourself from the Company. In which the Company shall arrange such Personal Data to be in the format which is readable or commonly used by ways of automatic tools or equipment and can be used or disclosed by automated means. You are also entitled to request the Company to send or transfer the Personal Data in such formats to other Data Controllers if it can be done by the automatic means or entitled to request to directly obtain the Personal Data in such formats that the Company sends or transfers to other Data Controllers unless it is impossible to do because of the technical circumstances.
6.5 The Data Subject has the rights to object Processing of your Personal Data at any reasonable time in one of the following circumstances:
(1) Where collection, use, and disclosure of Personal Data is necessary for the performance of a task carried out in the public interest by the Company or necessary for the legitimate interest of the Company;
(2) Where Processing of Personal Data is for the purpose of direct marketing; or
(3) Where Processing of Personal Data is for the purpose relating to scientific or historical research or statistics, unless it is necessary for the performance of a task carried out in the public interest by the Company.
6.6 The Data Subject has the rights to request the Company to erase or destroy or anonymize Personal Data to become anonymous data where legitimate ground applies.
6.7 The Data Subject has the rights to request the Company to restrict the use of Personal Data, where the following applies:
(1) When the Company is pending examination process in accordance with your request to ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading;
(2) Where it is the Personal Data which shall be erased or destroyed because it has been unlawfully collected, used, or disclosed, but you request for restriction of the use instead;
(3) Where it is no longer necessary to retain such Personal Data for the purposes of such collection, but you have necessity to request the retention for the purposes of the establishment, compliance, or exercise of legal claims, or the defense of legal claims; or
(4) Where the Company is pending verification to demonstrated that there is a compelling legitimate ground or pending examination for the establishment, compliance or exercise of legal claims, or defense of legal claims to reject the objection request made by you.
6.8 The Data Subject has the rights to complain to expert committee in accordance with PDPA in cases the Company or the Data Controller including employees or Data Processor(s) does not take action or does not comply with PDPA.
Nevertheless, the Company reserves the rights to examine the right requests as abovementioned and to proceed in accordance with PDPA. If you wish to exercise your abovementioned rights, please see the contact details in this Policy
7. Security Measures for Storing Personal Data
The Company is committed to protecting your Personal Data. Hence, the Company shall provide security measures including a safe and appropriate system for collecting, using, or disclosing Personal Data to prevent your Personal Data from accidental loss, unauthorized access of data, destroy of data, misuse of data, unauthorized change or disclosing of data in accordance with the Company’s information technology security policies and/or procedures.
The Company shall provide security measures of Personal Data which include operational safeguards, technical protection measures and physical safeguards regarding access or control of the Personal Data usage which at least consists of the following actions:
1) Control of access to Personal Data and storage devices and Processing of Personal Data considering the usage and security;
2) Determine permission to access Personal Data;
3) Users access management to Personal Data for designated person(s) only;
4) Determine roles and responsibilities of users to prevent unauthorized access, disclosure, cybercrime, copy of Personal Data, or to prevent theft of storage devices or data; and
5) Provide method for tracing back in access, alteration, disposal, or transmission of Personal Data in accordance with the methods and storage media used for processing of Personal Data.
9. Policy Review
The Company and related business unit shall often review this Policy. Updated versions are to be adopted by the Board of Directors of the Company where deemed necessary or appropriate.
10. Governing Law and Jurisdiction
11. Contact Information
Data Protection Office
Toshiba Thailand Co., Ltd.
Address: 201, Vibhavadi Rangsit 32, Vibhavadi Rangsit Road, Chatuchak, Bangkok
Email address firstname.lastname@example.org
Announced as of 1 April 2022