Privacy Notice
Updated on June 1st, 2022
1. Definition
The Company is aware of the importance of collecting User Personal Data and keeping it confidential. However, in order to operate the business and provide products to clients, it is necessary for the Company to use, collect, store, and disclose User Personal Data. Therefore, the Company has a duty to comply with the PDPA as Data Controller and Data Processor (in some cases). The Company hereby confirms that:
- the Company shall duly and lawfully use, collect, store, and disclose User Personal Data within the scope of law;
- the Company supports the protection of User Personal Data;
- the Company has a security and storage system to protect and safeguard the confidentiality of Personal Data in accordance with applicable legal standards; and
- the Company shall create a system that takes User’s privacy into consideration when using, collecting, storing, and disclosing any information.
Consequently, the Company has prepared this privacy policy to explain how the Company will treat User Personal Data, including the use, collection, storage, disclosure, and protection of Personal Data, and User’s rights. For your own benefit, the Company suggests that User thoroughly read and comprehend the following privacy policy:
Unless specified otherwise herein, the following words shall have the meaning as provided herebelow:
- “PDPA” means the Personal Data Protection Act of 2019 (B.E. 2562) or any amendment thereafter, including any royal decrees, ministerial regulations, notifications, orders, and other laws related to Personal Data protection;
- “Personal Data” means any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the data of the deceased persons or anonymized data such as name, identification number, location data, online identifier.
- “Cookies” means a small text file consisting of parts of data from a download activity that may be stored in the web browser you use to access the website. Cookies data may be saved on your computer device or any communication tools that you use to access the web browser while you visit the Company’s website.
- “Company” means STP&I PUBLIC COMPANY LIMITED
- “Company’s business group” means the business entities that are held by STP&I PUBLIC COMPANY LIMITED
- “Company’s business partner” means the business entities that are incorporated with an agreement for Personal Data disclosure.
- “Data Controller” means a person or juristic person who has power and duties to make decisions regarding the collection, use or disclosure of Personal Data;
- “Data Processor” means a person or juristic person who acts in respect of the collection, use, or disclosure of Personal Data as per an order or on behalf of Data Controller. In this regard, the said person or juristic person shall not be deemed as Data Controller; and
- “User” means a person or juristic person who receives Service or Product in any form from the Company, including its customers, subcontractors, agents, tenants, staff, employees, executives, or representatives.
2. Personal Data the Company Collects from You
The Company will collect your personal data as necessary for lawful purposes. The Company may receive personal data through both direct and indirect means such as electronic channels, physical documents, inquiries, government agencies, business partners, and/or other service providers such as Facebook, Instagram, Line, etc.
The Company may collect your personal data such as:
- Personal data and your interest such as name, surname, gender, age, nationality, date of birth, marital status, address, occupation, work place, postal code, email address, telephone number, national ID number, passport number, credit card number, bank account number, monthly income, payment data, vehicle information, purchase history;
- Identifiable image data such as pictures and videos of you and/or your belongings that the Company may collect from CCTV cameras and cameras when there is access to office building, retail space, areas under the Company’s responsibility, during events, meetings, or any seminars;
- Sensitive data such as race, religion, health information, and etc. In the event that the Company has accidentally received it and has no intention to collect such data, the Company will not use your sensitive data;
- Technical data such as website usage and searching behaviors. The Company may use cookies as a tool to collect IP address, the type of web browser used to access the website, visit duration, websites that refer to the Company’s website, and your location data during website access;
- Marketing and communication data such as your preferences in receiving marketing material, including contact information, and voice recording when you communicate with Call Center or through other social media channels.
The Company collects, uses, and discloses aggregated data, such as statistical and project information. The aggregated data may derive from your personal data; however, such data is not considered personal data since it cannot be used to identify a specific individual. For example, the Company may use some of your data after the process of anonymization to create statistical information on people who access the website.
The Company is fully aware that the data used must not be able to revert to identifiable data. If the data can then be used to identify a specific individual, it will be considered personal data and will be treated in accordance with this Privacy Notice.
The Company’s website may lead you to a third-party website via a link; such action may allow other websites to collect, use, or disclose your personal data without the Company’s involvement. These services and websites may operate independently from the Company and may have their own privacy notices and policies. The Company cannot be held accountable for any collection, use, or disclosure of personal data that occurs on other websites. Hence, you are encouraged to read the privacy notices of every website you visit.
3. Data management policy
In order to operate the business, it is necessary for the Company to use, collect, store, and disclose User Personal Data. The Company, therefore, has a duty to comply with the PDPA as Data Controller and Data Processor (in some cases). In this regard, the Company represents and warrants that:
- the Company shall use, collect, store, and disclose User Personal Data within the scope of law;
- the Company has a security and storage system to protect and safeguard User Personal Data in accordance with applicable legal standards; and
- the Company shall take User’s privacy into consideration when using, collecting, storing, and disclosing any Personal Data.
4. Scope of privacy policy
To protect User Personal Data and privacy, this privacy policy shall apply to all use, collection, storage, or disclosure of User Personal Data from all transaction and operation activities between User and the Company.
5. Personal Data collection and processing principles
The Company shall collect and process Personal Data under six principles as follows:
Personal Data protection principles | Context for the Company’s operation |
Lawfulness, Fairness and Transparency | The Company shall use, collect, store, disclose, and process User Personal Data in accordance with the consent given by User, or as specified in the terms and conditions of the agreement between the Company and User. The said data will be stored in paper and electronic form according to its nature and purpose as consented or contractually agreed. The use, collection, storage, and disclosure of Personal Data will be for the purposes of using, collecting, storing, and disclosing Personal Data as stipulated by law and the purposes which the Company has notified User when collecting such information. |
Purpose Limitation | The Company shall only use, collect, store, and disclose Personal Data for the purposes for which it was collected, or according to the legal authority or obligation, or the specified scope of work. |
Data Minimization | The Company shall limit the use, collection, storage, and disclosure of Personal Data to the extent necessary as per the specified purposes, unless stated by law to additionally operate, use, collect, store, and disclose the data to protect the legitimate interest of the Company. |
Accuracy | The Company shall verify and keep Personal Data accurate and up-to-date, including correcting any inaccuracy without delay. |
Storage Limitation | The Company shall limit the storage period of Personal Data to the extent necessary or as required by law for the purposes specified by the Company, unless stipulated by law to extend the storage or to protect the legitimate interest of the Company. |
Integrity and Confidentiality | The Company shall use appropriate security measures suitable for data collected by the Company to protect against unauthorized access, loss, or destruction by third party, or unlawful use. |
6. Purposes of the use, collection, storage, or disclosure of Personal Data
The Company collects, stores, and uses User Personal Data to provide the operation system to User, or to create database, or to perform data analysis in order to improve the operation system of the Company, and/or any other purposes not prohibited by law, and/or to comply with any laws or company regulations applicable to the Company, whether currently in effect or may be enforced in the future, and/or for any purposes beneficial to the Company’s business operation.
In order to conduct business operations, activities and/or transactions according to your request and/or to achieve the Company’s objective, the Company may collect, use and disclose your personal data for objectives including but not limited to the following:
- To proceed with the purchase of the Company’s operation or services systems, equipment, machine or programs as requested;
- To carry out the contract you have with the company, or to process your request prior to entering into the contract; whether it is for procurement inspection of product or service quality, service provider performance evaluation, or any other relevant procedures. If you do not provide your personal data, the Company may not be able to proceed with your request as notified or there may be other legal effects;
- To carry out the contract with the contracting party that the Company procures or uses;
- To comply with the law;
- To serve public interest or carry out tasks assigned to the Company by government agencies;
- To carry out the Company’s legitimate interests such as maintain relationship with you, enhance the Company’s business operation standard, and prevent illegal activities;
- To develop marketing plans, conduct data analysis, assess system, improve and develop product or service of the Company, and enhance the efficiency of the website;
- To provide security and prevent illegal actions in the factory, office or areas under the Company’s responsibility, using data from CCTV cameras when there is access of such locations;
- To achieve the Company’s internal objectives or to conduct public relations for external audiences through both print and the Company’s social media channels. This activity includes the Company’s collection of pictures or videos from events, meetings, or any seminars held by the Company. Nonetheless, the said data will not be used for commercial purposes;
- In the event that the Company receives your explicit consent, the Company will only use your personal data for purposes you have given consent to;
- In the event that the Company collects minor personal data, the Company will only process in accordance with the purposes data subject has provided it for and such data will not be used for any other or marketing purpose;
- If the Company wishes to process sensitive data, the Company has to acquire your explicit consent before or during the collection of such data.
7. Legal basis for the use, collection, storage, and disclosure of Personal Data
The Company shall not use, collect, store, and disclose User Personal Data without User’s consent, unless it is for compliance with applicable law, or the performance of a contract, or the Company is permitted by law or legitimate right to proceed with the said use, collection, storage, and disclosure of Personal Data. The Company applies the following legal basis for the aforesaid use, collection, storage, and disclosure of Personal Data:
Legal basis | Example of the Company’s use, collection, storage, and disclosure of Personal Data |
Necessary for performance of a contract | The use, collection, storage, and disclosure of User Personal Data for performance of a contract, or any terms or conditions stipulated in a contract, or the Company’s guidelines for performance of a contract. |
Necessary for performance of the Company’s task carried out in public interest as a Data Controller in the exercise of official authority vested in the Company as a Data Controller | The disclosure of Personal Data to competent government authorities according to the court order or lawful orders of government authorities. |
Necessary for the purposes of legitimate interests pursued by the Company and Subsidiaries as a Data Controller, except where such interests are overridden by the fundamental rights of the data subject which require protection of Personal Data | The collection of User Personal Data via the Company’s closed-circuit television (CCTV) system and processing of such data for security purposes, including for the development of the security system of the Company.
The recording of image or Personal Data from regular use of the Company’s services, or to protect the security of the confidentiality of the Company. |
8. Legal basis for the use, collection, storage, and disclosure of sensitive Personal Data
The Company shall not use, collect, store, and disclose User’s sensitive Personal Data, such as, data in respect of racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal record, health information, disabilities, labor union information, heredity information, biological information, without User’s consent, unless the Company has a legal basis to support its operations as specified in the PDPA, for example:
Legal basis | Example of the Company’s use, collection, storage, and disclosure of sensitive Personal Data |
To protect the vital interests, life, and health of the data subject where the data subject is for whatever reason incapable of giving consent | The disclosure of User Personal Data, such as, health information, blood group, or religious beliefs, to medical staff or hospital to protect the vital interests, life, and health of User in the event that User has an accident and User is unconscious and unable to give consent. |
It is the data which are manifestly made public by the data subject | The disclosure of User’s name, surname, and photo, which disseminated by the Company through website with User’s consent. |
Necessary to comply with legal obligation to achieve the objectives relating to preventive or occupational medicine, assessment of working performance of employee | The disclosure of User Personal Data, such as, name, surname, gender, health information, blood group, or religious beliefs, to officer or public health authorities in the event of an outbreak of contagious disease in the vicinity of or related to the Company. |
Necessary to comply with legal obligation to achieve the objectives relating to public interest, or construction, or engineering study, or other public interest | The use of Personal Data to analyze, research, or develop construction, engineering for common interest, such as, data processing by artificial intelligence (AI), etc. |
9. Limitation of Personal Data collection
The Company shall use, collect, store, or disclose Personal Data under lawful and fair purposes, scopes, and means. The Company shall limit its collection of Personal Data to the extent necessary for the provision of the Service. The Company may collect Personal Data from any physical or electronic means, in whatever form, according to the purposes of the Company or for the benefit of the Company’s business operation only.
User acknowledges and renders consent to the Company’s use, collection, storage, or disclosure of User Personal Data in accordance with the purposes specified by the Company via physical, electronic, or any other means designated by the Company. In addition, in the event that the processing of sensitive Personal Data (such as, data in respect of racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal record, health information, disabilities, labor union information, heredity information, biological information or any other information which affects the data subject in the same manner) is necessary for the provision of the Service to User, User has also consented to the Company’s use, collection, storage, or disclosure of such sensitive Personal Data.
The Company may use, collect, store, or disclose User Personal Data without requesting consent from User during the collection of Personal Data in the following events:
- to achieve purposes in the making of company operation process for public interest, or relating to the study, research or statistics for which the appropriate protection standard is established;
- to protect vital interests, life, and health of persons;
- necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
- necessary for the performance of a task carried out in public interest;
- necessary for the purposes of the legitimate interests pursued by the Company or by a person or juristic person that is not the Company;
- to comply with legal obligation to which the data controller is subject, such as, the PDPA, the Civil Procedure Code, the Penal Procedure Code, and etc.;
- necessary to protect vital interests, life, and health of User;
- for the benefit of the investigation by investigators or court trials; or
- for the interest of User where User is incapable of giving consent at the relevant time.
10. Transfer of Personal Data to third country
The Company may transfer User Personal Data to third country for the purpose of the Company’s business operations as necessary. User agrees and renders consent for the Company’s transfer of User Personal Data to person or entity in third country or under the jurisdiction of other countries, regardless of whether Personal Data protection law of such country may or may not reach the protection standard of Thailand’s Personal Data protection law. In any event, the Company shall comply with appropriate measure to protect the security of User Personal Data at the same level of protection as Thailand’s Personal Data protection law.
11. Data retention
The Company shall only retain User Personal Data for as long as necessary or as regulated by law for the purposes specified by the Company. For more information regarding the Company’s Personal Data retention period, please contact the Data Protection Officer.
12. User’s right under the PDPA
As a data subject under the PDPA, User is entitled to the following legal rights:
Right | Details |
Consent withdrawal | User is entitled to withdraw consent for the Company’s collection, use, processing, or disclosure of User Personal Data by notifying the Data Protection Officer in writing.
The said consent withdrawal is subject to the conditions, rules, notifications, or regulations provided in the PDPA, as well as the Company’s privacy policy and other criteria specified by the Company. |
Right to access | User has the right to examine as to how the Company processes User Personal Data retained by the Company, including the right to access to and request a copy of the said Personal Data from the Company. |
Right to rectification | The Company shall use its best efforts to ensure that User Personal Data retained by the Company is accurate, complete, and up-to-date. However, if User finds that any of User Personal Data in the Company’s possession is inaccurate, User can request the Company to correct such inaccuracy and the Company will verify and correct such information, accordingly. |
Right to erasure | User has the right to request the Company to erase or destroy, or cause User Personal Data in the Company’s possession to be unidentifiable, unless such request is contrary to the law or may impact or cause damage to the Company. Upon receiving User’s request, the Company shall verify the request and proceed with the deletion, destruction, or de-identification of the data without delay, subject to the criteria and measures specified by law. |
Right to restrict processing | User has the right to request the Company to stop using User Personal Data, unless such request is contrary to the law or may impact or cause damage to the Company. |
Right to data portability | User has the right to request for User Personal Data in electronic form in the event that the Company makes such Personal Data available in a structured, commonly used and automated machine-readable format which can use or disclose the said Personal Data by automatic method, as well as requesting the Company to transmit or transfer such Personal Data in the said format to third party, unless such request is contrary to the law or may impact or cause damage to the Company. |
Right to object | User has the right to object the use, collection, storage, or disclosure of User Personal Data in the event that User finds any use, collection, storage, or disclosure of Personal Data for other purposes, unless such objection is contrary to the law or may impact or cause damage to the Company. |
In the event that User refuses to give consent for the Company’s processing of User Personal Data or requests the Company to erase User Personal Data, the Company may be unable to provide service to User, effectively. Therefore, User may not be able to obtain the Services from the Company.
The Company reserves the right to reject User’s request in the event that it is permitted by law, or there is an order of competent government authorities or the court, or User’s request is contrary to the law or may impact or cause damage to the Company.
If there is a request to erase User Personal Data from the system, the Company shall use its best efforts to erase User Personal Data from the system. However, User agrees and acknowledges that the Company may retain records or make copies of such data in the Company’s server or back-up system to back up data in case of errors, defects, or malfunctions to the Company’s system, including retaining them as evidences or for the performance of legal obligation.
User’s exercise of rights shall be subject to the rules, notifications, and regulations prescribed by the Company, which shall be in line with the criteria of the PDPA, including the Company’s privacy policy and other criteria specified by the Company. User can exercise the above data subject’s right by sending written request to the Data Protection Officer as detailed in clause 14 of this privacy policy.
13. Notification of breach of Personal Data
In the event of any violation of Personal Data, please notify the Data Protection Officer as detailed in clause 14 of this privacy policy within 72 hours from the occurrence of such event in order to protect Personal Data and to prevent and remedy the said violation for User.
14. Data security
For the exercise of rights specified in clause 12 or report of Personal Data breach, or any inquiries regarding the collection, use, or disclosure of Personal Data of the Company, please contact the Data Protection Officer as per the details below:
Data Protection Officer
Miss Sunettra Sathapanasiri
Address: 32/24 Sino – Thai Tower, 3rd Floor, Sukhumvit 21 Road (Soi Asoke), Klongtoey Nua Sub-district, Wattana District, Bangkok 10110 Thailand
Tel: 02-2601181
Fax: 02-2601182
Email: DPO@stpi.co.th
15. Privacy policy update
The Company has policies and programs on information technology security protection that meet international standards to protect the confidentiality and security of User Personal Data and to prevent loss or unauthorized destruction, access, or disclosure of User Personal Data, which must be strictly complied with by the Company’s employees. The Company also educates and raises awareness of the importance of Personal Data and the responsibility for the security of such information. However, the Company makes no representations or warranties that the implementation of the said policy will be free of any defects or errors. The Company, therefore, reserves the right to discharge all liabilities for any damage or loss occurred to User.
16. Additional information
For the benefit and efficiency in providing the Service to User, the Company reserves the right to update or revise this privacy policy without notifying User in advance. Consequently, the Company requests User to review this privacy policy regularly.
17. Additional information
For more information regarding this privacy policy or any operation related to User Personal Data, please contact the Data Protection Officer as detailed in clause 14 of this privacy policy.