Buriram Sugar Public Company Limited and its Affiliates (collectively referred to as the "Company") recognize the importance of protection of personal data. Therefore, we have issued our Personal Data Protection Policy in order to prescribe the process of personal data protection in accordance with the Personal Data Protection Act, B.E. 2562, and to prescribe the process of data collection, storage, usage and disclosure, also including other rights of the Data Subject. The Company would like to announce this Policy with the following:
- “Personal Data” means information about a person which enables identification of such person, whether directly or indirectly, but not including information on the deceased in particular.
- “Sensitive Personal Data” means any information relating to a particular person which is sensitive and presents significant risks of unfair discrimination such as races, ethnic origin, political opinions, cults, religious or philosophical beliefs, sexual behavior, criminal records, health data, disabilities, trade union information, genetic information, biological information or any other data which may affect the Data subject in the same manner, as prescribed by the Personal Data Protection Committee.
- "Personal Data Protection Committee" means a Committee appointed under the Personal Data Protection Act , B.E. 2562, in charge of the duties and authorities to supervise, issue criteria, measures or provide other practices related to the protection of the Personal Data by this Act.
- "Personal Data Protection Policy" means the policy that the Company has issued as a guideline and notifies the data subject regarding the processing of the data and other details as prescribed by the Personal Data Protection Act, B.E. 2562.
- "Processing" means the collection, use and disclosure of Personal Data.
- "Data Subject" means a natural person who Personal Data relates to.
- "Data Controller" means a person or a juristic person who has the authority to make decisions regarding the collection, use or disclosure of the Personal Data.
- "Data Processor" means a person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such person or juristic person is not the Data Controller;
- “Data Protection Officer” means a person appointed by the Company who has a duty to advise, manage and inspect the operations related to the processing of the Personal Data with respect to the compliance with the Personal Data Protection Act, B.E. 2562, including to coordinate, report, correct, remove the Personal Data with the Data Subject and to report in the circumstance where there are problems and/or violations against the Personal Data.
- “Cookies” means small text files stored on the user's browser or on the hard drive of a computer, smartphone or internet enabled devices while visiting the website. It is responsible for storing or tracking the users' usage of the website, such as recording language setting information on the webpages or recording the user's access status. It helps the users to access the website easier and more conveniently.
2. Scope of Enforcement and Application
The Processing of the Personal Data performed by the Company, as well as any person who comes into contact with the Personal Data as it is related to the operations of the Company shall comply with the Personal Data Protection Policy and as required by law. With respect to the Personal Data collected prior to the introduction of the Personal Data Protection Act, B.E. 2562, the Company is enabled to continue collecting and using such Personal Data for the initial purposes. For any disclosure and/or processing of the Personal Data for other than as specified in the initial purpose, the Company shall obtain consent from the Data Subject and comply with the Personal Data Protection Act, B.E. 2562.
3. Collection and Retention Period of Personal Data
The Company shall collect the Personal Data within the purpose, scope and lawful and fair methods as is necessary, which is defined in the scope of the Company’s objectives. The Company shall collect the Personal Data, such as specific personal information, information related to personal life or personal interests, financial information and Sensitive Personal Data. In this regard, the Company shall inform the Data Subject of the purpose, as well as the period for which the Personal
Data will be retained, to gain acknowledgment and consent in writing, through electronic or other methods as specified by the Company. The sources and principles for collecting the Personal Data are as follow:
3.1 Sources of Personal Data
- Collecting directly from the Data Subject, for example, responding to a questionnaire, filling out personal information in application forms, either in paper form or online, or access to the Company's website using cookies. In case such data is referred to or contains identifiable data of third parties, the Company shall request consent to use, collect, or distribute the Personal Data from the third parties who own the Personal Data.
- Collecting from sources other than the Data Subject, for example, inquiries or examination from government agencies or third parties, such as, criminal records checks for a job application. In these cases the Company shall request consent to collect such Personal Data from the Data Subject, except where exempted by law from the need to request consent from or notify the Data Subject.
3.2 Collected Information
Examples of data that the Company may collect are as follows:
- Personal information: name, surname, date of birth, nationality, national ID card number or passport number, or other identifiable government documents.
- Contact information: email address, Line ID, phone number, fax number.
- Work and education history: profession status, position, education and training.
- Sensitive information: information on religion, health, criminal records.
- Marketing survey data.
- CCTV video footage.
- Conversations and communications by telephone or electronic equipment.
3.3 Principles for Personal Data Collection
3.3.1 The purposes for which the Company processes the Personal Data may differ by case. However, the Company shall only collect the Personal Data that is necessary for the operation of the Company, which can be exemplified as follows :
- To enter into an agreement and comply with an agreement between the Company and the Data Subject, e.g., agricultural credit, job application, or procurement contract, etc.
- For the internal management of the Company, e.g., to hire employees, to pay salaries and compensation, as well as, to provide benefits to directors, officers and employees of the Company, etc.
- To manage the Company activities, collaborations, and to perform contractual obligations with the third parties.
- To comply with the laws relating to the operations of the Company, e.g., to collect information for the purpose of withholding tax etc.
- To explore the market information and customer satisfaction for developing and improving products.
- To provide information about products, services, or marketing campaigns, or to order products and issue documents related to trading.
In this regard, in gaining consent from the Data Subject in each case, the Company will expressly state the purpose of the use of the Personal Data.
3.3.2 In a case where it is necessary for the Data Subject to provide the Personal Data for the purpose of entering into the contract or to comply with the law, a refusal to present the Personal Data may affect a transaction or any other activities relating to the Data Subject being restrained or suspended, unless the Data Subject provides such data to the Company for processing.
3.3.3 The Company shall implement appropriate security measures to protect the Personal Data, including the rights and freedoms of the Data Subject.
3.3.4 When collecting Sensitive Personal Data, the Company shall obtain explicit consent in writing or electronic form from the Data Subject prior to or at the time of collection, in accordance with the Company’s regulation and in compliance with applicable laws, except for when the collection of such Sensitive Personal Data is allowed by the Personal Data Protection Act, B.E. 2562 or other laws.
3.4 The duration for which the Company stores the Personal Data will be of the following:
- Personal data will be kept for the periods stipulated by laws specifically relevant to retention of personal data.
- In cases where the retention period for the Personal Data is not specified by relevant laws, the Company will determine the period necessary and appropriate for its operations, and request the consent from the Data Subject.
- At the end of a retention period for the Personal Data, the Company shall delete, destroy or anonymize the Personal Data.
4. Disclosure of Personal Data
The Company shall use and disclose the Personal Data solely for the purpose and principles stated in Clause 3., the Collection and Retention Period of Personal Data. The Company shall not disclose the Personal Data to any person or agency without consent of the Data Subject. The Company shall disclose the Personal Data only for the purposes notified to Data Subject, unless such disclosure is permitted by law.
Nonetheless, for the benefit of the Company's operations and service provision to the Data Subject, the Company may disclose the Personal Data to Company’s subsidiaries or other required persons, domestically and internationally. The Company shall govern the above-mentioned persons to treat the Personal Data as confidential and not to use the data for any purposes which are not covered in prior notifications.. In the event that the Company sends or transfers the Personal Data to a foreign country, the Company shall take steps to ensure that the destination country has sufficient personal data protection standards.
Personal Data may be disclosed to the third parties, organizations, or government agencies as follows:
- Affiliates or group companies of the BR Group;
- Contractual parties, service providers and business partners of the Company; and
- Regulators and government agencies with legal authority, e.g., the Social Security Office, the Revenue Department, the Securities and Exchange Commission, or the Stock Exchange of Thailand, etc.
Whereby the disclosure to the third parties, organizations, or government agencies as mentioned above shall be for the following actions.
- To comply with laws, such as, the Personal Data Protection Act, the Civil and Criminal Code, the Code of Civil and Criminal Procedure, or for the benefit of the investigation of the inquiry official or the trial and adjudication of the court, and
- To prevent or suppress the danger to a person's life, body or health.
5. Personal Data Protection and Security
The Company shall establish appropriate Personal Data protection and security measures in accordance with laws and this Personal Data Protection Policy in order to prevent loss, access, use, modification, correction or disclosure of the Personal Data, as well as, to be a guideline for Company’s directors, executives and employees and other related persons, including supporting and organizing training for the Company's personnel to acknowledge and be aware of their duties and responsibilities towards the Data Subject.
Moreover, the Company shall prevent Personal Data from being lost, unauthorized access, destruction, use, modification, or disclosure of Personal Data. In addition, the Company shall limit persons who have the right to access the Personal Data to only employees who are required to receive the data for Processing. The employees or those persons shall treat such Personal Data as confidential.
In a case where the Company has engaged an agency or a third party to collect, use or disclose the Personal Data of the Data Subject, it shall require the agency or the third party to keep the Personal Data confidential and secure, and to prevent the collection, use or disclosure of such Personal Data for any purposes other than specified in the scope of engagement or for any unlawful purposes.
6. Rights of Data Subject
The Data Subject is entitled under the Personal Data Protection Act, B.E. 2562 as follows:
In this regard, the Data Subject is able to apply for the above-mentioned rights by submitting a request to the Company in writing or via e-mail in the form specified by the Company, the details of which are in Clause 8, Contact Information. The Company shall consider and notify the result of consideration according to the Data Subject's request within 30 days from the date of receipt of such request. The Company reserves the right to consider the request of the Data Subject and proceed in accordance with the Personal Data Protection Act, B.E. 2562 or the notifications issued in accordance with the Act. In the event that the Company rejects the request, it shall notify the Data Subject of the reason for the rejection.
Should any questions regarding the Company's Personal Data Protection Policy be required, please contact us through the channel provided in Clause 8, Contact Information. If there is a reasonable belief that the Company has violated the Personal Data Protection Act, B.E. 2562 or the notifications issued in accordance with the Act, the Data Subject is entitled to lodge a complaint with the Personal Data Protection Committee.
7. Review and Changes of Policy
The Company may review and revise the Personal Data Protection Policy from time to time to ensure that it remains in adherence to laws, any significant business changes, and any suggestions and opinions from other organizations. The Company shall expressly announce the amended policy. The latest version of the policy shall be displayed on the Company's website, www.buriramsugar.com.
8. Contact Information
The Company has assigned Buriram Sugar Public Company Limited as a representative for the coordination of the Personal Data protection, which can be contacted through the following channels:
Data Protection Officer
Buriram Sugar Public Company Limited
128 / 77-78 7th Floor, Phayathai Plaza Building, Phayathai Road, Thung Phayathai Sub-district, Ratchathewi District, Bangkok 10400
Tel: 0-2216-5820-2 ext. 217 Email firstname.lastname@example.org
This policy is effective as of February 23, 2021.