Last updated: July 12, 2022
TPBI Public Company Limited and its subsidiaries, which consist of TPBI Public Company Limited, the head office and Rayong branch, TAK Packaging Company Limited, TMP Packaging Company Limited, TPBI International Company Limited, TPBI Sunny Products (Thailand) Company Limited and Thai Product Coating Industry Company Limited (hereinafter referred to as the “Company”), adhere to ethical business conduct, respect the privacy rights of individuals and the security of personal data, and comply with the applicable legal framework. Therefore, the Company has announced this Policy, which sets out the principles of personal data protection, to ensure that personal information the Company has collected, used, or disclosed is treated in accordance with personal data protection laws.
1.1 To protect the personal data of data owners who are natural persons and who transact with, use the services of, have a stake in, or have a relationship with the Company, including but not limited to the following persons:
(d) Investors, Creditors, Debtors
(e) Suppliers, Business Partners
(f) Persons who are contractors of the Company such as consultants, information technology system service providers, etc.
(g) Persons who visit the Company's website or application
(h) Persons who enter into the Company’s office, building and premises
(i) Family members of employees and beneficiaries under life insurance or non-life insurance that the Company has provided
(j) Persons who are referred to in job applications or in offers of goods and services to the Company, etc.
1.2 To define the roles and duties of departments, executives and employees who are involved with personal data.
1.3 To establish procedures, security measures or any other measures to protect personal data to be in accordance with applicable laws.
1.4 To establish guidelines for employees who are involved in processing or any other operations related to personal data.
1.5 To build the confidence of individuals, customers, business partners, service users, and other people who have a stake in or are related to personal data in the security of personal data.
| Term | Definition |
|---|---|
| “Company” | means TPBI Public Company Limited and subsidiaries |
| “Personal Data” | means any personal information that directly or indirectly enables identification of the owner of such information, but not including the information of deceased persons. |
| “Sensitive Personal Data” | means any personal data that may potentially cause unfair discrimination such as race, religion, sexual behavior, criminal record, personal health record, disability, genetic data, biological data, or any other data as prescribed by laws. |
| “Data Subject” | means a person who owns personal data, such as customers, business partners, service users, job applicants and employees. |
| “Data Controller” | means a person or juristic person who has the authority to decide on the collection, use, or disclosure of personal data. Herein means the Company, departments, or employees responsible for such personal data. |
| “Data Processor” | means a person or juristic person who collects, uses or discloses personal data in accordance with an order of, or on behalf of, the data controller. |
| “Data Processing” | means any action that is taken on personal data, whether by automated means or not, such as collection, recording, systematization, retention, use, disclosure, alteration or any other action that causes its availability of use, mixing, or erasure and destruction. |
| “Collection” | means the acquisition of personal data. |
| “Person” | means natural person. |
| “Data Protection Officer” (DPO) | means a person who has been appointed by the Company to act as a personal data protection officer according to the Personal Data Protection Act, B.E. 2562 |
| Personal Data Protection Act Committee (PDPA) | means a committee that drives operations in accordance with the Personal Data Protection Act B.E. 2562, and which is appointed or assigned under this Policy. |
Collection of Personal Data
The Collection of Personal Data shall be limited to the extent necessary or beneficial to the purpose of data Collection. The Data Controller shall inform the Data Subject, prior to or at the time of such Collection, of the following details:
Except in the following circumstances, in which Personal Data could be collected without a requirement of consent:
The Collection, use, or disclosure of Personal Data will be consistent with the principles of Data Privacy as follows:
3.1 The Company collects Personal Data for the following purposes:
(1) For providing services, improvement of service quality, selling, marketing activities, education, and data analytics for products and services development to be more efficient.
(2) For the benefit of the Data Subject, and offering the benefits based on the interests of the Data Subject.
(3) For the procurement and human resource operation.
(4) For compliance with laws. If the purpose is changed, the Company shall inform the Data Subject as soon as possible.
3.2 The Company will collect Personal Data such as name, surname, address, date of birth, gender, education background, telephone number, email address, ID number, credit or debit card information, bank account number or other information related to banking or payment, IP address, cookies, MAC address, service account, service usage information, records of communication with the Company and any other information that may arise while using the Company's services, etc. The Company shall retain Personal Data to the extent necessary for the purpose of data processing and as prescribed by laws. When the retention period ends, or the Company has no right to retain the Personal Data or cannot establish a legitimate ground for Data Processing, the Company shall destroy that Personal Data by a reasonable method and in compliance with laws.
3.3 In case the Data Subject has to provide his or her Personal Data for compliance with laws or a contract, or for entering into a contract, the Company shall inform the Data Subject of the possible impact of refusal to provide such Personal Data.
3.4 The Company may disclose Personal Data to Persons or entities, for example where disclosure is prescribed by laws, or for security or the provision of services, etc. Personal Data must be disclosed only as necessary.
3.5 The Company shall collect Personal Data directly when the Data Subject gives voluntary or explicit consent by one of the following methods:
3.5.1 Service request form or the petition procedure for rights request.
3.5.2 Conducting surveys or e-mail correspondence.
3.5.3 The Company's website or mobile application.
3.5.4 Short message service (SMS).
3.5.5 Other communication channels between the Data Subject and the Company according to the Company's method.
3.6 The Company has a cookies policy.
3.7 Personal Data that the Company collects may be Sensitive Personal Data, for which the Company will request explicit consent, such as race, religion, health record, criminal record, trade union information, etc. The Company shall collect Personal Data to the extent necessary in compliance with laws and regulations. The Company shall request consent from the Data Subject, prior to or at the time of Collection, use or disclosure of Personal Data, except in the following circumstances:
(1) where it is for the benefit relating to research or statistics, in which suitable measures are taken to safeguard the Data Subject's rights and freedoms;
(2) where it is to prevent danger to the life, body, or health of the Data Subject or other Persons;
(3) where it is necessary for the performance of a contract to which the Data Subject is a party, or for processing requested by the Data Subject prior to entering into a contract;
(4) where it is necessary for carrying out the activities in relation to the public interest or the exercising of governmental authority;
(5) where it is for the legitimate interests that cover the Company's business;
(6) where it is for compliance with a court order or a requirement prescribed by laws, such as the Communicable Disease Control Act, Computer-related Crime Act, Cyber Security Act, Anti-Money Laundering Act, etc.;
(7) where it is information that is legally disclosed to the public.
3.8 In case the Data Subject provides the Personal Data of a relevant Person such as a spouse, family member or friend, etc. to the Company, for example, as an emergency contact, the Data Subject shall represent and warrant that the relevant Person has consented to such Data Processing as set forth in this Policy.
3.9 In case the Company relies on consent or explicit consent to collect, use, or disclose Personal Data, a request for consent shall be explicitly made in a written statement, or via electronic means, unless it cannot be done by its nature. In requesting consent from the Data Subject, the Company shall also inform the Data Subject of the purpose of Collection, use, or disclosure of Personal Data. Such consent request shall be presented in a manner which is clearly distinguishable from other matters, in an easily accessible and intelligible form and statements, using clear and simple language, and shall not be deceptive or misleading to the Data Subject in respect of such purpose.
In requesting consent from the Data Subject, the Company shall take utmost account of whether the Data Subject's consent is freely given. Also, entering into a contract, including any provision of service, shall not be made conditional on obtaining consent for Collection, use, or disclosure of Personal Data that is not necessary for or not related to entering into such contract or providing such service. Furthermore, the Data Subject may withdraw his or her consent at any time. The withdrawal of consent shall be as easy as giving consent, unless there is a restriction on the withdrawal of consent by laws or by a contract which gives benefits to the Data Subject. However, the withdrawal of consent shall not affect Collection, use, or disclosure of Personal Data for which the Data Subject has already legally given consent. In the event that the withdrawal of consent will affect the Data Subject in any manner, the Company shall inform the Data Subject of the consequences of the withdrawal of consent.
In the event that the Data Subject is a minor who is not sui juris by marriage or has no capacity as a sui juris person under section 27 of the Civil and Commercial Code, or is an incompetent or quasi-incompetent person, the Company shall act in compliance with the Personal Data Protection Act in respect of the request for consent from, and the withdrawal of consent by, such Data Subject.
Use or disclosure of Personal Data shall be in compliance with the purpose or necessity for the benefits of the purpose of Collection. However, the Company may disclose Personal Data to Persons or any external entity under the requirements of laws such as the Department of Labor Protection and Welfare, Legal Execution Department or Legal Execution Office, Student Loan Fund, Technology Crime Suppression Division or other security agencies, etc.
The Company processes Personal Data with purpose and legal basis as follows:
5.1 Contract, for example:
5.1.1 When customers, counterparties, and service users contact the Company about a service offering or about entering into a contract, it is necessary for them to provide their Personal Data to the Company for Data Processing relating to the service, entering into the contract, communication, or tracking and notification of the performance of the contract.
5.1.2 When Persons apply for a job or transact business via the Company's channels, they must provide their Personal Data to the Company. The Company shall then process such data for recruitment considerations, approvals for employment, work performance evaluation, benefits, welfare, wages, organizational communication, following up and notifying any change of benefit from the performance, and answering and giving notice of other changes.
5.2 Consent, for example:
The Company may use the Personal Data of customers, counterparties, and service users in order to enter into contracts with such individuals. The Company may need to process Sensitive Personal Data as shown in the identity document (e.g., religion) to verify the person's identity. Furthermore, the Company may process Sensitive Personal Data of employees who are sick or in need of urgent assistance, including to assist employees with life insurance claims and medical expense reimbursement. In this regard, the Company will not process such Personal Data without the consent of customers, counterparties, service users, and employees.
In addition, if customers, counterparties, service users and employees wish to withdraw their consent to the processing of Personal Data in the above cases, they can contact the Company to request the withdrawal of consent.
5.3 Legitimate Interest, for example:
The Company processes Personal Data of customers, counterparties and service users for administration, operation and contract management that includes, but is not limited to, the invoicing process, compliance with the requirements for keeping internal records, internal management, auditing, reporting, submitting information, Data Processing or other related or similar activities. However, the Company may process Personal Data of employees for the management and internal reporting of the Company, system maintenance for keeping service standards including tax operation, risk management, auditing, reporting, submitting information, Data Processing or other related or similar activities.
5.4 Legal Obligation, for example:
The Company may process Personal Data of customers, counterparties and service users for compliance with applicable laws, including orders of legal authorities, legal obligations, rights and duties under laws and/or internal processes, corruption detection, legal or other regulatory investigations. The Company may process Personal Data of employees to comply with laws on employment and the Company's operation such as the Labor Protection Act B.E. 2562 (2019), the Student Loan Fund Act B.E. 2560 (2017), the Provident Fund Act B.E. 2530, etc., as well as other laws to which the Company is subject.
The Company shall retain Personal Data appropriately, whether the Personal Data is in document, file, or electronic form, including the various tools that the Company uses for the security of such Personal Data as prescribed by laws, for the benefit of the confidentiality, integrity and availability of Personal Data. The Company provides appropriate security measures for preventing unauthorized or unlawful loss of, access to, use, alteration, correction or disclosure of Personal Data. The Company has established security of Personal Data with the following guidelines:
6.1 Provide Authentication, Authorization and Accounting measures for accessing, using, disclosing and processing Personal Data, in strict accordance with the Company's information technology security system.
6.2 In the event that the Company sends, transfers or retains Personal Data in a foreign country, the foreign country or any other system that receives such Personal Data shall have adequate Data Privacy standards, and this shall be carried out in accordance with this Policy, except for compliance with laws or with the consent of the Data Subject.
6.3 In case of a violation of the security of Personal Data that causes a Personal Data breach, the Company shall notify the Data Subject of the Personal Data breach as soon as possible. If the breach is caused by the Company and results in a high risk to the rights and freedoms of the Data Subject, the Company shall also notify the Data Subject of the remedial measures without delay. However, the Company shall not be liable for any liabilities that may be incurred as a result of the use and disclosure of Personal Data to a third party, including negligence in logging out of a system accessed by the Data Subject or by another Person with the consent of the Data Subject.
6.4 The Company has established rules for all employees to comply with when accessing Personal Data of customers, counterparties, service users and employees. Such Personal Data can be accessed only by authorized employees, and only to the extent necessary to achieve the purposes of their duties, such as human resources officers, employees who supervise and manage contracts between the Company and counterparties, etc.
6.5 The Company reviews and evaluates the efficiency of computer systems to keep the quality of Personal Data security consistently efficient, in accordance with the measures set forth.
The Company requires employees or departments whose work relates to Personal Data to give priority to, and be responsible for, collecting, using or disclosing Personal Data strictly in accordance with the Company's Policy and guidelines. The Company assigns such employees or departments to supervise and monitor the Company's operations in accordance with this Policy and laws.
7.1 The Board of Directors has responsibilities as follows:
7.1.2 Supervise the implementation of Policy in a concrete manner.
7.2 Executives have responsibilities as follows :
7.2.1 Provide Personal Data Collecting procedures and measures that are suitable for the Company in accordance with Policy, guidelines, laws, and international standards.
7.2.2 Provide responsible persons such as department or personnel responsible for the supervision of implementation under the regulations.
7.2.3 In case the Company employs third parties for Data Processing, Executives must provide a system for selecting third parties that have put in place security protection of Personal Data in accordance with the standard.
7.2.4 Supervise the implementation of Policy, guidelines, and procedures, including finding ways to make implementation more efficient, and ensure that the results of operations are reported in accordance with Policy, guidelines and regulations.
7.3 The Data Processor has responsibilities as follows:
7.3.1 Carry out and control the activities related to Data Processing including notifying, requesting consent, Collecting, using, or disclosing Personal Data to comply with Data Privacy regulations and laws.
7.3.2 Carry out and control the provision of appropriate security measures for preventing the unauthorized or unlawful loss of, access to, use, alteration, correction or disclosure of Personal Data. In addition, the Data Processor shall notify the Data Controller of any Personal Data breach.
7.3.3 Carry out and control the erasure or destruction of Personal Data when the retention period ends, when Personal Data is irrelevant or beyond the purpose necessary for which it has been collected, or when the Data Subject has requested to do so.
7.3.4 Investigate, control and revise Personal Data so that it remains accurate and up-to-date.
7.3.5 When the Data Processor discovers that a Personal Data breach has occurred, it must notify the Personal Data Protection Officer and the Personal Data Protection Act Committee immediately.
7.3.6 Carry out and control data records and reports related to the Personal Data for which they are responsible.
7.3.7 Assess the risks that relate to Personal Data for which they are responsible. Then, they manage and implement measures to reduce risks.
7.4 The Personal Data Protection Act Committee has responsibilities as follows:
7.4.1 Give advice to the Data Controller, the Data Processor, or the relevant employees with respect to compliance with the Personal Data Protection Act.
7.4.2 Investigate the performance of the Data Controller or the Data Processor with respect to Collection, use, or disclosure of Personal Data in compliance with laws.
7.4.3 Coordinate and cooperate with the Personal Data Protection Commission (PDPC) with respect to Collection, use, or disclosure of Personal Data in compliance with laws.
7.4.4 Keep confidential the Personal Data known or acquired in the course of the performance of his or her duty.
7.5 The Data Protection Officer (DPO) has responsibilities as follows:
7.5.1 Give advice about Data Privacy to executives, employees, and business partners of the Company.
7.5.2 Investigate the performance of the Data Controller and the Data Processor,
7.5.3 Coordinate and cooperate with the Personal Data Protection Commission (PDPC) with respect to Collection, use, or disclosure of Personal Data of customers, business partners or another relevant Person.
8. Data Subject Rights
The Company shall provide channels that enable the Data Subject, or a Person who is authorized to act on behalf of the Data Subject in accordance with Data Privacy laws, to exercise the rights that are guaranteed and protected by laws as follows:
8.1 Right of Access: Right to access and request a copy of Personal Data related to the Data Subject, which is under the responsibility of the Company, or to request the disclosure of the acquisition of Personal Data obtained without the Data Subject's consent.
8.2 Right to Data Portability: Right to receive Personal Data concerning the Data Subject from the Company. The Company shall arrange such Personal Data in a format which is readable or commonly used by automatic tools or equipment and in which Personal Data can be used or disclosed by automated means. The Data Subject is also entitled to request the Company to send or transfer Personal Data in such formats to other Data Controllers if it can be done by automatic means, and to request to directly obtain the Personal Data in such formats that the Company sends or transfers to other Data Controllers, unless it is impossible to do so because of technical circumstances.
8.3 Right to Object : Right to object to Collection, use, or disclosure of Personal Data.
8.4 Right to Erasure : Right to request the Company to erase or destroy Personal Data, or anonymize Personal Data to become the anonymous data which cannot identify the Data Subject.
8.5 Right to Restriction of Processing : Right to request the Data Controller to restrict the use of Personal Data.
8.6 Right to Rectification: Right to request that the Company keep Personal Data accurate, up-to-date, complete, and not misleading.
However, the Company may deny the exercise of such rights of the Data Subject or Person who is authorized to act on behalf of the Data Subject if it is not contrary to laws.
However, internet browsers normally allow you to choose whether to accept cookies. If you reject, delete or block cookies, this may affect the functioning of the website. If your browser does not collect cookies, some functions of the website may be limited.
The Company may update, review or change this Policy, in whole or in part, from time to time to comply with the Company's operation, laws, announcements, or the requirements of government agencies' regulations.
The Company has established a procedure for entering into a Data Processing contract with a third party or juristic person who is the Data Processor as follows:
12.1 Before hiring the Data Processor, the Company must evaluate the contractor's Data Privacy systems and Data Privacy practices. If that contractor does not have a protection system, or its system is inadequate, the contractor must comply with the rules or regulations prescribed by the Company.
12.2 The employment contract must set out the purpose of the contract, the Data Collection method, how to notify the Data Subject, data usage, data transmission, data transfer, and the destruction or erasure of data.
12.3 The parties must sign a Data Processing Agreement (DPA) as required by laws or as prescribed by the Company's regulations.
12.4 When hiring the Data Processor, the Company must control the Data Processing system in accordance with the relevant procedure set forth.
12.5 When the retention period expires, the Company must monitor and control the contractor to erase, destroy, or anonymize the data so that it cannot identify an individual, in accordance with the regulations that the Company has set or agreed upon.
The Company attaches great importance to providing training to educate and raise awareness about compliance with Data Privacy laws for executives and employees at all levels. It is the duty of all executives to assign employees whose work relates to Personal Data to attend training strictly, along with assessment and follow-up to ensure that employees are able to perform their duties completely and in compliance with Data Privacy laws.
The Company requires employees or departments whose work relates to Personal Data to give priority to, and be responsible for, the collection, use, or disclosure of Personal Data strictly in accordance with this Policy. They must perform their duties in accordance with the Policy, guidelines, manuals, and laws relating to such operations. Any such person who willfully or negligently acts, omits to instruct, omits to operate, or orders or performs any of their duties in a way that violates the Policy and practices regarding Data Privacy and/or causes damage may be subject to disciplinary action in accordance with the Company's regulations and must be liable for legal penalties according to such offenses. If such offenses cause damage to the Company and/or any other Person, the Company may consider further legal action.
If there is reason to suspect or believe that there has been a Personal Data breach, or for complaints, the exercise of the rights of the Data Subject under this Policy or the Personal Data Protection Act B.E. 2562, or enquiries, please use the contact information below:
Data Protection Officer, TPBI Public Company Limited
42/174 Moo 5, Raiking, Sampran, Nakorn Pathom 73210
Telephone: (+66) (0)2 429 0354-7
Effective on 1 June 2022
Announced on 30 May 2022