Personal Data Protection Policy (PDPA Policy)
Purpose
The Company establishes this Policy to give Employees a common understanding of the collection, storage, usage, and disclosure of Employees’ Personal Data under the Act. This Policy specifies the types of Personal Data being collected and stored, the purposes for which Personal Data is used, the disclosure of Personal Data to third parties or Affiliates, the rights of the Employees as the data subject, and the obligations of the Employees to protect the confidentiality of Personal Data.
Definition
"Personal Data" means information that reveals or reasonably could be expected to reveal the identity of any individual, excluding information of deceased persons.
"Sensitive Data" means any Personal Data whose collection, storage, usage or disclosure may have a material effect on the data subject, including but not limited to information regarding race, political opinions, religious belief, sexual behavior or biological data.
"Company" means Thai Bridgestone Co., Ltd.
"Affiliates" means juristic persons who are under the same control or have the following companies as a majority shareholder, i.e. Bridgestone Asia Pacific Pte. Ltd., or Bridgestone Corporation.
"Act" means the Personal Data Protection Act B.E. 2562, including any subordinate legislation issued under the Act that is in effect at present or as amended in the future.
"Employees" means employees who have an employment contract with the Company and shall also include temporary workers who have been employed through a labor outsourcing company.
"Policy" means this Personal Data Protection Policy.
Scope of application
This Policy will be effective from June 1, 2022, onward. The previous Privacy Policy No. CLA-GR-007, dated March 20, 2020, shall be repealed and replaced by this Policy. This Policy will be applied to all Employees regardless of position or rank.
Amendments
The Company may amend this Policy (entirely or partially) from time to time by notifying such modification to the Employees.
Sources of Personal Data
The Company usually collects Personal Data directly from the Employees. In some cases, the Company may acquire such information from other sources. In this case, the Company will seek consent or notify the Employees of such acquisition within the time limit specified in the Act, unless the Company is entitled to any exemptions.
Personal Data acquired from other sources may come from the following (including but not limited to):
Legal grounds for the collection, usage, and disclosure of Personal Data
The Company may collect, store, use and disclose information in compliance with the employment agreement between the Employees and the Company, e.g. information regarding performance and bank account for salary and welfare payment.
The Company may have obligations to comply with the laws or regulations concerning its business operation, such as the workplace safety law, environmental law, labor protection law, social security law, or taxation law. For example, the Company must collect the Employees’ health information to comply with workplace safety law or calculate personal income for withholding tax and social security deduction.
The Company will seek prior written consent for the collection, storage, usage, or disclosure of Sensitive Data, e.g. the collection of fingerprints or facial recognition for office entry.
The Company may collect, store, use or disclose Employees’ Personal Data for its legitimate interest as long as such action is reasonably foreseeable by the Employees, for example, the collection of video and audio via surveillance camera for security purposes.
Types of Personal Data being collected, stored, used, or disclosed
The collection, storage, usage, or disclosure of Employees’ Personal Data by the Company may differ depending on the position, responsibilities, and welfare application. Examples include, but are not limited to, the information described in Attachment 1.
Objectives and the change of objectives
The Company will collect, store, use, or disclose the Personal Data and Sensitive Data of Employees only for the purposes of executing the employment agreement, complying with the law, providing welfare and benefits to the Employees, and taking any other actions related to achieving the above objectives.
In the event that the Company wishes to collect, store, use or disclose the Personal Data for any objectives other than those mentioned above, the Company will seek prior consent from the Employees.
Disclosure of Personal Data
In accordance with and under the protection of the Act, the Company may disclose Employees’ Personal Data to the following entities:
Transfer of Personal Data abroad
Given the nature of the business, the Company constantly exchanges information with its Affiliates. As a result, the Company may disclose the Employees’ Personal Data abroad under the rules and regulations as specified within the Act.
Retention period of Personal Data
The Company will keep your Personal Data on record as long as you remain an Employee of the Company or are still acting as an Employee of the Company. The Company will also store the Personal Data after the Employees’ status is terminated for a certain period depending on the prescription period of the relevant laws. For more information on this topic, please refer to the retention period as prescribed in Attachment 1.
Security measures
The Company provides strict security measures to protect the confidentiality of Personal Data. These security measures include the separation of generic data from Personal Data, password encryption, limitation of the persons who have access to Personal Data, and a requirement that all service providers to the Company have appropriate security measures.
Employees’ rights as the data subject and how to execute the right
13.1 The Employees’ rights are as follows:
13.2 Potential effects resulting from the exercise of legal rights, revocation of consent, refusal to provide consent or objection
Should the Employees exercise any of the rights in the previous topic (e.g. revocation of consent or suspension of the collection, storage, usage, or disclosure of information), the Company may not be able to continue the services that are generally available to the Employees. For example, the Company may not compensate medical expenses unless the Employees provide a medical treatment record to the Company.
13.3 How to exercise the rights as a data subject
The Employees may exercise their rights as a data subject by applying at https://privacy.bridgestone.co.th/pdpa/ticketform.php.
Alternatively, the Employees may contact the Legal and Compliance Department to exercise the rights or get further recommendations.
13.4 Consideration of the application
Upon application submission, the Company will ask the Employees to submit relevant document(s) for identity verification and authentication before proceeding with the request.
The time limitation, if any, will start after the Company has received all relevant documents from the Employees. The Company may refuse to proceed with the request in the following events: (i) the Company does not receive the documents within seven business days, (ii) the Employees fail to verify their identity as a data subject, (iii) the Company does not have the Personal Data in its possession, (iv) such request is of an excessive or repetitive nature, or (v) the request might violate the rights of other data subjects directly or indirectly.
Moreover, the Company may refuse, partially or wholly, to proceed per the Employees’ request if the collection, storage, usage, or disclosure of Personal Data is allowed under the Act. In such case, the Company will notify the Employees of its decision with an explanation therein. The Company usually provides its service to the Employees free of charge. However, the Company might collect a reasonable fee for applications that it considers excessive, unreasonable, or repetitive.
Duties of the Employees in relation to Personal Data
14.1 Security duties
All Employees are obliged to comply with the Company's security policies to prevent Personal Data leakage (both physical and electronic data), including but not limited to the Trade Secret Management Policy and data classification guideline.
All Employees are obliged to classify and separate Personal Data from general data while also using appropriate measures to limit access to only those directly involved with it. For example, Personal Data in the form of documents shall be locked in a document cabinet, while Personal Data in the form of electronic files should be password encrypted and kept in a folder where access is limited.
14.2 Duty to report when spotting or suspecting any violation or potential data leakage
All Employees must monitor and report to the Data Protection Lead (DPL) immediately when spotting any suspected violation or data leakage.
Please avoid time-consuming communication channels, such as the complaint box, which may leave the Company limited time to respond to the incident or cause it to learn of the incident too late.
The Company takes data protection seriously. All Employees, in all ranks and positions, must assist and co-operate with the investigation for violation or data leakage conducted by the DPL.
The collection, storage, usage or disclosure of information prior to the date of this Policy
The Company will continue to have the right to collect, store, use, and disclose the Personal Data collected, stored, used, or disclosed prior to the date of this Policy. If the Employees do not wish the Company to continue using such Personal Data, the Employees may notify the Company of their intention per the aforementioned topic.
Should you have any questions regarding this Personal Data Protection Policy, please contact your DPL or the Legal and Compliance department.