May 24, 2022

Personal Data Protection Policy

Hi-Tech Apparel Co., Ltd.

 

Purpose and Scope of the Personal Data Protection Policy

Pursuant to the Personal Data Protection Act B.E. 2562 and other related laws, including any further amendments thereof (“PDPA”), Hi-Tech Apparel Co., Ltd. (the “Company”) has made this Personal Data Protection Policy (“Policy”) to describe details with regard to the collection, use and disclosure of Personal Data to personnel and staff of the Company, or personnel and employees of third parties representing or acting on behalf of the Company, in processing Personal Data relating to the business operation of the Company, in accordance with the PDPA.

 

Important Definitions

“Personal Data” means any information relating to a natural person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased persons in particular.

“Sensitive Personal Data” means Personal Data consisting of information pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any of the data which may cause unfair discrimination to the Data Subject or affect the Data Subject in the same manner as specified by PDPA.

“Data Subject” means a natural person who owns the Personal Data, such as customers, business partners, service providers, directors, employees, visitors, and any other natural persons whose Personal Data are collected, used or disclosed by the Company.

“Data Controller” means a natural person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.

“Data Processor” means a natural person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of the Data Controller, whereby such person or juristic person is not the Data Controller.

“Legal Basis” means the justifiable ground to collect Personal Data as prescribed in the PDPA.

 

Legitimacy of Personal Data Collection

Collection, use and disclosure of Personal Data must be conducted under a legal basis as specified in the PDPA; whereby it is also stipulated as a guideline in this Policy as follows:

1. General Personal Data: the collection can only be carried out if one or more of the following seven legal bases has been met:

1.1. Consent from the Data Subject (Consent Basis)

Where Personal Data cannot be collected by means of any other legal basis as specified in Clause 1.2-1.7 of this Policy, the Company needs to request explicit consent from the Data Subject before or while collecting their Personal Data. The absence of a response or inaction is not regarded as consent from the Data Subject. Such consent must be made in a written statement or via electronic means, which can either be in a form and with content created by the Company (Letter of Consent) or stipulated by law (if any). Where such a request for consent cannot be made, the Data Subject may provide his or her consent verbally, provided that the Company must record the said consent in writing with details of the method and date of the consent. Nevertheless, the Data Subject may withdraw his or her consent at any time, unless there is a law or contract advantageous to the Data Subject which restricts the Data Subject’s right to withdrawal.

Nonetheless, the Company shall always be aware that the Company can only request for the Data Subject’s consent provided that the Data Subject can give consent independently and voluntarily.

Remark: In the case that the Company shall request for consent from a minor, incompetent or quasi-incompetent person, the Company must obtain consent from the holder of parental responsibility, the custodian or curator who has the power to act on behalf of such Data Subject subsequently. If the minor is above the age of ten years, they may give their own consent in the case where they can solely act by themselves.

1.2 For preparing historical documents or the archives for public interest, or for the purpose relating to research or statistics (Archives/Research/Statistics Basis)

The Company may collect Personal Data to achieve the purpose relating to the preparation of historical documents or the archives for public interest, or for the purpose relating to research or statistics, in which suitable measures to safeguard the Data Subject’s rights and freedoms are put in place as required by law.

1.3 For preventing or suppressing danger to a person’s life, body or health (Vital Interest Basis)

In some cases, the Company may need to collect Personal Data to prevent or suppress danger to a person’s life, body or health, which is not only limited to the Data Subject. For example, it is necessary for the Company to collect Personal Data in an emergency accident involving the Data Subject, which in this case, the Company does not need to obtain consent to collect the Data Subject’s Personal Data.

1.4 For performance of contract between the Company and the Data Subject, or to proceed with the Data Subject’s request prior to entering into a contract with the Company (Contract Basis)

In the case it is necessary for the Company to collect Personal Data for the performance of a contract to which the Data Subject is a party of, or in order to take steps at the request of the Data Subject prior to entering into a contract, the Company does not need to obtain consent to collect the Data Subject’s Personal Data.

1.5 For performing duties in the public interest (Public Interest Basis)

In the case where it is necessary for the Company to collect Personal Data for the performance of a task carried out for public interest by the Data Controller, or it is necessary for the exercising of official authority vested in the Data Controller, the Company does not need to request for consent to collect such Personal Data.

1.6 For legitimate interests (Legitimate Interest Basis)

The Company may collect Personal Data from the Data Subject without requesting for his or her consent if it is necessary for the legitimate interests of the Company or any third parties other than the Data Subject. For example, legitimate interests in the business operation of the Company and/or third parties, legitimate interests in securing and protecting property and people within the Company’s premises, legitimate interests in organizational management of the Company and so forth. However, the Company must act with caution when relying on this legal basis to collect Personal Data – as the Company may not collect Personal Data through relying on Legitimate Interest where such interests are overridden by the fundamental rights of the Data Subject, or where such interests may significantly affect the fundamental rights of the Data Subject. In such case, the Company must not collect Personal Data through relying on Legitimate Interest and is required to request for the Data Subject’s consent if the Company intends to continue collecting his or her Personal Data.

The following guidelines are provided for implementing the legitimate interest basis. The Company must assess whether the collection of any Personal Data is in accordance with the following criteria in all respects:

(1) Whether the Company or third party have legitimate interests to collect Personal Data or not;

(2) Whether the collection of such Personal Data is necessary for the objective pursuant to Clause (1) or not;

(3) Whether the Data Subject should expect that the Company is required to collect such Personal Data or not;

(4) Whether the collection of such Personal Data is of no less importance than the fundamental rights of the Data Subject, or is not a case in which the fundamental rights of the Data Subject are significantly affected, or not; and

(5) Whether the Company has appropriate Personal Data Protection measures in collecting Personal Data or not.

1.7 For complying with the laws enforced on the Company (Legal Duty Basis)

In the case the law stipulates that the Company is required to collect, use or disclose Personal Data, the Company does not need to request for consent from the Data Subject. This may include processing Personal Data in accordance with court orders or government officials, for example storing employee data to comply with labor protection laws, storing accounting documents for a period specified by the law, etc.

2. In case of Sensitive Personal Data, the Company may collect, use or disclose such Sensitive Personal Data only when the Data Subject has given his or her explicit consent (please see guidelines and methods in Clause 1.1), except where the law provides that:

  • It is to prevent or suppress danger to the life, body or health of a person, where the Data Subject is incapable of giving consent by whatever reason, often for emergencies;
  • It is information that is disclosed to the public with the explicit consent of the Data Subject;
  • It is necessary for compliance with a law to achieve the purposes with respect to:
    • Preventive medicine or occupational medicine, the assessment of working capacity of the employee;
    • Public interest in public health;
    • Employment protection, social security, national health security, social health welfare of the entitled person by law or social protection in which the collection of Personal Data is necessary for exercising the rights or carrying out the obligations of the Company or the Data Subject;
    • It is for scientific, historical, or statistical research purposes, or other public interests; or
    • Other substantial public interest e.g. collecting sensitive Personal Data for the purpose of preventing contagious diseases or epidemic, collecting and disclosing sensitive Personal Data to government agencies to prevent money laundering.

Remark: The guideline for considering and interpreting ‘public interest’ may change according to the guidelines and the definition provided by the Personal Data Protection Committee or as specified in secondary legislation which may be promulgated in the future.

Details of the type, purpose and legal basis for the collection of Personal Data of the Company will be in the Privacy Notice for different types of Data Subjects.

3. Guidance in collecting of Personal Data

The Personal Data must be collected solely to the extent that it is necessary to achieve the objectives specified by the Company. The Company is required to consider the request, select the collected data deemed necessary for the use, and erase or destroy the data received without necessity, especially Sensitive Personal Data. This is for the purpose of reducing the risks of the Company unlawfully collecting, using and disclosing Personal Data.

In the case where the Company has received more Personal Data than is necessary, the Company shall determine a method to solely collect Personal Data necessary to achieve the objectives of such Personal Data collection. For example, if the Company uses Personal Data to identify its business partner or their representative from a copy of the identification card, whereby typically the Company only requires general Personal Data for the identification of such person (i.e. name and photo). Hence, in case where the Sensitive Personal Data is contained in the identification card (i.e. religious beliefs and blood type), the Company should employ a method to prevent such Personal Data from appearing on the copy of the identification card when in the Company’s possession. This may include erasing unnecessary data received in the identification card, leaving only the necessary Personal Data for identification only.

 

Privacy Notice for Data Subjects

When Personal Data is collected, used or disclosed, the Company will create and provide a Privacy Notice for various types of Data Subjects to provide details of Personal Data processing, definitions, Personal Data which the Company collects, objectives of collecting Personal Data, legal basis of such collection, retention period or expected duration, type of persons or organizations Personal Data may be disclosed to, contact details of the Company, rights of the Data Subject and other relevant details, so that the Data Subject knows and understands these details, and can consider providing their consent in the event that the collection of the Personal Data does not fall within the other legal bases under which the Personal Data can be collected without consent.

The Company must inform or deliver the Privacy Notice to the Data Subject before or while collecting their Personal Data; except where the Company collects, uses or discloses the Personal Data prior to having this Policy, and it is still necessary for the Company to continue to collect, use or disclose that data, in which case, the Company must inform or deliver the Privacy Notice to the Data Subject without delay.

The notification or delivery of the Privacy Notice may not be required to be repeated in the event that the Company has previously notified or delivered the Privacy Notice to such Data Subject. However, in the event that the Company revises the Privacy Notice, the Company must notify or deliver such revised Privacy Notice to the Data Subject.

 

Source of Personal Data

In general, the Company is required to collect Personal Data from the Data Subject directly. However, if the Company collects Personal Data from sources other than the Data Subject directly, the Company is required to inform the Data Subject of the collection along with the Privacy Notice without delay, and no later than 30 days from the date of such collection, and to obtain consent from the Data Subject where the Personal Data is collected on the consent legal basis. However, where the Company is required to use the Personal Data to contact the Data Subject, the Company can inform the Data Subject upon the first communication with the Data Subject. In the case the Company discloses Personal Data, the Company is required to inform the Data Subject prior to the first disclosure.

However, in some cases the Company may not have to inform the Data Subject of the Personal Data collection and the Privacy Notice if the Company can prove that such notice is not possible, or will obstruct the use or disclosure of the Personal Data, or that the Data Subject is already aware of such detailed information. For example, the Data Subject has received the Privacy Notice for other business transactions with the Company and intends to carry out the same transaction with the Company again.

In addition, if the Company hires the Data Processor to collect, use or disclose Personal Data on behalf of and by order of the Company, the Company may assign the Data Processor to provide privacy notices on its behalf whereby the Company is required to make sure that the Data Processor complies with and performs the obligations as stated in this Policy and it shall be deemed that the Company has provided the details of collection, use and disclosure of Personal Data in compliance with the PDPA as the Data Controller.

 

Rights of The Data Subject

The Company shall be aware that the Data Subject has the right to take any action regarding his/her Personal Data in the Company’s possession as stipulated in the Personal Data Protection Laws. Thus, the Company is required to provide a Data Subject Request Form to facilitate the Data Subject in notifying his/her intention to exercise his/her rights. However, in the event the Company has the necessity to deny the Data Subject’s request, the Company is required to notify the Data Subject of such rejection in writing and record the reasons of such rejection in writing.

1. Right to withdraw consent. The Data Subject may withdraw some or all of his or her consent, which was previously given to the Company through the Consent Letter, at any time throughout the period the Company maintains the Personal Data. The Company must also notify the Data Subject of any effects or consequences upon the withdrawal of consent (if any). Notwithstanding, the withdrawal of consent shall not affect the processing of Personal Data by the Company that the Data Subject has already given consent prior to the withdrawal.

Reason for denial: Restrictions on the right to withdraw consent include legal compliance or contract performance which is beneficial towards the Data Subject.

Response time: Without delay.

2. The right to request access to and obtain a copy of the Personal Data. The Data Subject is entitled to request access to and obtain a copy of the Personal Data related to him or her which is in responsibility of the Company, or to request the disclosure of the acquisition of the Personal Data obtained without his or her consent.

Reason for denial: The Company may deny the Data Subject’s request only in the following cases:

  • To comply with a legal obligation or court order; or
  • The Company opines that fulfilling the Data Subject’s request will result in an infringement of the fundamental rights and freedoms of other persons.

However, in the event of denying the Data Subject’s request of his or her Personal Data rights as stated above, the Company shall keep a record of such denial together with reasons in the record.

Response time: Where such requests cannot be denied, the Company must comply with the request of the Data Subject within 30 days of receiving the request.

3. The right to request to receive and send or transfer of Personal Data. The Data Subject has the right to request his or her Personal Data from the Company, or to request the Company to send or transfer the Personal Data to another person or organization in a format which is readable or commonly used. This includes the right to receive his or her Personal Data which are transferred and maintained by other companies, personnel or organizations. This request can only be used if the Personal Data has been collected, used or disclosed with consent, or for contract performance, or for requesting to enter into a contract between the Data Subject and the Company.

Reason for denial: The Company can refuse the Data Subject’s request in sending or transferring Personal Data which is used for the performance of a task carried out in the public interest, or for compliance with the law, or such exercise of rights shall violate the rights and freedoms of others. For example, the integral part of the information contains trade secrets or intellectual property information attached to the personal data.

However, in the event of denying the Data Subject’s request of his or her Personal Data rights as stated above, the Company shall keep a record of such denial together with reasons in the record.

Response time: Without delay.

4. The right to object to the collection, use, or disclosure of the Personal Data. The Data Subject has the right to object to the collection, use or disclosure of their Personal Data by the Company in the following circumstances:

(1) Collection, use or disclosure of such Personal Data is carried out for the performance of a task necessary for legitimate interests, or carried out in the public interest, including complying with orders of government officials.

Reason for denial (for No. 4(1)): The Company can demonstrate that there is a more compelling legitimate ground than the interests, rights, or freedom of the Data Subject, or the data collection, use or disclosure is carried out for the establishment, compliance or exercise of legal claims, or defense of legal claims.

However, in the event of denying the Data Subject’s request of his or her Personal Data rights as stated above, the Company shall keep a record of such denial together with reasons in the record.

(2) For the purpose of direct marketing, the Data Subject can object without any conditions.

(3) For the purpose of scientific, historical or statistical research, unless it is necessary for performance of a task carried out for the public interest.

Response time: Without delay. In the case the Company does not have a reason for the denial of such request, the Company shall proceed to separate the Personal Data from other data immediately upon the notification of the Data Subject’s objection.

5. The right to erase the Personal Data. The Data Subject has the right to request the Company to erase or destroy the Personal Data, or anonymize the Personal Data to become anonymous data which cannot identify the Data Subject or cannot be further reused, where either of the following grounds applies:

(1) The Personal Data is no longer necessary to be retained for the purposes for which it was collected, used or disclosed; whereby in relation to the period where it is applicable to notify the Data Subjects in the Privacy Notice;

(2) The Data Subject withdraws consent, and where the Data Controller has no other legal grounds for such collection, use, or disclosure;

(3) The Data Subject objects to the collection, use, or disclosure of the Personal Data, and the Company cannot reject such request; or

(4) The Personal Data has been unlawfully collected, used, or disclosed.

Reason for denial: The Company is entitled to deny the request in case of collection, use, or disclosure of Personal Data in the following cases:

  • Storing for the purpose of freedom of expression;
  • To achieve the purpose relating to the preparation of historical documents, or archives of research, statistics or for public interests;
  • The collection of Sensitive Personal Data which is necessary for compliance with the law to achieve the purposes with respect to preventive medicine or occupational medicine, the assessment of working capacity of the employee or public interest in public health;
  • For the purpose of establishment, compliance or exercise of legal claims, or defense of legal claims;
  • For compliance with the law.

Where the Company has disclosed the Personal Data to the public or transferred to other Data Controllers, and the Data Subject has requested for his or her Personal Data to be erased, destroyed, or anonymized, the Company shall proceed to have such Personal Data erased or destroyed, or anonymized. In addition, the Company shall inform other Data Controllers to proceed in the same manner. The Company shall be responsible for the expenses concerning the erasure or destroying and informing as aforesaid.

Response time: Without delay.

6. Right to restrict the use of the Personal Data. The Data Subject may request the Company to restrict the use of the Personal Data in the following circumstances:

(1) There has been a request to correct Personal Data whilst the Company is pending the examination process of the request. However, the Company may consider denying the request to restrict the use of their Personal Data if after examination, the Company finds that the Personal Data is accurate, and the Company notifies the Data Subject of the reason prior to rejecting their request;

(2) When the Personal Data has been processed unlawfully and the Data Subject had requested for restriction instead of deletion of such data;

(3) When it is no longer necessary to retain the Personal Data, but the Data Subject has to request the Company to retain such data for the purposes of the establishment, compliance, or exercise of legal claims, or the defense of legal claims; or

(4) The Company is pending the verification to object the processing of Personal Data. However, the Company may reject the Data Subject’s request to restrict the use of their Personal Data if the Company has grounds on denial to the right to object as stated above.

Response time: Without delay.

7. Right to rectification. The Data Subject may request the Company to ensure that their Personal Data remains accurate, up-to-date, complete, and not misleading.

However, in the event of denying the Data Subject’s request of his or her Personal Data rights as stated above, the Company shall keep a record of such denial together with reasons in the record.

Response time: Without delay.

8. Right to file a complaint. The Data Subject has the right to file a complaint to the expert committee as appointed by the Personal Data Protection Committee in the event that the Company or the Data Processor, including the employees or the service providers of the Company or the Data Processor violates or does not comply with the PDPA.

 

Duties and Responsibilities of Personnel

All staff and personnel, including all employees and persons hired by the Company, are responsible for complying with the laws and this Personal Data Protection Policy, must keep Personal Data strictly confidential, and must not use Personal Data received while working as an employee for any inappropriate, personal interest or illegal purposes. The duties of the personnel may be sorted by rank of position as follows:

1. The managing director and upper management level

Shall be responsible for overseeing all the Company’s process to protect Personal Data as follows:

  • Designate a person or an organization as the Data Protection Officer (DPO) and/or other personnel or organizations to oversee and handle all matters relating to Personal Data protection from all departments within the Company;
  • Assign employees the responsibility to identify the procedures regarding Personal Data protection, including risk management procedures which may arise from the collection, use and disclosure of Personal Data by the Company, together with the practical guidelines in the event of a data protection violation within the Company;
  • Implement control and monitoring of compliance with this Policy, including assessing the suitability of this Policy on a regular basis;
  • Approve the process of the Policies concerning Personal Data protection, for example ensuring the suitability of this Policy, how Personal Data is protected within the Company, or amendment of this Policy; and
  • Consider and approve requests of the Data Subject to exercise his or her rights concerning his or her Personal Data in cases where their request may have a significant impact towards the Company, Data Subject and/or other persons.

2. Data Protection Officer (DPO) or Persons Responsible for the Personal Data Protection of the Company

Shall be responsible for advising and reviewing all of the Company’s Personal Data protection processes as follows:

  • Analyze, evaluate, audit and control the Company’s Personal Data processing activities and advise personnel or other departments within the Company to ensure the Company’s Personal Data processing activities comply with the PDPA and the Company’s Personal Data Protection Policy;
  • Review and approve Personal Data protection practices of each department within the Company. This shall include practices to manage risks that may arise from the collection, use and disclosure of Personal Data by the Company and methods to solve situations of Personal Data breach occurring within the Company;
  • Analyze, evaluate and advise personnel and departments within the Company on how to respond to the Data Subject’s request to exercise his/her right in cases where their request may have a significant impact towards the Company, Data Subject and/or other persons;
  • Report incidents regarding Personal Data processes within the Company to the managing director and executive personnel;
  • Contact, coordinate and cooperate with the Office of the Personal Data Protection Committee, including proceedings concerning incidents of Personal Data breaches occurring within the Company, within the period specified by law.
  • Study the details of the Personal Data Protection Act B.E. 2562 (2019), rules, announcements, orders, regulations or other laws relating to Personal Data protection. This shall include to follow up on amendments or revisions of laws relating to the protection of such Personal Data and to notify the Company’s personnel; and
  • Explain, create an understanding and awareness to the Company’s personnel on Personal Data protection and relevant Personal Data protection laws.

3. Department manager level

Shall be responsible for supervising the collection, use or disclosure of Personal Data within their department, which may have different characteristics in each department. The responsibilities may be categorized as follows:

  • Allow any person to access Personal Data or assign the responsibility to an employee to manage the Personal Data within the department;
  • Provide guidelines and training for Personal Data in the department and ensure that all members of staff in the department understand Personal Data which is required to be collected and Personal Data which is not necessary to collect for the operation of the department;
  • Provide standardized measures to secure Personal Data in the department in accordance with the law and this policy;
  • Approve responses of Data Subject’s requests to exercise his or her rights and consult with relevant departments, including consulting with personal data protection officers or persons responsible for the Personal Data protection of the Company and reporting to management to request for their approval if the request may have a significant impact towards the Company, Data Subject and/or other personnel;
  • Consult with management and personal data protection officers to determine appropriate Personal Data protection practices;
  • Provide a record of the collection, use or disclosure of Personal Data of the department in accordance with the lists specified in this Policy; and
  • Keep a report of all Personal Data breaches from the controlees and consider whether such breach will affect the rights and freedoms of the Data Subject, including consulting with personal data protection officers or persons responsible for the Personal Data protection of the Company and management to consider whether any appropriate action needs to be taken in accordance with this Policy.

4. Staff level

Shall act strictly in accordance with the laws and this Policy to protect Personal Data, in particular the following steps:

  • Collect, use and disclose Personal Data in accordance with the law and this Policy, including participating in training regarding Personal Data protection of the Company;
  • Perform duties assigned to protect Personal Data while handling Personal Data, for example the security, transmission, disclosure or recording Personal Data etc.;
  • Inform supervisors when the collection, use or disclosure of Personal Data in the Company or any action they were instructed is unlawful. In addition, to further inform supervisors when the collection, use or disclosure of any Personal Data may pose a risk of violation to the fundamental rights and freedoms of Data Subjects;
  • Notify the supervisor to approve any Data Subject’s requests to exercise their rights; and
  • Notify the supervisor immediately if they become aware of any Personal Data privacy breach, whether it is a deliberate misconduct or negligence of any party whatsoever and whether the breach may pose a risk of violating the fundamental rights and freedoms of Data Subjects.

5. Contractors and service providers who are the Data Processor of the Company

Shall act strictly in accordance with the laws and policies to protect Personal Data and will be bound by the Data Processing Agreement with the Company (if any). Such responsibilities include:

  • Collect, use and disclose Personal Data in accordance with the law and this Policy, including participating in training regarding Personal Data protection of the Company upon request;
  • Notify the Company without delay and within 24 hours if there is a breach of Personal Data protection from the moment of becoming aware of the breach; and
  • Support and assist the Company in responding to the Data Subject’s request in exercising their rights.

Violations of the law and this Personal Data Protection Policy by employees may result in disciplinary action, and any violation of the law or this Policy by the contractor or service provider which is the Data Processor of the Company may also be regarded as a breach of contract with the Company. If such violation or non-compliance results in damage to the Company, the Company reserves the right to terminate the employment or agreement. In addition, there may be criminal penalties, fines and imprisonment for the Company’s representative who breaches or fails to comply with the law. Thus, employees and related parties should review and strictly adhere to this Policy and the law regarding Personal Data protection.

 

Personal Data Protection Measures

The Company must provide appropriate security measures, from both policy and technical perspectives, in order to prevent any loss, unauthorized access, use, alteration, or disclosure of Personal Data. In addition, the Company shall review such measures when necessary or when there is any technological advancement, to ensure that Personal Data is treated in a secure manner in the Company and in accordance with the standards prescribed by the laws.

 

Record of Usage and Disclosure of Personal Data

The Company must arrange a record of usage and disclosure of collected data which shall consist of, at the very least:

  • The lists of the collected Personal Data with the objectives and the retention periods,
  • The usage or disclosure of Personal Data under the legal basis other than consent,
  • The rights, method and condition for exercising of rights to access the information of the Data Subject,
  • Rejection or objection of request to exercise the rights, including the reasons as defined in this Policy, and
  • The explanation of security measures which the Company has prepared.

This is so that the Data Subject can examine and enforce their rights where the Data Subject has notified or made a request to the Company.

 

Sending or Transferring Personal Data to Foreign Countries or International Organizations

The Company may send or transfer Personal Data to foreign countries under the following circumstances:

(1) The destination country or international organization that receives such Personal Data has adequate data protection standards.

(2) In the event the Personal Data protection standard of a destination country or international organization is inadequate, the transfer of Personal Data must be carried out in accordance with the following:

  • Where it is for compliance with the laws;
  • Where the explicit consent of the Data Subject has been obtained, provided that the Data Subject has been informed of the inadequate Personal Data protection standards of the destination country or international organization;
  • Where it is necessary for the performance of a contract to which the Data Subject is a party, or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • Where it is for compliance with a contract between the Company, and other persons or juristic persons for the interests of the Data Subject;
  • Where it is to prevent or suppress danger to the life, body, or health of the Data Subject or other persons, when the Data Subject is incapable of giving the consent at such time; or
  • Where it is necessary for carrying out the activities in relation to substantial public interest.

(3) The Company may send or transfer Personal Data to another person or juristic person who is in a foreign country and is in the same group/affiliated companies without having to proceed with the prior specification above. Notwithstanding, the Company has to put in place Personal Data protection policy regarding sending or transferring Personal Data within the group/affiliated companies, and such policy has been reviewed and certified by the Office of the Personal Data Protection Committee (no policy on data portability has been established among the group/affiliated company at present).

Currently, the Personal Data Protection Committee has not yet established a list of countries with sufficient standards nor adopted certification policies for sending or transferring the data within the group/affiliated companies. However, the Company is entitled to send or transfer Personal Data to foreign countries or international organizations if the Company has appropriate security measures for Personal Data which enable the enforcement of the rights exercised by the Data Subjects, including having effective legal remedies in accordance with the standards prescribed by the law. Notwithstanding, as the laws have not prescribed such measures, the Company is able to proceed with sending or transferring Personal Data in accordance with Clause 2 until the law relating to such matter is further promulgated.

 

Personal Data Breach Handling Process

Where a breach of Personal Data occurs within the Company and the breach risks affecting the rights and freedoms of the Data Subject, employees and personnel shall coordinate to comply with the law. The Company is obliged to notify the Office of the Personal Data Protection Committee of the breach without delay and, to the extent possible, within 72 hours after becoming aware of it. Where the breach poses a high risk of affecting the rights and freedoms of the Data Subject, the Company must inform the Data Subject of the breach and the remedial measures without delay.

 

Amendment of Personal Data Protection Policy

This Personal Data Protection Policy will be amended and rectified as appropriate. It shall be subject to the amendment of laws and the appropriateness of business.

Note: This Policy was most recently revised on 27 April 2022.

 

Contact Details for Further Inquiry and Report Violations of Personal Data

For any question regarding personal data protection, or if you would like to report a violation of Personal Data, please contact:

[Name: Onsara Charoensook]

[Position: HR Manager (center)]

[Telephone number: 0-2479-9188]

[Email address: Onsara.C@hi-group.com]
