CHÍNH SÁCH BẢO MẬT
Updated: December 2022
This Privacy Notice prescribes Hitachi Asia (Thailand) Co., Ltd. (“the Company”, “we”, “us” or “our”) fundamental principles in handling all personal data obtained, either directly or indirectly, by us. The Company and all our employees, business partners, vendors or other third parties who perform work for or on behalf of us are fully committed to protect your privacy and ensure that your personal data will be processed in accordance with the applicable data protection laws including the Personal Data Protection Act, B.E. 2562 (the “PDPA”). Your collected personal data will always be kept safe and secure.
This Privacy Notice comprises of:
- What is personal data?
- What personal data do we collect?
- How do we collect your personal data?
- How do we use your collected personal data?
- When do we disclose or share your collected personal data?
- Do we transfer your collected personal data overseas?
- When do we inform you about your personal data?
- What are your rights under the PDPA?
- How long do we keep your collected personal data for?
- What measures do we use to secure your collected personal data?
- When do we make changes to this Privacy Notice?
- How to contact us?
Please carefully read this Privacy Notice to understand how we handle your personal data and your rights to your personal data. This Privacy Notice is subject to change at any time while our relationship with you continues. So, you should come back and read this Privacy Notice from time to time. If there is any significant change to our Privacy Notice which may affect the rights to your personal data, we will inform you without delay by announcing on our website.
If you have questions or do not understand any part of this Privacy Notice or wish to exercise your rights relating to your collected personal data, please do not hesitate to contact us at https://www2.hitachi.com/inquiry/region/thailand/en/general/form.jsp.
1. What is personal data?
Under the PDPA, a personal data means any data or information relating to an individual which enable us to identify such individual, whether directly or indirectly, from that data or information alone or in a combination with other identifiers we possess or can reasonably access, except information of the deceased. The personal data can be categorised as follows:
- General personal data – means any personal data which is not sensitive personal data e.g. name and surname, gender, date of birth, age, nationality, contact number, photo, address, and email address.
- Sensitive personal data – means a special category of personal data under the PDPA consisting of racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data or disability condition, trade union information, genetic data, and biometric data.
2. What personal data do we collect?
The type of personal data we collect from you may be different depending on who you are and your relationship with us. The collected personal data may include:
|General personal data||• Name, surname, nationality, gender, date of birth, age, photo
• Contact number, email, address
• Identification card number, driver license, copy of house registration
• Educational background, academic transcript
• Professional license, training certificate
• Car plate number, vehicle registration book
• Bank account details
• CCTV footage
• Tax identification number, social security number, work permit number
• Passport number, copy of passport
• Work experience, employment history
• Military service information, marriage information, copy of marriage certificate, copy of birth certificate, birth certificate number
|Sensitive personal data||• Copy of ID card (showing religion and blood group)
• Criminal record
• Congenital disease, physical disability, injury
• Covid test result, Covid-19 vaccination status
• Health condition details, medical certificate, health check-up result, drug test result
• Fingerprint data
If you do not or are unable to provide your personal data which we require, we may not be able to establish a relationship with you or offer you our products and/or services including our employment with you and other benefits and welfare.
3. How do we collect your personal data?
We will collect your personal data directly from you, but sometimes from publicly available sources and/or from other third parties, provided that we will ensure that we fully comply with the PDPA.
Those other third parties may include our subsidiaries, authorised business partners, service providers or vendors.
4. How do we use your collected personal data?
We collect, use, disclose, transfer or process your personal data by fair and lawful means to the extent necessary to achieve our purposes. The lawful basis includes:
- obtaining your consent to use your personal data;
- believing that the use of your personal data is of vital interest or to prevent or avoid danger to a person’s life, body or health;
- believing that the use of your personal data is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
- believing that the use of your personal data is necessary for the performance of our task carried out in the public interest or in the exercise of official authority vested in us;
- believing that the use of your personal data is necessary for the legitimate interests pursued by us or by a third party, unless the interests are overridden by your interests or fundamental rights and freedoms;
- believing that the use of your personal data is necessary for the establishment, complaint, exercise or defence of legal claims against you; and
- believing that the use of your personal data is necessary for compliance with a legal obligation to which we are subject.
We may use your personal data for purposes as follows:
4.1 Our contract with you
We will rely on the performance of contracts to which you are a party to use your personal data. Depending on the nature of each contract with us, we may use your personal data for the following reasons:
- Processing recruitment and selection, evaluate the qualification of candidates;
- Procuring, issuing or executing contracts, registering your account with us; and/or
- Exercising rights or performing obligations under executed contracts.
4.2 Our legitimate interests
We may rely on the purpose of legitimate interests pursued by us or by a third party which require us to use and process your general personal data, except where such interests are overridden by your interests or fundamental rights and freedoms.
For instance, we have legitimate interests which allow us to process your collected personal data in the following circumstances:
- Business communication;
- Maintaining security and safety of persons and properties on our premises e.g. using of CCTV surveillance, recording your entry and exit information from the Company;
- Contacting relatives or contact persons in emergency cases e.g. emergency contact persons of employees; and/or
- Designating a beneficiary for life insurance.
4.3 Our legal compliances and legal claims
We will rely on the purpose of legal compliances when it is required or allowed by any applicable laws to which we are subject. For instance, we rely on legal compliance or legal obligation grounds to process your collected personal data in the following circumstances:
- Performing obligations under the laws with government authorities such as the Revenue Department, Social Security Office, Department of Skill Development, Department of Labour Protection and Welfare, Empowerment for Person with Disabilities Fund, Department of Legal Execution and Student Loan Fund; and/or
- Complying with the applicable laws, notifications, and orders, or for litigation proceedings, processing data under subpoenas including the exercise of rights relating to personal data.
We may rely on the legal claims basis to process your sensitive personal data to establish, comply, exercise or defend legal claims against you or initiate litigation action to protect our interests.
We will process your collected personal data on grounds of consents; especially, in the case where our processing activities have potential impact on your sensitive personal data.
We may inform you of the objectives of our personal data usage and request your consent or explicit consent to process your collected personal data in the following circumstances:
- When we do not have other lawful grounds to process your general personal data or sensitive personal data, e.g. processing criminal records for your recruitment and selection process, processing copies of ID cards containing sensitive personal data for contract execution;
- When we intend to transfer your collected personal data overseas and the destination country has lesser data privacy standards; or
- When you are classified as a minor, quasi-incompetent or incompetent of which the consent will be requested from your legal representatives, guardians or curators, as the case may be.
5. When do we disclose or share your collected personal data?
We may disclose to or share your collected personal data with other third parties to achieve the specific purposes for which the personal data was collected. The third parties who we may disclose or share your collected personal data with may include:
- Group companies and subsidiaries;
- Governmental agencies, regulatory or judicial authorities;
- Commercial banks;
- Hospitals, doctors, and nurses;
- Authorised business partners, service providers or vendors; or
When we disclose or share your collected personal data with any third parties, we will conduct necessary and appropriate supervision of the third parties to ensure safe processing of disclosed or shared personal data, by, for instance, entering into an agreement regarding the processing of personal data with the third parties.
6. Do we transfer your collected personal data overseas?
We may transfer your collected general personal data and/or sensitive personal data to group companies or third parties located in countries outside Thailand for the purposes prescribed in this Privacy Notice.
We will only transfer your collected personal data to a country that, in the view of the Thai Personal Data Protection Commission, has adequate data protection or privacy laws. Where such data security standards are deemed inadequate, we will provide appropriate safeguards to protect your interest or the transfer will take place if one of the exceptions defined by the PDPA is met. The exceptions are where:
- the transfer is necessary for compliance with the law;
- you have explicitly consented to the proposed transfer after having been informed of the possible risks of such transfer due to the absence of adequate security standards or safeguards;
- the transfer is necessary for the performance of a contract with you or the implementation of pre-contractual measures taken at your request;
- the transfer is necessary for the conclusion or performance of a contract in your interest between us and another natural or legal person;
- the transfer is necessary to protect your vital interests or those of other persons, and the data subject is incapable of giving consent; or
- the transfer is necessary for important reasons of public interest.
7. When do we inform you about your personal data?
Before or at the time of collecting your personal data, we will always inform you of our purposes of processing your personal data. Only in some circumstances, it is not necessary for us to inform you of our processing purposes, such as when:
- you are already aware of such new purposes or details of processing of your personal data;
- we believe that notice of such new purposes or the details of our processing is impossible or will obstruct the use or disclosure of your personal data, where we have taken suitable measures to protect your rights, freedoms and interests;
- it is urgent to use or disclose your collected personal data as required by law and we have implemented suitable measures to protect your interests; or
- we are aware of or acquire your personal data from our duty, occupation or profession, and we have maintained such new purposes or certain details with confidentiality as required by law.
8. What are your rights under the PDPA?
Under the PDPA, you have the following rights in respect of your personal data:
- Right to access
You have a right to access and obtain a copy of personal data that we hold about you, or you may ask us to disclose the sources of where we obtained your collected personal data that you have not given consent.
We will respond to your request as soon as reasonably possible but not exceeding thirty (30) days after receiving your request.
- Right to data portability
You have a right to request us to transfer your collected personal data to other persons/organisations, or request to see your collected personal data that we have transferred to other persons/organisations, unless it is impossible due to technical circumstances.
- Right to object to the processing of your collected personal data
You have a right to object to the processing of your collected personal data, unless there are circumstances that do not allow you to make the objection. This may include when we have compelling legitimate grounds or when the processing of your collected personal data is carried out to comply, exercise or defend legal claims or for our public interest.
- Right to erasure
You have a right to request us to delete, destroy or anonymise your collected personal data in the following circumstances where:
- Your collected personal data is no longer necessary for the purpose for which it was collected, used or disclosed;
- You have withdrawn your consent to which the collection, use or disclosure is based on and we do not have legal grounds to collect, use or disclose your collected personal data;
- You have objected to the collection, use or disclosure of your collected personal data and we do not have legal grounds to reject your request; and/or
- Your personal data has been unlawfully collected, used or disclosed under the PDPA.
- Right to restrict the processing of your collected personal data
You have a right to request us to restrict the processing of your collected personal data in the circumstances when:
- It is under the pending examination process of checking whether your collected personal data is accurate, up-to-date, complete and not misleading;
- It is your collected personal data that should be deleted or destroyed as it does not comply with the laws, but you request to restrict it instead;
- Your collected personal data is no longer necessary to be retained for the purpose for which it was collected, used or disclosed, but you still have the necessity to request the retention for the purposes of the establishment, compliance, exercise of legal claims or the defence of legal claims; and/or
- We are pending verification in order to reject the objection request to the collection, use or disclosure of your collected personal data.
- Right to rectification
You have a right to rectify inaccurate personal data in order to make it accurate, up-to-date, complete and not misleading. If we reject your request, we will record such rejection with reasons.
- Right to lodge a complaint
You have a right to make a complaint in the case of where we, our data processors including our employees or contractors do not comply with the PDPA or other notifications or announcements under the PDPA.
- Right to withdraw consent
You may withdraw your consent at any time, unless we have a lawful basis to deny your request. We would like to also inform you that your consent withdrawal may affect our relationships with you or the products and/or the services that will be provided to you by us. This is because, for instance, the personal data, if remaining after consent withdrawal, may be insufficient for us to render complete services that you need, or we may need time to request additional information from you.
If you change your mind about how you would like us to have or process your collected personal data and would like to withdraw your consent, you can tell us anytime by contacting us at the provided details in the “Contact Us” section.
Upon our receipt of a request to exercise your rights, we may, in certain cases, request additional information in order to confirm your identity and your rights as part of our security measures.
9. How long do we keep your collected personal data for?
We will only retain your collected personal data for as long as it is necessary for the specific purposes for which the personal data was collected. This means that the retention periods will vary according to the type of your collected personal data and the purpose or reason that we collect the personal data. If we do need to keep your collected personal data for a longer period to comply with the legal obligation, or if some existing claims or complaints will reasonably require us to keep your personal data or for regulatory or technical reasons, we will continue to protect that collected personal data.
We have procedures in place regarding our retention periods, which are kept under constant review, taking into account the purposes for processing your collected personal data and the lawful basis for doing so.
We may need to retain images and video footages from CCTV surveillance systems installed for security and safety of persons and properties within our premises for 90 days.
We will delete, destroy, permanently anonymise or otherwise dispose of all collected personal data at the end of the retention period, or when we must comply with your request for erasure of your collected personal data.
If you have any questions, please contact us at the provided details in the “Contact Us” section.
10. What measures do we use to secure your collected personal data?
We adopt security measures to keep your collected personal data safe and secure as well as to prevent loss or damage and illegal or unauthorised collection, access, use, modification, correction, disclosure or otherwise processing of your collected personal data. Our security measures which are applied to all types of data processing regardless of whether the collected personal data is processed electronically or in paper form, include encryption and other forms of security.
We require our employees and third parties who carry out work on our behalf to comply with the PDPA and the appropriate privacy standards including obligations to protect any leakage of personal data and to apply appropriate security measures for the processing of personal data.
We consistently maintain our security procedures and measures and if an improvement proves to be needed, we will promptly correct or update our security procedures and measures taking into account the appropriate physical, technical and organisational security procedures and measures to ensure a level of security of your collected personal data appropriate to the respective risk and the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing.
We assure that all collected personal data will be stored safely and securely with strict and adequate security standards. If you have a reason to believe that your collected personal data has been breached or if you have any questions regarding this Privacy Notice, please contact us at the provided details in the “Contact Us” section.
11. When do we make changes to this Privacy Notice?
We reserve the right to change, amend or update this Privacy Notice at any time as it deems appropriate. We will notify you of the changes on our website in which you can check at any time.
12. How to contact us?
If you have any comments, suggestions, questions or want to make a complaint or exercise your rights regarding your personal data, please contact us at https://www2.hitachi.com/inquiry/region/thailand/en/general/form.jsp or visit Hitachi Asia Website, click “Contact Us” and select Thailand in “Other Enquiries” section.