Privacy policy
Nalux (Thailand) Co., Ltd. (hereinafter referred to as "our company") has established the following privacy policy (hereinafter referred to as "this policy") regarding the handling of personal information collected on the FACT-LINK home page (hereinafter referred to as "this homepage").
Paragraph 1 : Personal Data
Personal data refers to information about an individual that can identify that person, either directly or indirectly. Personal data protected under this policy includes:
1. General personal information of customers, business partners, individuals contacting the company, or any external parties involved in the company’s business, such as full name, phone number, email, Line ID, national ID number, bank account number, signature, or any other personal data necessary for conducting business or as required by law. (* For brevity, the term "customers" will collectively refer to customers, business partners, individuals contacting the company, or external parties involved in the company's business.)
2. General personal information of employees, such as full name, national ID number, bank account, photo, signature, fingerprints, phone number, email, Line ID, Facebook, educational qualifications, spouse's name, or any other personal data necessary for employment, management, or as required by law.
3. Sensitive personal data of both customers and employees, such as race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal history, health information, disability status, union membership, genetic data, physical characteristics, or any other sensitive data as defined by law, which is necessary for conducting business or as required by law.
Paragraph 2 : Personal Data Protection Policy
The company acknowledges and places great importance on the personal data of customers and employees. In order to ensure that the collection, storage, use, and disclosure of personal data are in compliance with the Personal Data Protection Act B.E. 2562, the company has established the following Personal Data Protection Policy.
1. The company highly respects the privacy rights of customers and employees.
2. The company will collect only the personal data that is necessary for its operations or as required by law, and will obtain it directly from the data subject.
3. The company will inform the data subject of the purpose for collecting, storing, using, and disclosing the data, and will inform them of their rights and obtain consent beforehand.
4. The company ensures that the personal data protection system is secure, safe, and compliant with legal requirements.
5. The company will appoint data controllers, data processors, and personal data protection officers to ensure that personal data is used in accordance with the purpose and/or as required by law.
6. Sensitive personal data, such as race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal history, health information, disability status, union membership, genetic data, biometric data, and physical characteristics, if required to be collected, used, or disclosed, will only be done with the explicit consent of the data subject and will be handled with confidentiality and caution.
7. Personal data of foreign or non-Thai data subjects will be protected and treated in the same manner as data of Thai individuals.
8. When transferring personal data to external entities or abroad, the company will establish agreements with the external entities or the destination country to ensure robust, secure, and strict data protection in accordance with legal requirements.
9. Data subjects have the right to review, request copies, object, delete, destroy, transfer, or withdraw their consent for the use of their personal data unless such data is required by the company for legal purposes or contractual obligations. These rights can be exercised through the data controller designated by the company.
10. The company will treat the personal data of customers and employees as its own valuable asset. No person is allowed to violate, disclose, access, use for personal gain, or cause harm to the data subject without authorization from the data controller. Violators will be subject to the highest penalties, legal prosecution to the fullest extent, and full compensation for damages as prescribed by law.
Paragraph 3 : Individuals Responsible for Personal Data Protection
To ensure that this Personal Data Protection Policy is implemented continuously and effectively, the company appoints individuals holding the following positions to comply with the policy and/or relevant laws.
1. The President acts as the Data Controller on behalf of the legal entity.
2. The Management Representative for the Personal Data Protection System is responsible for managing the system to ensure compliance with the Personal Data Protection Act B.E. 2562 and/or other relevant laws.
3. The Data Protection Officer is responsible for advising, monitoring, coordinating, and overseeing the personal data protection system to ensure compliance with the law, maintaining confidentiality, and ensuring effective implementation.
4. The Human Resources Manager acts as the Data Controller for employee personal data.
5. Managers/Supervisors of all departments act as Data Controllers for the personal data of employees or customers utilized within their respective departments.
6. All employees are responsible for collecting, using, and disclosing personal data as per their assigned duties.
7. The Information Technology Department is responsible for managing personal data stored in electronic media and software systems of the company, ensuring their security and stability.
8. The Personal Data Protection Task Force is responsible for developing and implementing the personal data protection system in compliance with this law.
Paragraph 4 : Requesting Consent for the Use of Personal Data
4.1 The Company has established the following:
(1) A list of personal data of customers and employees that is necessary for operations or as required by law.
(2) The purposes and necessity of data usage.
(3) The scope of data usage.
(4) The data retention period.
(5) The designation of the Data Controller and Data Protection Officer.
(6) The rights of the data subject.
These details will be communicated to customers or employees to obtain their consent before commencing business or work collaboration.
4.2 For sensitive personal data (as defined in Section 26), if it is necessary to collect, use, or disclose such data for business administration or as required by law, the Company will obtain explicit consent from the data subject prior to collecting, using, or disclosing the data. The Company will handle such data with caution and ensure its confidentiality.
4.3 Any changes to personal data, whether of customers or employees, that the Company protects will be reviewed and approved by the Data Controller and the Data Protection Officer before implementation. This ensures that the protected data is collected, used, and disclosed securely and safely.
Paragraph 5 : Scope of Data Usage
The Company will use the personal data of customers or employees:
1. As necessary for business administration.
2. In accordance with contractual obligations.
3. Within the scope defined by law.
4. For the benefit of the data subject.
The data will be used in all departments where it is necessary for operations, including offices, factories, branches, affiliated companies, partner companies, or any other entities requiring such data, both domestically and internationally (if applicable), in the present and future. The data will be collected, used, and disclosed confidentially to ensure the security and protection of the data subject.
Paragraph 6 : Scope of Data Usage
6.1 The Company will store and collect personal data in computers or other secure and stable electronic media. Access will be restricted to authorized users with individual passwords or unique access codes to ensure the personal data is securely protected.
6.2 For data stored in paper documents, the storage location will be secured with reliable locks to ensure safety.
6.3 Regular audits will be conducted, and the system will be reviewed and updated at least once a year. In cases of irregularities, new legal announcements, or technological advancements, the Company will immediately review and update the system to ensure that the collection, storage, use, and disclosure of personal data comply with the relevant policies and legal requirements.
Paragraph 7 : Retention Period of Personal Data
7.1 Personal data of customers or employees used for work or business purposes will be retained for the duration of its use. Important data will be stored for up to 10 years after it is no longer active, in secure electronic media or paper documents.
7.2 Personal data that is no longer in use will be retained for no more than 3 months. It will then be destroyed by shredding, burning, or other methods to prevent misuse.
7.3 If personal data stored in secure electronic media is verified to be accurate, complete, and auditable, the company may destroy its physical copies to avoid redundancy and reduce the burden of storage.
Paragraph 8 : The delegation of processing to external parties or the transfer of personal data abroad
8.1 In Cases Where :
8.1.1 The company transfers personal data of customers or employees to individuals or external entities under an agreement.
8.1.2 The Company assigns other individuals or organizations to collect, gather, use, or disclose personal data (process the data).
8.1.3 When a customer or employee knows personal data of another customer or employee during work interactions, the Company ensures that agreements are in place with external parties or individuals to collect, use, disclose, and protect the data securely according to the legal standards.
8.2 Sending personal data abroad: The Company ensures that the data controller or data protection officer carefully reviews, approves, and makes agreements to ensure that the destination country has sufficient protection standards as required by law.
8.3 Sending sensitive data to external parties or abroad requires approval from the data controller (the Managing Director) and the data protection officer, who must have a joint opinion and ensure compliance with the law to guarantee the destination country has adequate security and protection as mandated by law.
Paragraph 9 : Rights of Data Subject
9.1 The Company respects the rights of data subjects and ensures that they have the following rights:
(1) The right to know the source of information they did not initially consent to.
(2) The right to review how their data is collected, used, and disclosed.
(3) The right to object or suspend the use of their data.
(4) The right to withdraw consent.
(5) The right to request deletion of their data.
(6) The right to request corrections or changes to the data to ensure its accuracy.
(7) The right to request a copy of or certification of their data.
(8) The right to request the transfer of data to another entity.
(9) The right to sue for damages if there is harm or someone else benefits improperly from the use of their data.
9.2 If the company continues to use personal data for legitimate purposes, without personal gain, and does not cause harm to the data subject, or if the data is used as necessary for business management, in accordance with a contract, agreement, or legal requirements, the company may request consent from the customer or employee to continue using their personal data as usual.
9.3 Employees who suspect or discover irregularities in the use of their personal data can file a complaint or exercise their rights as data subjects with the designated personal data controller (Human Resources Manager) at the company for further action.
9.4 Customers who suspect or discover irregularities in the use of their personal data can file a complaint or exercise their rights as data subjects with the designated personal data controller of the respective department (Manager/Supervisor from the department the customer is working with) for further action.
9.5 Interested parties or individuals involved with the company's use of personal data can contact the Data Protection Officer at the following: telephone number 02-157-3422-23, fax number 02-157-3450, or visit the website: https://www.fact-link.com/mem_content.php?pl=th&mem=00003044&page=00020811 during working hours.
9.6 Employees, customers, or individuals involved who have not been satisfied or have not received the resolution of their rights as specified should notify the Data Protection Officer or the Data Controller to take further action.
9.7 The decision on complaints or suspicions shall be made by the Data Controller, on behalf of the legal entity (President), with the approval of the Data Protection Officer. This decision shall be final and binding.
Paragraph 10 : Duties of Data Owners
10.1 Submit their personal data to the relevant parties as requested within the specified time frame.
10.2 In case of changes to personal data, notify the relevant parties immediately or within 7 days.
10.3 Use the personal data of employees or customers properly, honestly, and not for personal benefit, nor cause any damage to the data owner in any case.
10.4 If any abnormality or data breach is found that could cause harm, notify the company immediately to take appropriate action.
Paragraph 11 : Penalties for Violating the Policy
If any customer, employee, or individual misuses or discloses personal data protected by the company:
1. Uses, discloses, or seeks personal benefit from the data beyond the purpose for which the data owner consented.
2. Causes harm to the data owner.
3. Violates the Personal Data Protection Act B.E. 2562 or any policies or regulations related to this policy.
The company will impose the highest penalty or legal action as stipulated by law and require full compensation for damages.
Paragraph 12 : Policy Promotion on Personal Data Protection
12.1 The Human Resources Department shall disseminate this policy to job applicants, new employees, and regular employees.
12.2 Managers of each department shall ensure this policy is communicated to customers, business partners, and visitors engaging with their respective units.
12.3 The IT Department shall publish this policy on the company’s website or other media platforms to inform relevant parties and interested individuals.
Paragraph 13 : The information desk
For inquiries regarding this policy, please contact the following.
Responsible : Mr. Pramote Ritprasert
Email address : pdpa@nalux.co.th
Updated : 21 Nov 2024