Thailand Professional Qualification Institute (Public Organization) (“The Institute”) respects and recognizes the importance of the privacy rights and the protection of Personal Data of employees which are the fundamental rights in privacy for individuals. Naturally, employees would prefer their Personal Data to be secured. Coupled with the rules and measures laid by Privacy law governing security measure in processing Personal Data and data subject’s rights. The Institute hereby implements this Privacy Policy to notify the principle for Personal Data protection with the following context:
1.Definitions
In this Privacy Policy, words or messages have meanings as described in the following definitions:
Privacy law
|
means Personal Data Protection Act B.E. 2562, as amended, including relevant rules, regulations, and orders.
|
Personal Data
|
means any Personal Data which can be identified a natural person directly or indirectly according to the Personal Data Protection Act B.E. 2562.
|
Data Protection Officer
|
means officer(s) appointed by the Data Controller to perform and act as the Data Protection Officer in accordance with the Personal Data Protection Act B.E. 2562.
|
The Institute
|
means Thailand Professional Qualification Institute (Public Organization)
|
Data Controller
|
means the natural or juristic person that has the authority to make decisions about the Personal Data and to obtain the Personal Data from the Customer to provide services or to perform contract obligations with such persons.
|
Data Processer
|
means a natural person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller.
|
Allies
|
Means business or trade partners which are the Institute’s allies or operating jointly with the Institute [please provide the list of the Institute’s allies or refer to such list via QR code or url link]
|
Website
|
means any website owned or provided by Thailand Professional Qualification Institute (Public Organization) as the case may be.
|
2.General Provision
This Privacy Policy aims to explain how the Institute collects, uses, and/or discloses and protects Personal Data of employees. Whereby the Institute may improve or amend any material changes in this Privacy Policy whether in whole or in part to comply with the amending laws and regulations. Therefore, employee should regularly access this Privacy Policy and follow up about the current version.
3.Collection of Personal Data
- The Institute will legitimately collect, use, and/or disclose employee’s personal data. The institute would only collect employee’s Personal Data that is necessary to fulfill the purposes of processing of Personal Data and in accordance with the law.
- The Institute may collect, use, and/or disclose employee’s Personal Data from employee or the Allies, or from other reliable sources, such as from information which employee have made available to the public.
- Employee’s refusal to provide employee’s personal data, or employee’s giving of inaccurate or outdated Personal Data to the Institute, may result in employee’s inability to conduct any transactions with the Institute or to demand certain performance of a contract with the Institute. All of these restrictions may potentially cause damages and lost of opportunities for employee and may potentially affect any legal obligation in which employee or the Institute, as the case may be, is required to comply. The Institute collects, uses, and/or discloses as follows
- General Personal Data such as
- Identification information and contact information such as photos, name and surname, national identification card number, information as appear in national identification card, passport number, gender, date of birth, age, marital status, address, occupation, workplace information, telephone number, fax number, email address, etc.
- Personal information such as marital status, family member information, beneficiary and emergency contact information, education background, military status.
- Occupation information such as position, department, contract details, personal resume, education and job records, etc.
- Payroll and welfare information such as salary details, compensation, and other relevant benefits or welfare.
- Bank account information for payroll, benefits, welfare, and other related information.
- Disciplinary action information such as inappropriate behavioral in workplace.
- Evaluation and training information such as evaluation performance and work performance appraisal.
- Sensitive Data is defined in Section 26 of PDPA as Personal Data pertaining to biometric data, finger scan, face recognition, religious, health data, racial, criminal records, etc. However, the Institute do not collect, use and/or disclose for Sensitive Data from employee unless the Institute obtained employee’s consent for processing of such sensitive data or it falls under any exception as prescribed by this privacy policy or the law.
The Institute will not collect employee’s sensitive data, unless
(1) the Institute has received explicit consent from Employee, or
(2) under other circumstance according to the law.
- Retention Period of Personal Data
The Institute shall collect and retain employee’s Personal Data for as long as necessary for the purposes of collecting, use, and disclosure of Personal Data in this Policy. In case employee terminate relationship or an agreement with the Institute, or if employee are no longer using the services or the business transaction has been executed, or if employee’s Personal Data is no longer necessary in relation to the specified purposes, the Institute shall store employee’s Personal Data for specified period or as specified by the law, or by prescription period or for exercise or defense of legal claims. After the expiration of the storage period of each type of Personal Data, the Institute shall proceed to erase or destroy or make anonymize of such Personal Data. The retention period shall be in accordance with the Institute’s Data Retention Policy. The Institute may continue to retain employee’s Personal Data after the retention period in accordance with the law.
4.Purposes of Processing of Personal Data
The Institute processes employee’s Personal Data for the purposes in accordance with lawful basis under PDPA as follows:
- Purposes of Processing of Personal Data in which the Institute must obtained consent.
- The collection, use, disclosure of Sensitive Data for the following purposes:
- For security purpose to verify or identify employee’s authentication in access on premises.
- For verification and identification of employee such as verification through identification card or passport in which Sensitive Data such as religious, blood group, race data may be shown.
- For purpose to determine eligibility for initial employment, including verifying references and qualifications.
- For purpose to process employee work-related claims. For example, health check-up, health insurance and/or other related benefits.
- In case that the Institute shall obtain consent before transferring Personal Data to foreign country with no adequate data protection standard in compliance with PDPA.
- Purposes in which the Institute may refers to other lawful basis for Personal Data processing
The Institute may process Personal Data by lawful basis of processing as follows:
(1) Processing is necessary for the performance of a contract to which the employee is a party, or in order to take steps at the request of the employee prior to entering into a contract;
(2) it is necessary for compliance with legal obligations;
(3) it is necessary for the purposes of the legitimate interests of the Institute or third party, where such interests are proportionate to the fundamental rights of the employee of his or her Personal Data;
(4) it is necessary for preventing or suppressing a danger to a person’s life body or health; and
(5) it is necessary for the performance of a task carried out in the public interest by the Institute, or it is necessary for the exercising of official authority vested in the Institute.
Aforesaid, the Institute shall rely on lawful basis of processing listed in (1) to (5) for the collection, use, and/or disclose of Personal Data for the following purposes;
For job applicants
If the Data Subject here is the job applicant, the Institute shall rely on lawful basis for processing Personal Data in Clause 4.2 listed in (1) to (5) to collect, use, and/or disclose Personal Data of job applicant for the following purposes;
- To determine eligibility for initial employment, interviewing and verifying references and qualifications, including recruitment for student internship.
- To identify and contact job applicant.
- To administer salary, compensation and/or other benefits.
- To identify a contact point in the event of an emergency.
- For any other purposes that are reasonably required by the Institute as specified in job application form or other related documents.
For Institute’s employees
If the Data Subject is the Institute’s employee, the Institute shall rely on lawful basis for processing Personal Data in Clause 4.2 listed in (1) to (5) to collect, use, and/or disclose Personal Data for the following purposes;
- For recruitment process purposes including decisions to hire or to determine other potential roles. The Institute may, at its discretion, change the Data Subject's part-time or trainee status to full-time status.
- For the Institute’s internal management purposes such as manpower restructuring, job transferring, reassignment job position, promotion, retirement planning, etc.
- For training and human resource development such as organizing internal and external training courses for employees, filing an application for course certification and request for training expenses from government agencies, and etc.
- For obtaining and verifying licenses or permits that are mandatory for operation.
- For salary payment, compensations, and other benefits such as wage, salary rate, bonuses, work benefits, etc.
- For communication, public announcement for work or related work activity’s purpose.
- For statistical and analytical purposes to develop human resources and enhance working processes.
- For complying with legal obligation such as regulations related to labor, health and safety requirement, or official authorities’ requests, etc.
- For recording proceeding history of employees' discipline for effective management or for determining employee disciplinary measurement if necessary.
- For internal audit purpose to handle any complaints or claims, to gather evidence for disciplinary action, to prevent employees from fraud, illegal act, or neglect of duties.
- For other purposes that related to employment of the Data Subject such as performing work tasks for or on behalf of the Institute, or as prescribed in employment contact, in work regulations, or in any other human resources related document.
- The Institute shall not collect, use, and/or disclose Personal Data for purpose which the Institute have not inform the employee, unless
(1) the Institute has notified new purposes to the employee and has obtained consent from employee; or
(2) it falls under any exception as prescribed by the law.
5. Disclosure of Personal Data
- The Institute shall only disclose Personal Data to the Allies for the purposes which the institute have informed the employee as following,
(1) Where the Institute obtain consent from the employee,
(2) Where it is necessary for the performance of a contractor upon the employee’s requests including the disclosure of Personal Data to enter into business transaction or any relevant activities of the employee.
(3) Where it is necessary for legitimate interests such as the disclosure of Personal Data to Institute or organization for fraud prevention, the video recording in conference or while doing business transaction with the Institute, or for safety purposes of the Institute.
(4) Where it is necessary for compliance with a law, regulations, orders from or authorized official authority under the law such as Ministry of Labor, Department of Public Welfare, Department of Skill Development, Legal Execution Department, Student Loan Fund, Court, Police, or other relevant government sector as prescribed by the law,
(5) To disclose Personal Data to the following third parties:
- Outsource and/or service provider such as provident fund managers, commercial banks, payment service providers, insurance companies, hospitals, VISA or Work Permit agent services, human resource consulting companies, human resource information system service providers, training service providers, financial service providers, to access and process Personal Data of the Data Subject for the purposes listed in Clause 4 of this Privacy Policy.
- Government agencies or authorized official authorities under the law such as Ministry of Labor, Social Security Office, Department of Skill Development, Legal Execution Department, Student Loan Fund, Department of Empowerment of Persons with Disabilities, Courts Official, Police Officers, or other related official authorities as prescribed by the law.
6.Improvement, Review, Amendment of Privacy Policy
Whereby the Institute may improve, revise, or amend any material changes in this Privacy Policy whether in part or in whole to comply with the Institute’s method of operation, or to comply with amending laws and regulations.
7.Employee rights as the Data Subject.
- Employee may file a request form in accordance with the Institute’s conditions and procedures in cases the Data Subject requests for a copy of the Personal Data being processed by the Institute or requests the Institute to inform what sources the Personal Data originated.
- In the event that employee sees that his or her Personal Data is inaccurate, not up to date, or incomplete which may cause misunderstanding. Employees have the rights to request the Institute to correct and complete Personal Data based on information employee may provide by filing Data Subject rights request application to the Institute in accordance with the Institute’s conditions and procedures. In case where the Institute do not respond or comply with the rights request, the Institute shall keep record of the request with reasons of refusal as an evidence for future inspection.
- Employees have the rights to withdraw consent once given to the Institute for Processing employee’s Personal Data at any reasonable time unless there is a restriction of the withdrawal of consent by law, or there is contractual obligation that benefits employee. For example, employee may still bound by a contract with the Institute, or employee has contractual obligations or legal obligation with the Institute. Nevertheless, if employee chooses to withdraw consent, employee may not be able to receive services from or conduct transaction with the Institute, or the Institute’s ability to provide services to employee may be limited.
- Employee have the rights to receive the Personal Data concerning himself or herself from the Institute. In which the Institute shall arrange such Personal Data to be in the format which is readable or commonly used by ways of automatic tools or equipment and can be used or disclosed by automated means. Employees are also entitled to request the Institute to send or transfer the Personal Data in such formats to other Data Controllers if it can be done by the automatic means or entitled to request to directly obtain the Personal Data in such formats that the Institute sends or transfers to other Data Controllers unless it is impossible to do because of the technical circumstances.
- Employee have the rights to object the collection use or disclosure of his or her Personal Data at any reasonable time in one of the following circumstances:
- Where collection, use, and disclosure of Personal Data is necessary for the performance of a task carried out in the public interest by the Institute or necessary for the legitimate interest of the Institute. Unless the Institute can prove that:
- There is a compelling legitimate ground; or
- It is necessary for the establishment, compliance, or exercise of legal claims, or defense of legal claims;
- Where collection, use, and disclosure of Personal Data is for the purpose of direct marketing; or
- Where Processing of Personal Data is for the purpose relating to scientific or historical research or statistics, unless it is necessary for the performance of a task carried out in the public interest by the Institute.
- Employee have the rights to request the Institute to erase or destroy or anonymize Personal Data to become anonymous data where legitimate ground applies:
(1) The Personal Data is no longer necessary in relation to the purposes for which it was collected, used, or disclosed;
(2) When employee withdraw the consent on which the collection, use, or disclosure is based on, and where there is no other legal ground for such collection, use, or disclosure;
(3) When employee object to the processing of the Personal Data referred in Clause 7.5(1) and the Institute cannot reject to such request or the processing of Personal Data is for the purposes relating to direct marketing; or
(4) The Personal Data have been unlawfully collected, used, or disclosed
- Employee have the rights to request the Institute to restrict the use of Personal Data, where the following applies:
- When the Institute is pending examination process in accordance with employee’s request to ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading;
- Where it is the Personal Data which shall be erased or destroyed because it has been unlawfully collected, used, or disclosed, but employee request for restriction of the use instead;
- Where it is no longer necessary to retain such Personal Data for the purposes of such collection, but employee have necessity to request the retention for the purposes of the establishment, compliance, or exercise of legal claims, or the defense of legal claims; or
- Where the Institute is pending verification to demonstrated that there is a compelling legitimate ground or pending examination for the establishment, compliance or exercise of legal claims, or defense of legal claims to reject the objection request made by employee.
- Employee have the rights to complain to expert committee in accordance with PDPA in cases the Institute or the Data Controller including employees or Data Processor(s) does not take action or does not comply with PDPA at the following address:
Office of the Personal Data Protection Commission
7th Floor, Ratthaprasasanabhakdi Building 80th Anniversary Government Center, Chaengwattana Road, Thungsonghong Subdistrict, Laksi District, Bangkok 10210
Nevertheless, the rights of Data Subject as abovementioned depend on various factors and circumstances. The Institute reserves the rights to examine the right requests where it is permissible by law, where the Personal Data have been anonymized, or where it can be demonstrated by the Institute that there is compelling legitimate ground for processing of Personal Data, for example, employee is still using the service or conducting transaction with the Institute, or where the Institute is under legal obligation even if the employee has terminated the relationship with the Institute such as Personal Data collection as prescribed period by law or for exercise of legal claim.
8.Security Measures for Storing Personal Data
The Institute is committed to protecting employee’s Personal Data. Hence, the Institute shall provide security measures including a safe and appropriate system for collecting, using, or disclosing Personal Data to prevent employee’s Personal Data from accidental loss, unauthorized access of data, destroy of data, misuse of data, unauthorized change or disclosing of data in accordance with the Institute’s information technology security policies and/or procedures.
The Institute shall provide security measures of Personal Data which include operational safeguards, technical protection measures and physical safeguards regarding access or control of the Personal Data usage which at least consists of the following actions:
- Control of access to Personal Data and storage devices and Processing of Personal Data considering the usage and security;
- Determine permission to access Personal Data;
- Users access management to Personal Data for designated person(s) only;
- Determine roles and responsibilities of users to prevent unauthorized access, disclosure, cybercrime, copy of Personal Data, or to prevent theft of storage devices or data; and
- Provide method for tracing back in access, alteration, disposal, or transmission of Personal Data in accordance with the methods and storage media used for processing of Personal Data.
9.Application of Privacy Policy
This Privacy Policy applies to all Personal Data in which the Institute collected, used, and disclosed, and in which the Institute had obtained consent from employee prior to carrying out the processing activity (If any), as well as the collection of employee’s Personal Data in current or in the future for use and disclosure to the third parties within the scope of this Privacy Policy.
- Personal Data of Third Party
If the employee provided any third party’s Personal Data such as spouse, child, parents, family members, beneficiary, emergency contact, reference persons, and other third parties related to the security holding of the employee. The employee hereby affirms that he or she is authorized to provided information of such third party to the Institute. In addition, the employee shall be accountable to inform such third party about this Privacy Policy and to obtain consent from such third party.
- Policy Review
The Institute and related business unit shall review this Policy at least once a year. Updated versions are to be adopted by the Board of Directors of the Institute were deemed necessary or appropriate.
12.Governing Law and Jurisdiction
This Privacy Policy is governed by and construed in accordance with Thai laws and Thai courts have the jurisdiction to consider any disputes that may arise.
13.Contact Information
Any questions or concerns regarding this Privacy Policy, the exercising of employee’s rights, or have reasonable reasons to believes that the Personal Data has been misused, please contact the Institute via the following channels:
Data Protection Office
Email address: [email protected]
Telephone No.: +66 2035 4900
Address: Thailand Professional Qualification Institute (Public Organization) 1177 Pearl Bangkok Building, 14th floor, Phahonyothin road, Phayathai Sub-district, Phayathai District, Bangkok 10400