1. THAI StemLife, as the Data Controller, shall not collect, use, or disclose your personal data unless you, as the Data Subject, have given consent prior to or at the time of such collection.
2. In the event that the data subject is a minor, then for requesting consent for collection, use, and disclosure from the data subject, the withdrawal of consent, the exercise of rights of the data subject, the complaint of the data subject, and any other act under the Personal Data Protection Act B.E. 2562 (2019), THAI StemLife shall obtain the consent of a holder of parental responsibility over the minor.
3. The data subject may withdraw his or her consent at any time.
4. THAI StemLife shall collect, use, or disclose personal data according to the purpose notified to the data subject prior to or at the time of collection. The collection, use, or disclosure of personal data shall not be conducted in a manner that is different from the purpose previously notified to the data subject, unless;
4.1. The data subject has been informed of such new purpose, and consent is obtained prior to the time of collection, use, or disclosure;
4.2. It is permitted by the provisions of the Personal Data Protection Act B.E. 2562 (2019) or by other laws.
5. THAI StemLife shall appoint a “Data Protection Officer (DPO)” as a consultant to advise on and monitor operations regarding the collection, use, and disclosure of personal data, as well as to coordinate with the Personal Data Protection Committee.
B. Personal Data Collection Policy
1. The collection of Personal Data shall be limited to the extent necessary in relation to the lawful purpose of the Data Controller.
2. In collecting personal data, THAI StemLife shall inform the data subject, prior to or at the time of collection, of the following details;
2.1. The purpose of collection for use or disclosure of personal data including the purpose which is permitted for personal data collection under Section 24 of Personal Data Protection Act without the data subject’s consent.
2.2. THAI StemLife shall notify the data subject of the possible effect in the case that the data subject refuses to provide his or her personal data where it is needed in order to comply with a law or contract, or to enter into a contract.
2.3. The period for which personal data will be retained. If it is not possible to specify the retention period, the expected data retention period according to the data retention standard shall be specified.
2.4. The categories of persons or entities to whom the collected personal data may be disclosed.
2.5. The contact information, such as address and contact channel details, of THAI StemLife and, where applicable, of THAI StemLife’s representative or the DPO.
2.6. The rights of the data subject (Details in Clause 4. Data Subject’s Right Protection Policy).
3. THAI StemLife shall not collect personal data without the consent of the data subject, unless;
3.1 It is for the achievement of the purpose relating to the preparation of the historical documents or public interest, or for the purpose relating to research or statistics.
3.2 It is for preventing or suppressing a danger to a person’s life, body, or health.
3.3 It is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
3.4 It is necessary for the performance of a task carried out in the public interest by THAI StemLife, or it is necessary for the exercising of official authority vested in THAI StemLife.
3.5 It is necessary for legitimate interests of THAI StemLife or any other persons or juristic persons other than the company.
3.6 It is necessary for compliance with the company policy.
4. THAI StemLife shall not collect personal data from any other sources, apart from the data subject directly.
5. THAI StemLife shall not collect personal data such as political opinion, religious or philosophical beliefs, sexual behavior, disability, trade union information, or any other information which may affect the data subject in the same manner as specified by the Personal Data Protection Committee.
C. Policy of Use or Disclosure of Personal Data
1. THAI StemLife shall not use or disclose personal data without consent from the data subject unless it is the data which falls within the exceptions to request consent under Section 24 or Section 26 of the Personal Data Protection Act.
2. In the event that THAI StemLife sends or transfers personal data to a foreign country; the destination country or international organization that receives such personal data shall have adequate data protection standard, and shall be carried out in accordance with the rules for the protection of personal data as prescribed by the Personal Data Protection Committee.
3. Disclosure of personal data to third parties may be done as necessary to comply with the purposes specified in this policy. THAI StemLife may disclose personal data to the following persons;
3.1. Agents of the affiliate entities or related domestic or international companies.
3.2. Agents, contractors, or outsourced service providers who provide services to THAI StemLife and the data subject, such as cargo shippers, storage and warehouse service providers, logistics service providers, document preparation and shipment service providers (including catalogues or birthday cards), consultants, doctors or medical specialists of a hospital or clinic who will treat the data subject, telecommunication service providers, information technology service providers, and marketing and promotion service providers. THAI StemLife shall have appropriate measures to ensure that personal data disclosed to third parties is protected and safely secured, by having a confidentiality agreement whose conditions state that the third parties have the right to use only the data specified in the agreement, or a Non-Disclosure Agreement to secure the confidentiality of the collected data, etc.
D. Policy of Right Protection and Exercise of Data Subject’s Right
1. The data subject may withdraw his or her consent at any time. The withdrawal of consent shall be as easy as giving consent. THAI StemLife shall protect the rights of the data subject by providing data protection, considering the rights of the data subject, and informing the data subject of the consequences of consent withdrawal.
2. The data subject has the right to access and request a copy of their personal data, or to request disclosure of the acquisition of personal data obtained without their consent. THAI StemLife shall perform as requested; nevertheless, the request may be rejected where it is permitted by law or pursuant to a court order, and such access and obtaining a copy of the personal data would adversely affect the rights and freedoms of others.
3. The data subject has the right to receive the personal data concerning him or her from THAI StemLife. In the event that THAI StemLife has processed such personal data into a format which is readable or commonly used by automatic tools or devices, the data subject also has the following rights:
3.1 The right to request access to and obtain a copy of the personal data related to him or her, which is under the responsibility of THAI StemLife.
3.2 The right to request THAI StemLife to send or transfer the personal data to other Data Controllers.
3.3 The right to object to the collection, use, or disclosure of the personal data concerning him or her, at any time.
3.4 The right to request THAI StemLife to erase or destroy the personal data, or anonymize the personal data so that it becomes anonymous data which cannot identify the data subject.
3.5 The right to request THAI StemLife to restrict the use of the personal data.
3.6 The right to request THAI StemLife to ensure that the personal data remains accurate, complete, and up-to-date.
3.7 The right to complain to THAI StemLife or the Personal Data Protection Committee when THAI StemLife violates any right and causes any damage to the data subject.
3.8 The right to request the disclosure of the acquisition of the personal data obtained without his or her consent.
3.9 In the event that the data subject needs to make a request, the request shall be made in writing. THAI StemLife shall do its best to perform the request within an appropriate period of time, not exceeding the time specified by law.
4. Personal data in clause D.3 (3.1 to 3.9) shall be the data which the data subject has consented to have collected, used, or disclosed under the Personal Data Protection Act, or which falls within the exceptions to requesting consent under Section 24.
5. The exercise of rights of the data subject in clause D.3 (3.1 to 3.9) shall not apply to the sending or transferring of personal data by THAI StemLife which is the performance of a task carried out in the public interest, or for compliance with law, and such exercise of rights shall not violate the rights and freedoms of others. In the event that THAI StemLife rejects the request for such reasons, THAI StemLife shall make a record of the rejection together with its reasons, as prescribed in Section 39.
6. The data subject has the right to object to the collection, use, or disclosure of the personal data concerning him or her, at any time.
7. The data subject shall have the right to request THAI StemLife to erase or destroy the personal data, or anonymize the personal data so that it becomes anonymous data which cannot identify the data subject.
E. Policy of Security Protection of Personal Data, Data Destruction Specified by the Laws, and Procedures for Data Collected Prior to the Act.
1. Security Protection Measures of Personal Data
1.1 THAI StemLife collects personal data in the information system and stores the original documents in a safe place with appropriate security measures for preventing the loss of, or unauthorized or unlawful access to, use, alteration, correction, or disclosure of personal data. Such measures shall be reviewed when necessary, or when the technology has changed, in order to efficiently maintain appropriate security and safety.
1.2 THAI StemLife has set up an account for document withdrawal, which requires requesting permission from the superior (Chief/Manager) before using the information or document. Each department shall have an operation manual concerning document requests and document retention, clearly provided to employees step by step.
1.3 Responsible staff audit the information system regularly, perform data backups, maintain backup media in an appropriate place which is not accessible and is protected from data breach, and test the efficacy of data restoration. THAI StemLife has established backup and recovery measures in the Information Technology Security, IT Security Procedure according to its ISO 27001 accreditation.
2. THAI StemLife erases all data whenever replacing or handling laptops or portable communication devices, sets up passwords for computer access, and/or backs up data in the system whenever a new staff member joins or a staff member resigns. Moreover, antivirus and access-restricting programs are installed on each laptop to prevent data theft, and information security risks are audited and assessed every quarter as per our ISO 27001.
3. In the event of a data breach, the Data Protection Officer (DPO) appointed by THAI StemLife shall notify the Personal Data Protection Committee within 72 hours after becoming aware of it, unless such personal data breach is unlikely to result in a risk to the rights and freedoms of the persons. If the personal data breach is likely to result in a high risk to the rights and freedoms of the persons, the Data Protection Officer shall also notify the data subject of the personal data breach and the remedial measures without delay.
4. Remedial measures in the case of data breach shall be in accordance with the rules and methods prescribed and announced by the Personal Data Protection Committee.
5. THAI StemLife performs risk management to control and secure personal data in compliance with the standard. The risks are defined in the risk management report proposed to the Management Meeting and Board of Directors every quarter. The personal data protection risks in the risk management report, with primary details, are as follows:
• Risk 1 Personal Data Protection Risk Assessment
• Risk 2 Collection, Use, or Disclosure of Personal Data
• Risk 3 Operational Surveillance
• Risk 4 Preventive Actions for Data Leakage and Violation Report
• Risk 5 Data Send or Transfer
• Risk 6 Operations per Data Subject Request
THAI StemLife performs personal data risk assessment, monitors and limits authorized access of users, and carefully controls the use or disclosure of sensitive personal data such as religion, disability, etc. THAI StemLife has also established preventive measures for data leakage, and remedial measures in the event of a data breach. The sending or transferring of personal data is subject to an adequate personal data protection standard for both sender and recipient (domestic/international), so that the rights of the data subject are followed in accordance with the law. Details of personal data risks are included in the risk management report of every quarter.
2. Personal Data Deletion per Specified Period of Time
2.1 THAI StemLife puts in place an examination system for personal data erasure or destruction after the retention period ends. The customers’ personal data collected in the electronic system, and important documents such as the Hire Purchase Agreement and other related documents, shall be collected per the agreement terms and conditions. When an account is completely closed, THAI StemLife may collect some accounting data for 5 more years. THAI StemLife shall destroy, by using paper shredders, the contract document and unnecessary information which does not need to be collected for accounting or management statistics, such as ID card copies and other identity documents.
2.2 In the event that the customer violates the agreement, leading to litigation or prosecution, THAI StemLife shall retain documents and the database in the system for use in litigation until final judgment and until the debt is fully paid, and then later destroy such personal data.
2.3 According to the Accounting Act B.E. 2543 (2000), THAI StemLife shall collect accounting and tax information for not less than 5 years.
2.4 The Data Protection Officer (DPO) appointed by THAI StemLife is responsible for ensuring that each party destroys the personal data documents within the specified period or at an appropriate time.
2.5 For personal data deletion or destruction per request, see details in D.7.
The data subject may submit a request for personal data access per the Policy of Right Protection and Exercise of Data Subject’s Right (Clause D.3.9) by email, phone call, or direct talk (in the event of request submission by direct talk, the officer shall request the data subject to make such request in a written document, so that THAI StemLife can perform correctly as requested, and the document can be used as evidence required by law) or in any written format to:
THAI StemLife Co., Ltd., THAI StemLife Headquarters 566/3 Soi Ramkhamhaeng 39, (Thepleela 1),
Prachaouthit Rd, Wangthonglang, Bangkok 10310
• Phone number: (+66) 2 022 7000
• Email: info@THAI StemLife.co.th
Please find the appropriate form for privacy information change HERE : Download