- MEDEZE, as the Data Controller, shall not collect, use, or disclose your personal data unless you, as the Data Subject, have given consent prior to or at the time of such collection.
- In the event that the data subject is a minor, MEDEZE shall obtain consent from a holder of parental responsibility over the minor for requesting consent for the collection, use, and disclosure of personal data, the withdrawal of consent, the exercise of the rights of the data subject, complaints by the data subject, and any other act under the Personal Data Protection Act B.E. 2562 (2019).
- The data subject may withdraw his or her consent at any time.
MEDEZE shall collect, use, or disclose personal data according to the purpose notified to the data subject prior to or at the time of collection. The collection, use, or disclosure of personal data shall not be conducted in a manner that differs from the purpose previously notified to the data subject, unless:
- The data subject has been informed of the new purpose, and consent is obtained prior to the time of collection, use, or disclosure;
- It is permitted by the provisions of the Personal Data Protection Act B.E. 2562 (2019) or other laws.
- MEDEZE shall appoint a “Data Protection Officer (DPO)” as a consultant to advise on and monitor operations regarding the collection, use, and disclosure of personal data, as well as to coordinate with the Personal Data Protection Committee.
2. Personal Data Collection Policy
- The collection of Personal Data shall be limited to the extent necessary in relation to the lawful purpose of the Data Controller.
- In collecting personal data, MEDEZE shall inform the data subject, prior to or at the time of collection, of the following details:
- The purpose of the collection for use or disclosure of personal data, including any purpose for which personal data may be collected without the data subject’s consent under Section 24 of the Personal Data Protection Act.
- The possible effect in the case that the data subject refuses to provide his or her personal data, where the data must be provided in order to comply with a law or a contract, or to enter into a contract.
- The period for which personal data will be retained. If it is not possible to specify the retention period, the expected data retention period according to the data retention standard shall be specified.
- The categories of persons or entities to whom the collected personal data may be disclosed.
- The contact information of MEDEZE, such as address and contact channel details, and, where applicable, of MEDEZE’s representative or the DPO.
- The rights of the data subject (Details in Clause 4. Data Subject’s Right Protection Policy).
- MEDEZE shall not collect personal data without the consent of the data subject, unless:
- It is for the achievement of the purpose relating to the preparation of the historical documents or public interest, or for the purpose relating to research or statistics.
- It is for preventing or suppressing a danger to a person’s life, body or health.
- It is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
- It is necessary for the performance of a task carried out in the public interest by MEDEZE, or it is necessary for the exercising of official authority vested in MEDEZE.
- It is necessary for legitimate interests of MEDEZE or any other persons or juristic persons other than the company.
- It is necessary for compliance with the company policy.
- MEDEZE shall not collect personal data from any other sources, apart from the data subject directly.
- MEDEZE shall not collect personal data such as political opinion, religious or philosophical beliefs, sexual behavior, disability, trade union information, or any other information which may affect the data subject in the same manner as specified by the Personal Data Protection Committee.
3. Policy of Use or Disclosure of Personal Data
- MEDEZE shall not use or disclose personal data without consent from the data subject unless it is the data which falls within the exceptions to request consent under Section 24 or Section 26 of the Personal Data Protection Act.
- In the event that MEDEZE sends or transfers personal data to a foreign country, the destination country or international organization that receives such personal data shall have adequate data protection standards, and the transfer shall be carried out in accordance with the rules for the protection of personal data prescribed by the Personal Data Protection Committee.
- Disclosure of personal data to third parties may be done as necessary to comply with the purposes specified in this policy. MEDEZE may disclose personal data to the following persons:
- Agents of the affiliate company or related domestic or international company.
- Agents, contractors, or outsourced service providers who provide services to MEDEZE and the data subject, such as cargo shippers, storage and warehouse service providers, logistics service providers, document preparation and shipment service providers (including catalogues or birthday cards), consultants, doctors or medical specialists of the hospital or clinic that will treat the data subject, telecommunication service providers, information technology service providers, and marketing and promotion service providers. MEDEZE shall have appropriate measures to ensure that personal data is protected and kept secure by the third parties to whom MEDEZE discloses personal data, such as a confidentiality agreement under which the third parties have the right to use only the data specified in the agreement, or a Non-Disclosure Agreement to secure the confidentiality of the collected data.
4. Policy of Right Protection and Exercise of Data Subject’s Right
- The data subject may withdraw his or her consent at any time. The withdrawal of consent shall be as easy as giving consent. MEDEZE shall protect the rights of the data subject by providing data protection, considering the rights of the data subject, and informing the data subject of the consequences of consent withdrawal.
- The data subject has the right to access and request a copy of his or her personal data, or to request disclosure of the acquisition of personal data to which he or she has not consented. MEDEZE shall perform as requested; nevertheless, the request may be rejected where it is permitted by law or pursuant to a court order, and such access and obtaining a copy of the personal data would adversely affect the rights and freedoms of others.
- The data subject has the right to receive the personal data concerning him or her from MEDEZE. In the event that MEDEZE has processed such personal data into a format which is readable or commonly used by way of automatic tools or devices, the data subject also has the following rights:
- The right to request access to and obtain a copy of the personal data related to him or her which is under the responsibility of MEDEZE.
- The right to request MEDEZE to send or transfer the personal data to other Data Controllers.
- The right to object to the collection, use, or disclosure of the personal data concerning him or her, at any time.
- The right to request MEDEZE to erase or destroy the personal data, or anonymize the personal data to become the anonymous data which cannot identify the data subject.
- The right to request MEDEZE to restrict the use of the personal data.
- The right to request MEDEZE to ensure that the personal data remains accurate, complete, and up-to-date.
- The right to complain to MEDEZE or the Personal Data Protection Committee when MEDEZE violates any right and causes any damage to the data subject.
- The right to request the disclosure of the acquisition of the personal data obtained without his or her consent.
- In the event that the data subject needs to make a request, the request shall be made in writing. MEDEZE shall do its best to perform within an appropriate period of time, not exceeding the time specified by law.
- Personal data under clause 4.3 shall be data which the data subject has consented to the collection, use, or disclosure of under the Personal Data Protection Act, or whose collection is permitted under the exceptions to consent in section 24.
- The exercise of the rights of the data subject in clause 4.3 shall not apply to the sending or transferring of personal data by MEDEZE in the performance of a task carried out in the public interest or for compliance with law, or where such exercise of rights would violate the rights and freedoms of others. In the event that MEDEZE rejects the request for such reasons, MEDEZE shall make a record of the rejection of the request, together with the reasons, in the record prescribed in section 39.
- The data subject has the right to object to the collection, use, or disclosure of the personal data concerning him or her, at any time.
- The data subject shall have the right to request MEDEZE to erase or destroy the personal data, or anonymize the personal data to become the anonymous data which cannot identify the data subject.
5. Policy of Security Protection of Personal Data, Data Destruction Specified by the Laws, and Procedures for Data Collected Prior to the Act.
Security Protection Measures of Personal Data
- MEDEZE collects personal data in the information system and stores the original documents in a safe place, with appropriate security measures for preventing the loss, unauthorized or unlawful access, use, alteration, correction, or disclosure of personal data. Such measures shall be reviewed when necessary, or when the technology has changed, in order to efficiently maintain appropriate security and safety.
- MEDEZE has set up an account system for document withdrawal, requiring permission from a superior (Chief/Manager) before using the information or document. Each department shall have an operation manual concerning document requests and document retention, clearly provided to employees step by step.
- The responsible staff audit the information system regularly, perform data backups, maintain backup media in an appropriate place that is not at risk of a data breach, and test data restoration. MEDEZE has established backup and recovery measures in the Information Technology Security (IT Security) Procedure.
- MEDEZE erases the data every time laptops or portable communication devices are changed or handed over, sets up passwords for computer access, and backs up data in the system whenever new staff join. Moreover, an antivirus program is installed on each laptop to prevent data theft, and the information security risks are audited and assessed every quarter.
- In the event of a data breach, the Data Protection Officer (DPO) appointed by MEDEZE shall notify the Personal Data Protection Committee within 72 hours after becoming aware of it, unless such personal data breach is unlikely to result in a risk to the rights and freedoms of the persons. If the personal data breach is likely to result in a high risk to the rights and freedoms of the persons, the Data Protection Officer shall also notify the data subject of the personal data breach and the remedial measures without delay.
- Remedial measures in the case of data breach shall be in accordance with the rules and methods prescribed and announced by the Personal Data Protection Committee.
MEDEZE performs risk management to control and secure personal data in compliance with the standard. The risks are defined in the risk management report proposed to the Management Meeting and the Board of Directors every quarter. The personal data protection risks in the risk management report, with primary details, are as follows:
- Risk 1: Personal Data Protection Risk Assessment
- Risk 2: Collection, Use, or Disclosure of Personal Data
- Risk 3: Operational Surveillance
- Risk 4: Preventive Actions for Data Leakage and Violation Report
- Risk 5: Data Sending or Transfer
- Risk 6: Operations per Data Subject Request
MEDEZE performs personal data risk assessment, monitors and limits users’ authorized access, and controls the careful use or disclosure of sensitive personal data such as religion, disability, etc. MEDEZE has also established preventive measures against data leakage, and remedial measures in the event of a data breach. Sending or transferring personal data requires adequate personal data protection standards for both sender and recipient (domestic/international), and the rights of the data subject shall be observed in accordance with the law. Details of personal data risks are included in the risk management report of every quarter.
Personal Data Deletion per Specified Period of Time
- MEDEZE puts in place an examination system for personal data erasure or destruction after the retention period ends. Customers’ personal data collected in the electronic system, and important documents such as the Hire Purchase Agreement and other related documents, shall be retained per the agreement’s terms and conditions. When an account is completely closed, MEDEZE may retain some accounting data for 5 more years. MEDEZE shall destroy the contract document and unnecessary information which is not needed for accounting or management statistics, such as ID card copies and other identity documents, using paper shredders.
- In the event that the customer violates the agreement, leading to litigation or prosecution, MEDEZE shall retain documents and the database in the system for use in litigation until final judgment and full payment of the debt, and shall then destroy such personal data.
- According to the Accounting Act B.E. 2543 (2000), MEDEZE shall retain accounting and tax information for not less than 5 years.
- The Data Protection Officer (DPO) appointed by MEDEZE is responsible for ensuring that each party destroys the personal data documents within the specified period or at an appropriate time.
- Personal data deletion or destruction per request: see details in clause 4.7.
The data subject may submit a request for personal data access per the Policy of Right Protection and Exercise of Data Subject’s Right (Clause 4.3.9) by email, phone call, or in person (in the event of a request submitted in person, the officer shall ask the data subject to make the request in a written document, so that MEDEZE can perform correctly as requested, and the document can be used as evidence required by law), or in any written format, to:
- Address: MEDEZE Cosmeceutical Co., Ltd. 28/9 Moo 8, Phutthamonthon Sai 4 Road, Krathumlom, Samphran, Nakhon Pathom 73220
- Phone number: (+66)9 1599 9999
- Email: firstname.lastname@example.org