Data Privacy Policy
Ubis (Asia) Public Company Limited. and Ubis Primatech Company Limited.

       Ubis (Asia) Public Company Limited. and Ubis Primatech Company Limited. (hereinafter referred to as the “Company” or “we” or “us”) recognize the importance of personal data protection (Data Privacy) of the data subject, who is an employee, a staff member or job applicant of the Company, which is considered a fundamental right under the law. This policy shall establish the rules for setting up a system to strictly control and supervise the security of the personal data of the data subject and the data processing, including collecting, using or disclosing the personal data transparently and in compliance with the standards set forth by the governmental agencies. The purpose of this privacy notice is to inform the data subject about our practices regarding your personal data, such as collection, use and disclosure, as well as the rights of the data subject and so forth. Accordingly, this policy shall be applied to all activities of the Company in connection with the personal data.

1. Definition

       In this Policy,

       “Company” means Ubis (Asia) Public Company Limited. and Ubis Primatech Company Limited.;

       “Person” means a natural person;

       “Personal Data” means any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular;

       “Sensitive Data” means any personal data that may lead to unfair discrimination, which in this policy means race, religious beliefs, sexual behavior, criminal records, health data, disability, genetic data, biometric data, or any data classified as such by law;

       “Incompetent Person” means a person who is a minor, an incompetent person or a quasi-incompetent person subject to the Thai Civil and Commercial Code;

       “Data Protection Officer” means a person appointed by the Company to work as a data protection officer under the Personal Data Protection Act B.E. 2562;

       “Data Subject” means a natural person who is a personnel, staff, employee, job applicant or any related person, customer, service user, website visitor, visitor of the Company’s mobile application, including executive of the Company and any person who has a legal relation with the Company, hereinafter referred to as a “Data Subject”;

       “Website” means a website of the Company which belongs to the Company or service provider, as the case may be;

       “Application” means any applications provided by the Company, in addition to the applications that have been changed, updated or supplemented thereafter;

       “Data Controller” means the Company having the power or duties to make decisions regarding the personal data, obtained from the Data Subject or a service provider of the Data Subject or the performance of a contractual obligation with the Data Subject, whether directly or indirectly;

       “Data Processor” means a person or juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller;

       “Collection” means an acquisition of personal data;

       “Data Processing” means any actions which act on the personal data, whether by automated method or not, such as collecting, recording, organizing, storage, use, disclosing, changing or any other actions causing an availability, compilation, or destruction of personal data.

2. Objectives

       This policy is provided to protect personal data of the Data Subject, who transacts, uses a service, or has an interest with the Company, under the following objectives:

  1. 2.1. To define the roles and duties of organizations, executives, personnel involved in the personal data.
  2. 2.2. To determine procedures, security measures or other measures to protect the personal data pursuant to the law.
  3. 2.3. To establish a performance guideline of personnel related to the data processing or other operations in relation to the personal data.
  4. 2.4. To build confidence in the security of personal data among persons, customers, partners, service users, as well as other persons who have an interest or are involved in the personal data.

3. The Collection of Personal Data

       The collection, use or disclosure of personal data shall be consistent with the principle of personal data protection as required by the law, that is

  1. (1) the personal data shall be collected, used or disclosed with lawfulness, fairness and transparency
  2. (2) the personal data shall be collected, used or disclosed subject to the objectives specified by the Company and the Company shall not use or disclose the personal data under limited purposes where is provided therein
  3. (3) the personal data shall be collected, used or disclosed sufficiently, relevantly and as necessary for the purposes of such collection, use and disclosure (Data Minimization)
  4. (4) the personal data shall be collected, used or disclosed accurately and up-to-date, as it is necessary (Accuracy)
  5. (5) the personal data shall be collected, used or disclosed as it is necessary (Storage Limitation) and,
  6. (6) the personal data shall be collected, used or disclosed under appropriate security measures (Integrity and Confidentiality), nonetheless, the collection, use or disclosure of personal data shall be carried out pursuant to the purposes and only where necessary under the limited purposes, or for the direct benefits related to the purposes of collection, which will be notified to the Data Subject prior to or at the time of collection of personal data, including the details as follows:
    1. 3.1 The Company will collect personal data for the purposes
      1. (1) for providing services, improving services and quality of sale, carrying out marketing activities, education, data analysis, and to improve the quality of company service to be more efficient
      2. (2) for the benefit of the Data Subject, to offer a privilege pursuant to the interest of the Data Subject
      3. (3) for the procurement regarding personnel activities and,
      4. (4) for legal obligations and if there is any change of new objective, the Company will inform the Data Subject instantly.
    2. 3.2 The Company will collect personal data, such as first name, surname, address, date of birth, gender, educational background, phone number, E-mail, Identification number, credit or debit card information, bank account number or other information regarding banking or payment, IP number, service number, Cookies, MAC Address, service account, service usage information, record of communication between the Data Subject and the Company and any other information that may occur while using the service with the Company, etc. Personal data will be retained for a period as necessary for the purposes of data processing and in accordance with applicable law. After such a period expires or the Company has no right to retain, or the Company is unable to claim a lawful basis for data processing of personal data, the Company will destroy such personal data by appropriate and legal means.
    3. 3.3 In the event that the data subject has to provide personal data to comply with the law or contract, or to enter into a contract, the Company will also notify the significant effect of not providing personal data to the data subject.
    4. 3.4 The Company may disclose personal data collected to individuals or entities, such as disclosure of data by law, security, providing services, etc. This must be disclosed only to the extent necessary.
    5. 3.5 The Company will collect personal data of the data subject directly when consent is given by the data subject, whether voluntarily or expressly, and by one of the following methods:
      1. 3.5.1 Service request form or the process of submitting a request for the exercising of rights.
      2. 3.5.2 Questionnaire survey or e-mail correspondence.
      3. 3.5.3 Via the Company’s Website or Mobile Application of the Company.
      4. 3.5.4 SMS
      5. 3.5.5 Other communication channels between the data subject and the company as provided by the Company.
    6. 3.6 The Company has a Cookies Policy as specified by the company.
    7. 3.7 Some of the personal data collected by the Company may be sensitive data, for which the Company will request express consent, for example, race, religious beliefs, health data, criminal records, labor union etc. The Company will collect these data where necessary, abiding by the laws and regulations. In obtaining consent, the Company will request consent from the data subject prior to or at the time of collection, use and disclosure of personal data; unless,
      1. 3.7.1 For the achieving of education, research or statistics, to protect the right and freedom of data subject;
      2. 3.7.2 For preventing or suppressing a danger to life, body or health of data subject or other persons;
      3. 3.7.3 For the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract;
      4. 3.7.4 For the performance of a task carried out in the public interest or for the exercising of official authority;
      5. 3.7.5 For legitimate interests overriding all the Company’s operation;
      6. 3.7.6 For the compliance with the judgement adjudicated by the court or required by the law, such as Communicable Disease Act, Computer-related Crime Act, Cyber Security Act, Anti-money Laundering Act and so forth;
      7. 3.7.7 It is regarded as a legally public information.
    8. 3.8 In the event that the data subject provides personal data of any third parties, i.e., spouse, family members or friend etc. to the Company, for example, by specifying them as an emergency address contact, the data subject shall certify and warrant that the data subject has consent to the collection, use and disclosure of such personal data as set forth in this policy.
    9. 3.9 In the event that the company collects, uses or discloses the personal data on the ground of consent basis or express consent, the request of consent must be carried out expressly, either in written form or through an electronic system; unless on the condition that a consent cannot be given by such means. In obtaining a consent, the Company shall inform the objectives of collection, use or disclosure of personal data and the request must be clearly separated from other content with a form or statement which is easily accessible and understandable, including using simple language that is clearly comprehensible and does not deceive or mislead the data subject as to such objectives.

       In obtaining the consent of data subject, the Company will consider the independence of data subject giving a consent, entering a contract, or providing any service by the Company without non-necessary conditions or not relevant entering a contract or providing that service. Furthermore, the data subject may withdraw a consent given to the Company at any time by any convenient means; unless there is a restriction on the right to withdraw consent by the law or contract benefiting to the data subject. Although the withdrawal of consent does not affect the previous collection, use or disclosure of personal data given a rightful consent, the Company will accordingly notify the data subject of the impact of consent withdrawal in the case that such withdrawal affects the data subject in any respect.

       To obtain a consent of minor to collect, use or disclose personal data, who is underage by marriage or has reached the age of majority under Section 27 of the Civil and Commercial Code, incompetent, quasi-incompetent person, or the withdrawing of consent of such persons, the Company will proceed in accordance with the laws on personal data protection.

4. Use and Disclosure of Personal Data

       Use or disclosure of personal data shall be according to the purposes or as necessary for the direct benefits related to purpose of collection. The Company may disclose the personal data of data subject to any persons, agencies or to any third person, such as the Department of Labor Protection and Welfare, Legal Execution Department, Student Loan Fund, Technology Crime Suppression Division, or security agencies, etc., only where necessary and required by the law.

5. Objectives of Personal Data Processing

        The Company processes the personal data under the objectives and legal basis as follows:

  1. 5.1. Processing data on the contract basis, for example,
    1. 5.1.1 When customers, contractual parties and service users contact about the service or entering into a contract with the Company, it is necessary to request for the personal data of such persons to the Company for processing to provide a service, enter into a contract, communicate with such persons, follow up and notify about the performance of the contract.
    2. 5.1.2 Upon the recruitment with the Company or conducting a transaction related to the Company through any channels, personnel are required to provide their personal data to the Company in order to process regarding selection, approval of employment, calculation of entitlement under the employment contract, due date for a payment, salary, communication with personnel and notification of benefits and rights that have been changed, answering inquiries and other notification of changes.
  2. 5.2. Processing data on the consent basis, for example,
    The Company may use the personal data of the customers, contractual parties, and service users for processing in order to enter into a contract with such persons. The Company may require processing sensitive data appearing on the identity documents (e.g., religion) for the purpose of person identification, and to assist a person in the event that such person is ill or needs emergency assistance, including to facilitate personnel with regard to life insurance. However, the Company will not process such personal data without the consent of customers, contract parties, service users and personnel.
    Additionally, provided that customers, contractual parties, service users and personnel desire to withdraw their consent in data processing thereon, customers, contractual parties, service users and personnel may contact the Company to request for the withdrawal of consent.
  3. 5.3. Processing data on the legitimate interest of data controller basis, for example, the Company processes the personal data of its customers, contractual parties and service users for business administration and relationship management, including but not limited to, issuing an invoice in accordance with the internal records, internal management, audit, reporting, submission or filing requirements, data processing or other related or similar activities. However, the Company may process the personal data for the management and internal reporting of the Company, maintaining the work and service standards, tax and risk management, auditing, submission or filing the information, data processing or other related or similar activities.
  4. 5.4. Processing data on the legal obligation basis, the Company may use personal data of customers, contractual parties and service users to process in compliance with the applicable laws or orders of legal authorities according to the obligations prescribed by law and/or internal processes, fraud detection, legal or other regulatory investigations.
    In addition, the Company may process the personal data of personnel in compliance with laws on employment and business operations, such as, Labor Protection Act B.E. 2540, Student Loan Fund Act B.E. 2560, Thai Provident Fund B.E. 2530 etc., as well as any other laws required for a disclosure of personal data.

6. Security for Personal Data

       For the benefit of confidentiality, integrity, and availability of personal data, the Company has established and implemented measures to maintain the security of personal data as follows:

  1. 6.1 Providing the authentication measures, determining the rights (Authorization), and recording all activities (Accounting) concerning accessing, using, disclosing, and processing personal data in accordance with the Information Security Policy provided by the Company strictly.
  2. 6.2 In the event that the Company sends or transfers personal data to other countries or retains the personal data to other databases located in other countries, the sufficient measures for personal data protection or equivalent to measures under this policy shall be provided, unless it is required by law or under the consent of data subject.
  3. 6.3 In case of violation of the Company's security measures and causing a violation of personal data or leakage of personal data to the public, the Company will notify the data subject immediately, including informing of the remedy of damage from such violation or leakage; provided, a failure of the Company affecting the rights and freedoms of data subject. Nevertheless, the Company shall not be liable for any damage arising from the use or disclosure of personal data to third parties, including but not limited to, neglect to log out from the system by data subject or any actions of the data subject or other persons pursuant to the consent of data subject.
  4. 6.4 The Company has established regulations for all personnel obligated when accessing personal data of customers, contractual parties, service users and personnel. The persons, who can access such personal data, will be the person required to be informed to perform their duties only, such as, personnel of human resources section or personnel who supervises and manages a contract between the Company and parties, etc.
  5. 6.5 The Company conducts a review and evaluation of the efficiency of computer systems to maintain the personal data effectively.

7. Roles and Responsibilities

       The Company requires personnel or agencies related to personal data to pay attention and be responsible for collecting, using, or disclosing personal data pursuant to the Company's personal data protection policies and practices strictly by assigning the following persons or agencies, to supervise and examine that the Company's activities correctly and legally subject to the policies and laws on personal data protection.

  1. 7.1 Board of Directors shall be responsible for:
    1. 7.1.1 Establishing the policies and practices for personal data protection and privacy.
    2. 7.1.2 Supervising the implementation of policy in a concrete manner.
  2. 7.2 Executives at all levels shall be responsible for:
    1. 7.2.1 Providing rules and regulations to collect the personal data appropriately for each company in accordance with the policies, practices, laws and international standards.
    2. 7.2.2 Arranging a responsible person, such as, agencies or personnel who is responsible to oversee the operations in accordance with the regulations.
    3. 7.2.3 In the event that the Company employs a natural person or juristic person in order to carry out the processing of the data, a standardized data protection system shall be provided for screening.
    4. 7.2.4 Supervising the implementation of policies, guidelines and regulations, as well as developing and improving such implementation to be more efficient and also ensuring that there is a performance report provided pursuant to such policies, guidelines and procedures.
  3. 7.3 Section or person designated as a collector, user or discloser of personal data shall be responsible for:
    1. 7.3.1 Operating and controlling the processing of personal data, including notification, requesting for a consent, collecting, using, or disclosing of personal data in accordance with the regulations of personal data protection and as required by the law.
    2. 7.3.2 Implementing and controlling the appropriate security measures, to prevent loss, access, use, alteration, or disclosure of personal data without authorization or misuse of personal data as set forth in the regulations of Personal Data Protection, including notifying the data controller to be aware of the incidents of personal data breaches.
    3. 7.3.3 Operating and controlling the deletion or destruction of personal data after the retention period has expired, or that is not related to or beyond the necessity for the purposes collected or as requested by the data subject.
    4. 7.3.4 Checking and controlling the personal data to be accurate and up-to-date.
    5. 7.3.5 Immediately notifying the PDPA working group when there is any violation of personal data.
    6. 7.3.6 Controlling data records and reporting to relevant person who is responsible for it.
    7. 7.3.7 Assessing the risk concerning the personal data which is under their responsibility, managing and implementing a measure for reducing risk.
  4. 7.4 The PDPA working group shall be responsible for:
    1. 7.4.1 Providing advice to the data controller or data processor, including employees in connection with the compliance with the Personal Data Protection Act.
    2. 7.4.2 Examining the operations of the data controller or data processor regarding the collection, use or disclosure of personal data complying with the law.
    3. 7.4.3 Coordinating and cooperating with the Office of the Personal Data Protection Commission in case of issues concerning the collection, use or disclosure of personal data carried out by the data controller or data processor.
    4. 7.4.4 Maintaining the confidentiality of personal data perceived or acquired in the course of performing their duties.
  5. 7.5 Data Protection Officer shall be responsible for:
    1. 7.5.1 Providing advice in various fields relating to the protection of personal data for executives, employees, and business partners of the Company.
    2. 7.5.2 Supervising and monitoring the operations of data controller and data processor.
    3. 7.5.3 Coordinating and cooperating with the Office of the Personal Data Protection Commission; supposing that, there is a problem concerning the collection, use or disclosure of personal data of the Company, its customers, its partners, or any other related person.

8. The Rights of Data Subject

       The Company provides a channel and facilitates the data subject or the person having the authority to act on his/her behalf in exercising the rights of data subject in accordance with the law on personal data protection, which entitles the data subject to exercise his/her rights as follows:

  1. 8.1 Right to access and request a copy of personal data, which is under the responsibility of the Company, as well as request for disclosing the acquisition of personal data that have not obtained the consent given by the data subject.
  2. 8.2 Right to data portability by requesting for the personal data which is collected by the Company; provided that such personal data is in readable form or common use by general or automatic equipment and can be also used or opened automatically, including the right to request for the personal data to be sent or transferred directly to another data controller, unless it is unable to do so due to a technical condition.
  3. 8.3 Right to object to collect, use or disclose the personal data.
  4. 8.4 Right to erase, destroy or de-identify the personal data of data subject.
  5. 8.5 Right to restriction of personal data processing.
  6. 8.6 Right to rectification by requesting the Company to rectify the personal data to be complete, accurate, up-to-date and non-misleading.

Subject to the applicable laws, the Company may refuse such an exercising of data subject rights or his/her authorized person; provided that, it is not against the law.

9. Improvement, Review or Amendment of the Data Protection Policy – Human Resources

       The Company may update, review, or amend this policy, whether in whole or in part or from time to time, to be consistent with the law, rules and regulations of authorized authorities, and the Company’s operations; provided that, this policy is amended.

10. Enforcement of Privacy Policy

       This policy is applied to all personal data collected, used and/or disclosed by the Company, which is entitled by the Data Subject to the Company to collect and use such personal data (if any), together with any personal data that is currently collected and will be further collected in the future, in order to use or disclose to other persons pursuant to the scope and objectives stated herein.

11. Hiring of Data Processing

       The Company has established guidelines for entering a contract for personal data processing with a third party or juristic person, who is a personal data processor, as follows:

  1. 11.1 Prior to hiring a data processor, the Company must assess the service provider systems and personal data protection practices. Supposing that the service provider has no security system or such system is inadequate for entering into a contract, the data processor shall require the service provider to comply with the regulations or announcements specified by the Company.
  2. 11.2 The purpose of employment contract must be specified objectives, retention method, notification of the data subject, using, transmitting, transferring of data, and disposing or erasing the data.
  3. 11.3 The parties must sign a Data Processing Agreement (DPA) in accordance with the law or as specified by the Company's regulations.
  4. 11.4 Upon the hiring of data processor, the Company shall control its processing following the objective of hiring and control its operation in accordance with the relevant guidelines.
  5. 11.5 When the data retention period expires, the Company shall monitor and control the service provider to process that personal data, as well as to delete, destroy, or de-identify data (Anonymized Data) in accordance with the rules and regulations prescribed by the Company or agreed upon.

12. Training

       The Company recognizes the importance of training, provided to educate, and raise awareness concerning the compliance of personal data protection, to executive and all personnel. It is also an obligation of all supervisors to assign personnel related to the personal data in their sections to attend the training strictly, in connection with assessment and follow-up to ensure that such personnel will be able to perform their duties completely and accurately as required by the laws on personal data protection.

13. Privacy Notice of Other Website

        This Privacy Policy is applied only to the services of the Company and use of the Company's website. If the customers, contractual parties, service users and personnel have clicked to other websites (even through the Company's website), this policy and the terms and conditions of the Company shall not be binding to such customers, contractual parties, service users and personnel. In this regard, the customers, contractual parties, service users and personnel shall advise and abide by the privacy policy appearing on that website by themselves. The Company shall not be liable for the content or operation of such website, as it is not provided by the Company.

14. Personal Responsibility

       The Company appoints a person or agency who is related to the personal data. Such person or agency must pay attention to the importance and responsibility of collection, use or disclosure of personal data in accordance with this Privacy Policy strictly. Any intention or negligent ordering or performing their duties are considered as a violation of this policy and our personal data protection practices; provided, and/or any damage occurred, such person shall be punished pursuant to the Company’s rules and regulations, in addition to being subject to legal penalties stipulated for such offense. Nevertheless, if such offense causes damage to the Company and/or any other person, the Company may consider proceeding further legal action.

15. Contact Us

        If there is reasonable reason to doubt or believe that there is any violation of personal data, complaint, or the exercise of Data Subject rights under this policy or the Personal Data Protection Act B.E. 2562, you can contact the company by:

Head of working group on Personal Data Protection Act
Phone : (+66)2-683-0008
Fax : (+66)2-294-2013
E-mail : DPO@ubisasia.com