ANCOR Thailand
Data Protection Policy
Date of Issue: 20 January 2021
Introduction
This is the Data Protection Policy for Parker Bridge Recruitment Co., Ltd. and Ancor Outsourcing Co., Ltd. (“ANCOR Thailand”). This policy set out ANCOR Thailand’s approach to implementing and maintaining an effective data protection program and practices and ensure compliance with data protection law in Thailand, Thailand Personal Data Protection Act 2019 (Thailand PDPA), and other jurisdictions where relevant. It applies to personal information processed or held by ANCOR Thailand’s business and operations.
Personal Identifiable Information (PII) is any information related to an identified or identifiable natural person, or Data Subject, and Sensitive PII is more intimate personal data relating to specific areas: religious & philosophical beliefs, health, sexual orientation & preferences, political and trade union memberships, crime & justice, ethnicity & race, biometric & genetic information. PII and Sensitive PII must be protected according to Thailand PDPA. The data processing includes collection, store, use and disclose of PII and Sensitive PII.
ANCOR Thailand will maintain a privacy and compliance framework that assures effective privacy risk management, and establishes and maintains internal practices, procedures and systems that demonstrate compliance with the relevant legislation and regulations.
Data Protection Principles
All data processing of personal data must be fair, lawful and transparent and comply with the following principles:
Lawfulness, fairness and transparency: PII and Sensitive PII will only be processed with legitimate business purposes and comply with regulatory requirements. Individuals will be made aware of the processing to their data, unless there is a lawful and reasonable basis for not doing so.
Purpose limitation: Personal data will only be processed where it is necessary for specified, explicit and legitimate business purposes, and not further processed without the consent of the individual in a manner that is incompatible with those purposes.
Data Minimization: PII processed must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected or processed.
Data Accuracy: Adequate measures will be taken to ensure personal data are accurate and, where necessary, kept up to date. Any significant set of records or database containing personal data will be owned by a specified Business Leader.
Storage limitation: PII and Sensitive PII must be kept in a form which is authorized for no longer than is necessary for the purposes for which the data are processed and comply with regulatory requirements.
Data Security: PII and Sensitive PII must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. (refer to Appendix G - Data Protection Technical Measures.)
Accountability: ANCOR Thailand will maintain a privacy and compliance framework that assures effective privacy risk management, and establishes and maintains internal practices, procedures and systems that demonstrate compliance with the relevant legislation and regulations.
Data Processing
The data processing of ANCOR Thailand covers these three main areas, Recruiting Services, Outsourcing Services and internal supporting processes. Refer to Appendix A - Data Flow and Appendix B - Data Processing Activities as of 20 January 2021.
Marketing
Marketing communications will be sent directly to individuals when the service relates to similar services that an individual has previously contracted or shown an interest in, and the individual has not indicated that they do not wish to receive marketing communications or the individual has provided a specific consent to receive marketing message
Data Subject Rights
Data Subject is the individuals who are the subject of the personal data being processed and/or collected and they have rights to exercise according to Thailand PDPA. ANCOR Thailand has a process and procedure to allow individuals to exercise their rights in the following ways:
- To know what information about them
- To receive a copy of their personal data
- To rectify or correct their information
- To erase or destroy their information
- To restriction of processing their data
- To withdraw their consent given
- To receive the data concerning them in the readable and common format
- To know the source of personal data used to directly market to them
- To exercise the right to object the collection, use, or disclosure of the Personal Data concerning them
Refer to Appendix C - Data Subject Access Right Procedure.
Training
All employees will receive adequate data protection matters to ensure they have an awareness of Thailand PDPA and data protection principles and related areas as appropriate. Refer to Appendix D - Data Protection Awareness Training Pack
Data Breach
ANCOR Thailand will maintain the procedure to ensure any data breach which may result in serious harm and risk to individuals and their rights is reported to Thailand PDPA Authority within 72 hours and to the data subject if the event causes a high risk to the individual. Refer to Appendix E - Data Breach Report Procedure
Third Parties
Any processing of personal data by a third party on behalf of ANCOR Thailand will be governed by a written agreement commensurate with the levels of service that provides sufficient assurances that appropriate technical and operational measures exist. The vendor list shall be reviewed and maintained on a regular basis. Refer to Appendix F - Third Party Data Protection Controls and Appendix G - Data Protection Technical Measures.
International Data Transfers
International transfers of personal data between ANCOR Thailand and ANCOR HQ will be governed by internal agreements that provide mutual assurance of the safeguards in place to protect personal data. International transfers of personal data to external parties should be governed by an enforceable contractual arrangement that requires the recipient to protect personal data and individual’s rights to the same extent set out in this Policy.
Appendix A - Data Flow and Appendix B - Data Processing Activities (as of 20 January 2021) Refer to the data processing activity ID in the data flow diagrams in Appendix A, the data processing activities can be shown in the table here. Their more details are documented in the Data Processing Activities excel file.
Recruiting Services
Internal Supporting processes
Appendix C - Data Subject Access Right Procedure
Appendix D - Data Protection Awareness Training Pack - in the separate document.
Appendix E - Data Breach Report Procedure
