Personal Data Protection Policy

 Meta Corporation Public Company Limited

Clause 1 Rational Criterion

Personal Data Protection Act B.E. 2562 (2019) was established for protection of personal data to be more efficient and putting forth efficiency measures to remedy personal data subjects from infringement of personal data rights. In this regard, the enactment of this act duly complies with the conditions provided in section 26 of the Constitution of the Kingdom of Thailand

Meta Corporation Public Company Limited is committed to conduct business with ethics, respect and responsible to comply with all applicable laws which the company was aware of the privacy information regarding with personal information and herein committed to protect personal data. The company announces this policy to be a principle of personal data protection and was acknowledged of required safeties in proceeding transactions and retention of personal data. Therefore, we respect the right of personal data of individuals and protect personal data by establishing policies, regulations and various criteria in operating work with strict measures to protect the security of personal data and also to ensure the personal data that the company obtained will be applied to meet individual requirements and legitimate.

Clause 2 Personal data

2.1     Collection of personal data

The company might collect personal data in many channels i.e.

  • When the data subject applies for a job with us through website or by phone including as an employee of the company, the company requests to know the necessary information in applying job as follows: name, surname, telephone number, email address, education history, etc.
  • When the data subject makes inquiries or interested in the Company’s services, the company may request information about the owner of the information, such as name, email, phone number, etc.
  • The company may store log files of the data subject by storing information as follows: IP number (IP Address) or access time, etc.

2.2     Personal data

Means any information relating to a person which enables the identification of such person, whether directly or indirectly such as

  • Personal data that individuals provide to the company directly or receive through other channels which caused by using service, visit, search, digital channels, website, call center, assigned person, or any other channel
  • Personal data that the company obtained or accessible from a source other than directly from you, such as parents, children, spouses, siblings, government agencies, companies in the financial business group, financial institution, financial service provider, business partner, credit information company and data service providers, etc., the company will collect information from other sources under your consent as law required unless necessary as permitted by law for the personal data to be collected, use and/or disclose such as
  • Personal data i.e. name, surname, age, birth date, marital status, identification no., passport no.
  • Contact information i.e. address, workplace, telephone no., email, id line
  • Financial information i.e. bank account no., financial history, list of securities holding of oneself and related persons (father, mother, son, daughter, spouse, siblings)
  • Transaction information such as bank statement, payments, loaning, investing in securities of oneself and related persons (father, mother, son, daughter, spouse, siblings)
  • Information of equipment or tools i.e. IP Address, MAC Address, Cookie ID
  • Other information such as website usage, sound, photographs, animation and any other information that is considered as personal data under Privacy Law
  • Cookies; company website may use cookies in some certain instances. Cookies are small files that store information that is exchanged between the data subject’s computer and our website. We use specific cookies to store information that may be useful to the data subject for the next time return to the company’s website. When the data subject uses the web browser service, the data subject can set to accept all cookies or reject all cookies or notify the data subject when cookies are being sent. The data subject can go into the menu settings “Help” in the browser to learn how to change the data subject ‘s use of cookies. Please note that disabling cookies may affect the use of certain services of data subject.

2.3     Sensitive Data 

means any information relating to a particular person that the law required as specific law which includes data regarding sexual behavior, health data, political opinions, religious or philosophical beliefs, etc. which the company will only gather, use and/or disclose personal data that have sensitivity under express consent from the particular person only or in case that the company have necessity to disclose personal data under permitted law which the company might gather, use and/or disclose personal data, biometric data such as fingerprint copy  for the purpose of proving and confirming the identification of a person that enter the company’s area (Hereafter in this Policy, if not specifically stated, personal data and sensitive personal data regarding with the particular person as above mentioned will be referred together as “Personal data”)

Clause 3 Objectives and details of collecting, usage and/or disclose personal data

The company shall collect personal data for the purpose of benefit in operating business according to its objective including compliance with the legal obligations that the company or a person shall comply with as well as for any purpose that prescribed in this policy as follows.

3.1     For the company to operate business according to its objectives

3.2     To comply with the related law or legal obligation) such as

  • To comply with the order of authority person
  • To comply with the financial institution’s law, Security of Exchange Commission’s law, Life insurance’s law, non-life insurance’s law, tax law, anti-money laundering law, Terrorism and Proliferation of Weapons of Mass Destruction Financing law, computer law, liquidation law, and other law that the company shall comply with for both domestic and overseas as well as announcement and regulations that notified by the law as mentioned.

3.3     To operate necessary work under the Legitimate Interest without exceeding the limits that a person can expect reasonably such as

  • Recording CCTV when exchanging access card before entering the company’s area
  • Maintain relationship with clients such as managing complaints, evaluating satisfaction, customer care service by the company’s employee
  • Manage risk, supervise auditing, internal management
  • Making personal data to be a data that can’t specify personal identification (Anonymous Data)
  • Prevent, encounter, reduce risk that might occurred from corruption, cyber threats, default of loan payment or contract (such as liquidation), lawbreaking (such as money laundering, Terrorism and Proliferation of Weapons of Mass Destruction Financing, offence in assets, life, body, freedom or reputation) including sharing of personal data in order to raise the work standard in office for protection, encounter, reduce risk as above mentioned
  • Collecting, usage and/or disclose of personal data of directors, authorized person, representative of client’s juristic person
  • Contact, recording videos, voice in the meeting, seminar, recreation, or exhibition booth
  • Collecting, usage, and/or disclose of personal data of the person whose court has a receivership order
  • Receiving-Sending parcels

3.4     Personal data that the company classified according to the legal base as follows

  • Contract
  • Vital Interest
  • Legal Obligation
  • Public Task
  • Legitimate Interest
  • Consent

If there has any changes in objectives of personal data usage (legitimately), the company shall inform within 30 days

3.5     For personal data that the company use for saving log, personal data of each department shall save log according to usage as follows

  • If general use according to company’s objectives, you don’t have to save log in personal data usage
  • If usage of data was aside from the objectives, it shall have personal usage record by adding usage objectives and request consent from the personal data subject once again
  • In case of personal data usage that is essential and use occasionally, saving of usage log shall be considered in order to keep user’s data and to be acknowledged in usage details
  • Has access log for examining accessors, usage time, so that if any data leak, it will be traceable
  • Has access control that limit person’s access in using personal data

Clause 4 Evaluation of data by outsiders

The company may need to send or transfer personal data to third parties to evaluate, the company will take care of the transmission or transfer of personal data in accordance with law and will take measures to protect personal data that deems necessary and appropriate comply with confidentiality standards such as Data fragmentation before sending personal data, having a confidentiality agreement with the recipient of such information, or the company may choose to implement a personal data protection policy that has been audited and approved by the relevant legal authority and will proceed to transmit or transfer personal data to third parties to evaluate in accordance with the aforementioned personal data protection policy instead of proceeding according to legal required.

Clause 5 Disclosure of personal data

The company may disclose personal data to others under the consent of individual according to consent form or under the principal of law permission to disclose

Clause 6 Transmission or transferring of personal data to other countries

The company may need to send or transfer personal data to company networks that are in other countries or to other recipients of data which is a part of the company’s normal business operations, such as sending or transferring personal data to a server / cloud in different countries.

In the event that the destination country has insufficient standards, the company will take care of transmission or transferring of personal data in accordance with the law and will take measures to protect personal data that deems necessary and appropriate in accordance with confidentiality standards such as  confidentiality agreements with recipients in that country or if the recipient is a company in the company’s network in other countries, the company may choose to have a Personal data protection policy reviewed and approved by the relevant legal authority and will proceed to transmit or transfer personal data to the company

The company’s network in overseas can be complied with the personal data protection policy instead of proceeding as prescribed by law

Clause 7 Cookies policy

When you enter our website, any information related to your access to this website will be stored in the form of cookies. This Cookie Policy explains its meaning, functionality, purpose, including deleting and refusing to store cookies of your privacy. By accessing this website, it deems that you provide consent to our use of cookies in accordance with the cookie policy detailed below.

7.1    What is cookie

Cookies are small files collecting information by storing on computer device and / or communication device accessed by you, such as tablet, smartphone via web browser while entering our website. Company’s website may use cookie in some cases. Cookies are small files that store information that is exchanged between computer of the personal data subject and our website. The company use cookie only when storing information that might be useful to the personal data subject for the next usage when accessing company’s website. When the personal data subject accesses the web browner, the personal data subject can set accept or deny all cookies or notice the personal data subject when there has sending of cookies. The personal data subject can set on the menu “Help” in the browser to be acknowledged for changing method in using cookies. Please be informed that if you close cookies, it might affect some services of the personal data subject

7.2    How to use cookie

We use cookies to improve your experience and satisfaction by allowing us to quickly understand your feature usage and make our website easy to be accessed and more convenient. In some cases, we may require a third party to take action which may require Internet Protocol Address (IP Address) and Cookies for Statistical Analysis as well as linking information and evaluate according to marketing objectives

7.3    Types of cookies used

Types of cookies

Details

Sample

Persistent cookies

These cookies help to continually improve your website experience, such as remembering your login, remembering the information you provide on the website.

o    • JSESSIONID

o    • dc_gtm_UA-15158362-1

o    • cfduid

o    • CSRFToken

o    • accessToken

Analytical/Performance cookies

These cookies allow us to measure performance, for example: processing number of pages you have accessed, the number of user group attribute. The information as mentioned will be used to analyze user’s behavior patterns.

o    • Google Analytics

o    • Adobe

o    • CloudFlare

Advertising cookies

This type of cookie will be saved on your device to store access information and the links you have visited and followed. Third-party cookies may also use information transmitted to online media and the content collected from the service in order to understand the needs of the users with the purpose of website customization and advertising campaigns to suit your interests

o    • Adnuntius

o    • Adobe Audience Manager

o    • Adobe Target

o    • Cxense

o    • Google Analytics

o    • Relay42

Functional cookies

These cookies provide convenience when you return to the website. We will use the information to customize the website according to your usage.

o    • Google Analytics

7.4    Manage cookies

You can delete and deny collection of cookies by referring to the instructions provided for each web browser you use.

7.5    Changing cookies policy

This Cookie Policy may be revised occasionally to comply with the regulations. Therefore, we suggest you to make sure you understand the changes therein.

Clause 8 Personal data retention period

The Company will retain personal data according to necessary period, to conduct business according to the objectives or to achieve relevant objectives in this policy during necessary period which may need to be kept for later as required or permitted by law such as storing in accordance with the law on the prevention and suppression of money laundering, keep it for the purpose of verifying and investigating in the event that a dispute may occur within the validity prescribed by law for a period not exceeding 10 years

Clause 9 Personal data protection and evaluate risk and effects 

The company will keep personal data properly in accordance with technical measures and administrative measures (Organizational Measure) in order to maintain the security of the appropriate processing of personal data to prevent personal data breach. The company has set rules and regulations related to the protection of personal data and assess the risks and impacts of personal data protection such as the security standards of information technology systems, measures to prevent recipients of information use or disclose information aside from the purpose or without authority or improperly. The company has regularly updated the regulations, rules and assessments of risks and impacts of such personal data protection as necessary and appropriate in assessing the risks and impacts of the protection of personal data including the loss of credibility, reliability, customer’s trust, disadvantage in market competition and trade, prosecution. Aside from this law, directors, personnel, contractors, agents, consultants and recipients of information from the company has a duty to maintain the confidentiality of personal data in accordance with the Company’s confidentiality measures. The company requires to notify the personal data breach to the personal data subject within 72 hours of personal data infringement.

Clause 10 Rights of data subject related with personal data

Rights of data subject related with personal data is a right according to law that shall be acknowledged. The data subject is able to use rights under law regulation and policy that currently determined or additional amendment in the future as well as principles that the company determined and in the event that the person is not of legal age or limited capacity, shall proceed legal juristic acts which the person can use rights by giving parents, guardian or authorized person to act on behalf of the person who inform intention.

10.1    Rights to be informed

If the person has to give consent to the company to collect, use and / or disclose personal data, that person shall has right to know the details of objectives, collecting, using and/or disclosing personal data. Requesting data is a case that data subject may or may not provide information or if the law required to provide information.

10.2    Right to withdraw consent

If the person has given consent for the company to collect, use and / or disclose personal information (Either the consent given by the person before the date of the Personal Data Protection Law comes into force or after), that person has the right to withdraw that consent at any time throughout the period of personal data with the company. Unless there is a limitation of that right by law or there is a contract that benefits people.

10.3    Right of access

A person has the right to request access to the personal data of that person which is under the responsibility of the company and request company to make copies of such information to that person as well as requests the company to disclose the source of personal data.

10.4    Right to data portability

A person has the right to obtain personal data in case the company made personal data in a form of readable or usable by means of an automated tool or device and can use or disclose personal data by automated means including rights to ask the company to transmit or transfer such personal data to another data controller when it is possible to do so by automated means and has the right to obtain personal data that the company transmit or transfer the personal data in such form directly to another data controller unless it cannot be proceeded because of technical reasons.

However, the personal data of the above mentioned must be a personal data with the consent for the company to proceed for collection, use and / or disclosure or is a personal data that the company has necessity to collect, use and / or disclose in order to be able to perform the contract as intended or other personal data as required by lawful authorities.

 10.5   Right to object collection, use of personal data

Any individual has the right to object to the collection, use and / or disclosure of personal data at any time. If the collection, use and / or disclosure of personal data made for the necessary operations under legitimate interest of the company or as required by law without exceeding the extent that a person can reasonably expect or to carry out the mission for the public benefit. If a person submits objection, the company will continue to collect, use and / or disclose personal data especially only that the company is able to show reason according to law that is more important than your fundamental rights or according confirmation of legal rights, legal compliance or legal action battle under each case by case.

10.6    Right to erasure or destroy data

Individuals have the right to request erasure or destruction of personal data or make personal data as anonymous data or if the individual believes that the personal data that has been collected, used and / or disclosed in unlawful manner, or that the company has no necessity to retain it under the objectives involved in this policy or when a person has exercised the right to withdraw consent or exercise the right to objection as stated above.

 10.7   Right to restrict processing

The individuals have the right to request temporary suspension of the use of personal data in the event that the company is in the process of reviewing the request to exercise the right to amend personal data or objection of the person or in any other event that the company has no necessity and must be delete or destroy personal data in accordance with applicable law.

 10.8   Right of rectification

Individuals have the right to request correction of personal data, to be in present, complete and not misleading

 10.9   Right of complaint

Individuals have the right to lodge a complaint to the relevant legal authority if individuals believe that collection, use and / or disclosure of your personal data is in a manner that violates or fails to comply with applicable laws.

 10.10 The limitation of right  

The exercise of the rights of the aforementioned persons may be limited under applicable law and there are cases where it is necessary that the company may refuse or fail to proceed with the above request such as having to obey law or court order for public benefit. Exercise of the rights may violate the rights or liberties of others. If the company rejects the above request, the company will inform the individual the reason for the rejection as well. The company will proceed with the request for the exercise of rights within 30 days from the date that the individual submits the application and supporting documents to the Managing Director of the Company in full.

Clause 11 Person Responsible for Personal Data Protection

The company appoint personal responsible for personal data protection and set the role of a personal data protection supervisor as follows:
11.1   Data Controller refers to a person or juristic person who has the authority to make decisions about the collection, use or disclosure of personal data

11.2   Data Processor Means any person or juristic person that processes personal data collection, use or disclosure in accordance with order or on behalf of the Personal Data Controller. However, the person or entity doing so is not the controller of personal data.

Clause 12 Penalty

If a person responsible for the implementation of any matter in accordance with his or her duties neglected or ignored or not to perform or instruct, or perform any of their duties which is a violation of the policy and guidelines on personal data until causing an offense under the law and / or more damage, such person is subject to disciplinary action in accordance with the company’s regulations, and the company will not compromise on any offenses of the responsible person that committed and that person must be punished by the law for the offense occurred. If such an offense causes damage to the company and / or any other person, the company may consider further legal proceedings.

Clause 13 Policy review

The company will review the policy at least once a year or in any event that the law has changes.

Clause 14 Contact center

Meta Corporation Public Co., Ltd.

Address :  33/4 36th floor, Building A, The Ninth Tower Grand Rama IX, Rama IX road, Huai Khwang sub-district, Huai Khwang district, Bangkok 10310

Tel. no. : 02-01309076-7

E-mail :  PDPA@metacorp.co.th