Personal Data Protection Policy
Meta Corporation Public Company Limited
Clause 1 Rational Criterion
Personal Data Protection Act B.E. 2562 (2019) was established for protection of personal data to be more efficient and putting forth efficiency measures to remedy personal data subjects from infringement of personal data rights. In this regard, the enactment of this act duly complies with the conditions provided in section 26 of the Constitution of the Kingdom of Thailand
Meta Corporation Public Company Limited is committed to conduct business with ethics, respect and responsible to comply with all applicable laws which the company was aware of the privacy information regarding with personal information and herein committed to protect personal data. The company announces this policy to be a principle of personal data protection and was acknowledged of required safeties in proceeding transactions and retention of personal data. Therefore, we respect the right of personal data of individuals and protect personal data by establishing policies, regulations and various criteria in operating work with strict measures to protect the security of personal data and also to ensure the personal data that the company obtained will be applied to meet individual requirements and legitimate.
Clause 2 Personal data
2.1 Collection of personal data
The company might collect personal data in many channels i.e.
- When the data subject applies for a job with us through website or by phone including as an employee of the company, the company requests to know the necessary information in applying job as follows: name, surname, telephone number, email address, education history, etc.
- When the data subject makes inquiries or interested in the Company’s services, the company may request information about the owner of the information, such as name, email, phone number, etc.
- The company may store log files of the data subject by storing information as follows: IP number (IP Address) or access time, etc.
2.2 Personal data
Means any information relating to a person which enables the identification of such person, whether directly or indirectly such as
- Personal data that individuals provide to the company directly or receive through other channels which caused by using service, visit, search, digital channels, website, call center, assigned person, or any other channel
- Personal data that the company obtained or accessible from a source other than directly from you, such as parents, children, spouses, siblings, government agencies, companies in the financial business group, financial institution, financial service provider, business partner, credit information company and data service providers, etc., the company will collect information from other sources under your consent as law required unless necessary as permitted by law for the personal data to be collected, use and/or disclose such as
- Personal data i.e. name, surname, age, birth date, marital status, identification no., passport no.
- Contact information i.e. address, workplace, telephone no., email, id line
- Financial information i.e. bank account no., financial history, list of securities holding of oneself and related persons (father, mother, son, daughter, spouse, siblings)
- Transaction information such as bank statement, payments, loaning, investing in securities of oneself and related persons (father, mother, son, daughter, spouse, siblings)
- Information of equipment or tools i.e. IP Address, MAC Address, Cookie ID
- Other information such as website usage, sound, photographs, animation and any other information that is considered as personal data under Privacy Law
2.3 Sensitive Data
means any information relating to a particular person that the law required as specific law which includes data regarding sexual behavior, health data, political opinions, religious or philosophical beliefs, etc. which the company will only gather, use and/or disclose personal data that have sensitivity under express consent from the particular person only or in case that the company have necessity to disclose personal data under permitted law which the company might gather, use and/or disclose personal data, biometric data such as fingerprint copy for the purpose of proving and confirming the identification of a person that enter the company’s area (Hereafter in this Policy, if not specifically stated, personal data and sensitive personal data regarding with the particular person as above mentioned will be referred together as “Personal data”)
Clause 3 Objectives and details of collecting, usage and/or disclose personal data
The company shall collect personal data for the purpose of benefit in operating business according to its objective including compliance with the legal obligations that the company or a person shall comply with as well as for any purpose that prescribed in this policy as follows.
3.1 For the company to operate business according to its objectives
3.2 To comply with the related law or legal obligation) such as
- To comply with the order of authority person
- To comply with the financial institution’s law, Security of Exchange Commission’s law, Life insurance’s law, non-life insurance’s law, tax law, anti-money laundering law, Terrorism and Proliferation of Weapons of Mass Destruction Financing law, computer law, liquidation law, and other law that the company shall comply with for both domestic and overseas as well as announcement and regulations that notified by the law as mentioned.
3.3 To operate necessary work under the Legitimate Interest without exceeding the limits that a person can expect reasonably such as
- Recording CCTV when exchanging access card before entering the company’s area
- Maintain relationship with clients such as managing complaints, evaluating satisfaction, customer care service by the company’s employee
- Manage risk, supervise auditing, internal management
- Making personal data to be a data that can’t specify personal identification (Anonymous Data)
- Prevent, encounter, reduce risk that might occurred from corruption, cyber threats, default of loan payment or contract (such as liquidation), lawbreaking (such as money laundering, Terrorism and Proliferation of Weapons of Mass Destruction Financing, offence in assets, life, body, freedom or reputation) including sharing of personal data in order to raise the work standard in office for protection, encounter, reduce risk as above mentioned
- Collecting, usage and/or disclose of personal data of directors, authorized person, representative of client’s juristic person
- Contact, recording videos, voice in the meeting, seminar, recreation, or exhibition booth
- Collecting, usage, and/or disclose of personal data of the person whose court has a receivership order
- Receiving-Sending parcels
3.4 Personal data that the company classified according to the legal base as follows
- Vital Interest
- Legal Obligation
- Public Task
- Legitimate Interest
If there has any changes in objectives of personal data usage (legitimately), the company shall inform within 30 days
3.5 For personal data that the company use for saving log, personal data of each department shall save log according to usage as follows
- If general use according to company’s objectives, you don’t have to save log in personal data usage
- If usage of data was aside from the objectives, it shall have personal usage record by adding usage objectives and request consent from the personal data subject once again
- In case of personal data usage that is essential and use occasionally, saving of usage log shall be considered in order to keep user’s data and to be acknowledged in usage details
- Has access log for examining accessors, usage time, so that if any data leak, it will be traceable
- Has access control that limit person’s access in using personal data
Clause 4 Evaluation of data by outsiders
The company may need to send or transfer personal data to third parties to evaluate, the company will take care of the transmission or transfer of personal data in accordance with law and will take measures to protect personal data that deems necessary and appropriate comply with confidentiality standards such as Data fragmentation before sending personal data, having a confidentiality agreement with the recipient of such information, or the company may choose to implement a personal data protection policy that has been audited and approved by the relevant legal authority and will proceed to transmit or transfer personal data to third parties to evaluate in accordance with the aforementioned personal data protection policy instead of proceeding according to legal required.
Clause 5 Disclosure of personal data
The company may disclose personal data to others under the consent of individual according to consent form or under the principal of law permission to disclose
Clause 6 Transmission or transferring of personal data to other countries
The company may need to send or transfer personal data to company networks that are in other countries or to other recipients of data which is a part of the company’s normal business operations, such as sending or transferring personal data to a server / cloud in different countries.
In the event that the destination country has insufficient standards, the company will take care of transmission or transferring of personal data in accordance with the law and will take measures to protect personal data that deems necessary and appropriate in accordance with confidentiality standards such as confidentiality agreements with recipients in that country or if the recipient is a company in the company’s network in other countries, the company may choose to have a Personal data protection policy reviewed and approved by the relevant legal authority and will proceed to transmit or transfer personal data to the company
The company’s network in overseas can be complied with the personal data protection policy instead of proceeding as prescribed by law
Clause 7 Cookies policy
7.1 What is cookie
Cookies are small files collecting information by storing on computer device and / or communication device accessed by you, such as tablet, smartphone via web browser while entering our website. Company’s website may use cookie in some cases. Cookies are small files that store information that is exchanged between computer of the personal data subject and our website. The company use cookie only when storing information that might be useful to the personal data subject for the next usage when accessing company’s website. When the personal data subject accesses the web browner, the personal data subject can set accept or deny all cookies or notice the personal data subject when there has sending of cookies. The personal data subject can set on the menu “Help” in the browser to be acknowledged for changing method in using cookies. Please be informed that if you close cookies, it might affect some services of the personal data subject
7.2 How to use cookie
7.3 Types of cookies used
Types of cookies
These cookies help to continually improve your website experience, such as remembering your login, remembering the information you provide on the website.
o • JSESSIONID
o • dc_gtm_UA-15158362-1
o • cfduid
o • CSRFToken
o • accessToken
These cookies allow us to measure performance, for example: processing number of pages you have accessed, the number of user group attribute. The information as mentioned will be used to analyze user’s behavior patterns.
o • Google Analytics
o • Adobe
o • CloudFlare
This type of cookie will be saved on your device to store access information and the links you have visited and followed. Third-party cookies may also use information transmitted to online media and the content collected from the service in order to understand the needs of the users with the purpose of website customization and advertising campaigns to suit your interests
o • Adnuntius
o • Adobe Audience Manager
o • Adobe Target
o • Cxense
o • Google Analytics
o • Relay42
These cookies provide convenience when you return to the website. We will use the information to customize the website according to your usage.
o • Google Analytics
7.4 Manage cookies
You can delete and deny collection of cookies by referring to the instructions provided for each web browser you use.
7.5 Changing cookies policy
Clause 8 Personal data retention period
The Company will retain personal data according to necessary period, to conduct business according to the objectives or to achieve relevant objectives in this policy during necessary period which may need to be kept for later as required or permitted by law such as storing in accordance with the law on the prevention and suppression of money laundering, keep it for the purpose of verifying and investigating in the event that a dispute may occur within the validity prescribed by law for a period not exceeding 10 years
Clause 9 Personal data protection and evaluate risk and effects
The company will keep personal data properly in accordance with technical measures and administrative measures (Organizational Measure) in order to maintain the security of the appropriate processing of personal data to prevent personal data breach. The company has set rules and regulations related to the protection of personal data and assess the risks and impacts of personal data protection such as the security standards of information technology systems, measures to prevent recipients of information use or disclose information aside from the purpose or without authority or improperly. The company has regularly updated the regulations, rules and assessments of risks and impacts of such personal data protection as necessary and appropriate in assessing the risks and impacts of the protection of personal data including the loss of credibility, reliability, customer’s trust, disadvantage in market competition and trade, prosecution. Aside from this law, directors, personnel, contractors, agents, consultants and recipients of information from the company has a duty to maintain the confidentiality of personal data in accordance with the Company’s confidentiality measures. The company requires to notify the personal data breach to the personal data subject within 72 hours of personal data infringement.
Clause 10 Rights of data subject related with personal data
Rights of data subject related with personal data is a right according to law that shall be acknowledged. The data subject is able to use rights under law regulation and policy that currently determined or additional amendment in the future as well as principles that the company determined and in the event that the person is not of legal age or limited capacity, shall proceed legal juristic acts which the person can use rights by giving parents, guardian or authorized person to act on behalf of the person who inform intention.
10.1 Rights to be informed
If the person has to give consent to the company to collect, use and / or disclose personal data, that person shall has right to know the details of objectives, collecting, using and/or disclosing personal data. Requesting data is a case that data subject may or may not provide information or if the law required to provide information.
10.2 Right to withdraw consent
If the person has given consent for the company to collect, use and / or disclose personal information (Either the consent given by the person before the date of the Personal Data Protection Law comes into force or after), that person has the right to withdraw that consent at any time throughout the period of personal data with the company. Unless there is a limitation of that right by law or there is a contract that benefits people.
10.3 Right of access
A person has the right to request access to the personal data of that person which is under the responsibility of the company and request company to make copies of such information to that person as well as requests the company to disclose the source of personal data.
10.4 Right to data portability
A person has the right to obtain personal data in case the company made personal data in a form of readable or usable by means of an automated tool or device and can use or disclose personal data by automated means including rights to ask the company to transmit or transfer such personal data to another data controller when it is possible to do so by automated means and has the right to obtain personal data that the company transmit or transfer the personal data in such form directly to another data controller unless it cannot be proceeded because of technical reasons.
However, the personal data of the above mentioned must be a personal data with the consent for the company to proceed for collection, use and / or disclosure or is a personal data that the company has necessity to collect, use and / or disclose in order to be able to perform the contract as intended or other personal data as required by lawful authorities.
10.5 Right to object collection, use of personal data
Any individual has the right to object to the collection, use and / or disclosure of personal data at any time. If the collection, use and / or disclosure of personal data made for the necessary operations under legitimate interest of the company or as required by law without exceeding the extent that a person can reasonably expect or to carry out the mission for the public benefit. If a person submits objection, the company will continue to collect, use and / or disclose personal data especially only that the company is able to show reason according to law that is more important than your fundamental rights or according confirmation of legal rights, legal compliance or legal action battle under each case by case.
10.6 Right to erasure or destroy data
Individuals have the right to request erasure or destruction of personal data or make personal data as anonymous data or if the individual believes that the personal data that has been collected, used and / or disclosed in unlawful manner, or that the company has no necessity to retain it under the objectives involved in this policy or when a person has exercised the right to withdraw consent or exercise the right to objection as stated above.
10.7 Right to restrict processing
The individuals have the right to request temporary suspension of the use of personal data in the event that the company is in the process of reviewing the request to exercise the right to amend personal data or objection of the person or in any other event that the company has no necessity and must be delete or destroy personal data in accordance with applicable law.
10.8 Right of rectification
Individuals have the right to request correction of personal data, to be in present, complete and not misleading
10.9 Right of complaint
Individuals have the right to lodge a complaint to the relevant legal authority if individuals believe that collection, use and / or disclosure of your personal data is in a manner that violates or fails to comply with applicable laws.
10.10 The limitation of right
The exercise of the rights of the aforementioned persons may be limited under applicable law and there are cases where it is necessary that the company may refuse or fail to proceed with the above request such as having to obey law or court order for public benefit. Exercise of the rights may violate the rights or liberties of others. If the company rejects the above request, the company will inform the individual the reason for the rejection as well. The company will proceed with the request for the exercise of rights within 30 days from the date that the individual submits the application and supporting documents to the Managing Director of the Company in full.
Clause 11 Person Responsible for Personal Data Protection
The company appoint personal responsible for personal data protection and set the role of a personal data protection supervisor as follows:
11.1 Data Controller refers to a person or juristic person who has the authority to make decisions about the collection, use or disclosure of personal data
11.2 Data Processor Means any person or juristic person that processes personal data collection, use or disclosure in accordance with order or on behalf of the Personal Data Controller. However, the person or entity doing so is not the controller of personal data.
Clause 12 Penalty
If a person responsible for the implementation of any matter in accordance with his or her duties neglected or ignored or not to perform or instruct, or perform any of their duties which is a violation of the policy and guidelines on personal data until causing an offense under the law and / or more damage, such person is subject to disciplinary action in accordance with the company’s regulations, and the company will not compromise on any offenses of the responsible person that committed and that person must be punished by the law for the offense occurred. If such an offense causes damage to the company and / or any other person, the company may consider further legal proceedings.
Clause 13 Policy review
The company will review the policy at least once a year or in any event that the law has changes.
Clause 14 Contact center
Meta Corporation Public Co., Ltd.
Address : 33/4 36th floor, Building A, The Ninth Tower Grand Rama IX, Rama IX road, Huai Khwang sub-district, Huai Khwang district, Bangkok 10310
Tel. no. : 02-01309076-7
E-mail : PDPA@metacorp.co.th