Banpu Power Public Company Limited
Announced on 27 May 2021
Principle and Reason
The Company suggests that Data Subjects read and understand this Policy, which describes the manner by which the Company treats Personal Data of the Data Subjects, including their rights, as follows:
“Company” refers to Banpu Power Public Company Limited and its subsidiaries in Thailand.
“Data Subject” refers to a person to whom such Personal Data refers.
“Data Controller” refers to a person or a juristic person with the power and duties to make decisions regarding the collection, use or disclosure of Personal Data.
“Data Processor” refers to a person designated by the Company who proceeds with the collection, use or disclosure of Personal Data under the orders given by or on behalf of a Data Controller, and the person who proceeds as such is not a Data Controller.
“Act” refers to the Personal Data Protection Act B.E. 2562 (A.D. 2019)
2. Scope of the Policy
This Policy shall apply to any persons to whom such Personal Data refers and/or any persons disclosing, possessing and/or having access to, Personal Data, including the Board of Directors, the Company’s management, staff at all levels of the Company and its partners, and also apply to such persons whose activities involve their Personal Data with the Company.
3. Principle and Types of Personal Data Collected, Used and Disclosed by the Company
The Company shall collect, use or disclose Personal Data with limitations according to the purpose and scope which are lawful, necessary and fair, whereby such Personal Data to be protected shall include, but not limited to, the following information:
3.4 Telephone number;
3.5 Identification number;
3.6 Images, photographs;
Personal Data shall not be collected, used or disclosed without consent of the Data Subject given in advance or at that time, unless permitted by law.
The request for such consent (1) shall be made expressly in writing or by electronic means, except where such consent may not be obtained by such means; (2) shall inform the purpose of collection, use or disclosure of Personal Data; and (3) shall be clearly and simply separated from other contents.
The Data Subject reserves the right whether to give his/her consent or to withdraw his/her given consent; the right of access to Personal Data; the right to data portability; the right to object to the collection, use or disclosure of Personal Data; the right to erasure or destruction of Personal Data or rendering it unidentifiable, as per the details in Clause 7.
4. Purposes of Collection, Use, Processing and Disclosure of Personal Data
The Company shall limit the collection, use, processing or disclosure of Personal Data to the extent as necessary and fair for sustainable business operations, taking into account the personal rights and liberty and security of Personal Data as appropriate and sufficient for the following purposes:
4.1 Operation or business purposes, such as, production, trading, distribution, exchange, hire of service, hire of work, provision of services, digging, transportation, provision or receipt of consultation, investment, borrowing of loans, receipt or payment of money, in the interest of the Company’s business operations for sustainable growth;
4.2 Sales or marketing purposes, such as, promotional campaigns for marketing activities, sales promotion, survey and evaluation, in order to improve the efficiency and effectiveness of the provision of services and/or management of client or customer relations;
4.3 Advertisements, public relations and communications, such as, inquiries, notifications, review, survey of opinions, data verification, news update or any other arrangements as necessary to better understand the Company’s business and services;
4.4 Keeping records, storage of data, statistics and research, such as, monitoring, review, processing and analysis of data, in order to improve, rectify, develop and present new products and/or services to suit the requirements of the market, investors, customers, business partners and/or those involved with the Company;
4.5 General administration, health, safety and environmental management as well as human resources management, such as, procurement and engagement, acceptance and delivery of goods, recruitment, employment, health insurance, social security, workmen compensation fund, provident fund, hazard prevention and security, occupational healthcare, quality and environmental care and/or risk management, both under normal circumstances and during crisis caused or to be caused by accident, in order to ensure that these tasks are efficient and cover all parties concerned;
4.6 Compliance with terms and conditions, exercise of contractual rights and/or legal requirements, such as, compliance with rules, regulations, requirements or provisions of law, including orders or practices and requirements of the state, government, authorities, regulatory bodies, in order to ensure that the Company’s operations comply with contractual provisions, legal provisions and good governance principles;
4.7 Compliance with policies and work rules and regulations, such as, various policies of the Company, operating manuals, the Company’s regulations, work rules and/or access control for the Company’s office or premises, etc., in order for the Company’s various administration works to be more efficient and effective;
4.8 Any other arrangements, such as, secretarial works, meetings, information on the Company’s directors, shareholders or securities, corporate governance, activities for common or public interest, announcement or other activities within and outside the organizations, etc., for being engaged in security and sustainability.
The Company shall not disclose such Personal Data so collected without consent of the Data Subject given in advance or at that time, unless permitted by law.
5. Security of Personal Data
In case there is a breach of security standard of the Company which results in breach of rights to Personal Data, the Company will immediately inform the respective Data Subject of a remedy plan for damages arising from such breach.
6. Cross-border Personal Data Transfer
In the event that the Company transmit or transfer Personal Data abroad, the Company shall take necessary steps to ensure that the receiving country, international organization or the data recipient abroad has adequate standard in regards of personal data protection.
7. Rights of the Data Subject
The Company respects the Data Subject’s rights as follows:
7.1 Right to withdraw consent: The Data Subject shall have the right to withdraw his/her consent given to the Company at any time during the period his/her Personal Data remains in the Company’s possession.
7.2 Right of access: The Data Subject shall have the right to access his/her Personal Data and request the Company to make a copy of such Personal Data, and also request the Company to disclose how the Data Subject’s Personal Data was collected without his/her consent to the Company.
7.3 Right to data portability: The Data Subject shall have the right to request a transmission or transfer of his/her Personal Data provided to the Company to another Data Controller or the Data Subject.
7.4 Right to object: The Data Subject shall have the right to object to the collection, use, processing or disclosure of Personal Data, if he/she finds it invalid, inapplicable or unfair.
7.5 Right to rectification: The Data Subject shall have the right to request the Company to rectify any information to be up-to-date, correct or complete.
7.6 Right to erasure: The Data Subject shall have the right to request the Company to erase or destroy his/her Personal Data or render it unidentifiable to the Data Subject, due to the absence of its power to collect the same or when it is not necessary.
7.7 Right to restriction of processing: The Data Subject shall have the right to restrict the use of his/her Personal Data pending data verification or when it is no longer necessary.
The Company shall have no right to deny the Data Subject’s exercise of any of the above rights, except where the laws expressly entitle the Company not to proceed with such request.
Once the Act is fully effective following the expiry of the grace period granted by the Royal Decree Establishing Organizations and Businesses that the Data Controllers are Exempted from the Applicability of the Act B.E. 2564 (A.D. 2021) Number 2, Data Subject shall be able to access to channel given by the Company to exercise its rights.
8. Change in the Policy
The Company may consider reviewing the Policy to be in line with the Act, ministerial regulations, notifications, practices and other relevant rules. Upon any change in the Policy, the Company shall keep you informed of such change by way of announcement on the Company’s website. Should there be any discrepancy between the new and the existing Policy, the new Policy shall prevail.
Should this Policy not cover anything addressed by any ministerial regulation or announcement which will be subsequently issued under the Act, such ministerial regulation or announcement shall apply as if it were an integral part of this Policy.
9. Contact with the Data Protection Officer (DPO)
The Data Subject who has provided the Company with his/her Personal Data may contact the Company’s Data Protection Officer (DPO) in order to exercise his/her rights under Clause 7 above (as per the details in the “Contact Channels” below).
Details of the Data Protection Officer (DPO)
DPO: Vice President-Corporate Compliance and/or acting personnel in such capacity
27th Floor, Thanapoom Tower, 1550 New Petchburi Road, Makkasan, Ratchathewi, Bangkok 10400, Thailand
Telephone: +66 2694 6600
Facsimile: +66 2207 0696-7
10. Applicable Law
This Policy is governed by and construed in accordance with Thai laws, and Thai courts shall have the competent jurisdiction over any dispute arising from this Policy.