Personal Data Protection Policy
(Privacy Policy)
Asset World Company Limited
This Personal Data Protection Policy is established by Asset World Company Limited (“the Company”) to demonstrate that the Company respects privacy rights and prioritizes the protection and security of data subjects’ personal data. This includes, but is not limited to, individuals who have a direct relationship with the Company and/or personal data of employees, staff, consultants, interns, financial auditors, accountants, partners, investors, shareholders, contractors, and others.
The Company may process personal data of each data subject for various purposes. However, when collecting, using, or disclosing such personal data, the Company will request the data subject's explicit consent before or during collection. The Company will only collect such data after receiving explicit consent from the data subject, except in cases where the law permits the Company to collect, use, or disclose data without requiring prior consent from the data subject. Nevertheless, when using or disclosing collected personal data, the Company will only do so as necessary for the purposes specified to the data subject before and during collection, and will comply with all relevant legal requirements.
The Company, as a data controller, has implemented appropriate security measures for processing personal data to prevent loss, unauthorized access, use, storage, alteration, modification, or disclosure to others. In cases where the Company entrusts another person to process personal data on its behalf, the Company will establish suitable and adequate control, prevention, and supervision measures to ensure that the data subject's data is protected with strict, appropriate, and sufficient measures under the effective and amended personal data protection laws.
Any data subject who suffers damage or any adverse effects from the Company's actions can report or file a complaint to request the Company to rectify and/or cancel any action that is not in accordance with the provisions of the personal data protection law or any action that causes damage or adverse effects, as specified in this policy.
The Company's policy is to promote and support its personnel, including directors, executives, employees, staff, contractors, and interns, to be thoroughly aware, understand, and recognize the importance of this Personal Data Protection Policy. This is to ensure that the Company can effectively protect, maintain, and secure the data subject's personal data without causing any adverse effects or damages to them.
Clause 1. Definitions
Unless otherwise specified in this policy, the following words or phrases have the meanings set forth below:
- “Person” means a natural person.
- “Personal Data” means any information relating to a person which enables the identification of such person, whether directly or indirectly, but not including the data of a deceased person. Examples include name, surname, nickname, address, telephone number, national ID card number, passport number, social security number, driver's license number, taxpayer identification number, bank account number, credit card number, email address, car registration number, land title deed number, IP Address, Cookie ID, Log File, etc. However, the following are not considered personal data: business contact information that does not identify a specific person, such as company name, company address, company registration number, work telephone number, work email address, company-related email address, anonymous data, or pseudonymous data that has been technically rendered unidentifiable, and data of a deceased person, etc.
- “Sensitive Personal Data” means personal data that is inherently private but is sensitive and poses a risk of being used for unfair discrimination, such as race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data that similarly affects the data subject as announced by the Personal Data Protection Committee.
- “Biometric Data” means personal data resulting from the use of techniques or technologies related to using a person's unique physical or behavioral characteristics to confirm their identity in a way that is unlike anyone else, such as facial recognition data, iris scan data, and fingerprint scan data.
- “Data Subject” means the individual who owns the personal data, which must be a natural person only.
- “Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, alteration, or adaptation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Data Controller” means a person or legal entity who has the power and duty to make decisions regarding the collection, use, or disclosure of personal data.
- “Data Processor” means a person or legal entity who performs the collection, use, or disclosure of personal data on behalf of or under the instruction of the data controller. The person or legal entity performing such actions is not the data controller.
- “Customer” means a person who contacts, conducts transactions, or has any relationship with the Company, regardless of whether such relationship results in a legal relationship, contractual obligation, or any agreement with the Company. This includes, but is not limited to, debtors, guarantors, payment providers, or those offering to pay on behalf of debtors and/or guarantors, etc.
Clause 2. Data Collection
The Company will collect, use, or disclose a data subject's personal data only in cases where the Company has informed the data subject of the purpose of such collection, use, or disclosure, and the Company has received explicit written consent or consent through an electronic system before or during the processing of such personal data.
In cases where the data subject is a minor, an incompetent person, or a quasi-incompetent person, the Company can collect, use, or disclose the data subject's personal data only after receiving consent from the person with parental power, the curator, or the guardian who has the authority to give consent as required by law.
The Company may collect the data subject's personal data for the following purposes, and the Company will inform the data subject of the purpose of collection, but may not be required to receive consent from the data subject:
- To achieve purposes related to research, studies, or statistics, for making archives, historical records, and for public interest. In such operations, the Company will provide appropriate protection measures for such personal data as required by law.
- To prevent or suppress danger to a person's life, body, and health.
- To fulfill a contract or agreement to which the Company and the data subject are parties, or to proceed with the data subject's request before entering into such a contract.
- It is necessary for the performance of a duty in the public interest of the Company or the exercise of state authority granted to the Company, such as withholding personal income tax, deducting social security contributions, etc.
- For the legitimate interests of the Company or another person or legal entity, unless such interests are less important than the fundamental rights of the data subject's personal data.
- To comply with the Company's legal obligations, such as reporting financial transactions or property-related transactions to the Anti-Money Laundering Office (AMLO), etc.
Clause 3. Personal Data Collected by the Company
The personal data collected by the Company includes:
- 3.1 Personal data for human resources management
- 3.2 General personal data
Clause 4. Personal Data for Human Resources Management
Personal data for human resources management means data related to personnel within the Company and/or individuals who wish to establish a relationship with the Company to work as employees. This starts from applying to become personnel in the organization by submitting an application and supporting documents in person at the Company's office, sending an application letter, or sending a resume or CV (Curriculum Vitae) via the Company's website, or sending an application via email, etc. This also includes hiring, salary adjustments, performance evaluations, promotions, development and training, disciplinary actions, and termination of employment.
The Company's personal data for human resources management refers to the personal data of the following individuals:
- Directors and executives of the Company.
- Employees, staff under employment contracts.
- Consultants, experts, and contractors who work for the Company under service contracts.
- Job applicants and individuals intending to apply for a job with the Company who have submitted documents containing personal data, such as a resume or Curriculum Vitae, to the Company, whether submitted in person, sent via email, submitted through the Company's website or applications, or submitted through an agent or recruitment service provider, etc.
- Students who have been accepted for an internship with the Company and/or students who have expressed their intention to apply for an internship with the Company by submitting personal documents and evidence to the Company.
- Customers or the general public who are interested in contacting the Company via email, the Company's website or applications, or through an agent.
Clause 5. Purposes of Collecting Personal Data for Human Resources Management
The Company will collect, use, or disclose personal data for human resources management of the data subject for the following purposes:
- Recruiting personnel to work as employees, staff, consultants, experts, or other named positions for the Company.
- Hiring, probation, appointment, transfer, defining career paths, seminars, development and training, and conducting various employee activities.
- Managing wages, salaries, benefits, and providing welfare for employees, such as life insurance, health insurance, accident insurance, etc.
- Considering and approving leave requests, absences, and disciplinary actions against employees.
- Complying with legal obligations accurately and correctly, such as withholding personal income tax, deducting social security contributions, Workers' Compensation Fund, Skill Development Fund, and employing people with disabilities.
- Ensuring the safety of the life, body, and property of the Company, employees, and third parties who contact the Company, or for maintaining order in the workplace or during employees' work.
- Managing safety and occupational health in the workplace.
- Accepting students for internships and managing the work of interns.
- For internal communication, dissemination, and public relations of the Company, and/or through other communication methods and tools.
- To comply with a subpoena, court order for a witness or document, to give testimony, and provide information and facts to an inquiry officer or a government official who performs duties and powers under the law.
- Other matters necessary for human resource management and for the Company's analysis and research.
Clause 6. Personal Data for Human Resources Management Collected by the Company
The personal data for human resources management collected by the Company includes:
- Personal data documents and evidence that the Company receives before or during employment, such as name-surname, age, date of birth, gender, nationality, religion, marital status, a copy of the national ID card, a copy of the house registration, evidence of name or surname change, evidence of military service, family members, father and mother's names, marriage certificate, divorce certificate, birth certificate, or child certificate, a copy of the national ID card, a copy of the house registration of minor children and of parents whom they support, a copy of a car or motorcycle driver's license, a copy of the Bar Council membership card, license number to be a lawyer, pre-employment medical examination results and medical certificates, results of tests for knowledge, ability, language proficiency, computer skills and various computer programs, interview records, etc.
- Education history, educational records, work history, criminal records, training history, diplomas, certificates, loan information from the Student Loan Fund (SLF), provident fund contribution data, work guarantee money, documents, and reference evidence for job applications, and entering into employment contracts, etc.
- Work time records, leave records, investigation records, performance evaluations, salary and wage increases, promotions, disciplinary actions, annual health check reports, opinion surveys, meeting minutes, medical records, and medical certificates during the time of being an employee, staff, or working for the Company.
- Communication data such as telephone numbers, email addresses, LINE ID, name, surname, address, occupation, telephone number, contact channels for guarantors, references, or individuals to be contacted in case of necessity or emergency, including beneficiaries, maps showing the location of domicile or residence, etc.
- Bank account numbers for paying wages, salaries, and other benefits.
- Biometric data such as a sample of a signature, fingerprint scan, facial recognition data, iris scan data, for the purpose of recording work time and access to and from the workplace, and ensuring security in the workplace.
- Sensitive personal data for which the Company has received explicit consent from the data subject as required by law.
Clause 7. Purposes of Collecting General Personal Data
In addition to the personal data for human resources management collected by the Company, the Company will collect general personal data for the following purposes:
- To verify and identify individuals (KYC) before establishing a relationship or entering into any transactions or legal acts, or to answer any questions, provide any information to debtors and individuals who pay on behalf of or with debtors.
- To improve and develop the Company's services in line with technological changes for efficiency in providing services that meet customer needs.
- For the Company's advertising and public relations.
- To provide any reports as required by government agencies or bodies that have the duty and authority to regulate or audit the Company's operations under the law, such as the Bank of Thailand, the National Credit Bureau Co., Ltd., etc.
- To report transactions as required by law, such as reporting transactions under the Anti-Money Laundering Act.
Clause 8. General Personal Data Collected by the Company
The general personal data collected by the Company includes:
- A copy of the national ID card, a copy of the house registration, a copy of the marriage certificate, domicile or place of residence, divorce certificate, evidence of name and/or surname change, first name, last name, age, date of birth, gender, nationality, religion, and marital status.
- Occupation, income, history of lawsuits or legal proceedings, type of loan, debt burden, financial status, payment history, financial statements, a copy of a salary certificate or income certificate, business registration certificate, tax identification number, a copy of a document proving ownership of a car and/or other vehicles, a copy of a stock certificate, a copy of various types of bills of exchange.
- Communication data such as telephone numbers, email addresses, LINE ID, name, occupation, telephone number, contact channels for guarantors, references, or individuals to be contacted in case of necessity or emergency, including beneficiaries, maps showing the location of domicile or residence, conversation records, etc.
- Biometric data such as fingerprint scans, facial recognition data, and iris scan data, for the purpose of recording transactions on any of the Company's electronic devices.
- Sensitive personal data for which the Company has received explicit consent from the data subject as required by law.
Clause 9. Source of Personal Data Collected by the Company
In collecting personal data, the Company will collect it directly from the data subject. However, due to the nature of the Company's core business, it is necessary for the Company to collect and compile personal data that is not collected directly from the data subject. The collection of such personal data is necessary for the performance of a contract to which the data subject is a party.
Clause 10. Collection of Sensitive Data
The Company will not collect personal data that is sensitive unless it has received explicit consent from the data subject beforehand, or unless there is a legal reason that allows the Company to collect it without needing to request or receive prior consent from the data subject. Examples include data that is made public with the data subject's explicit consent, data that is necessary for the establishment of legal claims, the exercise of legal claims, or the defense against legal claims, or data that is necessary to comply with the law to achieve the purposes of labor protection, social security, etc.
The Company will not collect personal data related to political attitudes, ideologies, or opinions, religious or philosophical beliefs, or sexual behavior.
Clause 11. Sending or Transferring Data Abroad
The Company has no transactions conducted abroad, and the Company does not send personal data abroad by any means whatsoever.
In the event that the Company has a reason or necessity to send or transfer any person's personal data abroad, the Company will ensure that the destination country has adequate and appropriate standards for personal data protection. However, if the recipient country does not have adequate and appropriate personal data protection measures and the Company has an urgent need to send or transfer personal data, the Company must adhere to the exceptions under the criteria set by the Company without violating the law.
Clause 12. Disclosure of Data to Others
The Company will not disclose personal data to others without the data subject's prior consent, unless such data is personal data that the law allows the Company to collect without the data subject's consent.
The Company may need to disclose personal data to external service providers (Outsourcing) that the Company hires and assigns to act on its behalf. This is necessary for exercising legal claims that the Company has against the data subject. In such cases, the Company will implement appropriate and sufficient measures to protect the data subject's personal data. The Company will only use service providers that have appropriate and sufficient measures to protect personal data. In addition, the Company will specify conditions or requirements in the service contract that the external service provider must have correct and complete measures to protect personal data, and must strictly comply with personal data protection laws.
Clause 13. Personal Data Retention Period
The Company will retain the data subject's personal data for a period that is only necessary to carry out the purposes stated in this policy. The retention period for each data subject may vary due to reasons and necessities to preserve legal rights, such as personal data that must be used as evidence for exercising legal claims or legal proceedings, for inspection by internal auditors, or for inspection by agencies that have the duty and authority to audit the Company's operations, such as the Bank of Thailand, government agencies, or for inspection by other government agencies, such as the Revenue Department, etc. However, the Company will collect and retain the data subject's personal data for a maximum period of no more than 10 years from the date the relationship ends, or for a longer period as required by law.
Clause 14. Erasure and Destruction of Personal Data
After the personal data retention period specified in this policy has expired, the Company will proceed to erase and/or destroy the data subject's personal data from the Company's storage systems, or make the data subject's personal data no longer identifiable.
The erasure or destruction of the data subject's personal data will be carried out by a committee or working group appointed or assigned by the Company to specifically oversee and supervise such erasure and/or destruction. This is to ensure that the process is honest, transparent, builds confidence for the data subject, and can be audited.
Clause 15. Method for Withdrawing Consent
The data subject has the right to inform the Company to cancel or withdraw the consent to process data that the data subject has given to the Company at any time.
Clause 16. Data Subject Rights
The data subject has the following rights which are guaranteed and protected by law and/or this policy:
- Right to be informed of the purpose of data processing
  The data subject has the right to be informed of the purpose of personal data processing, which includes the collection, use, and disclosure of personal data, before or during the data collection, unless such details and purposes are generally known.
- Right to rectification
  The data subject has the right to request the Company to rectify their personal data to be accurate, current, and not misleading. This request for rectification must be made in good faith and not contradict the provisions of the law.
- Right to withdraw consent
  The data subject has the right to cancel or withdraw consent given at any time, unless the right is limited by law or by the terms of a contract or agreement. Such cancellation or withdrawal of consent will not affect the processing of personal data to which the data subject has already lawfully given consent.
- Right to restrict processing
  The data subject has the right to request the Company, as the data controller, to restrict the processing of the data subject's personal data.
- Right to access, request a copy, or request disclosure of the source of personal data
  The data subject has the right to access, including the right to request a copy of their personal data from the Company, and to request the Company to disclose the source of their personal data. This right to access data must not contradict the provisions of the law and must not violate the rights and freedoms of others.
- Right to data portability
  In preparing personal data, the Company has prepared it in a format that is generally easy to read or use by automated tools or devices and processed by automated means. The data subject has the right to request personal data from the Company, including the right to have the Company send or transfer personal data directly to another data controller, unless it is technically impossible to do so, or unless it would violate the provisions of the law or the terms of a contract or agreement, or infringe upon the rights and freedoms of others.
- Right to object to the collection, use, or disclosure of personal data
  The data subject can object to the Company's processing of personal data, such as the collection, use, or disclosure of personal data, by making a request to the Company using the channels and methods specified in this policy.
Clause 17. Right to Erasure or Destruction of Personal Data
In cases where the personal data is no longer necessary for processing according to its purpose, or the controller has published the data publicly, or it is data that other people can easily access, the data subject has the right to request the Company to erase or destroy the data subject's personal data, or to make it unidentifiable. The data controller must bear the costs and the responsibility for this action.
Clause 18. Right to Complain
In the event that the data subject finds that their personal data has been stored, disclosed, or used for purposes other than what the Company has declared, or finds that the Company has violated or failed to comply with the law on this Personal Data Protection Policy or has failed to comply with this policy correctly, the data subject has the right to dispute, object, or file a complaint about such incidents with the Company's Personal Data Protection Committee at any time to consider and rectify the matter, using the address and contact phone number specified in this policy.
To report or file a complaint as mentioned in the previous paragraph, the data subject can make a direct request through the Company's website, which will have a menu or window labeled "File a Complaint" or similar text, or the data subject can file a complaint in writing or by a complaint letter, along with a copy of their national ID card with a certified true copy, and send it to the Personal Data Protection Committee at the Company's address specified in this policy.
The Company will consider the data subject's complaint and inform them of the results of the consideration in writing within 30 days from the date the Company received the complaint and all related information and documents.
In the event that the data subject disagrees with the Company's decision, the data subject has the right to take any action to receive protection under the law immediately.
Clause 19. Training and Education for Employees
The Company has a policy to organize training and education for all directors, executives, employees, and personnel of the Company to inform them of the provisions of the personal data protection law, as well as the various impacts that may occur to the Company and its directors, executives, employees, and relevant officers. This is to ensure that these individuals are aware of their duties and the importance of collectively protecting the data subject's personal data, and to ensure that the Company's personnel can appropriately take care of, prevent, and protect the data subject's personal data.
Clause 20. Policy Updates
The Company stipulates that the privacy policy will be reviewed as necessary and appropriate, with a commitment to continuously update it, both in terms of practices and control systems for protecting personal data.
The Company will review and amend this Personal Data Protection Policy annually or at an appropriate earlier time, to ensure that the policy is current and in line with technology, innovation, and changes in the legal context.
Each time the Personal Data Protection Policy is amended, added to, or changed, the Company will notify this on its website at [email protected]
Clause 21. Compliance with the Personal Data Protection Policy and Contacting the Company
In the event that the data subject has any questions, issues, or wishes to file a complaint regarding personal data protection or compliance with this Personal Data Protection Policy, they can inquire and/or file a complaint with the Company's Personal Data Committee via the Company's website at [email protected] or contact in person at the following address:
680 Prom Rachada Hotel Building 2, 5th Floor, Soi Nathong, Din Daeng Subdistrict, Din Daeng District, Bangkok 10400
This policy is effective as of October 1, 2024.



