“Personal Data” means any information relating to a natural person which enables the identification of such person, whether directly or indirectly, but excludes information of deceased persons in particular.

“Sensitive Personal Data” means personal data specified under the PDPA as sensitive data, such as data relating to race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health information, disability, labor union information, genetic data, biometric data, or any other data which may similarly affect the data subject as prescribed by the Personal Data Protection Committee.

“Data Subject” means a person who has a relationship with the Company and is the owner of personal data.

“Persons Having a Relationship with the Company” include:

(1) Customers who are natural persons of the Company
(2) Trade partners or contractual parties who are natural persons of the Company
(3) Directors, authorized persons, representatives, agents, shareholders, employees, or other persons in similar roles of juristic persons that have a relationship with the Company
(4) Directors, executives, employees, or contractors of the Company, including family members of such persons
(5) Shareholders, investors, including any natural persons who are interested in investing in the Company
(6) Data Controllers, meaning a person or juristic person having the authority to make decisions regarding the collection, use, or disclosure of personal data
(7) Visitors or users of the website www.ydmthailand.com including systems, applications, devices, or other communication channels controlled by the Company
(8) Other natural persons whose personal data is collected by the Company, such as individuals contacting the Company, job applicants, family members of job applicants, or persons referenced in job applications

“Affiliated Companies” means the Company’s parent companies, subsidiaries, and associated companies, and includes persons acting on behalf of such entities.

“Processing of Personal Data” means any operation performed on personal data, such as collection, recording, copying, organizing, storing, maintaining, modifying, changing, using, retrieving, disclosing, transferring, publishing, transmitting, combining, deleting, or destroying.

Scope of Application

This policy applies to any personal data of the data subjects (both present and future) that the Company, its executives, employees, and/or contractors process. Such processing shall be carried out only to the extent necessary for the Company’s operations and in accordance with the purposes of processing personal data arising from transactions or communications between the Company and the data subjects through any channel, method, or format, including websites, systems, applications, documents, or other communication or service channels under the Company’s control.

Personal Data the Company May Collect

The Company may collect or obtain the following personal data (including sensitive personal data, for which the Company will obtain explicit consent from the data subject prior to collection unless otherwise permitted by law).

• Personal identification information such as title, first name, last name, middle name, nickname, signature, national identification number, nationality, driver’s license number, passport number, household registration information, etc.

• Personal characteristics such as date of birth, gender, height, weight, age, marital status, military status, photographs, spoken languages, behavioral data, preferences, bankruptcy status, status as an incompetent person or quasi-incompetent person, etc.

• Contact information such as telephone number, fax number, email address, mailing address, social media account names, map location of residence, etc.

• Employment and education information such as employment history, educational history, type of employment, occupation, rank, position, duties, expertise, work permit status, professional license number, social security number, taxpayer identification number, bank account number, reference persons, salary information, employment start date, employment termination date, performance evaluations, welfare and benefits, educational institutions, academic qualifications, academic results, and graduation date, etc.

• Insurance policy information such as insurer, insured person, beneficiary, policy number, policy type, coverage amount, and information relating to claims under the policy.

• Social relationship information such as political status, holding of political positions, holding positions as directors in any juristic person, etc.

• Information relating to the use of the Company’s online services such as username, password, PIN number, Single Sign-on (SSO ID), OTP codes, computer traffic data, location data, photographs, videos, audio recordings, usage behavior data, search history, cookies or similar technologies, device ID, device type, connection details, browser information, language settings, operating system used, etc.

Cookies and the Use of Cookies

The Company collects and uses cookies and other similar technologies on websites under the Company’s control, such as www.ydmthailand.com, or on the devices of data subjects in order to ensure that the website functions properly and/or to facilitate the experience of website visitors. Website visitors may manage or delete cookies through their browser settings on their devices.

Purposes of Personal Data Collection

The Company collects personal data for multiple purposes depending on the nature of the relationship between the data subject and the Company, and the type of products, services, or activities involved. However, the collection of personal data must be within the scope of the following purposes and legal bases and/or as otherwise permitted by law.

• To prevent or suppress dangers to life, body, or health of a person.

• To perform a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into such contract.

• For the legitimate interests of the Company or other persons, such as business management and development, operations necessary for efficient business operations, risk assessment and management, fraud and corruption prevention and investigation, human resource management, procurement, customer and/or partner relationship management, maintenance and operation of information technology systems, security protection, marketing activities, data analysis or marketing research, and the exercise of legal claims.

• To comply with the laws applicable to the Company.

• In cases where consent has been obtained from the data subject, where the Company is required to obtain consent for certain operations or services requested by the data subject. If the data subject refuses to provide such consent, the Company may not be able to perform or provide certain services requested by the data subject in whole or in part.

Disclosure of Personal Data

Under the purposes stated in Clause 5 above or other purposes permitted by law, the Company may disclose personal data of the data subject to affiliated companies, business partners, or other persons. In cases where the law requires consent from the data subject, the Company will obtain explicit consent from the data subject prior to such disclosure. Additionally, the Company will ensure that recipients of personal data implement appropriate personal data protection measures and process such personal data only as necessary, and will take actions to prevent unauthorized processing of personal data.

Transfer of Personal Data to Foreign Countries

The Company may transfer personal data of data subjects to affiliated companies, business partners, or other persons located in foreign countries. The destination country receiving the personal data must have adequate personal data protection standards in accordance with the criteria prescribed under the PDPA, except where:

• It is required for compliance with the law.

• Consent has been obtained from the data subject in cases where the destination country does not have adequate personal data protection standards.

• It is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into such contract.

• It is carried out under a contract between the Company and another person for the benefit of the data subject.

• It is necessary to prevent or suppress dangers to life, body, or health of the data subject or other persons when the data subject is unable to provide consent at that time.

• It is necessary for carrying out activities in the public interest.

Personal Data of Minors, Incompetent Persons, and Quasi-Incompetent Persons

Where the Company becomes aware that the data subject is a minor, incompetent person, or quasi-incompetent person and consent is required for the processing of personal data, the Company will not process such personal data until consent has been obtained from the person exercising parental power, guardian, or curator (as the case may be), in accordance with the conditions prescribed by law.

Retention Period of Personal Data

The Company will retain personal data only for as long as necessary for the purposes of collection. The retention period will depend on the purposes for which the data was collected, such as the duration of contractual relationships and legal prescription periods. Once the retention period has expired and the personal data is no longer necessary for the stated purposes, the Company will delete, destroy, or anonymize the personal data so that it can no longer identify the data subject.

Security Measures

The Company implements security measures for personal data protection to prevent loss, unauthorized access, use, alteration, modification, or disclosure of personal data. Access to personal data is restricted to employees or authorized persons who have a legitimate need to access such data in accordance with the purposes of processing that have been notified to the data subject. Such persons are required to strictly comply with the Company’s personal data security measures and maintain the confidentiality of personal data obtained in the course of their duties.

Rights of Data Subjects

• Once the PDPA becomes fully enforceable, data subjects shall have the following rights under the PDPA:

• Right to withdraw consent – Data subjects have the right to withdraw their consent at any time unless there are legal restrictions or contractual conditions that benefit the data subject.

• Right of access – Data subjects have the right to request access to and obtain a copy of their personal data held by the Company or request disclosure of how such personal data was obtained where consent was not given. The Company may refuse such request only where permitted by law or court order and where disclosure may adversely affect the rights and freedoms of others.

• Right to data portability – Data subjects have the right to obtain personal data relating to them from the Company where the Company has made such personal data available in a format that can be read or used by automated tools or devices and can be disclosed by automated means (such as electronic formats). Data subjects also have the right to request that the Company transmit such personal data to another data controller where technically feasible or request to receive personal data that the Company has transmitted to another data controller directly, unless technically impossible. The exercise of such rights shall be subject to conditions prescribed by law.

• Right to object to processing – Data subjects have the right to object to the processing of personal data relating to them at any time under the conditions prescribed by law. In such cases, the Company shall cease processing such personal data and clearly separate the objected personal data from other data immediately upon receiving the objection unless the Company demonstrates legitimate grounds for processing which override the rights of the data subject or for the establishment, exercise, or defense of legal claims, or where processing is necessary for carrying out tasks in the public interest.

• Right to erasure – Data subjects have the right to request that the Company delete, destroy, or anonymize their personal data so that it can no longer identify the data subject, subject to conditions prescribed by law.

• Right to restriction of processing – Data subjects have the right to request restriction of the processing of personal data in the following circumstances:

• When the Company is in the process of verifying the accuracy of personal data as requested by the data subject.

• When the personal data must be deleted or destroyed due to unlawful processing but the data subject requests restriction of use instead.

• When the personal data is no longer necessary for the purposes of collection but the data subject requires the Company to retain the data for the establishment, exercise, or defense of legal claims.

• When the Company is in the process of verifying whether legitimate grounds override the data subject’s objection in accordance with Clause 11.4.

  • Right to rectification – Data subjects have the right to request that the Company correct their personal data to ensure that it is accurate, up-to-date, complete, and not misleading.

Personal Data Protection Officer

The Company has appointed a Personal Data Protection Officer to provide advice and monitor the Company’s operations, including those of employees and contractors, regarding personal data processing, as well as to coordinate and cooperate with the Office of the Personal Data Protection Committee and perform other duties as prescribed by the PDPA.

If any data subject has questions regarding this Personal Data Protection Policy or wishes to exercise their rights under this policy or applicable laws, please contact the Personal Data Protection Officer at:

Personal Data Protection Officer

Address: 139/26 Soi Ladprao 53 (Chokchai 4), Saphan Song, Wang Thonglang, Bangkok
Email: thanipha@ydmthailand.com
Telephone: 02 5386729

Review of Personal Data Protection Policy

The Company may review and update this Personal Data Protection Policy or related practices from time to time to ensure compliance with applicable laws.

This Personal Data Protection Policy shall be effective from 1 September 2022 onward.