This Amity’s Group Data Protection Policy (“Data Protection Policy”) stipulates the rules for personal data protection in Amity Corporation Ltd. and its affiliated companies (“Amity” and the “Amity’s Group”).
Our Data Protection Policy refers to our commitment to treat information of employees, customers, stakeholders and other interested parties with the utmost care and confidentiality.
With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.
This Data Protection Policy reflects the data privacy rules required by the GDPR and other applicable laws including but not limited to Thailand Personal Data Protection Act B.E. 2562 (“PDPA”).
Through the implementation of the Data Protection Policy across the companies within Amity’s Group, the risks of, and arising from, breaching data protection will be minimised.
2. Who is covered under the Data Protection Policy?
Employees of our Amity’s Group and its subsidiaries must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, our policy refers to anyone we collaborate with or acts on our behalf and may need occasional access to data.
3. Policy elements
As part of our operations, we need to obtain and process information. This information includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data etc.
Amity collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply.
Our data will be:
- Accurate and kept up-to-date
- Collected fairly and for lawful purposes only
- Processed by the company within its legal and moral boundaries
- Protected against any unauthorized or illegal access by internal or external parties
Our data will not be:
- Communicated informally
- Stored for more than a specified amount of time
- Transferred to organizations, states or countries that do not have adequate data protection policies
Distributed to any party other than the ones agreed upon by the data’s owner (exempting legitimate requests from law enforcement authorities)
4. Lawful Bases and Personal Data Processing Purposes
The personal data processing within Amity’s Group will always be based on lawful bases, which include the consent to the personal data processing, compliance with a legal obligation, the performance of a contract and/or Amity’s data processing agreement, the legitimate interest, the public interest or the protection of the interests of the data subject.
5. Personal Data Transfer
Amity’s Group may only make personal data available to third parties (including a personal data transfer within the Amity’s Group) under certain conditions. Personal data may only be available to a third party acting as a processor based on Amity’s data processing agreement or any contract likewise. Personal data may also be available to another third-party acting as a controller or a joint-controller based on relevant contractual agreements.
In case there are requirements for rectification or erasure of the personal data or for processing restrictions, under certain circumstances, Amity will notify the relevant third parties to which the personal data were made available, unless this is not feasible or requires an inadequate effort.
Amity will inform a data subject on the third parties to which the concerned personal data were disclosed, only if required to do so by the data subject.
Under certain conditions, Amity can also transfer personal data within Amity’s Group or to any third countries outside the European Economic Area (EEA) or the European Union or Thailand or to international organisations to the extent that data processing which needs to be performed and completed by Amity’s Group. To assess legal conditions under which personal data may be transferred to third countries or to international organisations, Amity will address the Data Protection Officer (DPO) for consultations. Please contact the appointed Data Protection Officer at the following email address email@example.com.
6. Responsibilities of Amity’s Group and its Employees
Amity’s Group and its employees are obliged to process the personal data in compliance with the Amity’s Group’ internal policies, the GDPR, the PDPA and other applicable data privacy laws and regulations.