CPL Group Public Company Limited
Declaration of protection of personal data of data subjects according to the privacy protection policy
1. Scope and purpose of this notice
CPL Group Public Company Limited ( the “ Company ”) realizes the importance of protecting personal data of personal data subjects in accordance with the Personal Data Protection Act B.E. The Company’s personal information, therefore, the Company has prepared this notice. Its purpose is to explain how it is collected. Use and disclose personal data of personal data subjects in relation to providing any services of the Company. Please read this document to know and understand the purposes for which the Company has collected it. Use and disclose personal information of the personal information subject in accordance with this notice.
“ Personal Information ” means information about the subject of personal data which enables it to be identified either directly or indirectly. This does not include the information of the deceased. Juristic Person Information or information obtained through the process of making it into information The identity of the owner of the personal data cannot be identified.
“ personal data subject ” means a natural person with contact or doing various transactions and employees of the Company which have a personal data protection notice separate from this announcement.
“ Sensitive Personal Data” means personal information about race, ethnicity political opinion cult religion or philosophy sexual behavior criminal record Which affects the owner of personal data in a similar way as determined by the committee, that the company will collect, use and / or disclose sensitive personal information only when the company has received your express consent. or in cases where the Company is necessary as permitted by law, the Company may be required to collect, use and/or disclose personal biometric data such as facial image data. fingerprint mockup iris simulation data audio identity information For the purpose of proving and verifying the identity of the service user who requests to apply and/or transacting through various channels
“ Processing personal data ” means any operations of the Company on the personal data of the personal data subject including the collection, use and disclosure of personal data. and deletion of personal information
2. Persons using personal data of the personal data subject
The Company is the “ personal data controller ” of all personal data subjects. Therefore, it is responsible and responsible for the processing and security of personal data of the personal data subject. The processing of personal data will be done to the extent necessary for the purposes, scope and methods of use as required by law.
In addition, the company may send your personal information to agencies or third parties to process on the basis. “ personal data processor ” acting on behalf of the company
3. Personal data of the personal data subject that the Company may collect
To process personal data for the purpose The Company is obliged to collect, use or disclose personal information as the case may be. by such personal data such as Personal data provided in the application, contract, transaction documentation or other personal data obtained in connection with the performance of the purpose, rights or compliance with the law.
In addition, the Company also processes personal data about the use of information technology systems, including CCTV, building access systems. and computer traffic data under the Computer Crime Act
The Company generally collects almost all personal data directly from the personal data subject. through the contract or transaction process, however, the Company may collect additional information from other sources such as: external service provider Securities registrar, etc. The information obtained from other sources will be verified or certified that it can be used for the purposes of this notification.
The Company may process personal identifiable information of the personal data subject in documented form. and/or pictures and/or electronic form
4. Why does the company use the personal information of the personal data subject?
The Company uses the personal data of the personal data subject for the operations of the Company in connection with the provision of the Service or the use of the Service. by the company processing personal data of the owner
personal data for reasons (data processing base), which may be based on one or more reasons Can be combined as follows:
4.1 because the company has a duty to comply with the contract: process according to the contract ( Contract)
so that the company can perform the contract or conducting transactions in accordance with the purposes for which the personal data subject is a party to the Company, for example:
- commercial product referral , payment of compensation, etc.
- take any other action for the purpose of providing contractual services, such as receiving complaints risk management
- Organizing the Annual General Meeting of Shareholders holding a meeting of the bondholders, including various actions for the benefit of shareholders or bondholders such as dividend payments Implementation of rights requirements, etc.
4.2 Because the Company is obliged to act in accordance with its legitimate interests: Processing on the basis of Legitimate Interests
The Company may use the personal data of the personal data subject for processing for management purposes. Auditing and preparation of internal reports of the company Maintaining the system to maintain service standards including the company’s risk management and normal operations within the company for legitimate interests such as
- Surveillance cameras ( CCTV)
- Enterprise risk management, audit, internal management
- Controlling, preventing, mitigating or transferring risks that may arise from fraudulent actions cyber threat default or breach of contract illegal activities (eg. Prevention and Suppression of Money Laundering financial support for terrorism and proliferate weapons of mass destruction offenses relating to property, life, body, liberty or reputation), including sharing personal data in order to enhance the standard of work of companies in the financial business group to control, prevent, mitigate or transfer the above risks.
- Collection, use and/or disclosure of personal information of directors person with authority to act on behalf representative of the legal entity
- Contact, video recording, sound recording arising from meetings, trainings, recreation or booths
4.3 Because the company is obliged to comply with the law : Process according to the legal obligation basis .
The Company may process the personal data of the personal data subject for processing in accordance with the law of the agency. that supervises the company’s business operations, such as the Bank of Thailand Securities and Exchange Commission Stock Exchange of Thailand Office of the Consumer Protection Board Anti-Money Laundering Office Office of Economic Affairs, Ministry of Finance Office of the National Anti-Corruption Commission Office of the Personal Data Protection Commission, etc., including laws governing transactions such as the Cyber Security Act, B.E. 2562, the Anti-Money Laundering Act, B.E. 2542 or other laws that the company is required to submit information both in Thailand and abroad. including announcements and regulations issued under such laws, such as the Civil Procedure Code which gives the court the power to order the parties to submit documents or information in the trial, etc.
4.4 Because the company has received the consent of the owner of the personal data: processed according to the consent ( Conent)
The Company will obtain consent to the processing of personal data from the personal data subject to: for stated purposes only. In some cases, the Company may consider that personal data can be processed. for other related and non-contradictory purposes or in addition to the original purpose But in the event that the company It is necessary to process the data for purposes other than the original purpose. The company will request new consent to the use of information for that new purpose
If the data subject wishes to withdraw consent to such processing You can contact the company and make a request according to Article 11. Withdrawal of consent may affect the performance of the purpose, therefore, for the benefit of the owner of the personal data should be studied. or inquire about the impact before revoking consent
5. Disclosure of personal information to third parties
The Company may disclose personal data of personal data subjects to third parties to the extent necessary for the processing of the data in accordance with contractual or legal obligations. or with the consent of the owner of the personal data The Company may transmit personal data of the personal data subject. to third parties as follows:
- Agents and Contractors or third-party service providers, in order to enable these individuals and/or entities to provide services to companies and owners of personal data such as financial business groups, advisors
- expert and Service providers in fields such as information and communication technology, companies Travel coordinator for seminars meeting organizer Thailand Securities Depository Person performing duties related to the issuance and offering of securities, etc.
- regulators government agency or a regulatory agency such as the Bank of Thailand Securities and Exchange Commission Office of the Consumer Protection Board Office of Economic Affairs, Ministry of Finance Anti-Money Laundering Office, Revenue Department, National Anti-Corruption Office, Legal Execution Department, Ministry of Justice Royal Thai Police Any person to whom the Company must disclose information to the extent required by applicable law or regulation. or in other specific cases, such as in accordance with a court order
- for the establishment of contractual or legal claims of the Company or raising the defense of legal claims
- The Company may transmit or transfer the data of the Personal Data Subject to foreign countries in order to comply with the contract between the Company and other persons or entities for the benefit of the Personal Data Subject. or to meet legal requirements The country of destination receiving the data must be judged by the Personal Data Protection Board that there is adequate protection for personal data. Or the agency or organization that receives the information must be inspected and certified by the Office of the Personal Data Protection Commission that there are appropriate personal data protection measures.
6. Processing process by automation
Subject to the express consent of the personal data subject The Company may use the personal data of the personal data subject for automatic processing. for collecting other information If the subject of personal data wishes to withdraw his consent, you may contact the Company for revocation of your consent in accordance with Article 11.
7. Rights to personal data of the personal data subject
The personal data subject has the right to the personal data, whereby the personal data subject can apply for various rights. available under the provisions of the law and the announcements set forth now or to be amended in the future as follows:
- Right to be informed by being informed of the processing of personal data collection method Person to receive information Reason and duration of storage of personal data
- ( Right of Access) by being able to obtain a copy of the personal data of the personal data subject under the Company’s responsibility and check whether the company has legally processed the data
- Right to data portability The Company provides personal data in a format that can be read or generally used by a device or device that works automatically. and processed by automatic methods The owner of the personal data can request the company to send or transfer the personal data to another person by automatic means. or obtain personal information that the company sends or directly transfers to other people unless by technical condition it is not possible
- The right to object to the processing of personal data ( Right to object) . The owner of the personal data can object in the event that the Company processes the personal data of the personal data subject.
- Right to request removal or destruction Right to erasure Right to be forgotten ( Right to erasure Right to be forgotten) , the owner of the personal data can request that the data be erased or destroyed, or the personal data is not identifiable. person
- Right to restrict processing of personal data The owner of the personal data can request to suspend the use of personal data . When the company is in the process of reviewing the request of the data subject to correct the personal data or when the Company is in the process of proving or verifying the request to exercise the right of objection of the Personal Data Subject
- Right of rectification , the data subject can request to correct, complete and up-to-date. If the data subject finds that the data subject’s personal data is inaccurate, complete and current
The owner of the personal data has the right to submit an application to exercise his or her rights to the company. In some cases, the company may refuse to exercise the rights of the personal data subject for reasons that will be notified later. The personal data subject can complain to the Office of the Personal Data Protection Commission if the personal data subject does not agree with the reasons given by the company.
Any request for the exercise of the data subject’s rights as stated above must be done in writing And the company will use its best efforts to take action or clarify within 30 days or not more than the time limit specified by law. The company will comply with the legal requirements. relating to the rights of the personal data subject as the personal data subject In the event that the personal data subject requests the Company to delete, destroy, dispose of the processing of personal data temporarily suspended Transform personal data into information that does not identify the owner of the personal data. or withdraw consent May cause restrictions on the company in conducting transactions or providing services to the subject of personal data.
The Company reserves the right to charge relevant and necessary expenses for the processing of personal data as requested by the personal data subject.
8. Duration of storage of personal data
in accordance with the principle of collecting personal data as necessary The Company will store your personal information as for as long as is necessary for the statutory data collection purpose. Personal data of the personal data subject will be collected for the duration of the contract or a person transacting with the company and not more than 10 years from the date of the expiration of the contractual period or the transaction or as required by law
9. Methods used by the Company to protect the personal data of the personal data subject
The Company has managed to protect personal data in accordance with the “ Information Security Management System Standards.
The Company may consider reviewing the Personal Data Protection Notice of the Personal Data Subject. If there is a change The Company will notify you on the Company’s website. and according to the channels that will be notified as appropriate
11. How to contact the company
In the event that the owner of the personal data wishes to exercise his or her rights or withdraw the consent to the processing of personal data of the personal data subject or have questions about the Company’s processing of personal data You can contact us at:
Telephone 02 709 5633-8
Contact location :
CPL Group Public Company Limited
Contact location : No. 700 Moo 6 , Sukhumvit Road, Bang Pu Mai Subdistrict, Mueang District, Samut Prakan Province
Telephone 02 709 5633-8
Email address Personal Data Protection Officer DPO@cpl.co.th
If the Personal Data Subject deems that the Personal Data Subject’s personal data is processed Not in accordance with the Personal Data Protection Act B.E. (2019), the owner of the personal data has the right to lodge a complaint to the Office of the Personal Data Protection Commission.
This notice is effective from 1 June . B.E. 2022 onwards
However, if the enforcement of personal data protection according to the Personal Data Protection Act B.E. 2019 has postponed the enforcement. This notice will also be postponed to come into force on the same day as the date the said Personal Data Protection Act comes into force.
Mr. Puvasith Wongcharoensin
Chief Executive Officer
CPL Group Public Company Limited