Legalese

Privacy Notice of Personal Data Protection and Guidelines

 

Oryx Stainless (Thailand) Co., Ltd (aware of the importance of personal data and compliance with the personal Data Protection Act
2019, therefore, the guidelines are developed it to deal with collection, use, disclosure all transmissions of the personal data, as
well as security of the personal data as follow:

Definition


“Company” means Oryx Stainless (Thailand) Co., Ltd.
“Customer” means a person who juice to service or purchase things the company products, including accessing the company website or contacting the company.
“Supplier” means a person who sells products or provide service to the company including using the company's website or contacting the company.
“Affiliates” means affiliates such as oryx Stainless Holding BV Company Limited, Oryx Stainless BV company Limited, Oryx Stain
AG Company Limited, etc.
“Personal data” means information about an individual that enable that individual may be identified either directly or indirectly, including specifically the information of the decease.
“Personal data controller” means a person or entirely having decision making power regarding collection, use or disclosure of
personal data.
“Personal data processor” means a person or entity who performs collections, use or disclosure of personal data on the order or on
behalf of the personal data controller.
“Person” means a natural person.
“Personal data protection officer” Oryx Stainless (Thailand) Co.,Ltd. “Head Office”
92/8-9 Moo 1, T. Homsin, A.Bangpakong, Phone +66 38 571 960
Chachoengsao Province 24130 Fax +66 38 571 961
“Committee” means the personal data protection committee of the
office of the personal data protection committee.

1. Collection of Personal Data.


The company collects personal data and sensitive data with the following details and exceptions:

1.1 General Personal Data

1.1.1 Job applicant information, employee’s information, intern’s information. When the personal data subjects apply for the
job or applies for the internship with the Company. The company will ask for necessary data such as name, surnames, nationality, status, Photo, ID card number, passport number, telephone number, electronic mail, address, educational background, and family background work record, ETC.

1.1.2 Customer and supplier information. when the personal data subject contract company through the website or by phone,
by electronic mail, social media, or by any other means, The Company will ask for the necessary information Such as name, surname, phone number, electronic mail, address, and bank account for money transfer, ETC.

“Cookies”. Our website uses cookie in the same case. Cookies are small data files that retain information that are exchanged between
computers of the data subject and the Company’s Website. The company uses the cookies only to retain information that may benefit
the data subject for the next time the data subject visits the company’s website. If the data subject does not wish the company to
collect the use of cookies, then he or she can set up the website to refuse the use of cookies.

1.2 Exceptions to General Personal Data Collection

The company will obtain a consent of the data subject before collecting it, except in the following cases.

1.2.1 To achieve the objectives relating to preparation of historical documents or archives for the public benefit or in connection with
research or statistics, where appropriate safeguards are in place to protect the rights and liberty of personal data subjects as
prescribed by the committee.

1.2.2 To prevent or suppress a danger to life, body, or health of a person.

1.2.3 In a necessary case to follow the contract in which the personal data subject is a party or to be used to perform the request of the personal data subject prior to entering into that
contract.

1.2.4. In a necessary case to perform duties for the public benefit of the personal data controller or perform duties to exercise the
power or the state given to the personal data Controller.

1.2.5 In a necessary case for the legitimate interests of the Personal Data Controller or of other persons or juristic person who are not the personal Data Controller unless such benefits are less important than the basic rights of the data subject.

1.2.6 To comply with the law by the company as a personal data controller.

1.3 Sensitive Data

The company will obtain consent all personal data subject before collecting sensitive personal data, except in the case of exemption by law with details as follows:

1.3.1 Job applicant’ s data, employee’s data, intern’s data, such as race, religion, criminal history, health information, labor union
information and biological data (fingerprint or face scan), ETC.

1.3.2 Customer and supplier information said as ethnicity, religion, criminal history, health information, labor union information and
biological data (photo or fingerprint or face scan), ETC.

1.4 Exceptions and collection of the sensitive data

The company is allowed, through legal exception, for collectingsensitive data without the consent with personal data subjects in the
following case:
1.4.1 To prevent or suppress a danger to the life, body, or health of a person, which the personal data subject is unable to give a consent for any reason.

1.4.2 To carry out legitimate activities with appropriate protections of foundations, associations or non-profit organizations with objectives relating to politics, religion, philosophy, or labor union for members without disclosing that personal data outside the foundations, associations, or non-profit organizations.

1.4.3 It is the data that is disclosed to the public with the express consent of the personal data subject.

1.4.4 It is necessary for creation of legal claims, compliance or the exercise of legal claims or raising to defend the legal claims.
1.4.5 It is necessary to comply with the law.

1.5 Data Collection for Other Sources

Collection of data from sources other than those directly from the personal data subject, the Company will notify the data subject and obtain the consent of the data subject within 30 days from the date of
collection unless it is personal data that is exempt from requiring consent.

1.6 Identifying and recording sources and Types of Personal Data

Retention of personal data, the company has identified the source of the personal data collected by the Company (Record of Processing: Data Flow), name of the data collector, record of activity of the data, collection, storage, use, disclosure, erasure, and types of personal data to manage the data in compliance with the law, for example, Data Map, etc.

1.7 Notification of Personal Data Protection Details

The Company has prepared a Privacy Policy on the Company’s website and has announced a personal data protection policy
(Privacy Notice) and guidelines for handling personal data from management of the organization.


2. Period of retention of personal data

 

The Company will retain personal data for different periods as necessary and according to the purpose of collection with appropriate
security measures in place to prevent unauthorize access, collection, use, disclosure, copying, modification, disposal of data or similar
risks, After the expiration of such period, the company will delete or destroy the personal data classified by the following types of data.


2.1 Job application data/internship data: the Company will retain the data for consideration on admission to work of accept an
internship within a period of 30 days for the date the company receives such data. If the company is unnecessary to use such
data, the company will delete or destroy the data.


2.2 Data of employees/ internship students: the company will retain data throughout the period of being an employee internship
student and will continue to retain after termination of the employment internship for a period of 2 years.


2.3 Customer and supplier data: The company will keep the data for as long as the purpose of using the service for communication
and accomplishing the purposes of the data subject and will continue keeping for another period of 2 years or according to the
period specified by law.


3. Purpose of Collection of personal Data


The company will use the personal data of the personal data subject according to the consent of the data subject to carry out the purposes of operation and provision of services in accordance with the transactions agreed between the personal data subject and the company. The company will not use the personal data received from the personal data subject for any purpose other than those specified while obtaining the content to collection of such data. If the company has necessity to use the personal data other than the purposes specified, the company will ask for a consent from the personal data subject again. The company will collect data for the following purposes:


3.1 For use in applying for a job/internship of the data subject or keeping as an employee registration.
3.2 For trading operations or contact for service or answer questions as requested by the data subject.
3.3 For collection of data as a database of the Company or statistical data about the number of visitors to the website.
3.4 Other actions as consent of the data subject.
3.5 For legal compliance or legal exception.


The Company will process personal data only with consent of the data subject. The Company may collect data to create a customer
database and supplier database of statistics and to be analyzed for research for marketing benefits or to offer new services. But if the
data subject does not allow the Company to process the data as previously permitted, the data subject may notify his/her intent to the Company (see further details on participation of the personal data subject), unless the processing of such personal data is under the statutory exception which the company may collect and process it without consent as follows:


(1) Contract: when the personal data subject has agreed to a transaction or contacted the Company through the website, by
electronic mail, by telephone or by any other means, the Company will process the personal data of the data subject in relation to the
goods or services in order to contact or offer services or provide services according to the objectives of the contract further.


(2) Legitimate Interests: The Company may process the personal data in order to perform necessary tasks under lawful interests.


(3) Vital Interest: The Company may process the personal data in order to prevent or suppress any danger to life, body or health of
personal data subject


(4) Legal obligation


4. Disclosure of personal data


The company may disclose the personal data for the above-mentioned purposes to the related third party as necessary such as
person, juristic person, related agency, serviced provider, Bank hospital, consultant, and outside agencies such as revenue
department, Social Security Office and customs, etc. The company will not disclose the personal data to any agency or
other person that not related, except in the following cases:


4.1 Obtaining a consent from the personal data subject:


4.2 Orders of the court, officials, or the law to disclose such data. The company may share the personal data of the data subject
between its affiliates in order to provide services to the personal data subject efficiently and to achieve its objectives by the shared data such as name, surname, address, telephone number, fax number, electronic mail, name of company (organization), job title and
information related to trading or providing services or Human Resource management, etc. The company’s website may contain
links to other websites. The company shall not be responsible for the practices of personal data processed by websites others than the Company’s own website.


5. Security of personal Data


The company recognizes the importance of maintaining the security of personal data that is collected, used and disclosed. To prevent
loss, access, destruction, use, modification, rectification or disclosure of personal data that are appropriate as follows:


5.1 Awareness building and training to strengthen the security of personal data for its employees and related persons through
disseminating information, providing training and guidelines for strict compliance with the law.

5.2 Restricting access to personal data (Access control) only for employees and related persons who need to know that data in
order to process the data as a performance of responsibility or their position, provided that such persons must strictly comply
with the confidentiality requirements of the contract.


5.3 Strict and appropriate measures for security of sensitive personal data or data that may affect the public feeling, order and
moral.


5.4 Regular audits and assessments on security risks of the personal data.


5.5 In the event that the company employs a third party of other company to provide services to company and assign third party or
such company to be responsible for handling of the personal data., the Company will select suitable subcontractors and require
such third party or company to sigh document, contracts or agreements necessary to manager and maintain security of the
personal data. In addition, the company takes all security measures as required by law.


5.6 There is a network and internet security system (firewall) to prevent access from outside the network. And there is an
authentication system before using the company’s network. And there is a system to retain traffic data vis computer (Log files)
5.7 There is a backup system to prevent personal data loss or destruction.


5.8 If necessary and appropriate, the company may redesign the
business process to reduce the risk of illegal practice.


6. Involvement of the personal data subject


The company, realizing the importance of the data subject Rights, has prepared a “Personal information Request Form”(as per
attachment 4) for the personal data subject to communicate to the company of its intention in writing via postal mail, via electronic e-mail (E-mail): HrTH@oryx.com or via fax: 038-571-961. Then, the company will process the request of the personal data subject within 30 days for the date receipt of the request. The personal data subject may notify his/her intention to the Company under the following rights:


6.1 Objection or withdraw consent: The personal data subject has the right to object or oppose the collection, use or disclosure of data. The company will proceed with the request of the data subject and will not collect, use, disclose and transmit the personal data of such personal data subject. Such withdraw consent may result in the company being unable to provide services to the personal data subject without the consent of the data subject. In this regard, the company will notify the result of withdraw consent after company has received such withdraw request.


6.2 Access to personal data: the personal data subject may request a copy of the personal data concerning the personal subject.
Then, the company shall deliver the personal data subject within 30 days from the data the company receives the request.


6.3 Rectification of personal data: the personal data subject may ask the Company to rectify any errors or add mission information
in the personal data.


6.4 Request to restrict of use of disclose the personal data.


6.5 Request for erasure personal data: The personal data subject may request the Company to erase or destroy his/her personal
data.


6.6 Request for disclosure of acquisition of the personal data.


6.7 Request for transfer of personal data of the data subject.


7. Data Protection Officer (DPO) under the Personal Data Protection Act B.E. 2562(2019)


The Company has appointed a working group which is a personal data protection officer under the personal data protection Act B.E.
2562(2019) to give advice, audit the process of collection, use or disclosure of personal data, coordinate and cooperate with the
personal data protection committee as follows:

7.1 Director of the company is the responsible for making decisions related to collection or disclosure of personal information.


7.2 Officers of each of the following departments are responsible for data processing, i.e. Human Resources responsible for raking
actions related to collection, use or disclosure of the personal data in accordance with the order of the directors. This is an
action on behalf of the company.


7.3 The company has appointed a working group under the personal Data Protection Act B.E. 2562(2019) consisting of

7.3.1 Human Resources Department: Ms. Panita Jindasatthawat
7.3.2 Commercial Department: Mrs.Chaweewan Meesri
7.3.3 Accounting and Finance Department: Ms.Sirina Kongnual
7.3.4 Safety Department: Mr.Natthawat Phongchai


The company requires the working team according to 7.3 to have a follow-up mission, arrange a meeting as appropriate for the case and report the meeting results to the Director for further consideration and acknowledgement.


8. Contact Channels


Oryx Stainless (Thailand) Co.,Ltd
No. 92/8-9 Moo 1, T.Homsin, A.Bangpakong, Chachoengsao
Province 24130 Telephone : 038-571-960 Fax : 038-571-961 (E-
mail) : HrTH@oryx.co Ms.Phannatda Konpoothorn (DPO)

This is from now on. This announces on 17 June 2022.

Note:

  • Changes in Privacy Policy: The Company may amend the privacy policy without prior notice by announcing on the website with
    specifying the date of the last amendment. This shall be deemed that you have accepted the amended policy. The company will not notify you of such amendments individually.
  • Guidelines to follow Personal Data Protection ACT, B.E. 256
By clicking the SUBMIT button you agree to our Privacy Policy