Privacy Policy
Legal Basis and Objectives of Data Collection

Legal basis: Personal Data Protection Act B.E. 2562:
- Section 19: Requires explicit consent from users for data collection and clear notice of the purpose, scope, and use of the collected data.
- Section 26: Personal data must be collected lawfully and fairly and cannot be used for purposes other than those originally intended without user consent.
- Section 28: Users have the right to know the purpose of data collection, usage, retention period, and details of data sharing.

Purpose of collection: Location data is collected for the following specific purposes:
- Searching for nearby second-hand products.
- Providing services and advertisements tailored to users.
- Route recommendations and guidance.
- Enhancing transaction security.
- Location-based alerts and updates.
- User behavior analysis and service improvement.
- Creating location-based statistics.

Collection and Use of Location Data

Collected data: Various types of location data are collected to provide location-based services. Specifically, the collected data includes:
- GPS data: Real-time location coordinates (latitude and longitude) from the user's device GPS sensor. Objective: Real-time tracking and personalized service provision.
- Wi-Fi access information: SSID, BSSID, and signal strength of the Wi-Fi network the user is connected to. Objective: Indoor positioning and proximity-based services.
- Cell tower data: Position and signal strength of the cell tower the user's device is connected to. Objective: Network-based positioning and service continuity.
- Bluetooth beacon data: Signal information from nearby Bluetooth beacons. Objective: Indoor positioning and proximity-based services.
- IP address: The IP address assigned to the user's device when connecting to the internet. Objective: Approximate location identification and security.
- User-entered data: Location information manually entered by the user within the app. Objective: Providing services according to the location specified by the user.

Collection methods: Location data is collected through the following methods:
- During application installation: Explicit consent for location data collection is obtained when the application is installed and used for the first time. Collection method: Obtain user consent for the use of location data during the initial setup process.
- Background location tracking: Location data is continuously collected even when the user is not actively using the application. Collection method: Periodic collection of GPS and network data when the user permits background location tracking.
- Foreground location tracking: Location data is collected while the user is actively using the application. Collection method: Real-time location data is collected when the user uses the map function or location-based search.
- Wi-Fi and Bluetooth scanning: Wi-Fi and Bluetooth signals are scanned to collect location data when the user is in a specific place. Collection method: Gathering data from nearby networks and devices when Wi-Fi or Bluetooth is enabled.
- Event-based collection: Location data is collected when a specific event occurs (e.g., when the user reaches a designated location). Collection method: Recording and analyzing location data when user-defined events occur.
- User input: Location data manually entered by the user is collected. Collection method: Location data entered by the user is transmitted to and stored on the server.

User Consent and Notifications

Consent procedures:
- Explicit consent: Users must provide explicit consent for the collection and use of location data during the installation and initial use of the application.
- Withdrawal of consent: Users can withdraw consent for the collection of location data at any time, and the collected data will be deleted immediately upon withdrawal of consent.

Notification obligations:
- Transparent notification: Users will be clearly informed about the purpose, usage, storage duration, and data sharing policies related to location data collection.

Data Security and Protection

Security measures:
- Encryption: Location data will be encrypted during storage and transmission.
- Access control: Strict access control policies are in place to prevent unauthorized access.
- Regular security audits: Regular security audits are conducted to maintain data protection standards.

Legal requirements: Thailand's Personal Data Protection Act:
- Section 32: Requires technical and administrative security measures to prevent unauthorized access, destruction, or alteration of personal data.
- Section 34: Requires maintaining the security of personal data processing systems and preventing unlawful breaches.

Storage and Disposal of Location Data

Retention period:
- Minimum retention principle: Location data will be retained only for the period necessary to achieve the purpose of collection or as required by law, so that user location data is not retained longer than necessary.
- Periodic review: The Data Protection Officer (DPO) will review the retention period of the data periodically, and unnecessary data will be promptly deleted. This review is conducted semi-annually and assesses the necessity of the retained data.
- Compliance with the law: To comply with the Personal Data Protection Act B.E. 2562 (2019), Section 37, the company will adhere to the retention period prescribed by law and securely dispose of personal data after that period.

Storage methods:
- Encrypted data storage: Location data is securely stored using the latest encryption technology, ensuring data integrity and preventing unauthorized access.
- Physical security: The servers storing location data are located in access-controlled areas equipped with CCTV cameras and access control systems.
- Access control: Only authorized personnel can access location data, and all access will be logged and regularly audited.

Disposal procedures:
- Immediate disposal: Location data will be disposed of immediately once the collection purpose is fulfilled or when the user withdraws consent, ensuring no unnecessary personal data is retained.
- Irrecoverable destruction: All location data will be destroyed using methods that prevent recovery. Electronic files will be permanently deleted using data erasure software; paper documents will be destroyed using a high-security shredder or burned in a secure location.

Inspection and recording of disposal:
- Disposal inspection: Disposal activities will be inspected by responsible personnel, who will report to the DPO.
- Record keeping: All disposal activities will be recorded and the records maintained for at least three years. Records include the type of data disposed of, the disposal date, the disposal method, and the signature of the responsible personnel.

Legal compliance: Thailand's Personal Data Protection Act:
- Section 37: Establishes requirements for the secure storage and management of personal data, including technical and administrative measures to ensure that all personal data, including location data, is stored securely.
- Sections 41 and 42: Mandate the secure and permanent disposal of personal data and specify legal responsibilities for non-compliance, including the correct methods and procedures for disposal and the legal consequences of non-compliance.

Legal responsibilities:
- Fines and penalties: Failure to comply with data retention and disposal procedures may result in fines of up to 5 million Baht under the Personal Data Protection Act B.E. 2562 (2019).
- Criminal liability: Severe violations that result in significant breaches of privacy may lead to legal proceedings and criminal charges.
- Civil liability: The company may be liable for damages if users suffer harm due to a violation of privacy.

User Rights and Control

Right to access and rectification:
- Right to access: Users have the right to access their location data to understand how it is being used. Legal basis: Personal Data Protection Act B.E. 2562, Section 30 grants users the right to access their personal data. Example: If a user requests their location history, the company will provide that information after proper identity verification.
- Right to rectification: Users have the right to rectify incorrect location data. Legal basis: Personal Data Protection Act B.E. 2562, Section 30 allows users to correct inaccurate personal data. Example: If users encounter issues due to incorrect location data, the company will rectify the data immediately and inform the users of the correction.

Right to withdraw consent and data deletion:
- Right to withdraw consent: Users can withdraw consent for the collection and use of location data at any time. Legal basis: Personal Data Protection Act B.E. 2562, Section 32 grants users the right to withdraw consent. Example: If users withdraw consent through the app settings, the company will immediately stop collecting location data and delete any existing data.
- Right to erasure: Users have the right to request the deletion of their location data. Legal basis: Personal Data Protection Act B.E. 2562, Section 33 allows users to request the deletion of their personal data. Example: If users request the deletion of their location data, the company will act on the request promptly and confirm the deletion to the user.

Right to restrict and object to processing:
- Right to restrict processing: Users can restrict the processing of their location data under certain conditions. Legal basis: Personal Data Protection Act B.E. 2562, Section 35 grants users the right to request restriction of processing. Example: If the user requests a temporary restriction on the processing of location data, the company will approve and act upon that request.
- Right to object to processing: Users have the right to object to the processing of their location data for specific purposes. Legal basis: Personal Data Protection Act B.E. 2562, Section 34 allows users to object to the processing of data for specific purposes. Example: If the user objects to location-based advertising, the company will stop processing the user's location data for advertising purposes.

Right to data portability: The user has the right to transfer their location data to another data controller. Legal basis: Personal Data Protection Act B.E. 2562, Section 36 grants users the right to data portability. Example: If a user wishes to change platforms, the company will support the secure transfer of the user's data to the new platform.

User Responsibilities
- Providing accurate information: Users are responsible for providing accurate and up-to-date location information. Users may be held accountable for issues arising from providing incorrect information. Example: If a user intentionally provides incorrect location information, causing issues in transactions, the user may be held responsible.
- Security: Users are responsible for maintaining the security of their accounts and location data. It is recommended to use strong passwords and change them regularly. Example: If users share their account details with others and a security breach occurs, the company will not be liable, and the users will be held responsible.
- Compliance with the privacy policy: Users are responsible for complying with the company's privacy policy. Violations of these policies may result in restricted access to services. Example: If a user violates the company's data collection and usage policy, the user's access to services may be restricted.

Legal basis:
- Personal Data Protection Act B.E. 2562, Section 30: Guarantees the rights of users to access and manage their personal data.
- Personal Data Protection Act B.E. 2562, Section 32: Grants the right to withdraw consent for the processing of personal data.
- Personal Data Protection Act B.E. 2562, Section 33: Allows users to request the deletion of their personal data.
- Personal Data Protection Act B.E. 2562, Section 34: Allows users to object to the processing of personal data for certain purposes.
- Personal Data Protection Act B.E. 2562, Section 35: Grants the right to restrict the processing of personal data.
- Personal Data Protection Act B.E. 2562, Section 36: Grants the right to data portability.

Data Protection Officer (DPO) and Legal Compliance

Appointment and role of the Data Protection Officer (DPO)

Appointment:
- Appointment procedure: Buy and Sell Co., Ltd. officially appoints Hoyeon Kim as the Data Protection Officer (DPO) in accordance with the Personal Data Protection Act B.E. 2562, Section 41.
- Official record: The appointment of the DPO is officially recorded in the company's internal records and may be reported to relevant government agencies.

Roles and responsibilities:
- Policy development and implementation: The DPO is responsible for developing and implementing the company's data protection policies, including policies related to location data.
- Compliance with the law: The DPO ensures compliance with the Personal Data Protection Act of Thailand and oversees the lawful processing of personal data.
- Incident response: In the event of a data breach, the DPO will respond promptly and take appropriate measures in accordance with relevant laws.
- Protection of user rights: The DPO ensures that users can exercise their rights to access, rectify, delete, and withdraw consent for their personal data as specified in Thailand's Personal Data Protection Act, Section 30.

Training and awareness:
- Training program: The DPO conducts training for all company employees on data protection, emphasizing the importance of data privacy and compliance with laws and company policies.
- Regular training: Regular training sessions are conducted to keep employees updated on legal and policy changes.

Compliance Audits and Assessments

Regular assessments:
- Internal audit: The DPO conducts regular internal audits to evaluate compliance with data protection laws and the company's policies. The audit results will be reported to senior management and necessary improvements will be implemented.
- External audit: External experts may be engaged to assess the adequacy of data protection policies and procedures, with improvements made based on audit results.

Legal compliance:
- Policy compliance audit: The DPO conducts regular audits to ensure compliance with the Personal Data Protection Act B.E. 2562 (2019) and related regulations.
- Remedial actions: If any legal compliance issues are found, the DPO will take immediate corrective action.

Responsibility for Non-Compliance

Legal responsibility:
- Fines and penalties: Non-compliance with data protection regulations may result in fines of up to 5 million Baht under the Personal Data Protection Act B.E. 2562 (2019), Section 83. Severe violations may incur additional penalties as prescribed by law.
- Criminal liability: Severe privacy violations resulting from breaches of data protection laws may lead to legal proceedings and criminal charges.

Civil liability:
- Compensation for damages: If a user suffers damage due to a data breach, the company is obligated to compensate the affected user in accordance with Thai civil and commercial law.
- Protection of user rights: The company must take appropriate measures to protect users' personal data. Failure to do so may result in civil lawsuits.

Other liabilities:
- Damage to reputation: Failure to comply with data protection regulations can severely damage the company's reputation, leading to a loss of customer trust.
- Threats to business continuity: Legal issues and financial losses arising from non-compliance can threaten the company's business continuity.

Legal basis:
- Personal Data Protection Act B.E. 2562 (2019), Section 41: Requires the appointment of a Data Protection Officer (DPO) to ensure compliance with data protection requirements.
- Personal Data Protection Act B.E. 2562 (2019), Section 83: Specifies fines and penalties for violations of data protection laws.

This policy ensures that Buy N Sell Co., Ltd. complies with the Personal Data Protection Act B.E. 2562 (2019) of Thailand.

Legal Basis and Objectives of Collection

Legal basis: Personal Data Protection Act B.E. 2562:
- Section 19: Requires explicit consent from users for data collection and clear notice of the purpose, scope, and use of the collected data.
- Section 26: Personal data must be collected lawfully and fairly, and cannot be used for purposes other than those originally intended without the user's consent.
- Section 28: Users have the right to know the purpose of data collection, usage, retention period, and details of data sharing.

Purpose of collection: Identification card information is collected for the following specific purpose:
- User authentication: National ID card information is collected to verify user identity. Usage: The collected national ID card information will be used solely for verifying user identity during the authentication process.
Collection and Use of ID Card Information

Information collected:
- ID card details: Full name, ID card number, issue date, expiry date, and other relevant information as displayed on the user's ID card.

Collection methods:
- During application installation: Explicit consent for collecting ID card information is obtained during the first installation and use of the application. Collection method: Request user permission to use ID card information during the initial setup process.
- Initial user verification: Users can voluntarily provide their ID card information for identity verification. Collection method: Users submit ID card details through the secure interface of the application.

Usage:
- For identity verification only: The ID card information collected will be used solely for the purpose of user identity verification.
- Immediate disposal: When the identity verification process is completed, ID card information will be immediately disposed of and will not be retained by Buy and Sell Co., Ltd.

User options:
- Voluntary submission of information: Users have the option to voluntarily provide their ID card information. The choice to use ID card verification is entirely at the user's discretion.
- No penalties for not submitting information: Users who choose not to provide their ID card information for verification will not face any penalties or adverse consequences. Example: Users who choose not to submit their ID card information can still access all services and features of the platform without any restrictions or disadvantages.

Data Security and Protection

Security measures:
- Encryption: National ID card information will be encrypted during storage and transmission.
- Access control: Strict access control policies are implemented to prevent unauthorized access to personal identification data.
- Immediate disposal: Once the identity verification process is complete, personal identification data will be securely deleted using data erasure software to ensure it cannot be recovered.

Legal requirements: Thailand's Personal Data Protection Act:
- Section 32: Requires technical and administrative security measures to prevent unauthorized access, destruction, or alteration of personal data.
- Section 34: Establishes measures to ensure the security of personal data processing systems and prevent unlawful breaches.

Disposal Procedures

Immediate disposal:
- Procedure: Identification card data will be disposed of immediately after the authentication process is completed.
- Method: Data erasure software is used for permanent deletion of electronic data. Physical documents will be destroyed using high-security shredders or incinerated in a secure location.

Inspection and record keeping:
- Disposal inspection: Disposal activities will be monitored by responsible personnel, who will report to the DPO.
- Record keeping: All disposal activities will be recorded and the records maintained for at least three years. Records include the type of data disposed of, the date of disposal, the method of disposal, and the signature of the responsible personnel.

Rights and Responsibilities of Users

User rights:
- Right to access: Users have the right to access their personal data to understand how it is being used. Legal basis: Personal Data Protection Act B.E. 2562, Section 30 grants users the right to access their personal data. Example: If a user requests to view their submitted ID card information, the company will provide that information after proper identity verification.
- Right to rectification: Users have the right to correct inaccurate personal information. Legal basis: Personal Data Protection Act B.E. 2562, Section 30 allows users to correct inaccurate personal data. Example: If a user finds an error in their ID card information, the company will correct the error immediately and notify the user.
- Right to withdraw consent and delete data: Users can withdraw their consent for the collection of their ID card information at any time. Legal basis: Personal Data Protection Act B.E. 2562, Section 32 grants users the right to withdraw consent. Example: If users withdraw their consent, the company will immediately stop using the users' ID card information and delete the stored data.

User responsibilities:
- Providing accurate information: Users are responsible for providing accurate and up-to-date identification card information. Users may be held accountable for issues arising from providing incorrect information. Example: If a user intentionally provides incorrect identification card information, causing verification issues, the user may be held accountable.
- Security: Users are responsible for the security of their ID card information. It is recommended to use secure methods when transmitting their information. Example: If users share their ID card details with others and a security breach occurs, the company will not be liable, and users will be responsible.

Legal basis:
- Personal Data Protection Act B.E. 2562, Section 30: Guarantees the rights of users to access and manage their personal data.
- Personal Data Protection Act B.E. 2562, Section 32: Grants the right to withdraw consent for the processing of personal data.
- Personal Data Protection Act B.E. 2562, Section 33: Allows users to request the deletion of their personal data.
- Personal Data Protection Act B.E. 2562, Section 34: Allows users to object to the processing of personal data for certain purposes.

This policy ensures that Buy N Sell Co., Ltd. complies with the Personal Data Protection Act B.E. 2562 (2019) of Thailand, protects users' national ID card information, and safeguards their privacy and rights.
Legal Basis and Objectives of Data Collection

Legal basis: Personal Data Protection Act B.E. 2562:
- Section 19: Requires explicit consent from users for data collection and clear notice of the purpose, scope, and use of the collected data.
- Section 26: Personal data must be collected lawfully and fairly and cannot be used for purposes other than those originally intended without user consent.
- Section 28: Users have the right to know the purpose of data collection, usage, retention period, and details of data sharing.
Criminal Procedure Code of Thailand:
- Section 18: Allows law enforcement agencies to use personal data for investigative purposes through legal processes.

Purpose of collection: Photographs of second-hand goods and conversation content are collected for the following specific purposes:
- Dispute resolution: Used as evidence in resolving disputes between users. Example: If there is a conflict regarding the agreed condition or terms of a transaction, photos and conversation content can be reviewed to resolve the issue.
- Service improvement: Data analysis to improve user experience and service quality. Example: Feedback and conversation content will be analyzed to improve the user interface and customer support services.
- Compliance with the law: Data retention to comply with legal requirements and respond to legal issues. Example: Providing necessary information to law enforcement agencies upon request for investigative purposes.

Data Collection and Retention

Information collected:
- Second-hand product photos: All photos uploaded by users for transactions.
- Conversation content: All conversation records between users.

Collection methods:
- Image upload: Collected when users upload images for second-hand goods transactions. Collection method: Users upload images directly through the application.
- Conversation records: Collected through the application's conversation function. Collection method: All conversation content is stored in real time on the server.

Data Retention and Protection

Retention period:
- Minimum retention principle: Images and conversation content will be retained only for the period necessary to achieve the collection purposes or comply with legal requirements.
- Retention period: Data is typically retained for one year. However, the period may be extended according to legal requirements or user requests.
- Regular audits: The DPO regularly reviews data retention periods and promptly disposes of unnecessary data.
- Compliance with the law: To comply with the Personal Data Protection Act B.E. 2562 (2019), Section 37, the company will comply with the retention periods prescribed by law and securely dispose of personal data after such periods.

Storage methods:
- Encrypted storage: Images and conversation content will be securely stored using the latest encryption technology.
- Physical security: The data storage server is located in an access-controlled area with CCTV and access control systems.
- Access control: Access to the data is restricted to authorized personnel only, and all access will be logged and regularly audited.

Data Provision and Disposal Procedures

- User requests: Data can be provided upon user request to resolve disputes between users. Example: In the event of a dispute regarding the condition of goods being traded, upon user request, photographs and conversation content related to the transaction can be provided to assist in resolving the dispute.
- Legal requests: Information can be provided upon request from Thai law enforcement agencies or judicial authorities for investigative purposes. Legal basis: According to the Criminal Procedure Code of Thailand, Section 18, personal data can be provided for investigative purposes in accordance with legal procedures. Example: If the police request conversation records for an investigation through a court order, the necessary information will be provided.

Disposal procedures:
- Immediate disposal: Data will be disposed of immediately after the purpose of collection is fulfilled or when the user withdraws consent.
- Irrecoverable destruction: All data will be destroyed using methods that prevent recovery. Electronic files will be permanently deleted using data erasure software; paper documents will be destroyed using a high-security shredder or burned in a secure location.

Inspection and recording of disposal:
- Disposal inspection: Disposal activities will be inspected by responsible personnel, who will report to the DPO.
- Record keeping: All disposal activities will be recorded and the records maintained for at least three years. Records include the type of data disposed of, the date of disposal, the method of disposal, and the signature of the responsible personnel.

Rights and Responsibilities of Users

User rights:
- Right to access: Users have the right to access their images and conversation content to understand how their data is being used. Legal basis: Personal Data Protection Act B.E. 2562, Section 30 grants users the right to access their personal data. Example: If a user requests their conversation content, the company will provide it after proper identity verification.
- Right to rectification: Users have the right to correct inaccurate information. Legal basis: Personal Data Protection Act B.E. 2562, Section 30 allows users to correct inaccurate personal data. Example: If a user finds an error in their conversation content, the company will correct it immediately and notify the user.
- Right to withdraw consent and delete data: Users can withdraw their consent for data collection and usage at any time. Legal basis: Personal Data Protection Act B.E. 2562, Section 32 grants users the right to withdraw consent. Example: If users withdraw their consent, the company will immediately cease data collection and delete the stored data.

User responsibilities:
- Providing accurate information: Users are responsible for providing accurate and up-to-date information, images, and conversation content. Users may be held accountable for issues arising from providing incorrect information. Example: If a user intentionally provides misleading images of second-hand products, causing issues in transactions, the user may be held responsible.
- Security: Users are responsible for securing their accounts and information. They should use strong passwords and change them regularly. Example: If a user shares their account details with others and a security breach occurs, the company will not be held liable, and the user will be responsible.

Legal basis:
- Personal Data Protection Act B.E. 2562, Section 30: Guarantees the rights of users to access and manage their personal data.
- Personal Data Protection Act B.E. 2562, Section 32: Grants the right to withdraw consent for the processing of personal data.
- Personal Data Protection Act B.E. 2562, Section 33: Allows users to request the deletion of their personal data.
- Personal Data Protection Act B.E. 2562, Section 34: Allows users to object to the processing of personal data for certain purposes.
- Criminal Code of Thailand, Section 18: Allows law enforcement agencies to request personal data for investigative purposes through legal processes.

This policy ensures that Buy and Sell Co., Ltd. complies with the Personal Data Protection Act B.E. 2562 and the Criminal Code of Thailand, protects second-hand product photos and user conversation content, and safeguards the privacy and rights of users.

Legal Basis and Objectives

Legal basis: Personal Data Protection Act B.E. 2562:
- Section 37: Requires appropriate technical and organizational measures to protect personal data from unauthorized access, destruction, alteration, or disclosure, and to promptly address incidents.
- Section 41: Mandates the appointment of a Data Protection Officer (DPO) to oversee data protection strategies and ensure compliance with the PDPA.
- Section 83: Specifies penalties for non-compliance with data protection requirements, including fines and potential criminal liability.

Objectives: The objective of this regulation is to define the roles, responsibilities, and access rights of personnel authorized to manage personal data, to ensure data security and compliance with legal requirements.

Appointment of Authorized Personnel

Data Protection Officer (DPO):
- Appointment: Hoyeon Kim has been appointed as the Data Protection Officer (DPO) of Buy and Sell Co., Ltd.
- Responsibilities:
  - Policy implementation: Develop and implement data protection policies in compliance with Thai law and company standards.
  - Compliance monitoring: Ensure continuous compliance with the Personal Data Protection Act of Thailand and related regulations.
  - Incident response: Oversee the response to data breaches and implement appropriate corrective actions.
  - Training and awareness: Conduct regular training sessions for employees on best practices for data protection and privacy.
  - Team establishment and management: Establish and manage teams, if necessary, to efficiently handle data collection, storage, and disposal tasks.

Authorized personnel:
- Appointment: Only employees authorized by the DPO are allowed to access personal data, according to their roles and responsibilities.
- Responsibilities:
  - Data management: Access and manage personal data within the necessary scope of their job duties.
  - Confidentiality: Maintain the confidentiality of personal data and avoid unauthorized disclosure.
    Safety Guidelines: Follow the prescribed safety protocols to protect personal data from unauthorized access, disclosure, or breach.

Access Control and Management
Access Rights:
  Principle of Least Privilege: Access to personal data is granted only as necessary, so that employees have the minimum access required to perform their duties.
  Access Levels:
    Read-only access: Granted to employees who need to view personal information but do not need the ability to modify it.
    Read-write access: Granted to employees who need to modify or update personal information as part of their job responsibilities.
Authorization Process:
  Request and Approval: Access requests must be submitted to the DPO, who will assess the necessity and approve access according to job requirements.
  Access Review: Regular access rights reviews are conducted to ensure that only authorized personnel continue to have access to personal data. Access rights will be revoked immediately upon a change in job role or termination of employment.
Recording and Auditing:
  Audit Logs: All access to personal data will be recorded, including the date, time, user ID, and purpose of access.
  Audit: The Data Protection Officer (DPO) regularly reviews access logs to identify and investigate unauthorized or suspicious access.

Security Measures
Technical Measures:
  Encryption: All personal data will be encrypted during storage and transmission to prevent unauthorized access.
  Multi-Factor Authentication (MFA): Used for all systems accessing personal data to enhance security.
  Regular Security Audits: Conducted to identify vulnerabilities and ensure the robustness of security measures.
Organizational Measures:
  Training and Awareness: Regular training programs for all employees on data protection principles, legal obligations, and best security practices.
  Incident Response Plan: Establish protocols for responding to data breaches, including immediate containment, notification, and remediation steps.
Roles and Responsibilities of the Data Protection Officer (DPO)
Responsibilities of the DPO:
  Policy Development: Develop comprehensive data protection policies and ensure their implementation.
  Compliance Monitoring: Continuously monitor compliance with the PDPA and relevant laws.
  Incident Management: Respond to data breaches and ensure appropriate corrective actions.
  Training: Provide continuous training and updates to employees regarding data protection policies and procedures.
  Team Establishment and Management: Establish and manage teams, if necessary, to efficiently handle data collection, storage, and disposal tasks.
Reporting:
  Internal Reporting: Regularly report the status of data protection activities, compliance issues, and incidents to senior management.
  External Reporting: Communicate with regulatory agencies as required by law, including reporting data breaches and compliance audits.
Civil and Criminal Liability:
  Civil Liability: If a Data Protection Officer neglects their duties, resulting in a data breach or a violation of regulations, they may be held civilly liable under Section 83 of the Personal Data Protection Act B.E. 2562, and affected individuals may claim compensation for damages.
  Criminal Liability: Serious violations of data protection laws may result in criminal liability, including fines of up to 5 million baht or imprisonment.
Legal Basis:
  Personal Data Protection Act B.E. 2562, Section 37: Requires security measures to protect personal data.
  Personal Data Protection Act B.E. 2562, Section 41: Requires the appointment of a Data Protection Officer.
  Personal Data Protection Act B.E. 2562, Section 83: Specifies penalties for non-compliance.
Example:
  Situation: An employee with read-write access discovers a potential data breach.
  Action: The employee reports the incident immediately to the Data Protection Officer (DPO).
  DPO Response: Hoyeon Kim initiates the incident response plan by containing the breach, notifying affected users and regulatory authorities, and conducting a post-incident review to prevent future occurrences.

This policy ensures that Buy and Sell Co., Ltd. complies with the Personal Data Protection Act B.E. 2562, protecting users' personal data by establishing clear regulations for personnel authorized to access such data.

Legal Basis and Objectives
Legal Basis: Personal Data Protection Act B.E. 2562:
  Section 37: Establish appropriate technical and organizational measures to protect personal data from unauthorized access, destruction, modification, or disclosure, and establish measures for incident response.
  Section 41: Appoint a Data Protection Officer (DPO) to oversee data protection strategies and ensure compliance with the PDPA.
  Section 82: Establish regulations for notifying data owners and the Personal Data Protection Committee (PDPC) in case of data breaches.
Objectives: The objective of this article is to establish comprehensive measures to prevent personal data breaches, together with detailed procedures for responding effectively to incidents, in order to comply with Thai law and protect the rights of individuals.

Measures to Prevent Personal Data Breaches
Technical Measures:
  Encryption: Encrypt all personal data during transmission and storage to ensure its protection.
  Access Control: Use Multi-Factor Authentication (MFA) for systems managing personal data, and enforce strict access control procedures to restrict access to authorized personnel only.
  Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential security weaknesses.
  Automated Monitoring System: Utilize automated systems to detect unusual activities or unauthorized access attempts, with real-time alerts to the security team.
Organizational Measures:
  Data Protection Training: Conduct regular training for all employees on policies, procedures, and best practices for data protection.
  Clear Data Management Policy: Define and enforce clear policies regarding the management, storage, and disposal of personal data.
  Incident Response Team: Establish an incident response team led by the DPO, with clear roles and responsibilities for managing data breaches.
Physical Measures:
  Secure Physical Access: Restrict physical access to servers and data storage locations to authorized personnel only.
  Surveillance System: Install a surveillance system to monitor and record access to data storage areas.
  Data Destruction: Ensure the secure destruction of physical documents containing personal information by shredding or burning.

Incident Response Procedures
Immediate Response:
  Containment: Immediately contain breaches to prevent unauthorized access or further data loss. Disconnect affected systems from the network if necessary.
  Assessment: Quickly assess the scope and impact of the breach, including identifying the type of data compromised and the number of individuals affected.
  Notification: Notify the incident response team and senior management about the breach, and initiate the incident response plan.
Notification Procedures:
  Internal Notification: Notify the DPO and relevant internal stakeholders within the company.
  External Notification: Notify the Personal Data Protection Committee (PDPC) within 72 hours of becoming aware of the breach.
  PDPC Contact Information:
    Website: https://www.pdpc.or.th
    Phone: +66-2-142-1033
    Email: pdpc@mdes.or.th
  Affected Individuals: Notify affected individuals without delay, providing information about the nature of the breach, its potential impacts, and the steps they can take to mitigate damage.
Detailed Response Plan:
  Detection and Reporting: Detect violations through monitoring systems or internal reporting. Report violations immediately to the DPO and the incident response team.
  Containment and Eradication: Contain the violation by isolating the affected systems. Eradicate the cause of the violation by identifying and removing malware, fixing vulnerabilities, and similar actions.
  Impact Assessment: Assess the scope and impact of the violation, including the type of data and the individuals affected. Record the results of the assessment and all actions taken during it.
  Notification and Communication: Notify the PDPC and affected individuals according to legal requirements. Prepare and distribute a public statement if necessary, to maintain transparency and trust.
  Remediation and Correction: Recover the compromised systems and data to ensure that the system is secure and operational again. Implement corrective actions to prevent future breaches.
  Post-Incident Review: Conduct a thorough post-incident review to identify lessons learned and improve response strategies. Revise policies and procedures based on the review results.
Responsibilities and Liabilities:
  Responsibilities of the DPO: Ensure timely and effective execution of the incident response plan. Coordinate communication with regulatory agencies and affected individuals. Oversee problem resolution and the post-incident review.
  Employee Responsibilities: Comply with established regulations when reporting and responding to intrusions. Participate in training and awareness programs. Apply recommended security practices in daily activities.
Civil and Criminal Liability:
  Civil Liability: Failure to prevent or respond appropriately to data breaches may result in civil liability under Section 83 of the PDPA, with affected individuals having the right to claim compensation.
  Criminal Liability: Serious violations of data protection laws may result in criminal penalties, including fines of up to 5 million baht or imprisonment for up to 3.5 years.
Secondary Damage Prevention:
  Audit: Continuously monitor for signs of repeated violations or misuse of compromised information.
  Support for Affected Individuals: Provide guidance and support to affected individuals on how to protect themselves from fraud or identity theft.
  Enhancing Security Measures: Strengthen security measures and protocols to prevent similar incidents from occurring again.

PDPC Data Breach Response Protocol
The Personal Data Protection Committee (PDPC) of Thailand has established clear protocols for responding to data breaches. These protocols include the following steps:
Initial Response:
  Reporting: Report the breach to the PDPC as soon as it is known. Reporting must be done within 72 hours after discovering the breach.
  PDPC Contact Information:
    Website: https://www.pdpc.or.th
    Phone: +66-2-142-1033
    Email: pdpc@mdes.or.th
  Content: The report must include detailed information about the nature of the breach, the type of data affected, the cause of the breach, and the initial response taken.
Incident Investigation:
  PDPC Investigation: The PDPC will investigate reported violations to determine the cause and impact. Additional information may be requested as necessary.
Incident Response:
  Notification to Affected Individuals: Follow PDPC guidelines to notify affected individuals about the breach, providing information on damage mitigation.
  Corrective Actions: Implement corrective actions as recommended by the PDPC to eliminate the cause of the breach and prevent future incidents.
Follow-up Actions:
  Final Report Submission: Submit the final report to the PDPC, including details about the cause of the breach, the type and scope of affected data, the response, the corrective actions taken, and future breach prevention plans.
  Report Content:
    Root cause analysis of the breach.
    Type and scope of affected data.
    Detailed description of response and corrective actions.
    Future prevention plan.
  PDPC Review: The PDPC will review the submitted report to assess the adequacy of the response and corrective actions. Additional measures or improvements may be required.
  PDPC's Suggestions: The PDPC will provide suggestions and may request additional measures or improvements if necessary.
  Internal Audit: Conduct internal audits to evaluate the effectiveness of incident response processes and corrective actions.
  Audit Results: Use internal audit results to identify areas for improvement in policies and procedures, to enhance future incident response effectiveness.
  Continuous Improvement: Incorporate feedback from the PDPC and internal audit results to continuously improve data protection policies and incident response procedures.
Legal Responsibilities:
  Civil Responsibilities: Affected individuals can claim compensation for damages caused by data breaches under Section 83 of the Personal Data Protection Act B.E. 2562.
  Criminal Liability: Severe violations of data protection laws may result in criminal penalties, including fines of up to 5 million baht or imprisonment.

Ongoing Measures for Buy N Sell and the DPO (Hoyeon Kim)
Compliance Activities:
  Regular Internal Audits: The DPO should conduct internal audits regularly to ensure compliance with data protection policies and procedures, and to identify and rectify potential vulnerabilities.
  Continuous Training Program: Provide continuous training to all employees on best practices for data protection and privacy awareness, to enhance compliance and awareness.
  Policy Updates: Regularly update policies and procedures to reflect changes in regulations and emerging security threats.
Additional Responsibilities of the DPO:
  Risk Assessment and Management: Conduct regular risk assessments to identify and manage potential risks related to data protection.
  Response to External Audits: Be prepared to respond to requests from regulatory agencies or external audit firms by maintaining the necessary documentation and providing information.
  Enhancing Security Infrastructure: Continuously improve data protection infrastructure by adopting the latest security technologies and best practices.
Best Practices:
  Data Minimization: Collect only the personal data necessary for specific purposes, and ensure that unnecessary data is destroyed immediately.
  Use of Multi-Factor Authentication (MFA): Implement MFA for access to critical systems and data to enhance security.
  Regular Penetration Testing: Engage external experts to conduct regular penetration testing to identify and fix security vulnerabilities.
  Incident Response Drills: Regularly test the incident response plan through scenario-based drills to improve response capabilities.
Legal Basis:
  Personal Data Protection Act B.E. 2562, Section 37: Requires security measures to protect personal data.
  Personal Data Protection Act B.E. 2562, Section 41: Mandates the appointment of a Data Protection Officer.
  Personal Data Protection Act B.E. 2562 (2019), Section 82: Specifies the requirements for notification in case of data breaches.
  Personal Data Protection Act B.E. 2562, Section 83: Specifies penalties for non-compliance.

This policy ensures that Buy and Sell Co., Ltd. complies with the Personal Data Protection Act B.E. 2562 (2019) of Thailand by establishing clear regulations to prevent personal data breaches and to respond effectively when they occur, while also protecting personal data and individual rights.

Purpose of Data Collection
We collect identification documents (ID cards, driver's licenses, passports) and facial recognition data to verify members during business hours.

Data Retention and Deletion
Submitted data will be deleted within 4 hours after successful verification.
If the submitted data (ID card, driver's license, passport, or facial recognition photo) is unclear or cannot be accurately identified, we will contact the user directly to confirm its purpose and ensure proper verification. The data will be retained until the verification process is complete. Once verification is completed, the data will be deleted within 4 hours.

Personal Data Manager: Kamolwan Wattananupong
Email: buynsellthai@gmail.com, kamolwan.w@buynsellthai.org
Contact Information
Data Protection Officer: Kamolwan Wattananupong