Personal Data Protection Policy
Soft Square Group (“the Company”) recognizes the importance of protecting personal data in compliance with the Personal Data Protection Act B.E. 2562 (2019) and its amendments (the “PDPA”). This Personal Data Protection Policy outlines the principles and practices the Company follows to ensure lawful, fair, and transparent processing of personal data across all relevant operations.
This Policy applies to all personal data processed by the Company, including processing carried out by third parties, systems, or devices on behalf of the Company. It does not apply to personal activities of Company personnel unrelated to Soft Square Group operations (e.g., household use).
The Company may also establish internal operational regulations, guidelines, or manuals (“Internal Procedures”) to supplement and enforce this Policy in day-to-day operations.
This Policy will be reviewed and updated in accordance with changes to the PDPA or related regulations to ensure ongoing compliance.
Definitions
- “Personal Data”: Any information that can directly or indirectly identify an individual, as defined by the PDPA.
- “Sensitive Data”: Personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, health, disability, criminal records, trade union membership, genetic or biometric data, or other data as defined by law.
- “Data Subject”: An individual who can be identified from the personal data.
- “Data Processing”: Any operation performed on personal data, whether or not by automated means, including collection, use, disclosure, or destruction.
- “Data Breach”: Any unauthorized or unlawful access, use, alteration, disclosure, or loss of personal data.
- “The Office”: The Personal Data Protection Commission (PDPC) of Thailand.
Roles and Responsibilities
- Board of Directors: Responsible for overseeing the Company’s compliance with the PDPA and for approving this Policy and related Internal Procedures.
- Data Governance Team: Ensures that all employees, executives, and departments comply with this Policy. Coordinates the drafting of Internal Procedures and staff training, and monitors compliance activities. Also maintains the record of processing activities and advises on legal and operational matters.
- All Departments Handling Personal Data: Must collaborate with the Data Governance Team to create procedures, provide staff training, and ensure that appropriate IT systems are in place to protect personal data.
- All Employees: Must strictly follow this Policy and the Internal Procedures, and immediately report any suspected personal data breach to their supervisor and the Data Governance Team.
Data Protection Officer (DPO) (if applicable)
A DPO will be appointed when legally required. The DPO will:
- Monitor compliance with this Policy and related laws
- Provide advice to staff and departments
- Coordinate with the PDPC
- Report directly to top management
- Maintain the confidentiality of all data accessed in the course of these duties
Principles for Personal Data Processing
- Process personal data only when necessary, for lawful and clearly defined purposes.
- Ensure a valid legal basis for each processing activity, such as consent, performance of a contract, a legal obligation, or legitimate interest.
- Provide clear and accessible information to data subjects about the purposes for which their data is collected.
- Before processing personal data for a new purpose, or processing sensitive data, ensure that an appropriate lawful basis exists or obtain the data subject’s explicit consent.
- Allow data subjects to give or withdraw consent easily, and inform them of the consequences of withdrawal.
- Where the data subject is a minor or a legally incapacitated person, obtain consent in accordance with the civil and commercial laws governing such persons.
Cross-Border Data Transfers
Personal data transferred outside Thailand must be sent only to a destination country or organization with adequate data protection standards, in accordance with the PDPA. Transfers within the same business group may instead be made under the Company’s group personal data transfer policy once that policy has been reviewed and certified by the PDPC.
Data Retention and Deletion
The Company retains personal data only as long as necessary for the specified processing purposes. Once the retention period ends or the relationship with the data subject is terminated, data will be securely deleted or destroyed in accordance with internal guidelines and legal requirements.
Data Security Measures
The Company implements organizational, technical, and physical security measures to protect personal data from unauthorized access, loss, alteration, or misuse, in line with the security standards prescribed by the PDPC (B.E. 2565 (2022)). These include:
- Access controls that limit access to personal data to personnel who need it for their duties
- Encryption and secure storage
- Regular security reviews and audits
These measures will be reviewed and updated when regulations change or systems are upgraded.
Data Subject Rights
The Company provides accessible channels for data subjects to:
- Request access to, correction of, or deletion of their data
- Object to or restrict processing
- Request data portability
Requests will be handled promptly and answered within the timeframe the PDPA allows. Any refusal will be recorded together with its reasons so that it can be reviewed during compliance audits.
Data Breach Notification
If a personal data breach occurs:
- Staff must report it to the responsible department immediately
- The Data Governance Team or DPO will assess and contain the incident
- If the breach poses a risk to the rights and freedoms of individuals, the PDPC will be notified without delay and, where feasible, within 72 hours of the Company becoming aware of the breach
- If the breach poses a high risk to individuals, affected data subjects will also be notified without delay, together with guidance on remediation
Effective Date
This Personal Data Protection Policy was approved by the Board of Directors on March 28, 2023 and has been effective since March 29, 2023.