HR Privacy Notice
SCB DataX Company Limited
We, SCB DataX Company Limited ("DataX", "we", "our", or "us") care about the privacy of our employees, applicants, contractors, interns, and other individuals as described below ("you"). Thus, we provide this privacy notice to inform you about the collection, use and disclosure of your personal data in accordance with the Personal Data Protection Act B.E. 2562 (“PDPA”). This privacy notice describes how we collect, use and/or disclose your personal data, what and why we collect, use or disclose your personal data, how long we hold it, who we disclose it to, your rights, what steps we will take to make sure your personal data stays private and secure, and how you can contact us.
There are also statutory requirements and other contractual requirements we have to comply with in relation to your employment or service. If we are not able to carry out the processing activities described in this privacy notice from your failure to provide certain personal data, we may not be able to enter into or comply with crucial aspects of your contract of employment or service, and in exceptional cases, we may not be able to continue your employment or service.
This privacy notice applies to:
(1) Employees of DataX pursuant to employment agreements;
(2) Current and former Managers, Executives, Directors;
(3) Contractors and service providers of DataX including their employees or staff under the agreements with DataX, e.g., service agreement, hire of work agreement, agency contract;
(4) Job applicants and interviewees;
(5) Interns;
(6) Former employees or former personnel whose personal data DataX needs to retain or use as required by laws;
(7) Related persons of the above, e.g., parents, descendants, relatives, spouses, beneficiaries, reference persons, emergency contacts, etc.;
(8) Any natural person entering into contract or participating in any activity (whether directly or indirectly) with DataX for the purposes stated in this privacy notice, e.g., speakers and lecturers for training courses.
1. How we collect, use, or disclose your personal data
We only collect, use or disclose your personal data where it is necessary or there is a lawful legal basis for collecting, using or disclosing it. Except in limited instances where we indicate that certain information is processed based on your consent, we collect, use, and/or disclose your personal data on the legal basis of (1) contractual basis, for performance of activity in relation to our relationship with you; (2) legal obligation, for fulfilment of our legal obligations; (3) legitimate interest, for the purpose of our legitimate interests and the legitimate interests of third parties, proportionate to your interest and fundamental rights and freedoms to the protection of your personal data; (4) vital interest, for the prevention or suppression of danger to a person's life, body, or health; (5) public interest, for the performance of a task carried out in the public interest or for the exercise of official authority duties; and/or (6) the establishment and defense of legal claims in the future.
1.1 The purposes on which we rely on your explicit consent.
We may collect, use, and disclose the following sensitive data for the purposes stated below:
- Health information, for consideration of hiring; for providing welfare and health benefits as stipulated in the employee work regulations, such as sick leave, compensation benefits for medical expenses, life insurance and non-life insurance; for payments and reimbursements of medical expenses; for activities and relevant welfare, e.g., preparation of meals; for human resource development and work assessment.
- Race and religion, for identification and authentication process in which race and religion data may appear in the identification documents and we may process your identification documents for identity authentication and verification or use it as a supporting document for entering into an agreement; for submission of VISAs and work permits application.
- Criminal records, for background check and consideration of hiring; for establishment and exercise of legal claims.
- Disability, for consideration of hiring; for provision of related facilities.
Where the legal basis is consent, you have the right to withdraw consent at any time. This can be done by contacting us through the channels specified in "How to contact us". The withdrawal of consent will not affect the lawfulness of the collection, use and disclosure of your personal data and sensitive data based on your consent before it was withdrawn. You are well aware that if you withdraw your consent for the collection, use and disclosure of personal data for purposes set out above, we may not be able to perform certain contractual obligations we have with you, or to pursue certain actions per your request.
1.2 The purposes on which we rely on other legal bases.
We may collect, use, and disclose your personal data for the following purposes:
(1) Job application, recruitment, interview, consideration, assessment, and conclusion of employment agreement, onboarding process (including visa and work permit process), applicant referencing, or transfer of employees from companies within SCBX Group;
(2) Communication and delivery of related documents;
(3) Assessment of payroll and calculation of salaries, welfares, and other benefits, including those of the beneficiary, for instance, the provision of provident fund and yearly health check;
(4) Preparation of payroll, salaries or compensations to be paid by DataX to you;
(5) Arrangement of welfare, benefits, and reimbursements concerning welfare programs, including health insurance and flexible benefits;
(6) Comply with applicable laws and employment-related requirements along with the administration of those requirements, such as income tax, social security, insurance deductions, health and safety, and employment and immigration law, tax payment;
(7) Undertake and record disciplinary action, make criminal reports, give statements or information to the police, competent officers, courts and other competent authorities;
(8) Take action relating to disputes, dispute resolution including establish, exercise, or defend the legal claim;
(9) Communications and announcements to employees and related personnels;
(10) Identity proofing and authentication;
(11) Performance review and job assessment, consideration of KPIs;
(12) Maintenance of security and safety;
(13) Manage and keep the record for internal human resource management of DataX as well as track and record working hours;
(14) Provision of trainings, seminars, e-learning courses, tests, and record of relevant results;
(15) Internal and external report preparation;
(16) Provision of access to building and controlled premise;
(17) Consideration of termination, termination process;
(18) Arrangement of equipment, suppliers, and access to work environment, including access rights.
(19) Communication of welfares and products to employees.
(20) for other purposes as are reasonably required by us in connection with your employment/contract such as to proceed with the activities or operation for us or on behalf of us and as set out in your employment/contract agreement, the work rules, or any documents related to HR management and development;
(21) for protection of your vital interests or that of another individual;
(22) for business organization such as merger, sale, purchase, joint venture, assignment, transfer or other disposition of our business, assets, or stock, or rehabilitation, capital venture, or any similar transaction, we may disclose your personal data to our assignee(s) of rights as part of such transactions.
(23) Preparation of salary certificate, income statement, work certificate, or other certificates concerning employment.
(24) for corporate communication, public relations, and other internal and external activities and events of DataX.
2. What personal data we collect, use, or disclose
The type of personal data which we collect, use, and/or disclose may vary depending on the objectives, necessities, and the relationship between you and us. The type of personal data shall include but not be limited to:
3. Sources of your personal data
Normally, we will collect your personal data directly from you, but sometimes we may get it from other sources.
Personal data we collect from other sources may include but is not limited to:
a. Data obtained by us from companies in SCBX Group (including shared services for applicant referencing, transfer of employees, hospital-related data, etc.),
b. Data obtained by us from business partners (e.g., consultants, insurance companies, hospitals etc.), third-party service providers, and/or any other persons who we have relationship with;
c. Data obtained from publicly available sources (e.g., LinkedIn, JobsDB);
d. Data obtained by us from persons related to you (e.g., your family, friends, referees) that is necessary for us to proceed with the relevant employment, benefits and welfare purposes;
e. Data obtained by us from governmental authorities, regulatory authorities;
f. Information you have asked us to collect for you.
4. Your rights
The PDPA aims to give you more control of your personal data. You can exercise your rights under the PDPA, details as specified below, through the channels prescribed by us:
4.1 Right to access and obtain copy
You have the right to access and obtain a copy of your personal data held by us, unless we are entitled to reject your request under the laws or court orders, and if such request will adversely affect the rights and freedoms of other individuals.
4.2 Right to rectification
You have the right to rectify your inaccurate personal data and to update your incomplete personal data.
4.3 Right to erasure
You have the right to request us to delete, destroy or anonymize your personal data, unless there are certain circumstances where we have the legal grounds to reject your request.
4.4 Right to restrict
You have the right to request us to restrict the use of your personal data under certain circumstances (e.g. when we are pending examination process in accordance with your request to rectify your personal data or to object to the collection, use or disclosure of your personal data, or you request to restrict the use of personal data instead of the deletion or destruction of personal data which is no longer necessary as you have necessity to retain it for the purposes of establishment, compliance, exercise or defense of legal claims).
4.5 Right to object
You have the right to object to the collection, use or disclosure of your personal data in case we proceed with legitimate interests basis, or for the purpose of scientific, historical or statistical research, unless we have legitimate grounds to reject your request (e.g. we have compelling legitimate ground to collect, use or disclose your personal data, or the collection, use or disclosure of your personal data is carried out for the establishment, compliance, or exercise of legal claims, or for the reason of our public interests).
4.6 Right to data portability
You have the right to receive your personal data in case we can arrange such personal data to be in the format which is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means. Also, you have the right to request us to send or transfer your personal data to third party, or to receive your personal data which we sent or transferred to third party, unless it is impossible to do so because of the technical circumstances, or we are entitled to legally reject your request.
4.7 Right to withdraw consent
For the purposes for which you have provided your consent to us to collect, use, and/or disclose personal data, in certain cases you may have the right to withdraw your consent at any time pursuant to the methods and means prescribed by us. The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of your personal data based on your consent before it was withdrawn.
4.8 Right to lodge a complaint
You have the right to make a complaint to the Personal Data Protection Committee or their office in the event that we do not comply with the PDPA.
5. How we share your personal data
We may disclose your personal data to the following parties:
a. Group company: companies within SCBX Group (including its shared services). You acknowledge to further review relevant privacy notices of companies within SCBX Group (including its shared services) where applicable.
b. Business partners and service providers: business partners, service providers, suppliers, agents and other entities where the disclosure of your personal data has a specific purpose and under lawful basis, as well as appropriate security measures. The said service provider shall include, but not be limited to, insurance company, hospital, human resources operation service providers, training institute, consultant, bank and financial institution, work permit and visa related service providers, platform service provider for employees to conduct tests, cloud and/or information technology service providers. You acknowledge that each service provider may have its own privacy notice that governs the processing of their data. In the event that the service provider is acting in a capacity of a data processor, we will have in place an appropriate data processing agreement to limit their scope of processing and responsibilities pursuant to the laws;
c. Governmental authorities: governmental authorities and/or supervisory or regulatory authorities, which shall include, but not be limited to, Revenue Department, Social Security Office, Ministry of Labour, Immigration Bureau, Department of Skill Development, Royal Thai Police Department, and Thailand Board of Investment (BOI).
d. Others: any persons whom we are required or permitted by laws, regulations, or orders to share personal data, your attorney, sub-attorney, authorized persons or legal representatives who have lawfully authorized power, persons or juristic persons you requested us to disclose your personal data to, the exercise of rights to inspect records from CCTV, Thai embassy abroad, the general public, and/or other public disclosures.
e. Assignee of rights and/or duties: we may undergo business reorganization, to which we may be required to disclose your personal data to the assignee(s) of rights and/or duties.
6. International transfer of personal data
Where it is necessary for DataX to transfer your personal data internationally (e.g. to Cloud service provider for data storage, to Thai embassy abroad for purposes as are reasonably required by us in connection with your employment/contract, to companies within SCBX Group abroad for applicant referencing, or transfer of employees between companies within SCBX Group), we will ensure that your personal data is securely transferred and that the receiving parties have in place an appropriate level of data protection standard or other derogations as allowed by the PDPA, and we will take steps to ensure that there is no unauthorized or unlawful processing of your personal data.
We will request your consent where consent to cross-border transfer is required by law, including the case where you are informed of the inadequate personal data protection standards of the destination country.
7. Retention period of personal data
We will keep your personal data for as long as you still have a relationship with us for the purposes specified in this privacy notice. We may continue to keep your personal data if it is necessary for any other lawful grounds or as allowed by applicable laws or there is a dispute.
The period we keep your personal data may be linked to the prescription period or the period under the relevant laws and regulations.
8. Information about third parties
If you provide us with personal data about third parties (e.g., parents, descendants, relatives, spouses, beneficiaries, reference persons, emergency contacts) for the purposes set forth in the privacy notice, it is your responsibility to inform them of this privacy notice and their rights herein as applicable to them. You are also responsible for obtaining any required consent of these persons, and ensuring that you have the right to provide their personal data to us so we could legally collect, use and/or disclose their personal data for the purposes set forth in this privacy notice.
9. Minors, incompetent person, or quasi-incompetent person
In some cases, as required by the applicable law, we cannot collect, use or disclose the personal data of a minor, incompetent person, or quasi-incompetent person without the consent of the person with parental authority, guardian, or curator. As such, if you are under the age of 20 and have not yet become sui juris, an incompetent person, or a quasi-incompetent person, you must ensure that you have obtained consent from parents, guardian, or curator (in the case where consent is required). In the case where we unintentionally collect personal data of a person who is under the age of 20 and has not yet become sui juris, an incompetent person, or quasi-incompetent person, without consent from the parent, guardian, or curator (as the case may be), we will delete that personal data without delay, or will collect, use and/or disclose such personal data only if we can rely on legal bases other than consent, or as permitted by law only.
10. Security Measures
We use systems, policies, and measures to protect your personal data from access to, use, alteration, modification, or disclosure of personal data unlawfully or without authorization and pursuant to the requirements under the applicable laws. Such measures include limiting access to appropriate personnel who have a legitimate business need to access personal data.
11. How to contact us
If you have any questions or would like more details about our privacy notice, please contact us through the following channels:
SCB DataX Company Limited
No.18 SCB Park Plaza West B, 7 Floor,
Ratchadapisek Road, Chatuchak, Bangkok 10900 Thailand
Tel.: 027951636
SCB DataX Data Protection Officer
Email: dpo@data-x.ai
12. Changes to this privacy notice
We may change or update this privacy notice from time to time and we will upload such updated privacy notice on DataX Intranet. In case there is a material change to you as a data subject, we will notify you of such changes within the appropriate time before we apply such revised privacy notice.
Version March 2024