General Data Privacy Notice

This Notice details the policies and procedures regarding the collection, use, storage and disclosure (“Processor”) of personal data in accordance with the Personal Data Protection Act B.E. 2562 (2019). This Notice applies to general data subjects (“The Data subjects”). Please read the privacy notice (“Notice”) carefully to understand the University's policies and procedures pertaining to personal data.

  1. Definition

“Personal Data” under this Notice refers to any information related to a person which enables the identification of that person, whether directly or indirectly, including identifiable data such as national identification card number, address, online information, any physical identity data, and socio-economic or cultural data.

  2. Personal Data Collected by the University
    1. Personal Data

The University shall collect, use and disclose the personal data as follows:

  • Personal Information (for example, Contact Details, Photograph and E-mail Address) as given to the University by filling in any document or sending it through the website of the University.
  • Personal Information (for example, Full Name, Position, Business Contact Details, including Address, Telephone Number and Email Address), for employees or representatives of alliances and business partners of the University.
  • Information given on surveys administered by the University for research purposes.
  • Other information disclosed or sent to the University via email.
  • Information collated from history of website access or from identifiable IP Address and Browsers.
  • Any other information deemed important and necessary to be collected, used, disclosed or processed.

In addition, for the personal data collection process, the data subjects may be requested to provide the University with additional information as follows:

  • Health data or disability
  • Nationality
  • Gender
  • Religion or other related information to confirm or certify the qualifications/attributes

    2. Special Category Personal Data

The University shall collect special category personal data in accordance with Section 26 of the Personal Data Protection Act B.E. 2562 (2019), pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, genetic data, biometric data or of any data. The University shall access, collect, use, disclose or control the personal data with care and in accordance with related laws, rules and regulations. In addition, the University shall notify the data subjects prior to or during the collection, use or disclosure of the special category personal data, for compliance with related laws.

    3. Personal Data relating to criminal convictions and offences

The data subjects acknowledge that, in the event that criminal convictions and offences take place, be it civic or criminal offences or any other offences, the University reserves the right to collect or use information relating to criminal convictions and offences. The University shall carefully access, collect, use, disclose or control the Personal Data to the extent required by law.

    4. The University shall collect, process or use the personal data from external resources, as follows:

The University hereby wishes to inform the data subjects that, in order to protect and safeguard the security of the data subjects and to protect the interests of the University, the University has set up a closed-circuit television system (“CCTV”) to ensure and safeguard safety on the premises of the University. In this regard, the University or Service Providers outsourced by the University shall collect, use or process information from your still pictures, motion pictures or personal data when you are present on the premises of the University, for the safety of the University and other data subjects.

  3. Personal Data Processed by the University

The University shall collect, use, disclose and process the personal data of the data subjects collected directly from the data subjects or from the external sources as described in Item 2.

In some cases, the University may request additional information from the data subjects, in order for the University to carry out contractual obligations or any other requests. The University shall notify the data subjects when such needs arise. In this regard, failure to provide the required information may result in a termination of contract, or the University may be unable to carry out related requests by the data subjects.

  4. Purpose and Legal Obligations to Process the Personal Data

The University shall process the personal data for the purposes as follows:

  • To carry out requests as obliged.
  • To carry out obligations with alliances and business partners of the University as obliged.
  • To comply with required laws/rules/regulations.
  • To offer services/products or amenities.
  • To respond to/to improve related systems.
  • To manage and improve website system and internet connectivity.
  • The University may have to process the personal data in order to comply with the laws. In the case of special category personal data pertaining to (1) racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, trade union data, (2) biometric data and genetic data and (3) health data and sexual behavior, the University is obliged to analyze whether or not (i) the University has received the consent of the related data subjects to proceed; (ii) the University is required by law to process the personal data; or (iii) the University is to protect the interests of the University.
  • The data subjects may request further information from the Data Protection Officer (“DPO”) when the University processes sensitive data with the data subjects' given consent. The data subjects may withdraw their consent at any time under the terms and conditions as specified by the University by contacting the DPO. In the event that the consent is withdrawn, the University may process the personal data as required by law or to protect the interests of the University. However, when there is a withdrawal of consent, the University shall inform the data subjects accordingly which information is to be processed as required by law or to protect the interests of the University.
  • In addition, the University shall process the personal data for other purposes, including for historical research, statistics or science for archives, and for public interest. When possible, for these purposes, the University shall avoid using any identifiable data, or the University shall limit the use of the personal data for research purposes or for collecting secondary data, including the use of pseudonymization, in order to avoid a violation of personal data.

  5. Receiver of the Personal Data

The University recognizes the importance of keeping the personal data confidential and assures that access to the personal data is limited to those with related duties, personnel and staff of the University, and third-party service providers who are affiliated with the University. The University shall disclose and share only necessary information in order to process information related to service offering and to protect the interests of the University, and the University hereby agrees to protect the personal data from any unauthorized access. The data subjects may contact the DPO for further information pertaining to the 3rd party service providers to whom the personal data is disclosed. The University may disclose the data subjects' contact details as listed to other university personnel and the general public. However, the data subjects are entitled to request deletion of their personal data under the terms and conditions and within a period as specified by the University.

The University shall disclose the personal data to other universities or affiliated offices for related-university business and activity, travel arrangement, or activity coordination, professional affiliations and research. The University may also disclose the personal data to government agencies related to immigration, tax and revenue, national security and crime, or any other activities required by laws.

The data subjects agree that the University may disclose or transfer the personal information to affiliates or alliances and business partners of the University for business operation, compliance with policies, and the legitimate interest of the University, including any other cases announced by the University from time to time.

  6. Transfer of the Personal Data to the Third Country

The University may transfer the personal data to the Third Country for research purposes, as deemed necessary. The data subjects agree to the transfer of the personal data to countries outside of Thailand or to affiliated persons or offices or under the jurisdiction of other countries, whether or not the personal data protection laws of those countries meet the legal standards of Thailand. The University shall follow appropriate procedures which have the same standards applicable in Thailand for personal data protection.

  7. Data Retention Period

The University shall collect the personal data as required and as necessary during the period required by law. The data subjects may contact the DPO of the University to check the data retention period.

  8. The Rights to Personal Data

At any time, the data subjects have the rights to the personal data, as follows:

  • Rights to access the personal data
  • Rights to request to edit inaccurate/ incomplete personal data
  • Rights to know/inquire about the receiver of the personal data
  • When possible and applicable, the rights to know about the data retention period or, in the event that it is not possible, the rights to information about the requirements for the data retention period
  • Rights to request for a deletion of the personal data per case-by-case basis, for example, when it is deemed unnecessary to store and retain the information to meet the requirement of data retention or in the event when there is a withdrawal of consent for the collected personal data, or an objection to the process of the collected personal data
  • Rights to a limit to the process of the personal data in the event when the personal data is inaccurate, or when the data subjects are entitled to request for a deletion of their personal data but wish to limit the processor of the personal data instead, or in the event when it is deemed unnecessary for the University to retain the personal data as it served the purpose for data retention but still required for the purpose related to legal investigation/obligation
  • Rights to request for a copy of the personal data in electronic forms in an intelligible format, which you may forward to the 3rd party directly or you may request the University to forward such information
  • Rights to object to the analysis of the personal data
  • Rights to object to the use of personal data when it is an automated decision carried out by the computer. In this regard, the use of the personal data owner’s rights shall be in accordance with related rules and regulations, announcements as issued and specified by the University and pursuant to related laws pertaining to Personal Data Protection.

  9. Data Protection Officer

If the data subjects wish to make a request regarding any of the items listed in Item 8 or to request further information related to the collection, use or disclosure of the personal data, they may contact the DPO as detailed below.

The Data Protection Officer

The Committee for Personal Data Protection of Bangkok University

Address: 9/1 Phahonyothin Road, Klong Nueng Sub-district, Klong Luang District, Pathum Thani Province 12120

Tel: 02 407 3888

Email: pdpc@bu.ac.th

  10. A Withdrawal of Consent

If the data subjects no longer allow the University to collect, use, process or disclose the personal data, they may withdraw their consent by submitting a request for a withdrawal of consent to the DPO of the University.

A withdrawal of consent must be carried out under the terms and conditions of related rules and regulations, announcements pertaining to the personal data protection policies and procedures as determined/specified by the University.

Attention: Personal Data Owners

Bangkok University recently conducted an investigation, revealing a breach of some personal data that occurred on November 28, 2023, affecting some individuals who applied for admissions and job positions. It is crucial to note that no sensitive personal information or financial data has been compromised in this incident.

Following the discovery of this personal data breach, the University promptly reported the incident to the Office of the Personal Data Protection Committee and expedited an investigation to determine the cause of the breach. It was identified that the data breach occurred due to a Ransomware attack on the University's computer systems, resulting in the unauthorized extraction of data from the server. The University has since suspended the Ransomware's access, implemented Two-Factor Authentication, adjusted Firewall Policies, enhanced the Intrusion Prevention Systems (IPS), updated antivirus software, and restricted PowerShell commands to elevate the level of data security.

Additionally, the University has announced and facilitated a password reset for all personnel’s information systems access. The University’s operation and personal data owners have not suffered any adverse consequences from the Ransomware attack.

Moreover, to mitigate potential damages arising from the leakage of personal data, the University has taken legal action against the perpetrators and successfully suspended the dissemination of the leaked personal information.

This is for your information.