Bangkok University Announcement
No. 9/2564
Policies on Personal Data Protection of Bangkok University B.E. 2564 (2021)
..........................................................................
Whereas, the University has duties to collect, use, process or disclose the personal data of personnel, students or affiliated/related persons for the purposes relating to the University’s operation and business, and whereas, the University is aware of the responsibilities in accordance with the Personal Data Protection Act. Pursuant to Section 43 (1) of the Private Higher Institution Act B.E. 2546 (2003), the President of Bangkok University hereby issues the Policies on the Personal Data Protection of Bangkok University B.E. 2564 (2021), detailing policies for collection, use, process and disclosure of the personal data to be administered by the University, as follows:
“Personal Data” refers to any information relating to an identified or identifiable data subjects, whether directly or indirectly, including but not limited to a name, an identification number, address, an online identifier, online information, or to one or more factors specific to the physical, mental, economic, cultural or social identity of that person.
“Data Subjects” refers to the persons identifiable by the personal data.
“Personal Data Protection Act” refers to the Personal Data Protection Act B.E. 2562 (B.E. 2019), including any amendments, royal decrees, ministerial regulations, announcements, orders or any laws pertaining to the personal data protection.
In order to collect, use, process or disclose the personal data of personnel, students or any affiliated persons, the University as a Data Controller and Data Processor of the Personal Data is obliged to comply with the personal data protection laws, as follows:
(2) To support personal data protection.
(3) To provide appropriate security measures and confidentiality of the personal data in accordance with the standards as required by laws.
(4) To manage a collection, use, processing or disclosure of the personal data with a consideration of the privacy of the data subjects.
4. The University shall collect and process the personal data under 6 principals, as follows:
(1) The University shall collect, use, process or disclose the personal data lawfully, fairly and in a transparent manner.
(2) The University shall collect, use, process or disclose the personal data in accordance with explicit and legitimate purposes, legal authorization, scope of jobs/duties specified in contracts or the University’s business or operation only.
(3) The University shall collect, use, process or disclose the personal data as necessary and only when that processing is related to specified purposes , unless it is required by law to further processing or in order to protect legitimate interest of the University.
(4) The University shall examine and update the personal data to be up-to-date and, where necessary, corrected without delay when found to be inaccurate.
(5) The University shall retain the personal data only as necessary or as required by law for the purposes as specified by the University, unless it is required for additional collection to protect the legitimate interest of the University.
(6) The University shall provide the appropriate security measures which meet the standards for personal data protection in order to protect the controlled personal data against any unlawful/unauthorized access and use, loss, or destroying by any third party
In some cases, the University may request additional information from the data subjects, in order for the University to carry out contractual obligations or any other requests. In this regard, failure to provide required information may result in a termination of contract between the University and the data subjects, or the University may not be able to carry out related requests for the data subjects.
The University shall collect, use, process the personal data for the purposes related to the University’s operation or business, education, research and statistics, in order to improve the University services, to record the personal data, to comply with the law, for public interest and for lawful interest of the University.
The consent by the data subjects must be given voluntarily in writing either on paper or in electronic form (via computer, mobile device, social media/networking, or telecommunication). The data subjects, in some cases, may also give a verbal consent, and the University shall record such verbal consent every time.
The data subjects who do not wish the University to collect, use, process, or disclose the personal data may withdraw their consent by submitting their request to the Data Protection Officer of the University.
A withdrawal of consent shall be carried out under the terms and conditions and in accordance with the announcements or rules and regulations and laws pertaining to the personal data protection and policies and practices and other related measures on the personal data protection as determined by the University.
The University realizes a significance of an assurance of confidentiality of the personal data and assures a limit of access of the personal data to only those with related-duties, personnel and staff of the University and the contracted third-party service providers who are affiliated with the University. The University shall disclose and share only necessary data in order to process the data related to service offering and to protect the interest of the University, and the University hereby agrees to protect the personal data from any unauthorized access.
The University shall disclose the personal data to other universities or affiliated offices for related-university business and operation, travel arrangement, or activity-coordination, professional affiliations and research. The University may also disclose the personal data to relevant government agencies in relation to immigration, tax and revenue, national security and crime, or any other activities required by laws.
The data subjects agree the University to disclose or transfer the personal information to affiliates or alliances and business partners of the University in order for business operation, compliance of policies, and legitimate interest of the University, including any other cases announced by the University from time to time.
At any time, the data subjects have the rights to the personal data, as follows:
In this regard, in order to exercise the rights to the personal data as prescribed above, the data subjects shall comply with related rules and regulations, announcements as issued and specified by the University and in pursuant to related laws pertaining to the personal data protection and the policies and procedures pertaining to the personal data as specified by the University.
(1) The administration of the personal data via people
(2) The administration of the personal data via the process of the personal data protection
(3) The administration of the personal data via personal data protection technology.
The University shall arrange for an evaluation of the effect on personal data privacy for administration of the projects undertaken by the University in order to identify the risk to the privacy of data subjects and make appropriate plans to reduce such risks.
15. Confidentiality of the Personal Data
The personal data is deemed confidential and shall not be used without an authorization. The use, process or disclosure of the personal data by unauthorized persons is deemed wrongfully.
The University shall limit access to the personal data to only those who are affiliated with the University to carry out their duties such as personnel of the University including the individuals who are service providers of the University offering services relating to the process of the personal data, and other partners receiving and processing the personal data on behalf of the University. The University shall disclose and share the personal data with service providers only when it is deemed necessary in order to offer services, to carry out the University’s operation and business or to protect the interest of the University. The service providers agree to protect the personal data from unauthorized access, unauthorized use or unauthorized disclosure of the personal data.
16. The University may transfer the personal data to any person located in the countries outside of Thailand in accordance with the purposes specified in clause 10 of this announcement whether or not the personal data protection laws of those countries meet the legal standards of Thailand. The University shall proceed any appropriate procedures which have the same standards applicable in Thailand for personal data protection.
17. The University shall collect the personal data as necessary period or during the period required by law.
18. The University has the policies on personal data protection and has security measures for technology which meet international standards to safeguard the confidentiality and safety of the personal data and to prevent loss, unauthorized access, unauthorized disclosure or unauthorized process.
19. The University complies with the personal data protection laws by appointing the Data Protection Officer toensure that the University complies with related personal data protection laws.
If the data subjects wish to inquire further, file a complaint, or request any information related to the collection, use or disclosure of the personal data, they may directly and immediately contact the Data Protection Officer as detailed below.
The Data Protection Officer
The Committee for Personal Data Protection of Bangkok University
Address: 9/1 Phahonyothin Road, Klong Nueng Sub-district, Klong Luang District, Pathum Thani Province 12120
Tel: 02 407 3888
Email: pdpc@bu.ac.th
Announced on March 19, 2021.
Mr. Petch Osathanugrah
President