Bangkok University Announcement

No. 9/2564

Policies on Personal Data Protection of Bangkok University B.E. 2564 (2021)

..........................................................................

 

Whereas,  the University has duties  to collect, use, process or disclose the personal data of personnel, students or affiliated/related persons for the purposes relating to the University’s operation and business, and whereas, the University is aware of the responsibilities in accordance with the Personal Data Protection Act. Pursuant to Section 43 (1) of the Private Higher Institution Act B.E. 2546 (2003), the President of Bangkok University hereby issues the Policies on the Personal Data Protection of Bangkok University B.E. 2564 (2021), detailing policies  for collection, use, process and disclosure of the personal data to be administered by the University, as follows:

 

  1. This announcement shall come into force on the announcement date.

 

  1. In this Announcement,

        “Personal Data” refers to any information relating to an identified or identifiable data subjects, whether directly or indirectly, including but not limited to  a name, an identification number, address, an online identifier, online information, or to one or more factors specific to the physical, mental, economic, cultural or social identity of that person.

        “Data Subjects” refers to the persons identifiable by the personal data.

        “Personal Data Protection Act” refers to the Personal Data Protection Act B.E. 2562  (B.E. 2019), including any amendments, royal decrees, ministerial regulations, announcements,  orders or any laws pertaining to the personal data protection.

 

  1. The University’s Policies

        In order to collect, use, process or disclose the personal data of personnel, students or any affiliated persons, the University as a Data Controller and Data Processor of the Personal Data is obliged to comply with  the personal data protection laws, as follows:

  1. To collect, use, process or disclose the personal data accurately, lawfully and in accordance with related laws.

(2)  To support personal data protection.

(3)   To provide appropriate security measures and confidentiality of the personal data in accordance with the  standards as required by laws.

(4)  To manage a collection, use,  processing or disclosure of the personal data with a  consideration of the privacy of the data subjects.

4. The University shall collect and process the personal data under 6 principals, as follows:

(1) The University shall collect, use, process or disclose the personal data lawfully, fairly and in a transparent manner.

(2) The University shall collect, use, process or disclose the personal data in accordance with explicit and legitimate purposes, legal authorization, scope of jobs/duties specified in contracts or  the University’s business or operation only.

(3) The University shall collect, use, process or disclose the personal data as necessary and only when that processing is related to specified purposes , unless it is required by law to further processing or in order to protect legitimate interest of the University.

(4) The University shall examine and update the personal data to be up-to-date and, where necessary, corrected without delay when found to be inaccurate.

(5) The University shall retain the personal data only as necessary or as required by law for the purposes as specified by the University, unless it is required for additional collection to protect the legitimate interest of the University.

(6) The University shall provide the appropriate security measures which meet the standards for personal data protection  in order to protect the controlled personal data  against any unlawful/unauthorized access and use, loss, or destroying by any third party

     

  1. The personal data required to be collected, used, or disclosed by the University includes the following information.
  1. Normal Personal Data includes but is not limited to only Name-Last name, Address, Telephone Number or Email Address, for example.
  2. Sensitive Personal Data, in accordance with Section 26 of the Personal Data Protection Act B.E. 2562 (2019), includes but is not limited to only race, ethnicity, political opinions, cult, philosophical beliefs, sexual behavior, criminal records, health data, disability, genetic data, biometric data or any other similar data. The University shall carefully access, collect, use, disclose or control the personal data as required by laws. In addition, the University shall inform the data subjects details related to the collection, use or disclosure of the sensitive personal data before or during the collection under the terms, conditions, and regulations as required by law.
  3. In the event of any offense in civil or criminal or any other law, the University reserves the rights to collect or use the personal data pertaining to the offences. However, the University shall carefully exercise the rights to access, collect, use, disclose or control the personal data under the conditions  as required by laws.
  4. In order to protect the interest of the University, the University has set up closed circuit television system (“CCTV”) to ensure safety on the premises of the University. In this regard, the University or Service Providers outsourced by the University shall collect, use or process information from the still pictures or motion pictures or personal data of the data subjects when being present on the premises of the University, for the safety of the University and other individuals.
  1. The University may collect, use, disclose or process the personal data collected directly from the data subjects or from external resources.

In some cases, the University may request additional information from the data subjects, in order for the University to carry out contractual obligations or any other requests. In this regard, failure to provide required information may result in a termination of contract between the University and the data subjects, or the University may not be able to carry out related requests for the data subjects.

 

  1. The University shall not collect, use, process or disclose the personal data without consent of the data subjects, unless it is required by laws; to carry out obligations; for public interest; or for the University-related business and operation; or for legitimate rights.

 

  1. The University shall process the personal data in the event when it is  authorized by laws. The type and scope of the processing of the personal data shall be limited as necessary and as determined by related laws, only for the University’s purposes of collection, use, or disclosure of the personal data or for the University-related business and operation as specified only.

 

  1. The University shall not collect, use, process or disclose the sensitive data, for example, race, ethnicity, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union data, genetic data or biometric data, without  the explicit consent from the data subjects, unless  and the University is authorized by any law basis in accordance with the personal data protection laws, for the following purposes:
  1. To prevent or suppress  any danger or harm to life, body or health of the data subjects, where the data subject is incapable.
  2. It is information that is disclosed to the public with the explicit consent of the data subject.
  3. It is necessary for compliance with a law to achieve with respect to   preventive medicine or occupational medicine.
  4. It is necessary for compliance with a law to achieve with respect to public interests, educational and scientific research, history, statistics or other public interests. The University shall inform the data subjects of the sensitive data required for collection, use, disclosure prior to or during the collection of personal data, in accordance with the rules and regulations as required by laws.

 

  1. Purposes for Collection, Use, Process of the Personal Data.

The University shall collect, use, process the personal data for the purposes related to the University’s operation or business, education, research and statistics, in order to improve the University services, to record the personal data, to comply with the law, for public interest and for lawful interest of the University.

 

 

  1. The Consent of the Data Subjects

The consent by the data subjects must be given voluntarily in writing either on paper or in electronic form (via computer, mobile device, social media/networking, or telecommunication). The data subjects, in some cases, may also give a verbal consent, and the University shall record such verbal consent every time.

The data subjects who do not wish the University to collect, use, process, or disclose the personal data may withdraw their consent by submitting their request  to the Data Protection Officer of the University.

A withdrawal of consent shall be carried out under the terms and conditions and in accordance with the announcements or rules and regulations and laws pertaining to the personal data protection and policies and practices and other related measures on the personal data protection as determined by the University.

 

  1. Receiver of the Personal Data

The University realizes a significance of an assurance of confidentiality of the personal data and assures a limit of access of the personal data to only those with related-duties, personnel and staff of the University and the contracted third-party service providers who are affiliated with the University. The University shall disclose and share only necessary data in order to process the data related to service offering and to protect the interest of the University, and the University hereby agrees to protect the personal data from any unauthorized access.

The University shall disclose the personal data to other universities or affiliated offices for related-university business and operation, travel arrangement, or activity-coordination, professional affiliations and research. The University may also disclose the personal data to relevant government agencies in relation to immigration, tax and revenue, national security and crime, or any other activities required by laws.

        The data subjects agree the University to disclose or transfer the personal information to affiliates or alliances and business partners of the University in order for business operation, compliance of policies, and legitimate interest of the University, including any other cases announced by the University from time to time.

 

  1. The Rights to Personal Data

        At any time, the data subjects have the rights to the personal data, as follows:

  1. Rights to access and obtain copy of the personal data
  2. Rights to request to edit inaccurate/ incomplete personal data
  3. Rights to request for a deletion or destroying of the personal data processed by the University except it is prohibited by laws or it shall be effect and cause any damage to the University.
  4. Rights to suspend or withhold the use of the personal data except it is prohibited by laws or it shall be effect and cause any damage to the University.
  5. Rights to request for a copy of the personal data in electronic forms if the personal data is processed in the format which is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means. The data subjects may request the University to forward or transfer such personal data to the third- party directly except it is prohibited by laws or it shall be effect and cause any damage to the University.
  6. Rights to object to the use, collection, record, and disclosure of the personal data for other purposes except it  is prohibited by laws or it shall be effect and cause any damage to the University.
  7. Rights to suspend or withhold any processing of personal data carried out by the artificial intelligence (AI).

In this regard, in order to exercise the rights to the personal data as prescribed above, the data subjects shall comply with related rules and regulations, announcements as issued and specified by the University and in pursuant to related laws pertaining to the personal data protection and the policies and procedures pertaining to the personal data as specified by the University.

 

  1. The procedures for the personal data protection of the University are divided into 3 parts as follows:

(1)  The administration of the personal data via people

(2) The administration of the personal data via the process of the personal data protection

(3) The administration of the personal data via personal data protection technology.

The University shall arrange for an evaluation of the effect on personal data privacy for administration of the projects undertaken by the University in order to identify the risk to the privacy of data subjects and make appropriate plans to reduce such risks.

 

15.  Confidentiality of the Personal Data

      The personal data is deemed confidential and shall not be used without an authorization. The use, process or disclosure of the personal data by unauthorized persons is deemed wrongfully.

The University shall limit access to the personal data to only those who are affiliated with the University to carry out their duties such as personnel of the University including the individuals who are service providers of the University offering services relating to the process of the personal data, and other partners receiving and processing the personal data on behalf of the University. The University shall disclose and share the personal data with service providers only when it is deemed necessary in order to offer services, to carry out the University’s operation and business or to protect the interest of the University. The service providers agree to protect the personal data from unauthorized access, unauthorized use or unauthorized disclosure of the personal data.

 

16. The University may transfer the personal data to any person located in the countries outside of Thailand in accordance with the purposes specified in clause 10 of this announcement whether or not the personal data protection laws of those countries meet the legal standards of Thailand. The University shall proceed any appropriate procedures which have the same standards applicable in Thailand for personal data protection.

 

17.  The University shall collect the personal data as necessary period or during the period required by law.

 

18. The University has the policies on personal data protection and has security measures for technology which meet international standards to safeguard the confidentiality and safety of the personal data and to prevent loss, unauthorized access, unauthorized disclosure or unauthorized process.

 

19.  The University complies with the personal data protection laws by appointing the Data Protection Officer toensure that the University complies with related personal data protection laws.

        If the data subjects wish to inquire further, file a complaint, or request any information related to the collection, use or disclosure of the personal data, they may directly and immediately contact the Data Protection Officer as detailed below.

The Data Protection Officer

        The Committee for Personal Data Protection of Bangkok University

Address:  9/1 Phahonyothin Road, Klong Nueng Sub-district, Klong Luang District,  Pathum Thani Province 12120

Tel:  02 407 3888

        Email:  pdpc@bu.ac.th

 

          Announced on March 19, 2021.

 

 

Mr. Petch Osathanugrah
President