Corporate Privacy Policy
The Board of Directors of Aksorn Education Public Company Limited recognizes the importance of processing personal data appropriately and lawfully. The Board has therefore approved, certified and issued this announcement on the corporate privacy policy. Its objective is to establish a framework for processing personal data across Aksorn's various processes so that the rights of each group of data subjects, as protected by the applicable legal framework, are not unduly affected. This policy also governs and manages such data processing so that it remains valid against the standards stipulated by the regulators, and requires Aksorn's employees and related persons to adhere to and comply with the following details.
- Clause 1 Personal data protection policy and manual
- This announcement is called “Aksorn's Announcement on Personal Data Protection Policy”, which shall be effective from the date of announcement by Aksorn onwards and shall be applicable to Aksorn Education Public Company Limited and all affiliates, namely Aksorn Charoen Tat A.C.T. (25) Company Limited, Aksorn Inspire Company Limited, Aksorn Nex Company Limited, Aksorn Logistics Co., Ltd., THAI ROME KLOA CO., LTD. and Comform Co., Ltd.
- By virtue of this corporate announcement, Aksorn may establish and announce a detailed operational manual that sets out practice guidelines to ensure that personal data processing and its protection are carried out correctly and completely.
The said manual shall be in full force and effect in the same way as this announcement.
- Clause 2 Structure of management and supervision of personal data processing
For the valid supervision and management of personal data processing protection, Aksorn has established the following structure.
- The Board is primarily responsible for directing and supervising Aksorn's overall personal data processing, including managing the various risks that may arise from the processing of personal data. Its major roles include reviewing and approving all sub-policies and guideline manuals related to the processing of personal data.
- To supervise personal data processing so that it is carried out validly, in accordance with this policy and within the legal framework, Aksorn has established a mechanism for supervising personal data processing protection under the 3 Lines of Defense model, as follows.
- 1st Line of Defense: Risk Owner: Aksorn has assigned staff at department manager level and above to be directly responsible for overseeing the personal data processing performed by employees within their unit, so that it is valid and consistent with this policy and the related laws.
- 2nd Line of Defense: Risk Control: A Data Protection Working Committee must be appointed, comprising the heads of the departments that process personal data in Aksorn, which works together with the regulators. The work of this Working Committee must be carried out independently under the maker-checker principle. Aksorn will issue a separate announcement appointing the Working Committee, defining its structure and prescribing its roles and duties.
- 3rd Line of Defense: Risk Assurance: the Committee or Audit Department responsible for independently overseeing and re-reviewing the personal data processing of all units on a regular basis. This may be an internal or external supervisory body, as deemed appropriate by the Board.
- Aksorn has specified that sufficient resources, in terms of work systems, personnel and budget, be allocated to support the work of each of the supervisory functions above in accordance with the policies and standards for personal data processing protection in all respects.
- Clause 3 Assessment and management of personal data processing risk
- Aksorn requires that the Enterprise Risk Management Level be assessed and reviewed at least once a year, or whenever there is a significant change in the personal data processing model.
- Aksorn requires each unit in the 1st Line of Defense stated under Clause 2.2 to have the duty and responsibility to assess, review and manage the personal data processing risks within its unit, including monitoring and reporting the risks to the Data Protection Working Committee for consideration.
- Aksorn has assigned the Data Protection Working Committee primary responsibility for Aksorn's personal data processing, including collecting and preparing the assessment documents, reviewing the enterprise risk management process against the framework of "Acceptable risks related to personal data processing of Aksorn", and reporting to the Board for approval of the enterprise risk management plan.
- Based on the enterprise risk assessment, where personal data processing carries a high risk of affecting the rights and freedoms of individuals, possibly leading to significant economic and social losses for data subjects or causing data subjects to lose control over their personal data, Aksorn stipulates that a Data Protection Impact Assessment (DPIA) be carried out for such high-risk personal data processing activities before deciding to process the personal data. The report on this risk assessment must be produced in writing for audit purposes.
The DPIA shall be performed under the following principles. (1) The scope of the assessment, the objectives and the necessity of the data processing shall be described in detail. (2) There must be a process of consultation with the various stakeholders inside and outside the organization, including data subjects and the relevant personal data processors. (3) There must be a clear description of the necessity and proportionality of the data processing. (4) There must be an assessment of the risks to the rights and freedoms of data subjects, taking into account both "likelihood" and "severity". (5) Detailed measures to reduce the identified risks must be determined, together with a description of the appropriate measures that bring the personal data processing risks within the acceptance criteria set by Aksorn in the organizational risk assessment framework.
- Clause 4 Policy communication, publicity
- Aksorn attaches importance to communicating the policy and the operational guidelines related to personal data processing to employees, including all external service providers of Aksorn involved in processing personal data by and on behalf of Aksorn. The policy requires communication through all regular channels of contact with such employees and external service providers, especially in the case of material changes that affect Aksorn's overall personal data processing.
- Aksorn stipulates that each unit that processes personal data shall have a duty to communicate, organize training and create awareness among the employees within its department, including the external service providers under that unit's affiliation and supervision. The purpose is to ensure that such persons are aware of the importance of data subjects' rights and of their duty to maintain the security of all such information.
- Clause 5 Supervision and review mechanism
Aksorn has established a mechanism for monitoring compliance with the personal data processing policy under the principles as follows.
- Aksorn has established a mechanism to supervise personal data processing based on 3 Lines of Defense specified in Clause 2.2. The Data Protection Working Committee must monitor and review employees and external service providers' compliance with the stipulated corporate policy and report the results to the Board at least once a year or in case of violations significant to Aksorn's business or reputation.
- Where a violation of the personal data processing protection policy is detected, the Data Protection Working Committee will receive the complaint and investigate until the facts are established. If the violation or infringement is found to be substantiated, the Working Committee will present it to the Board so that disciplinary measures can be determined in accordance with the personnel management regulations.
- Clause 6 Reporting of personal data processing (Report of Processing)
- Aksorn assigns each unit in the 1st Line of Defense specified under Clause 2.2 responsibility for preparing and regularly updating the record of its personal data processing activities. This must be done alongside the evaluation and review of the personal data processing risk assessment.
- Aksorn assigns the Data Protection Working Committee to provide knowledge, advice, supervise and review the reporting of personal data processing by each unit in 1st Line of Defense to ensure the validity, completeness and compliance with relevant standards and laws.
- Clause 7 Policy on disclosure of personal information to external agencies
- Aksorn manages personal data by classifying it as Strictly Confidential under Aksorn's confidentiality principles, particularly with respect to the disclosure or forwarding of personal data to external agencies.
- Aksorn assigns all employees a duty to record any processing in which personal data is forwarded or disclosed to third parties. Where disclosure of personal data to external agencies is required, the necessity and the risk of forwarding the personal data, and the reliability of the recipients, must be reviewed beforehand. Each forwarding or disclosure requires the approval of the supervisor in accordance with the approval authority.
- For forwarding personal data to, or receiving it from, third parties, Aksorn requires the signing of a personal data processing contract or agreement between Aksorn and the third party. The objectives are to set the terms, conditions, rights and obligations for personal data processing between the contracting parties and to guarantee the security of the personal data.
- Employees who disclose or forward information externally must comply with the transmission or disclosure methods and procedures determined by Aksorn in order to minimize security risks, including avoiding uncontrolled transmission through private channels.
- Clause 8 Policy on determined data retention period
- Aksorn has established the framework for determined personal data retention period according to the principles of necessity as follows.
- Where a law clearly states the period for which particular personal data must be stored, retention shall follow that period. Where retention of particular personal data is subject to the retention criteria of several laws, Aksorn retains the data for the longest period stipulated by any of those laws.
- Where personal data is stored because it is necessary for Aksorn's contractual relationships with data subjects, the data shall be kept for as long as necessary for Aksorn to perform its contractual obligations to those data subjects, for example for the duration of the services or until the contract or related relationship is terminated. Such a period may or may not be fixed, but it must be a clear retention period that data subjects can reasonably expect.
- Where personal data is stored on the basis of Aksorn's legitimate interests, it shall be kept for an appropriate period for exercising Aksorn's lawful rights and interests in each case, for example according to the statute of limitations for litigation over those rights. For retention on this basis, Aksorn has established the following important principles: the retention must not unreasonably affect the rights of data subjects, and Aksorn shall allow data subjects to object to processing on this basis in accordance with their rights.
- Where personal data is processed on the basis of consent, the data shall be kept for as long as the data subject has not exercised the right to withdraw consent. Data subjects may exercise this right independently at any time, and Aksorn respects their decision.
- For sensitive personal data, e.g. criminal records, medical history or biometric data that Aksorn may hold with the consent of the data subject, Aksorn must exercise particular caution and apply higher storage standards, deleting or destroying the data immediately once it is no longer necessary.
- Aksorn requires that the retention period of each database be notified for each purpose, so that each group of data subjects concerned is informed through the privacy notice that Aksorn will prepare and notify to data subjects in writing.
- Upon expiry of the personal data retention period specified in Clause 8.1, Aksorn will delete or destroy the personal data, or anonymize it, depending on the nature of the data. Both paper documents and data held in systems must be destroyed.
- Aksorn has established a process of reviewing the personal data retention period by assigning the relevant department directly responsible for such information and documents to review the information retention period according to the announced storage policy.
- If Aksorn hires an external service provider to destroy such no longer necessary personal data, Aksorn requires that a personal data processing agreement be entered into with that service provider so as to guarantee the valid data destruction with appropriate techniques.
- Clause 9 Personal data security
- Aksorn has prescribed personal data security under the principles of preventing wrongful loss, access, use, modification, editing or disclosure of personal data as follows.
- All information will be kept secure and confidential (Confidentiality) by considering all personal information, especially sensitive personal data as the highest confidential information.
- All data must be valid and reliable in accordance with information provided by data subjects without any unauthorized modification (Integrity).
- All information must be available whenever it is needed (Availability).
- Aksorn has prescribed measures for personal data security covering administrative protection measures (through the established structure), technical protection measures and physical protection measures. These are based on controlling the conditions of access to personal data at each information level through role-based access control defined in an authorization matrix, so that access to, changes to, deletion of or transfer of personal data, especially sensitive personal data, can be reviewed retrospectively.
- Aksorn requires that evidence (logs) of access to and changes of personal data in the various systems be recorded and retained, with the following stipulations. (1) The head of each department or related unit is responsible for reviewing the logs of the employees under their supervision and regularly checking them for irregularities. (2) The Data Protection Working Committee and the Audit Committee must review these logs in turn, according to their respective Lines of Defense.
- For the control and management of all personal data processing, Aksorn requires that action be taken within the Maker-Checker framework. Also, the performance of measures and mechanisms must be reviewed and tested regularly.
- Aksorn has set a policy framework requiring the various units to process all personal data through electronic systems that control and record access, rather than relying on paper storage. Where personal data is required on paper, a record of the data's use must be kept, a Clean Desk policy applies, paper containing personal data must not be placed in recycling, and documents must be properly stored in boxes labelled with their retention period. Moving such documents must follow the data security process.
- Where Aksorn uses any tools, equipment or information assets to store and process data subjects' personal data, Aksorn must register such assets. In particular, the right to access personal data through information assets belonging to individual employees (BYOD) must be clearly defined so that the standard of personal data security is maintained on all information asset devices. The use of BYOD for storing or processing personal data should be kept to a minimum to reduce the risk of personal data violations or leakage.
- Aksorn has formulated a policy of fully backing up all important personal data so that it remains available without interruption and can be restored within a reasonable timeframe. Aksorn stipulates that the backup and data recovery process must be tested at an appropriate interval determined by the assessed risks.
- Aksorn has clearly prescribed the process for controlling and securing personal data processing by external service providers. Standards are established for the selection of external service providers, for contracting, for the security of information systems that external service providers may access (limiting their access and use to what is strictly necessary), and for the service providers' compliance with personal data security standards equivalent to Aksorn's own.
The units that engage such service providers are obliged to monitor and review the service providers' performance against the stipulated standards on a regular schedule. If any irregularities or violations are found, action shall be taken against the service provider immediately, while ensuring no impact on the continuity of Aksorn's services.
- Aksorn must regularly review the policy and measures for personal data security according to risk assessment at least once a year.
- Clause 10 Management of personal data violations
- Aksorn has assigned the Data Protection Working Committee to formulate the policy and measures for managing incidents that may result in personal data violations, in liaison with the relevant units in the 1st Line of Defense and the Audit Department.
- For a personal data breach as defined, Aksorn assigns the Data Protection Working Committee to receive notification of the incident and manage it in the first instance, and to report the incident to the Board so that the report documentation can be prepared and submitted to the Office of the Personal Data Protection Committee within the reporting period of 72 hours from the date the breach became known. Affected data subjects must also be notified.
- After the breach has been contained, the Data Protection Working Committee is responsible for investigating and reviewing the incident to determine its root cause, reporting to the Board, and planning the corrective actions and the prevention of similar violations in the future.
- Aksorn must review the action plan to manage violations of personal data at least once a year and in case of change that affects the said plan.
- Clause 11 Policy review or revision
Aksorn stipulates that this policy be reviewed or revised by the Board, on the basis of the compliance report on the data processing management policy presented by the Data Protection Working Committee and the Audit Committee, at least once a year or whenever there are changes significant to Aksorn's business or personal data processing, so as to keep the policy up to date.
Announced on 11 May 2022