Personal Data Protection Policy
B. Grimm Joint Venture Holding Limited and Subsidiaries
Subsidiaries refers to companies or juristic person over which B. Grimm Group has, directly or indirectly under the chain of control, control, or B. Grimm Group holds more than 50 percent of the voting rights.
Personal Data refers to personal information that, directly or indirectly, is able to identify the data subject, but the information of the deceased is excluded.
Sensitive Personal Data refers to, under Section 26 of the PDPA, Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual orientation, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner.
Data Processing refers to the collection, use, or disclosure of the Personal Data.
- Personal Data Collection
Under the PDPA, B. Grimm Group statutorily collects the Personal Data as necessary, within the relevant company’s objectives and scope only. In regard, B. Grimm Group makes the data subject aware of and consent such in writing or electronically, in accordance with the requirements of the PDPA, subject to PDPA with regard to the collection of the Personal Data.
Types of Personal Data to be Collected
The types of personal data that may be collected by B. Grimm Group are under the characteristics of the activities, locations and method of collection, which may include the followings:
- the identifiable Personal Data such as name, surname, photograph, identification card number, passport number, driver’s license number, date of birth, occupation, position, name of workplace, nationality, gender, marital status, vehicle license plate, CCTV footage of the area under B. Grimm Group’s control, username and password in the system;
- the Sensitive Personal Data defined in clause 3.;
- personal contact information i.e. home address or work place, phone number, E-mail, or social applications such as LINE, Whatsapp, or Facebook;
- personal financial information such as bank accounts details or personal income tax information;
- employment information such as job interviews, performance appraisals, positions, salaries, employment benefits, social security, provident fund;
- other information i.e. technical information from the usage of B. Grimm Group’s websites or applications, activity usage and access to Log files, IP address, Cookies.
Source of Personal Data Collection
Basically, B. Grimm Group collects the Personal Data directly from the data subject. Nevertheless, B. Grimm Group may collect the Personal Data from other sources, rather than directly from the data, i.e.:
- public sources;
- share or securities registrar;
- any communication method, either face-to-face or via any communication tools;
- related persons of the data subject.
If, however, B. Grimm Group has to collect the Personal Data from other sources, it will do so in compliance with the PDPA.
- Objectives of Personal Data Protection
B.Grimm Group collects, uses or discloses the Personal Data for the following purposes:
- for the benefit of B. Grimm Group’s business operations under the statutory, contractual obligations and the legitimate interest;
- for the improvement and enhancement of business efficiency such as database preparation, analysis, and development of operating processes;
- for verification or identification when accessing digital systems;
- for legal verification of the data subject;
- for the fulfillment of purposes that has been informed to the data subject and consented by the data subject;
- for other purposes, which are not prohibited by the law, and/or for compliance with the laws, rules, announcements, or regulations relevant to the operation of B. Grimm Group;
- for the purpose of storing, recording, backing up, or destroying of the Personal Data.
B. Grimm Group will not act in contrary to the above purposes; provided that:
- it notifies the new purposes to the data subject and consent is obtained accordingly;
- it is for the purpose of PDPA or relevant laws compliance.
B.Grimm Group collects, uses, discloses and processes the Personal Data upon the prior or simultaneously express consent of the data subject in writing, or via electronic means, save it is not possible to obtain the consent accordingly.
In the case that B. Grimm Group collects, uses, or discloses the Sensitive Personal Data, it will obtain an explicit consent from the data subject, unless otherwise specified by laws.
The consent of the data subject refers to the data subject’s consent to B. Grimm Group to collect, use, disclose, or keep the Personal Data of the data subject by any person residing or juristic persons locating, either domestically or internationally as herein stated, unless otherwise specified by laws.
- Objection of Consent
The consent of the Personal Data is a voluntary action of the data subject. The data subject may object to a consent requested by B. Grimm Group. As a result, such objection may cause B. Grimm Group unable to enter into an agreement, obligation, or to give welfare, to grant to or accept any products or services from, the data subject, to proceed with the data subject’s requests, or to perform any contractual obligations, terms and conditions.
- The Usage and Disclosure of Personal Data
B.Grimm Group will neither use nor disclose the Personal Data to a third party without the data subject’s consent. The Personal Data is disclosed for the purpose(s) the data subject has been informed prior to or at the time of collecting such Personal Data, unless exempted by the PDPA, or statutorily required to disclosure. However, for the purpose of B. Grimm Group’s operations and rendering of services to the data subject, B. Grimm Group may disclose the Personal Data of the data subject, in and outside the country, to the following person:
- B. Grimm Group’s subsidiaries;
- shareholders or stakeholders;
- parties to the contracts, subcontractors, or service providers related to the operation of B. Grimm Group;
- any person consented by the data subject to use or be disclosed the data subject’s Personal Data;
- person or government agency according to the law, or by the court order, or any other competent authority.
In addition, B. Grimm Group procures that the abovementioned person treats the Personal Data as confidential and will not use it for any other purposes than stipulated herein.
- Security Measures
B.Grimm Group establishes the Personal Data collection, use or disclosure measures, as well as the security measures, which are in accordance with the PDPA, related regulations and guidelines, with which B. Grimm Group’s employees and other related person have to comply so that the protection of Personal Data is efficient and of security standard required by laws. The standard of security measures is the compliance to the Personal Data Protection Act, regulations, rules, laws, and practices on the protection of data for B. Grimm Group employees and related persons. In order to provide an effective and safe protection of personal data in accordance with the legal standards.
- Retention Period of Personal Data
B.Grimm Group will retain the Personal Data only for the necessary duration, and will collect, use and disclose the Personal Data, as defined in this Policy, in accordance with the duration criteria, namely the period during which the data subject is still related to B. Grimm Group, and may still retain the Personal Data as required for the purpose of statutory compliance or as per legal prescription, for the establishment of legal claims, legal compliance or exercise of legal claims, or defense of legal claims, or for other purposes in accordance with policies and the internal regulations of B. Grimm Group.
If it is not possible to specify the Personal Data retention period, B. Grimm Group will retain the Personal Data as may be expected per data retention standards (such as the longest legal prescription of 10 years).
- Data Subject Rights
The data subject has the following rights under the laws:
- The right to access, request a copy, or request of disclosure on unconsented data;
- The right to correct the Personal Data;
- The right to request for deletion, destroying, or anonymization of the Personal Data;
- The right to withdraw the consent;
- The right to obtain or transfer the Personal Data;
- The right to request the suspension of the use of Personal Data;
- The right to object to the collection, use, or disclosure of the Personal Data;
- The right to complain to official or the regulatory authority for the protection of the Personal Data.
The request of any rights shall neither affect the processing of Personal Data for which the data subject has lawfully consented, nor violate any statutory requirements to be complied by B. Grimm Group.
- Contact Information
In case the data subject has any questions about the Personal Data Protection Policy, or wishes to exercise the rights as specified in Section 11, please contact [email protected]
- Review and Update of the Personal Data Protection Policy
B. Grimm Group may review and update the Personal Data Protection Policy for the purpose of compliance with the applicable laws and regulations, and any comments or suggestions from any agencies, including personal data protection practices, and for the development of B. Grimm Group’s Personal Data protection procedures, which should be in accordance with the change of operations and technology to provide effective security measures. In this respect, B. Grimm Group will announce any changes in advance.
This Policy is effective from 31 May 2022 onwards.
Date of Announcement: 31 May 2022
(Dr. Harald Link)
Chairman of B.Grimm