Personal Data Protection Policy
Morinaga Asia Pacific Co., Ltd.


1. The principle and objective

Morinaga Asia Pacific Co., Ltd. (hereinafter referred to as the “Company”) is aware of the importance of personal data protection, therefore, it is committed to providing personal data protection according to the Personal Data Protection Act B.E. 2562 (2019).

In that regard, the company has provided a Personal Data Protection Policy to ensure that the Company operates its business according to the law and international standards concerning personal data protection, including data subject protection principles and measures to handle a breach of personal data protection effectively and properly. The company hereby announces its personal data protection policy to data subjects as below.


2. Implementation Scope

This Personal Data Protection Policy is based on the Personal Data Protection Act B.E. 2562 (2019). Its implementation covers the whole personal data processing process in the company’s business. It is applied to the board of directors, directors, executives, and personnel of the company, its business partners, service providers, and service receivers, including any person who comes to know personal data through the course of business and stakeholders of the company who are obliged to comply with this Personal Data Protection Policy and the law.

This Personal Data Protection Policy shall be implemented in all operations and activities of the company involving personal data such as all kinds of data storage whether in the verbal, document, or electronic forms, or any other use of personal data in the company’s operations under the defined scope and consent of the data subjects, as well as personal data protection measures employed by the company, and personal data shared by the company to other persons whether directly or indirectly, including through the following websites and/or applications.

Application

1. Line OA: Morinagathailand

Website

1. Manna: https://www.morinaga-ap.com/manna-shop/index.php
2. Morinaga AP: https://www.morinaga-ap.com
3. HI-CHEW Australia: https://www.hi-chew.com.au
4. HI-CHEW New Zealand: https://www.hi-chew.co.nz

Sales platform

1. Shopee: https://shopee.co.th/morinagathailandofficial
2. Lazada: https://www.lazada.co.th/shop/morinagathailandofficial
3. TikTok: https://www.tiktok.com/@morinagathailand

Morinaga social media

1. https://www.facebook.com/Morinagathailand
2. https://www.facebook.com/hichewthailand
3. https://www.instagram.com/morinaga_thailand
4. https://twitter.com/MorinagaTH
5. https://www.instagram.com/hichew_anz
6. https://www.facebook.com/hichew.anz

There may be links to other websites that use different personal data protection policies. Therefore, to ensure that you, as a data subject, understand how such websites handle your personal data and other relevant matters differently, the company encourages you to read this policy and the policies of other websites. By using the services or making a transaction, it shall be regarded as you, as a data subject, have read, accepted, and acknowledged this policy in detail.

For personal data collected before the Personal Data Protection Act B.E. 2562 (2019) became effective, the company may continue to store and use such personal data according to the original purpose. Disclosure and other services apart from the storage and use of such personal data shall comply with the Personal Data Protection Act B.E. 2562 (2019).


3. Definition

3.1 The “Company” shall mean Morinaga Asia Pacific Co., Ltd. as the data controller.

3.2 A “subsidiary company” shall mean a company in which Morinaga Asia Pacific Co., Ltd. is a shareholder of it, or it is a shareholder of Morinaga Asia Pacific Co., Ltd.

3.3 The “Personal Data Protection Policy” shall mean a policy prepared by the company to inform data subjects of the company’s data processing process and relevant detail as required by the Personal Data Protection Act B.E. 2562 (2019).

3.4 “Personal data” shall mean information that can be used to identify a person’s identity whether directly or indirectly, but not including information specific to a deceased person.

3.5 “Sensitive data” shall mean information concerning the nationality, race, political opinion, cult, religion, or philosophical belief, sexual behavior, criminal background, health record, disability, labor union, genetic code, bio data, or other similar information of a person as defined by the Personal Data Protection Committee in article 26 of the Personal Data Protection Act or other applicable laws.

3.6 “Data processing” shall mean the collection, use, and disclosure of personal data.

3.7 A “data subject” or “you” shall mean a natural person whom the personal data collected by the company or disclosed personal data.

3.8 A “data controller” shall mean a person or legal entity who is authorized to make the decision to collect, use, or disclose personal data.

3.9 A “data processor” shall mean a person or legal entity who collects, uses, or discloses personal data according to the instructions of a data controller, provided that such person or legal entity is not a data controller.

3.10 A “Committee Data Protection Officer” shall mean a committee who provides advice, management, and inspection to ensure that personal data is processed according to the Personal Data Protection Act B.E. 2562 (2019).


4. Role and responsibility

4.1 The role and responsibility of the company as a data controller or data processor according to the Personal Data Protection Act B.E. 2562 (2019) are as below.

Role

Responsibility

Data Controller

  • Provide proper security measures to prevent the loss of personal data, unauthorized or illegal access, use, modifications, or disclosure thereof, and review the measures when necessary or when the technology has been changed. 
  • Prevent unauthorized or illegal access use or disclosure of personal data by data receivers other than the data controller. 
  • Provide a system to check and delete or destroy personal data according to the Personal Data Protection Act B.E. 2562 (2019). 
  • Notify the Office of Personal Data Protection Committee and the data subject of a breach of personal data protection without delay. 
  • Maintain the logs according to the Personal Data Protection Act B.E. 2562 (2019). 
  • Provide a personal data processing agreement between the data controller and data processors assigned by the data controller to process personal data. 
  • Inform data subjects and the Office of Personal Data Protection Committee of the contact and communication channel of the Personal Data Protection Officer. 
  • Provide a Personal Data Protection Officer and support their operation.

Data Processor

  • Collect, use, or disclose personal data only as instructed by the data controller except when such an instruction is in contrast to the law concerning personal data protection or the Personal Data Protection Act B.E. 2562 (2019). 
  • Provide proper security measures to prevent the loss of personal data, unauthorized or illegal access, modifications, or disclosure thereof. 
  • Notify the data controller of a breach of personal data protection without delay. 
  • Maintain the logs of personal data processing.  
  • Inform data subjects and the Office of Personal Data Protection Committee of the contact and communication channel of the Personal Data Protection Officer. 
  • Provide a Personal Data Protection Officer and support their operation.

4.2 Role and responsibility of the executives, Committee data protection officer, and staff of the company

Role

Responsibility

Executive

  • Review and monitor to ensure that staff operate according to the Personal Data Protection Policy strictly.  

Staff

  • Strictly adhere to the Personal Data Protection Policy. 

Committee Data Protection Officer

  • Provide advice, manage, and inspect to ensure that the operations comply with the Personal Data Protection Act B.E. 2562 (2019). 
  • Report to the top management upon an issue. 
  • Coordinate and cooperate the Office of Personal Data Protection Committee. 
  • Notify the Office of Personal Data Protection Comittee the data subject of a breach of personal data protection without delay according to the company’s regulation to the extend permitted by the law. 
  • Prepare and review the Personal Data Protection Policy. 
  • Maintain confidentiality of personal information received or obtained through the course of duty. 
  • Perform other duties or assignments to the extent permitted by the law. 


5. Personal Data Collection

5.1 Sources of personal data

The company may obtain personal data through two sources as below.

5.1.1 All types of personal information that are collected directly from data subjects in all forms whether through a verbal, document, electronic, or other means upon signing an agreement, providing a service, receiving a service, filling an application form for a service or an online survey in the document or electronic form, using the company’s website, or other legal transactions with the company.

5.1.2 From sources other than the data subject such as a profile search through websites or a third party. The company shall inform the data subject in writing without delay before doing so, and obtain the explicit consent in writing from the data subject for such data collection except in cases where the consent is not required by law.

The collection, storage, use, and disclosure of personal data shall be done according to the purpose and scope, through legal and moral means, and limited to the extent necessary for the service under the purpose defined by the company. The data subjects shall be informed and requested to give their consent through an electronic means, or short message system, or other means determined by the company.

The company may collect the following personal information.

  • Identity information: Name, Date of birth, citizen identification card or passport number, or any other government-issued document that can be used to identify the identity of a person.

  • Contact information: Address, email, telephone number, and fax number.

  • Professional background: Employment status and job position.

  • Commercial and business credit information in detail including payment history and methods, transactions, prices, and other payment information when you purchase a product or service from the company.

  • Personal information provided to the company by you when you contact the company including but not limited to activities, competitions, lucky draws, registrations, sales promotions, surveys, customer satisfaction surveys, questionnaires, and opinions on the website and/or application.

  • Website and/or application access: Usernames and passwords logging on to online services and applications, and IP addresses.

  • Cookies information.

  • Marketing survey: Marketing analysis of statistical data of data subjects.

  • Sensitive information: Nationality, race, gender, religion, philosophy, health, criminal background.

  • Device and device location: GPS coordinates.

  • Closed circuit camera footage.

  • Telephone or electronic device communications.

  • Pictures.

  • Personal information collected by the company through an automatic and/or electronic system.

  • Or other information relevant to service agreements or transactions made with the company.

5.2 Purpose of data collection and use

5.2.1 The company shall only collect personal information necessary for its operation and various purposes such as:

  • For signing agreements and performing contractual obligations made between the company and data subjects.

  • To verify the identity of a person before providing a service or entering into an agreement.

  • To provide answers or assistance to customers or relevant persons.

  • To develop and improve the company’s services to meet the customer demand even more.

  • To provide information on the services or promotions through the marketing channels obtained from customers.

  • To comply with applicable laws such as withholding tax, customer identity verifications required by the law, or when requested by a government authority such as the Office of the National Anti-Corruption Commission, Royal Thai Police, or the Anti-Money Laundering Office.

  • For inspections such as analysis and document preparations as per the request of organizations relevant to the company’s business, business partners, or relevant persons.

5.2.2 If a data subject refuses to provide the personal information required to comply with the law, agreement provisions, or other regulations, it may cause the transactions or activities of the data subject to be suspended or stopped temporarily until the company has received the required information otherwise the company will not be able to process the information or will be prohibited to continue the transactions or activities.

5.2.3 The company shall collect personal information only as necessary to fulfill the legal purpose as informed to the data subjects before or upon collecting personal information with written consent from the data subjects before or upon collecting personal information except in the following cases where the company may collect personal information without consent.

  • To maintain the logs or archives for public goods, research, or statistics, provided that the company provides proper security measures to protect the rights and freedom of the data subjects.

  • To protect the vital interests of a person.

  • To fulfill contractual obligations where the data subjects are the contractual parties, or in answering to the request of the data subjects made before entering into the agreement.

  • To perform mandatory duties for public goods or as requested by a government authority.

  • When necessary to protect the legal interest of the company, other persons, or legal entities, except when such interest is inferior to the basic rights in personal data of the data subjects.

  • To comply with laws such as the Credit Information Business Act B.E. 2559 (2016), Civil and Commercial Code, or Criminal Code, etc.

5.2.4 When collecting sensitive personal data, the company shall obtain explicit consent from the data subjects before or upon collecting sensitive personal data according to the company’s regulations to the extent permitted by the law.


6. Personal data disclosure

6.1 The company may disclose your personal information to the following persons and entities under the defined purpose and the extent permitted by the law.

(a) Subsidiaries both inside and outside the country including their executives, directors, staff, employees, and/or personnel who are involved in the personal data processing and need to know your personal information.

(b) Business partners, service providers, and data processors who are hired or assigned by the company to manage/process personal data for the services of the company such as employee health checkups by a business partner, information technology services, data logging services, payment services, courier services, mailing services, printing services, healthcare, insurance, training, data analysis, research, marketing, or other services that may be beneficial to you or relevant to the company’s business such as commercial banks, hospitals, and insurance companies.

(c) Legal consultants of the company such as legal consultants, lawyers, accounting auditors, or other practitioners both internal and external.

(d) Government authorities who have the jurisdiction, legal power, or relevant permissions such as the Department of Labor Protection and Welfare, Department of Skill Development, Department of Empowerment of Persons with Disabilities, Revenue Department, Social Security Office, Department of Provincial Administration, Department of Business Development, Department of Intellectual Property, Securities and Exchange Commission, Stock Exchange of Thailand and its subsidiaries, Office of Personal Data Protection Commission, Trade Competition Commission, Royal Thai Police, Office of the Attorney General, justice courts, and Legal Execution Department, etc.

(e) Customers, business partners, and contractual parties of the company in your contact, your job responsibility, or other persons of similar nature.

(f) Persons or entities to whom you have given consent to receive your personal information.

6.2 The company shall disclose your information to other persons only for the defined purpose or as required by the law, and with your prior consent when required by the law.

6.3 The company shall disclose your personal information with proper security measures and personal data protection standards according to the law.

7. The retention period of the personal data

The company shall store personal data for the following durations.

1. The durations required by the laws specific to personal data storage such as the Accounting Act B.E. 2543 (2000), Anti-Money Laundering Act B.E. 2542 (1999), Computer-Related Crime Act B.E. 2550 (2007), and Revenue Code.

2. In the absence of a specific duration by law concerning personal data storage, the company shall determine a proper duration according to its operation.

After such durations have passed, the company shall delete or destroy the personal data, or make it become unidentifiable.

8. Cross-border Data Transfer

If the company is to transfer personal information to another country, it shall make sure that the destination country has an adequate level of personal data protection standards.

However, in the absence of an adequate level of personal data protection standards in the destination country, such personal data transfers shall be done according to the exemption rule defined by the company to the extent permitted by the law.

9. Rights of data subjects

This policy is provided to assure data subjects that they may exercise the following rights under the Personal Data Protection Act B.E. 2562 (2019).

9.1 The right to withdraw consent: Data subjects may revoke the consent for personal data processing given to the company at any time while in the possession of the company.

9.2 The right of access: Data subjects may gain access to their personal data, request a copy of their personal data from the company, and demand the company to reveal the source of personal data obtained without their consent.

9.3 The right to rectification: Data subjects may request the company to correct wrong information or add more information to make it complete.

9.4 The right to erasure: Data subjects may request the company to delete their personal data for a reason.

9.5 The right to restriction of processing: Data subjects may suspend the use of their personal data for any reason.

9.6 The right to data portability: Data subjects may transfer their personal data provided to the company to another data controller or themselves for any reason.

9.7 The right to object: Data subjects may object to the processing of their personal data for any reason.

However, the company may deny the use of the foregoing rights of data subjects according to the regulations defined by the company to the extent permitted by the law. The company shall provide communication channels specified in this policy for data subjects to exercise their rights as mentioned above. If the company denies such requests, the company shall inform the data subject of the reason.

Data subjects may file a complaint with the Personal Data Protection Commission if the company, data processor, their employees, or contractors fail to comply with the Personal Data Protection Act B.E. 2562 (2019) or announcements issued under the act.

10. Personal data security

The company provides proper security measures to prevent the loss of personal data, unauthorized or illegal access, use, modifications, alterations, or disclosure. The measures shall be in line with the policy and procedures of the company concerning information security.

If there is a breach of personal data security of the company that causes personal data to be tampered with or leaked, the company shall notify the data subject as soon as possible. And if the cause is the company’s fault, the company shall inform the data subject of the remedy and negotiate compensation for the damage caused by the breach of not over the contractual value. However, the company shall not be liable for any damage caused by the use, omission, negligence, or disclosure of such personal data of the data subject or other persons whom the data subject has given the consent.

If the company hires external organizations or entities to collect, use, or disclose personal data of the data subjects, the company shall ensure that such external organizations or entities maintain the confidentiality of the personal data, and prevent the personal data from being collected, used, or disclosed illegally or for purposes other than the hiring scope.

11. Personal data protection policy reviews and revisions

The company shall review and revise this policy when there is a situation that impacts the policy significantly.

The company reserves its right to revise this Personal Data Protection Policy from time to time to comply with changes concerning the processing of your personal data, the personal data protection law, or other applicable laws.

The company shall keep you informed of significant changes or revisions made to the policy through the company’s communication channels. Please check this policy from time to time for changes. If there is a change that jeopardizes your rights concerning sensitive information under this policy, the company shall obtain your prior consent, except where the law states otherwise.

12. Communication channels

Data controller’s contact:

Name : Morinaga Asia Pacific Co., Ltd.
Contact Address : 32/33, 12th Floor, Sino-Thai Tower, Sukhumvit 21 Road (Asoke),
Khlong Toei Nuea Subdistrict, Watthana District, Bangkok 10110, Thailand
Website : https://www.morinaga-ap.com
Other contact or news channel : PDPAteam@morinaga.com

Committee Data Protection Officer’s contact:

Name : Morinaga Asia Pacific Co., Ltd.
Contact Address : 32/33, 12th Floor, Sino-Thai Tower, Sukhumvit 21 Road (Asoke),
Khlong Toei Nuea Subdistrict, Watthana District, Bangkok 10110, Thailand
Website : https://www.morinaga-ap.com
Other contact or news channel : PDPAteam@morinaga.com

Announced on June 7th, 2024