1. Scope: This Personal Data Protection Policy must be applied to personal data in which the Company may collect,
gather, use, disclose or transfer. Such policy belongs to the Company, the Company’ s employees, personnel, staff,
representative and authorized person related to personal data analysis who acts according to order or on behalf of
2. Definition Referred to in this Policy
2.1 Processing refers to any operation in relation to personal data, for examples, data collecting, recording,
organizing, structuring, amending, recovering, disclosing, transferring, transmitting, declaring, consolidating, erasing
or damaging the data.
2.2 Personal Data refer to data of a person which help identify such person, whether directly or indirectly; for
examples, first name, last name, Email, telephone number, IP Address, photographs, nationality, religion, political
opinion, genetic data and Biometric data.
2. 3 Data Subject refers to a person who own such data which could be identified by their personal data, whether
directly or indirectly.
2.4 Data Controller refer to a natural or juristic person who proceeds with the processing.
2. 5 Data Processor refer to a natural or juristic person excluding the Company’ s employees which proceeds with the
collection, use, or disclosure of personal data according to the order or on behalf of the Company.
2.6 Company refers to Western Property Company Limited
3. 1 The Company shall organize the governance structure for the operation of personal data in compliance with the
laws as follows;
( 1) Organizational structure shall be conducted. Specific definition of roles, tasks and responsibilities of each
department and personnel shall be prescribed to enforce the governance, authority, obligation, procedure,
( 2) To appoint the Data Protection Officer of the Company, whose roles and tasks may be as specified in the
Company’s Personal Data Protection Policy announced by the Committee of Personal Data Protection.
3.2 The Company shall prescribe policy, standards, guidelines, procedures and document related to personal data
3.3 Performance management shall be implemented to regularly administrate the operation as to be in accordance
to the policy.
3.4 The Company may regularly conduct in-house trainings for its employees with the emphasis of the importance of
personal data. This is to ensure that any operation regarding personal data are performed by trained and experienced
4.1 The Company as a Data Controller and Data Processor shall operate the processing of personal data, unbiased,
transparent and on the emphasis of the validity of personal data. The scope and purposes of processing and data
retention period shall be justifiable by the laws and the Company’s guidelines. The Company shall enforce strict
protection measures for the validity and safety of personal data.
4.2 Procedures and regulations for personal data processing shall be in accordance with the laws and the Company’s
4.3 Record of Processing Activities (ROPA) shall be conducted on activities related to personal data processing and shall be as specified by the laws. The ROPA shall be amended once an amendment or related activities are executed.
4.4 Apparent process shall be regulated to ensure that the notice of purposes of the collection and processing of
personal data as well as the request of consent from Data Subject are in compliance with the laws. Strict measures
are created to operate and verify such process.
4.5 The measures for validation of personal data shall be established including the approach to amend and correct
4.6 In case of a transfer, transmit or disclosure of personal data to other parties, the Company will conduct an
agreement with the assignee who receives or uses personal data on the authority and obligation as prescribed by the
4.7 In case of an international transfer of personal data, the Company will strictly comply with the laws.
4.8 The Company will cease the storage of documents containing personal data once the retention period has come
to an end as is subject to relevant laws and regulations.
4.9 Risk assessment shall be executed and related policy be implemented for the reduction of risks and effects
which may occur by the assessment.
The Company shall process to establish measures, channels and procedures for Data Subject to exercise his/her rights
by laws and will keep any record and analysis of Data Subject’s request.
6.1 Adequate security policy shall be implemented and protection measures to prevent the breach and unauthorized
use of such data shall be conducted.
6.2 Corporate governance policy of incidents regarding personal data and response measures for such incidents
shall be executed for immediate identification and management of any incidents that may occur.
6.3 The Company may inform Data Subject including government officers, Data Controller (in case Company acts as
Data Processor or joint Data Controller) and related personnel as prescribed by the laws.
7.1 The Company shall monitor and inform Data Subject in case the amendment of laws is enforced and would, from
7.2 The Company shall review and amend the policy, standards, guidelines, procedures and document related to
personal data protection in compliance with the laws and circumstances during a particular period of time.
8. Roles, Obligation and Responsibilities
8.1 Committee are obliged to the roles and responsibilities as follows;
(1) To regulate the governance structure for personal data and related internal operation as prescribed by the
(2) To oversee and support the Company to effectively safeguard personal data in accordance to the laws.
to emphasize on the importance of awareness of such Policy to employees.
8.3 Data Protection Officer are, according to the laws, obliged to;
(1) Ensure that Data Controller is informed about the status of personal data protection and to give advice and
recommendations for the development of the Company’s protection measures in compliance with the laws.
(3) Inspect the operation of the Company’s institute to be as prescribed by the laws and the Company’s privacy
8.4 Employees are obliged to;
(1) Perform any task in accordance to the Company’s Personal Data Protection Policy, standards, guidelines,
procedures and document related to personal data protection in compliance with the laws and the Company’s
(2) Report any incident related to personal data protection and breaching of the laws and the Company’s
Penalty for Breach of the Company’s Personal Data Protection Policy
9. Contact Information
email@example.com or by the following address;
Western Property Company Limited
9th Floor, 1550 Thanapoom Tower, New Petchburi Road, Makkasan, Ratthewi, Bangkok 10400
Tel: +66 2 207 0789