Personal Data Protection Policy
(PDPA Policy)

Introduction

    The Eastern Economic Corridor Office of Thailand (EECO) recognizes the importance of personal data protection, respects the privacy rights of data subjects, and ensures that the collection, use, and disclosure of personal data are conducted in compliance with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) and other relevant laws and regulations. EECO has therefore established this Personal Data Protection Policy (“the Policy”) and announced it to all data subjects to ensure awareness, in accordance with Section 23 of the PDPA. EECO shall supervise and control all organizational operations and activities to ensure strict compliance with the provisions set forth in this Policy.

Scope and Objectives of the Policy

    This Policy has the following main objectives:

  • To inform data subjects of the practices EECO employs to protect personal data under its control, with details in accordance with the requirements of Section 23 of the PDPA.
  • To serve as a framework for establishing rules or guidelines governing operational procedures (Procedure and Guideline) and related documents to ensure the protection and security of all categories of collected personal data.

    The scope of this Policy covers all types of personal data of all individuals that EECO collects, uses, or discloses, whether as a data controller or data processor, as defined by the PDPA.

Definitions

Personal data means any information relating to an identifiable person, whether directly or indirectly, but excluding data of deceased persons.
Sensitive personal data refers to personal data as defined in Section 26 of the PDPA, such as race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, labor union membership, genetic data, biometric data, or any other data that may similarly affect the data subject, as prescribed by the Personal Data Protection Committee.
Data processing means the collection, use, or disclosure of personal data by EECO, whether as a data controller or data processor, as defined under the PDPA.

Collection of Personal Data

    EECO shall collect personal data by lawful and fair means, only as necessary within the scope of the PDPA and for the purposes of EECO’s operations.
    EECO shall ensure that data subjects are informed and provide consent in writing or through electronic means, in accordance with the PDPA, unless an exemption applies under the law.

Types of Personal Data Collected

    The types of personal data EECO may collect depend on the nature of the activities, locations, and methods of collection, which may include personal data of the following groups of individuals:

  • Members of the Eastern Economic Corridor Policy Committee (EECC), sub-committees, and working groups under the EECC or EECO.
  • The Secretary General, Deputy Secretaries General, Assistant Secretaries General, Special Advisors, Special Experts, or equivalent positions within EECO.
  • Employees, officers, and staff members of EECO.
  • Entrepreneurs, investors, or persons entering into legal agreements with EECO.
  • Officials from government agencies and public organizations involved in EECO’s operations.
  • Members of the general public who contact or interact with EECO.

 

    The types of personal data that EECO shall collect may include:

    Personally identifiable information such as name, surname, photograph, national identification card number, passport number, driver’s license number, date of birth, occupation, position, workplace name, nationality, gender, marital status, vehicle registration, images from CCTV within areas under EECO’s control, system usernames, passwords, etc.
      Sensitive personal data as defined in Section 3, which may include:

  • Contact information, such as home or work address, telephone number, email, and social media identifiers (e.g., LINE, WhatsApp, Facebook).
  • Personal financial information, such as bank account details and personal income tax information.
  • Data related to EECO’s mission, such as data related to EECO’s statutory functions under the Eastern Economic Corridor Act, B.E. 2561 (2018), including the development of model areas with systematic economic, social, and environmental development; the accumulation and application of modern technology for income generation and improving quality of life; proactive, integrated operations through close cooperation between the public, private, and community sectors; the development of efficient and systematically linked infrastructure and public utilities; appropriate land use; and the development of modern, international-standard cities.
  • Employment-related information, such as job interview data, performance evaluations, job titles, salary or other employment benefits, and data related to employment status with EECO.
  • Information technology data, such as EECO’s website or application usage logs, IP address, and Cookies.

Sources of Personal Data Collection

    EECO may collect personal data from the following sources:

  • Direct collection from data subjects during interactions or various activities, such as applications, registrations, employment processes, contract and document signing, surveys, or use of services or other service channels controlled by EECO, or when the data subjects communicate with EECO at its office or through other contact channels controlled by EECO.
  • Automatic collection when data subjects use the website or other services under contract or EECO’s mandate, e.g. by tracking website usage behavior via Cookies or software on data subjects’ devices.
  • Third-party sources, where such entities are legally authorized or have obtained consent from the data subject to disclose information to EECO. This can be done by, for instance, linking digital services of government agencies to provide integrated public services to data subjects, including the necessity to provide services under contract which may involve exchanging personal data with contracting agencies.

    Furthermore, this includes cases where you provide the personal data of a third party to EECO. In such cases, you are responsible for informing that person of the details of this Policy or service announcements, as applicable, and obtaining consent from that person if consent is required for disclosure to EECO.

    In the event that EECO needs to collect your personal data for the performance of a contract, compliance with a legal obligation, or for the necessity of entering into a contract, the data subject may refuse to provide the information as requested. However, failure to provide such information may prevent EECO from entering into a contract or commitment, provide benefits, processing services requested by the data subject, or perform its contractual duties or any required terms and conditions.

Purposes for Collecting and Processing Personal Data

    EECO collects, uses, or discloses personal data for the benefit of EECO’s operations, under the following legal bases:

  • For the performance of a task carried out in the public interest or in the exercise of official authority vested in EECO.
  • For research, statistical, or public-interest purposes.
  • To prevent or suppress a danger to the data subject’s life, body, or health.
  • For the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract.
  • For legitimate interests pursued by EECO, except where such interests are overridden by the data subject’s fundamental rights.
  • For compliance with EECO’s legal obligations.
  • Based on the data subject’s consent.

    In the event that EECO needs to collect your personal data for the performance of a contract, compliance with a legal obligation, or for the necessity of entering into a contract, the data subject may refuse to provide the information as requested. However, failure to provide such information may prevent EECO from entering into a contract or commitment, provide benefits, processing services requested by the data subject, or perform its contractual duties or any required terms and conditions.

Use or Disclosure of Personal Data

    EECO shall not use or disclose personal data to other persons without the data subject’s consent and shall only disclose it for the purposes notified to the data subject before or at the time of collection, except in cases exempted from consent by the PDPA, and in cases where disclosure is requested by virtue of law. However, for the benefit of EECO’s operations and service provision to the data subject, EECO may disclose the data subject’s personal data to the following persons, both domestic and international:

  • Contractors, sub-contractors, and service providers engaged in EECO’s operations.
  • Persons or entities to whom the data subject has consented to disclosure.
  • Persons or government agencies as required by law, court order, or other legally authorized body.

    Furthermore, EECO shall ensure that any recipients of personal data maintain confidentiality and use the data only for the purposes specified by EECO.

    For cross-border transfers, EECO shall implement appropriate measures to ensure that the receiving country or organization maintains adequate data protection standards and shall inform data subjects of any potential risks prior to transfer.

Security Measures

    EECO shall implement appropriate technical and organizational measures to ensure the security of personal data, in compliance with the PDPA and related regulations. Security protocols shall be applied to EECO employees, contractors, and relevant parties to prevent unauthorized access, loss, or misuse of personal data.

Retention Period of Personal Data

    EECO shall retain personal data for as long as necessary to fulfill the purposes for which it was collected or as required by law. Data will be maintained for the duration of the data subject’s relationship with EECO and thereafter only as necessary. Upon expiration of the retention period, EECO shall delete, destroy, or anonymize the data.

Rights of Data Subjects

    Under the PDPA, data subjects are entitled to exercise the following rights:

  • Right to access and request a copy of personal data, or to request disclosure of its acquisition.
  • Right to rectify inaccurate or incomplete personal data.
  • Right to erase or destroy personal data, or to anonymize it.
  • Right to withdraw consent at any time.
  • Right to request data portability or transfer.
  • Right to request suspension of data processing.
  • Right to object to the collection, use, or disclosure of personal data.
  • Right to lodge a complaint with the competent authority or a data protection supervisory authority.

    The exercise of these rights shall not affect the processing of personal data for which the data subject has lawfully given consent, nor shall it affect compliance with any other legal requirements that EECO must observe.

Contact Information

    For inquiries regarding this PDPA Policy or to exercise data subject rights, please contact:

  • Email: pdpa@eeco.or.th
  • Website: https://www.eeco.or.th

Review and Update of the PDPA Policy

    EECO shall periodically review and, where necessary, update this Policy to ensure compliance with applicable laws, regulatory guidance, and best practices. Updates shall also reflect operational or technological changes to ensure effective personal data protection. All updates will be publicly announced by EECO.

Download file :

Personal Data Protection Policy (PDPA Policy) – EECO
ขนาดตัวอักษร
ขนาดตัวอักษร