1. Introduction and scope

For the performance of its activities AISIN POWERTRAIN (THAILAND) Co., Ltd. (hereinafter referred to as “AIPT”, the “Company”, “we”, “our” or, “us”) processes various data, both commercial and personal data. This policy concerns the processing of the personal data of different categories of identifiable persons such as employees, family member of employees, outsourced staffs, applicants or any other persons contacting AIPT.

AIPT understands the importance of the protection of personal data and the concerns of our employees, family members of employees, applicants and other persons with whom it has contacts regarding the processing of their personal data. AIPT always carefully considers the protection of personal data during the different personal data processing operations.

This policy is designed to provide a uniform minimum standard for the protection of personal data applicable to AIPT. This Policy will be applied by AIPT, except if other compulsory data protection legislation is applicable which contains stricter obligations and conditions.

The data controller for the purposes of this policy is AIPT, with registered office address at WHA Eastern Seaboard Industrial Estate 2 –WHA ESIE 2 890/2 Moo 3 Khao Khan Song Sub-district, Sriracha District, Chonburi 20110

2. Contact point for the protection of personal data

AIPT has created a PDPA contact point, to ensure the implementation and enforcement of the Personal Data Protection Act B.E. 2562 (2019) (referred to as the “PDPA”) and this policy.

To exercise any of your rights (see article 7 of this policy), or if you have any other questions about how AIPT processes your personal data, please contact to the Data Protection Working Group by E-mail or phone number below:

The Data Protection Working Group
E-mail: DPO@aipt.aisin-ap.com
Phone number: 033-085-111 ต่อ 6008

3. Definitions

The applicable data protection legislation uses specific language and refers to an abstract matter. Below you will find several definitions in order to enable you to better understand the terminology, and by extension, this policy.

a. Personal data

Personal data means any information relating to a natural person, also known as the data subject, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased persons. For example, a name, an identification number, location data, an online identifier or one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

b. Data controller

Data controller means a natural person or juristic person (for example a company), having the power and duties to make decision regarding the collection, use, or disclosure of the personal data.

c. Data processor

Data processor means a natural person or juristic person who operates in relation to the collection, use, or disclose of the personal data pursuant to the orders given by or on behalf of the data controller, whereby such natural person or juristic person is not the data controller.

d. Processing personal data

Processing personal data means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means (e.g. software), such as collection, use, disclose by transmission, transfer, send, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

4. Principles applicable when collecting and processing personal data

The PDPA has several basic principles which every data controller and data processor must comply with in order to be in accordance with this legislation. In the event of doubt regarding the application of these principles in a concrete case, you can always contact the PDPA contact point for further explanations.

a. Lawfulness

The PDPA provides that personal data must be processed lawfully and fairly with respect to the data subject.

In order to process personal data lawfully, a legal basis must exist. In principle, the Company processes personal data only when:

  • The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
  • The processing is necessary for compliance with a legal obligation which is imposed upon the organization.
  • The data subject has given his or her consent. The Company shall inform the person concerned before or at the time the data is collected about the purpose for which consent is required, which personal data will be collected for the processing, the right to revoke consent, the possible consequences for the data subject in the context of automated individual decision-making and profiling, and transfer to third countries.
  • The processing is necessary for the purposes of the legitimate interests pursued the Company as a controller or the interests of a third party other than the data controller, except where the fundamental rights and freedoms of the data subject regarding the protection of his or her personal data override these interests.

Other than where justified by the legal basis above, the Company will usually process personal data where necessary for:

  • The processing is necessary for preventing or suppressing a danger to a person’s life, body, or health.
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company.
  • The processing is necessary for the achievement of the purpose relating to the preparation of the historical documents or the archives for the public interest, or for the purpose relating to research or statistics, in which the suitable measures to safeguard the data subject rights and freedoms are put in place.

If you have given your consent for a specific processing purpose to AIPT in order to process your data for that purpose, you can withdraw this consent at any time. AIPT will then stop any further processing of your data for which you gave consent and will inform you of the possible consequences of your withdrawal of consent. If AIPT processes your personal data for other purposes and in order to do so it refers to other legal bases, it will still be able to process your personal data.

AIPT ensures that it always refers to at least one of the above-mentioned legal bases when it processes personal data. If you have questions about the applicable legal basis that AIPT is referring to, you can always contact the PDPA contact point.

Some categories of personal data are of a sensitive nature and data protection legislation also has a stricter regime for these special categories of personal data (also known as “sensitive personal data”). These are data concerning racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any data which may affect the data subject in the same manner.

In principle, the processing of these sensitive personal data is forbidden unless the Company can refer to one of the exceptions. In a limited number of cases, should AIPT process sensitive personal data, the data subject will be informed in advance. For more information about the AIPT's handling of sensitive personal data, please contact the PDPA contact point.

b. Fairness

The data controller ensures that personal data shall be processed:

  • For specific, explicit and legitimate purposes and may not be processed further in a way incompatible with the initial purposes for which the data were collected.
  • This processing shall be limited to what is necessary for the purposes for which the data were collected. If possible, the data controller will anonymize the data or use pseudonyms in order to limit the impact for the data subject as much as possible. This means that the name or identifier will be replaced so that it is difficult or even impossible to identify an individual.
  • Limited in time and only as necessary for the specific purpose.
  • Accurately, and the data shall be updated where necessary. The data controller shall take all reasonable measures to erase or update the personal data, taking into account the purposes for which they are processed.

c. Transparency (personal data collected and purposes for processing)

In principle, AIPT processes personal data it has received directly from the data subject or indirectly and shall inform him/her about the following matters:

  • Information, address, contact channel, details of the controller;
  • The purpose of the processing and its legal basis;
  • If the personal data processing is supported by a legitimate interest, an explanation of this interest;
  • The (categories of) receivers of the personal data;
  • The transfer of personal data to third countries (outside Thailand) or international organizations (+on what basis);
  • The time limit for the storage of personal data or the criteria used to determine the time limit;
  • The rights of the data subject (including the right to revoke consent);
  • The right to lodge a complaint with the related supervisory authority;
  • Explanation when the transmission of personal data is a contractual or legal obligation;
  • If the Company receives personal data from a third party, it shall inform the data subject about the categories of personal data which it received from this third party and will also make this third party known to the data subject.

When the data subject already has all the information, AIPT will not inform the data subject unnecessarily about the processing of his/her personal data.

If AIPT processes personal data for other purposes that are incompatible with the purposes for which they were initially collected (the new purpose is not described in the initial information note and the data subject cannot guess that his or her personal data will also be processed for this new purpose), the Company will take all the necessary measures to process such data lawfully and will inform the person concerned.

Specific legislation may contain exceptions or set additional requirements which the Company must comply with, with respect to the provision of information to data subjects. These mandatory legal provisions take precedence over this policy.

d. Personal data to be processed and purpose of processing
The personal data that AIPT processes, and the purposes of processing may notably include the following information:

Order Category Purpose
1. Recruit and Hiring Process:
name-surname, nick-name, picture, gender, religion, blood-type, e-mail, telephone number, ID card related information, date and place of birth, household registration related information, educational background, marital status, social security number, financial and tax related information, conscript information, health and disability information, employment training information, birth and death certificate information, finger scan, etc.
To recruit and register employee to the Company’s employment system
2. Human Resource and General Administration Management:
name-surname, ID card related information, passport related information, age, gender, blood type, address, telephone number, status, weight and height, race and nationality, criminal record, health information, beneficiary information, bank account, employee number, invoice, picture, salary information, passport number, guarantor’s citizen card related information, company rental car related information, conscript information, educational background, sim card, copy of (1) ID card (2) birth and death certificate (3) marriage certificate (4) parent’s ID card (5) household registration and (6) medical certificate, etc.
To manage HR and GA matters such as internal and Japanese expats payroll, tax clarification, job performance evaluation, welfare reimbursement, in-house and external training, certificated internal trainer, intern recruitment, outsourcing agreement, CCTV management, air ticket reservation, employee health check-up, insurance, etc.
3. Whistleblowing Management: To receive reports, conduct investigations, report to the affiliated companies, and conduct corrective measures, etc.
4. Company Administrative Procedure:
name-surname, ID card related information, taxpayer ID, social security number, social security contributions, salary and benefit information, remitted tax amount, educational background, disability, nationality, picture, employee number, department and job position, training certificate, copy of ID card and passport etc.
To submit necessary document to the Social Security Office, Revenue Department, Office of Social Development and Social Human Stability, Department of Labor Protection and Welfare, Chon buri Institute for Skill Development, Department of Employment, Department of Alternative Energy Development and Efficiency, municipality office and other relevant government authorities.

e. Confidentiality and integrity

AIPT takes the required technical and organizational measures to ensure that the processing of personal data is always carried out with the appropriate safeguards to protect the data against unauthorized access or unlawful processing and against loss, destruction or damage, accidental origin. AIPT use a range of physical, electronic and managerial measures to ensure that it keeps personal data secure, accurate and up to date.

  • Education and training to relevant employees to ensure they are aware of our privacy obligations when handling personal data
  • Administrative and technical controls to restrict access to personal data on a need-to- know basis
  • Technological security measures
  • Physical security measures, such as staff security passes to access premises, locking filing cabinets etc.

f. Personal Information of others provided by you

In certain situations, including administration of health insurance programs and other benefits for employees, and as a contact in emergency, you may provide to AIPT personal data of others (e.g. your next of kin, beneficiaries). It is your responsibility to inform the nominated individual about the processing of their personal data for the described purposes and to confirm, if required by law, that they have given their permission.

5. Transfer of personal data

In some cases, AIPT may have to transmit personal data to third-party receivers, both inside and outside the Company's group. In any event, these personal data are only transferred on a need-to-know basis to these receivers who carry out the processing for specific purposes. AIPT shall always observe the necessary security measures when transferring the data and with respect to the receivers, in order to guarantee the confidentiality and integrity of the personal data

The transfer to third parties can take several forms, as described in more details below.

a. Transfer within the group of AIPT

Third-party transfers can only intervene if AIPT has respected the various principles and obligations imposed by PDPA. This means that the transferring Company can rely on a legal basis (legitimate interest, consent from the data subject, performance of an agreement, etc.) for this transfer.

In this further processing, the Company must also comply with the other principles listed in article 5 of this policy.

When your personal data are passed on to companies within the group, but which are located outside Thailand (i.e. Japan), AIPT will provide for the appropriate guarantees described in point c.

b. Transfer to third parties

Other than specified in the preceding paragraph, AIPT may send or transfer personal data to third parties including law enforcement agencies and other third parties that are our service assignees for recruitment services, healthcare services, accounting services, auditing services, banking services, insurance services and other professional consultancy services, etc.

c. Overseas Transfer

It is also possible that AIPT transfers personal data to parties that are based outside Thailand.

Such a transfer is possible if the country where the receiver is based has adequate data protection standard in accordance with the rules for the protection of personal data as prescribed by the Data Protection Committee.

In other cases, AIPT may send or transfer your personal data overseas if the Company provide appropriate safeguards which enable the enforcement of the data subject’s rights, including effective legal remedial measures according to the rules and methods as prescribed and announced by the Data Protection Committee.

Where this has not occurred or is not possible, AIPT may still transfer the personal data of the data subject, following the consent of the data subject. In order to allow the transfer, and therefore the processing, also in these cases, AIPT will ask the person concerned if he/she agrees to this transfer to third countries that may have inadequate personal data protection standards.

If more information for these international transfers are desired, the procedure as described under article 7 can always be followed.

6. Time limit for the storage of personal data

AIPT will securely store your personal data on our systems at least ten years after the expiration of the employment contract with you. Provided, however, AIPT may retain your personal data for a longer period if it is necessary for the longest of the following periods:

  • As long as is reasonably necessary for the relevant activity or services;
  • Any retention period that is required by law; or
  • The end of the period in which litigation or investigations might arise in respect to AIPT or by AIPT.

To determine the appropriate retention period of the personal data, AIPT will consider the amount, nature and sensitivity of such personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purpose for which the Company process the personal data and whether that Company can achieve those purpose through other means, and the applicable legal requirements.

After the final time limit has passed, AIPT shall delete or anonymize the personal data if the Company still wishes to use such personal data for statistical purposes and may retain it for a longer period of time for dispute management, study or archiving purposes.

7. Rights of individual data subjects

Data protection legislation provides for different rights for data subjects with respect to the processing of personal data so that the data subject can still exercise sufficient control over the processing of his or her personal data.

Through this policy, AIPT is already trying to provide as much information as possible to the data subjects in order to be as transparent as possible with respect to the processing of personal data.

AIPT understands that the data subject may still have questions or desire additional clarifications with respect to the processing of his or her personal data. AIPT thus understands the importance of the rights and shall therefore comply with these rights, considering the legal limitations in the exercising of these rights. The different rights are described in detail below.

a. The right of access

The data subject has the right to request access to and obtain a copy of your personal data, which is under the responsibility of the Company, or to request the disclosure of the acquisition of the personal data obtained without your consent. For any further copies requested by the data subject, the Company may charge a reasonable fee.

b. The right to rectification

When the data subject establishes that AIPT has incorrect or incomplete data about him or her, the data subject always has the right to inform AIPT of this fact so that appropriate action can be taken to rectify or supplement these data. It is the data subject’s responsibility to provide correct personal data to the Company.

c. The right to erasure

The data subject can ask to have his or her personal data erased, or destroyed, if the processing is not in accordance with data protection legislation (Article 33 of PDPA).

d. The right to restriction of processing

The data subject may request the processing restricted if:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to check their accuracy;
  • the processing is unlawful, and the data subject opposes the erasure of the data;
  • AIPT is no longer needs the data, but the data subject requests that they not be removed, given that he or she needs them for the exercise or defense of legal claims;
  • the data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.

e. The right to data portability

The data subject has the right to obtain his or her personal data which he or she provided to AIPT in case where AIPT has arranged such personal data to be in the format which is readable or commonly used by ways of automatic tools and can be used or disclosed by automated means.

In addition, the data subject has the right to have those personal data transmitted to another data controller (directly by AIPT). This is possible if the data subject has consented to the processing.

f. The right to object

When personal data are processed for direct marketing purposes, the data subject can always object to this processing.

The data subject can also object to processing due to a specific situation regarding the data subject. AIPT shall stop processing the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests of the data subject or for the exercise or defense of legal claims.

g. The right to withdraw consent

If you have given your consent for a specific processing purpose to AIPT in order to process your data, you can withdraw this consent at any time by contacting the PDPA contact point. However, such withdrawal of consent shall not affect the processing of personal data that you have already given consent legally to the Company.

h. The right to complaint to the authority

The data subject has the right to file a complaint with the relevant data protection authority in the event that AIPT does not comply with the data protection legislation (the PDPA).

The data subject can exercise his/her rights provided in the a. to g. above by sending an e-mail or registered letter to AIPT’s PDPA contact point described in article 2 of this policy. AIPT may ask the data subject to identify themselves in order to ensure that the effective exercise of the rights is requested by the data subject.

In principle, AIPT shall respond to the request of the interested person within 30 days. Otherwise, AIPT informs the data subject of the reasons for their delay in the follow-up of the request.

8. Revision of this policy

AIPT reserves the right to adjust and review this policy when it deems necessary and to remain coherent with the legal obligations and/or recommendations of the competent supervisory authority for data protection.

Page Top