Slide background

Personal Data Protection Policy of Customers, Partners and Visitors

1. Objective of the policy

NYK ( hereinafter referred to as the ” Company ” includes companies namely NYK RORO (Thailand) Co., Ltd., NYK Auto Logistics (Thailand) Co., Ltd. and Laem Chabang International Ro – Ro Terminal Ltd., registered as a separate juristic person under the laws of Thailand and each entity is a subsidiary of the parent company in Japan) as the Data Controller is committed to the protection of personal data in business operations appropriately and in accordance with “The Personal Data Protection Act B.E. 2562 of Thailand ( PDPA)” has established this policy for the processing and management of personal data of customers, partners and visitors which the company collects, uses and discloses.

2. Definitions

2.1 Personal data is defined as information about individuals which possible to identify that person directly or indirectly. Excluding corporate information and deceased persons which is particularly according to the Personal Data Protection Act B.E. 2562

2.2 Sensitive personal data is defined as information that can be directly or indirectly identifiable and it is the information specified in the Personal Data Protection Act B.E. 2562, Section 26, such as personal data relating to race, political views, religion or philosophy, sexual behavior, criminal record, health information, disability, labour union information, genetic information, biological information or any other information which affects the data subject in the same way as prescribed by the Commission.

2.3 Customer means a person who has entering into the contract with the company, such as trading contracts, service contracts or any other contract.

2.4 Partner means a person or entity that is a party to contracts such as work contract, service contract or other contracts with the company. As well as persons or entities who contact the company to negotiate or other related contract.

2.5 Visitors who represents customer, clients on behalf of customers or employees, or any person who enters the premises or property of the company which related to the business operation or operation of the company.

3. Scope of the Policy

3.1 Personal data in this policy cover and includes personal data of customer, partner and visitor that is in the possession or control of the company. Whether that information is recorded in the format or channel, or technology, such as electronic or digital publications.

3.2 This policy applies to related persons who are assigned by the company to perform their duties, both directly and indirectly and from the assignee according to the structure of the companies in the group company.

3.3 This policy covers the protection of personal data of customer, partner and visitor and related persons which the company had collected in the operation of the company.

4. The collection of personal data is limited and sparingly.

To collect information and keep personal data of customer, partner and visitor and other relevant persons, the company will use a lawful and fair method in collect, use and disclosure of personal data. The processing such personal data is limited as necessary for the purposes stated in clause 5 of this policy.

5. The purpose of the collection, use, disclose of personal data.

5.1 The company collects, uses, disclose personal data of customers, partners, and visitors to comply with the existing contracts, such as sales agreements, service contracts, lease contracts, goods handling contracts. Passengers contract, etc. , as well as for the purpose of processing the requests of customers, partners, visitors to enter into a contract or discuss or agree to a contract between each other for verification of documents and evidences of buyers, sellers, contractors, contractors involved in negotiations, dealing of contracting or the performance of contract.

5.2 The company collects, uses and discloses person data of customers, partners, visitors for the purposes of business, marketing, public relations and for the benefit in the operation of the company for study, research or statistics which is according to the purpose of company business and to improve the quality of the company’s services by electronic means or any other means to be more effective for data subject and for reporting and investigating complaints.

5.3 The Company collects, uses, discloses personal data of customers, partners and visitors to practical with the relevant law such as Transportation Laws, Tax, Customs, Factory laws, including the International Ship and Port Facility Security Code (ISPS CODE) and etc. and to comply with the lawful orders of competent officials, court orders.

5 .4 The company collects, uses and discloses personal data of customers and visitors for the benefit of management, research studies or statistics, for security of the company’s premises, assets, information technology systems , as well as for other legitimate interests of the company.
The company will not perform different from the purpose for the collection unless (1) has notified the data subject a new purpose and obtaining consent from the data subject (2 ) as required by law
Collection, usage and disclosure of personal data as the above purposes, the company is operated as conditions or due to legal requirements as specified clause 6.

6. Conditions or the law to collecting, using and disclosing personal data.

In principle, the company collects, uses and discloses personal data with the consent of the data subject by means of law. Unless the law stipulates conditions or other reasons that can be done without the consent of the data subject, such as performance under the contract, as the law, the legitimate interest of the data controller, benefit of the life, health or safety of another person, benefit of the investigation of the inquiry official or the judgment of the court, etc.

6.1 The company collects, uses and discloses personal data of customers, partners and visitors for business purposes, marketing, public relations, improve the management or work processes of the company and for other benefits of the company’s operations with the consent of the data subject.

6.2 The company collects, uses and discloses personal data of customers, partners and visitors without obtaining consent to enter into the agreement with the data subject which are customers , partners and visitors such as sales contracts, service contracts, lease contracts, goods handling contracts, passenger carriage contract, etc. for the purpose of processing the request of customers, partners, visitors to enter into a contract or agree to a contract between each other. To verification of documents and evidences of buyers, sellers, contractors, hires involved in negotiation, contracting or performance of a contract, as well as to discuss or agree to enter into a contract or perform a contract with a juristic person in which the data subject is represented or an authorized representative or an agent or person authorized to perform the said contract.

6.3 The company collects, uses and discloses personal data in order to perform legal duties without obtaining consent from the personal data subject , including for reporting to government agencies or related agencies as required by law and duties for the company to perform.

6.4 The company collects, uses and discloses personal data for the legitimate interest of the company without obtaining consent from the data subject such as,
- The collection, use, disclosure, verification or individual identification of partners, customers, visitors , who enter into the company premise or property or under the vessel contract, to visit, coordinate etc., in order to operate and maintain security in company property, premises, etc.
- To record of CCTV in the company property premises in order to prevent crime and the security of the company.
- Collection, use and disclosure the personal data of the related contract or transactions of the company to the entities or organizations to follow International Ship and Port Facility Security Code (ISPS CODE)
- Collection, use, and disclosure of personal data of customers, partners and visitors in order to detect fraud or unlawful acts or for the legal action.
- Collection, use, and disclosure of personal data to prevent or suppress any harm to life, body or health of a person, such as for the prevention of contagious diseases.
- Collection, use and disclosure of personal data for internal auditing, to audit and evaluate various standards for the usage within the group or company group.

6.5 Disclosure or transfer information out of the Kingdom
In the collection, use and disclosure of personal data for the purposes stated in Clause 5, the Company may disclose or transfer information of customers, partners or visitors outside of the Kingdom in accordance with the conditions stipulated in the Personal Data Protection Act B.E. 2562 and by the consent of the data subject as shown in clause 15.

7. To collection of personal data directly from the data subject

7.1 The company does not collect personal data from sources other than directly from data subject. Unless that can be done under the law. In the event that the company collects personal data other than the data subject, the company will notify the data subject of the collection from other sources and obtain the legal consent of the data subject.

7.2 In the event that the company collects, uses and discloses personal data of employees, workers, customers, representatives or entrusted persons of partners, customers, etc., the company does not require to obtain consent from such persons due to Section 24 prescribes. As such the legitimate interests corporate law on security Inspecting the entry and exit of company property or assets. The Company’s legitimate interest in complying with a contract with a customer or a business partner in which the data subject has the status of an employee, agent, or assignee, or the client ‘s. The legitimate interest in complying with the International Ship and Port Facility Security Code (ISPS CODE) ,etc. However, the company may request its partners, customers or visitors who are employers, agents, delegates , service providers, etc. as a data controller of such persons to send or show documents as the legal basis by which partners, customers or visitors is used to collect, use and disclose personal data of such person. In addition, if the company is unable to directly disclose the details of this policy to such person, the partner, customer, etc., who is the data controller of such person’s personal data is accepted that they will notify this policy to such person on behalf of the company. The company may request to submit or verify documents showing the acknowledgment of such person.

7.3 In the event that the company to collect, use, disclose personal data of employees, workers, customers, agents or delegates from partners, customers, etc. which is sensitive personal data. The Company may be called to partners, customers or visitors, which is the employer, principal, authority, service provider, etc., and as the data controller of the such person’s personal data to send or present documents about the consent that the data subject provides in the disclosure to the Company and for the Company to collect for the purpose of performing a contract or performing any related action between the Company and its partners, customers or visitors. If the company is unable to inform the details of this policy to such person and obtain consent from such person directly, partner, customer, etc., who is the data controller of such person’s personal data is agree to forward this policy to such persons and obtain consent on behalf of the company. The company may request to submit or verify documents showing the acknowledgment and consent of such person.

8. Personal data bureaus collect, use, disclose and duration of storage.

8.1 The Company collects, uses and discloses personal data of employees, customers, agents, representatives or assignee of partners, customers, etc. in order to perform contracts on behalf of partners, customers. The collected information includes name, surname, identification number, phone number, passports, contact information, etc., To keep for the period throughout the life of the respective contract and retained after the termination of the said contract for the period specified by law for the exercise of claims, prosecution, in connection with the said contract.

8.2 The company collects, uses, discloses information of customers, partners, visitors for the purposes of business, marketing, public relations. Improvements of work or management, etc. The collected information includes name, surname, ID card number, Telephone numbers of customers, partners, visitors. These will be stored for a period of 1 year or for the period required by law for the exercise of any relevant claim.

8.3 The company collects, uses and discloses information of customers, partners, and visitors for the purpose of performing legal duties of the company. The collected information includes name, surname, ID number, Phone number, Payment information, contact information, etc., and will be kept as per legal requirement.

8.4 The company collects, uses and discloses information of customer, partners and visitors including name, surname, ID card number, Phone numbers, contact information, photos, etc., for the purpose of building management security, company assets, information technology systems. For internal audits to comply with international standards pertaining to the Company’s business. To detect fraud for use within the group or group companies, etc. These will be kept for a period of 1 year or according to the period as required by law for the exercise of any relevant claim.

9. Security for personal data.

9.1 The company provides appropriate security measures for personal data of customers, partners and visitors in order to prevent the loss, access, use, alteration or disclosure of personal data by powerless or unlawful. To review such measures when necessary or when technologies change to provide effective security measurement at appropriate standards as minimum required by the Commission under the Personal Data Protection Act. B.E. 2562

9.2 The company has established measures for the security of personal data according to the standards announced by the Ministry of Digital Economic and Society, “Standards of the Safety Treatment of Personal Data B.E. 2563” by providing administrative safeguard, technical safeguard, physical safeguard measures as follows:
(1) Control of access to personal data and devices for storing and processing of personal data by considering the usage and security.
(2) To set the permission or rights to access personal data.
(3) User access management to control access to personal data only to authorized persons.
(4) To set user responsibilities to prevent unauthorized access to personal data by unauthorized person or disclose, copy personal data, theft of personal data storage or processing devices.
(5) To provide of means to enable traceability the access, change, deletion or transfer of the personal data and be consistent with the methods and materials used for collecting, using or disclosing personal data.
For security measures in accordance with information technology measures as per IT Security Policy.

9.3 The practical applications, including employees of the data processor or other assigned person by the company shall carefully carry out personal data within the scope of the implementation. According to the purpose and to comply with the security standards applicable to this policy. The company has made an agreement or contract with such person to determine the duty of personal data security.

9.4 In collecting, using and disclosing personal data of Employees and job applicants for the purposes of clause 5 and reason to clause 6, the company may have the data processer to collect, uses and discloses the personal data on behalf or by order of the Company, the data processer for such processing functions to have appropriate security measures in accordance with the details stipulated by law At a minimum, security measures in accordance with clause 9.2 and personal data must not be used or disclosed other than the purposes and instructions provided by the company.

10. The rights of data subject

10.1 In the event that the data subject wishes to know their personal data, the data subject can requests based on rules, procedures and request forms designated by the company. The company need to report the existence or details of such personal data to according to the request within a reasonable time.

10.2 If the data subject believes that any of their personal data is inaccurate, they can notify the company to correct, change or delete that personal data. For this purpose, the company will make a record of objection to the storage, accuracy or any action in relation to personal data as evidence.

10.3 Data Subject has the right to examine the availability, characteristics of personal data, purpose of using the information, existing of the company. They are also have the following rights,
1) Request a copy or a certified true copy of their personal data.
2) Request to correct or change the personal data to be corrected and complete.
3) Dispute or request suspension of use of their personal data.
4) Removal or destroy of their personal data.
5) Request to disclose the source where had acquisition of personal data in the case of information for which the data subject has not provided the consent for collection or storage.
In the event that the company collects, uses and discloses the personal data of the data subject for the purpose of the contract or for the legitimate interest of the company or to the duties of any legal. The company has the right to deny the rights under clause 3) and clause 4).

10.4 The company may deny the right of the data subject if required by law or the exercise of such rights is contrary to or inconsistent with the provisions of the law or affect the rights and liberties of other persons, or in the event that the personal data cannot be visible names or cannot identify the owner of the information.

10.5 In the event that the company collects, uses and discloses information for the purpose of which consent is required, the data subject has the right to withdraw the consent. However, such withdrawal may affect the benefits under the relevant contract or agreement as well as the opportunity to enter into a contract or other acts, depending on the nature of the contract as a case-by-case.

11. Formulation and review of policies, sub-policies, regulations and guidelines

11.1 The company may set a guideline for the protection of personal data of customers, partners, visitors to define details of the personal data protection policy. In addition, there may be additional regulations and guidelines to be in line with the Notification of the Personal Data Protection Committee and or with future amendments and other relevant laws.

11.2 The company may consider revising this privacy policy to comply with the privacy protection principles according to the Personal Data Protection Act B.E. 2562 and the announcement of the committee according to the aforementioned laws.

12. Collection, use and disclosure of sensitive personal data

12.1 The company will not collect, use and disclose sensitive personal data in accordance with Section 26 of the Personal Data Protection Act, such as personal data about race, ethnicity, political opinions, Creed Religion or philosophy, criminal record , health information, disability, labour union information, Genetic information, biological information or any other information required by law. Unless explicit consent is obtained from the data subject as specified in Article 1, 5, or as provided by law.

12.2 The company will collect, use and disclose sensitive personal data as part of the identification card in order to negotiate the contract with the consent of the data subject expressly stipulated in clause 15.

12.3 The company will collect, use and disclose sensitive personal data as part of the identity card including health information such as body temperature for the benefit of checking in and out of the company, security reason with the consent of the data subject expressly stipulated in clause 15.

12.4 In the event that the Company collects, uses and discloses sensitive personal data of employees, workers, customers, agents or entrusted persons of partners, customers, etc., the company may request the partner, customers who are the employer, author, authority, service provider etc. which is the data controller of such persons to send or present documents about the consent that the data subject has provided to the company and for the company to collect for the purpose of performing a contract or performing any related action between the company and its clients . In the event that the company cannot inform such person details under this policy and obtain consent from such person directly, the partner, customer, etc., who is the data controller of such person is agreed to bring this policy to inform such persons and obtain consent on behalf of the company. The company may request to submit or review documents showing the acknowledgment and consent of such person.

13. Contact channel with the data controller

You can submit questions, suggestions, complaints, exercise rights of the data subject by contacting at

Personal Data Protection Representative (PDPR)     Scope
Human Resources Manager

Tel. 02 022 6070

Email: ROROTH.ML.THA.PDPA@nykgroup.com

All activities related to collection, uses, disclose of the personal data in Thailand