Privacy Policy

1. Introduction

Asian Palm Oil Public Company Limited (hereinafter referred to as the “Company”) recognizes the importance of personal data and other information related to individuals (collectively referred to as “Data”) to ensure your confidence that we are transparent and responsible in collecting, using, or disclosing your personal data in accordance with the Personal Data Protection Act 2019 (“PDPA”) and other relevant laws. This Privacy Policy (“Policy”) has been prepared to inform you of the details concerning the collection, use, and disclosure (“Processing”) of personal data by the Company, including its officers and relevant personnel acting on behalf of or in the name of the Company. The content of this Policy applies to the Processing of personal data by the Company, its officers, employees under contract, business units, or other entities operated by the Company.

2. Scope of Policy

This Policy applies to the personal data of individuals who have a relationship with Asian Palm Oil Limited (hereinafter referred to as the “Company”), both in the present and in the future, which is processed by the Company, its officers, employees under contract, business units, or other entities operated by the Company. It also includes data processors acting on behalf of or in the name of the Company (“Data Processors”) under various products and services, such as websites, platforms, applications, documents, or services controlled and managed by the Company (collectively referred to as the “Services”).

Individuals who have a relationship with the Company include:

1. Customers

2. Officers or employees

3. Individuals who are natural persons and serve as suppliers and service providers

4. Directors, authorized representatives, agents, shareholders, employees, or other related individuals of legal entities related to the Company

5. Users of the Company’s products or services

6. Visitors or users of the website https://asianpalmoil.com, including systems, platforms, applications, devices, or other communication channels controlled and managed by the Company.

7. Other individuals from whom the Company collects personal data, such as job applicants, family members of employees, guarantors, beneficiaries, etc. Collectively, the above-mentioned points 1 to 7 are referred to as “you.”

Apart from this Policy, the Company may also provide a Privacy Notice (“Notice”) for specific products or services to inform data subjects who are users of the service about the personal data that is being processed, the purposes and legal basis for processing, the retention period of the personal data, and the data subject’s rights concerning the personal data in the contractual documents, products, or services.

In case of any material conflicts between the content of the Privacy Notice and this Policy, the content of the Privacy Notice for that particular service shall prevail.

3. Definitions:

• The Company refers to Asian Palm Oil Public Company Limited (hereinafter “the Company”).
• Personal Data refers to information related to an identified or identifiable natural person, whether directly or indirectly, but excluding data of deceased individuals.
• Sensitive Personal Data refers to personal data as defined in Section 26 of the Personal Data Protection Act 2019, including data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, or sect, sexual behavior, criminal records, health data, disabilities, trade union membership, genetic data, biometric data, or any other data which may affect the data subject in a similar manner as prescribed by the Personal Data Protection Committee.
• Data Subject refers to any natural person who is the owner of personal data that is collected, used, or disclosed by the Company.
• Data Controller refers to a person or legal entity with the authority and responsibility to make decisions regarding the collection, use, or disclosure of personal data.
• Personal Data Processor means a natural or legal person who processes personal data concerning the collection, use, or disclosure of personal data on behalf of the data controller. However, the person or entity conducting such processing is not the data controller.
• Individuals interested in working with the company” means any person who is interested in working as an employee under a labor contract with the company.
• Users refer to any individuals who use the services provided by the Company.
• Business Partners refer to any individuals who have a legal relationship, including but not limited to purchase or service agreements, with the Company.
• Platform refers to websites, applications, or any other systems of similar nature used by the Company in its business operations, including but not limited to social media platforms such as LINE, Facebook, or other social networking communication channels.
• Services refer to all services provided by the Company, whether registered with an account or not, and whether paid or not, including:
  – Contact Information, including name, address, postal code, email address, and phone number.
  – User Account Information, including login information, email address, and other information provided by the data subject through their user account.
  – Customer and/or Business Partner Information, including identification number, household registration, address, business location, and email address.
  – Information provided by the data subject to the Company, such as store information, employee data in stores, information filled in forms, or information given during interactions or surveys conducted by the Company.
  – The data mentioned below, which is related to the Company’s services, includes contract numbers, contract start dates, contract end dates, products sold, membership numbers and/or codes, as well as any other information specified in the contract.
  – Other data provided by data subjects to participate in promotions, exhibitions, and/or any activities related to the Company’s business.
• Processing refers to any operation or set of operations performed on personal data, whether automated or not, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or making available in any other way, alignment, combination, blocking, erasure, or destruction.
• Documents related to contracts refer to purchase agreements, service agreements, lease agreements, rental agreements, interval rental agreements, loan agreements, sales and purchase agreements for agricultural products, or any other agreements and/or documents related to the Company’s business operations and services that any individual related may enter into with the Company.
• Products refer to certificates, documents, or any other documents issued by the Company, including documents related to contracts.

4. The sources of personal data that the Company may collect use, disclose, and process

The company may collect, use, disclose, or process personal data, including but not limited to various types of information, as illustrated in the following examples

• Personal information
  Name, Last Name, Date of Birth (Day/Month/Year), Age, Gender, Photograph, Data on the official government-issued identification card, Signature, Nationality, Marital Status, Marriage Registration, Personal information of family members.
• Sensitive personal data
  Sensitive personal data” includes information about race, ethnicity, political opinions, beliefs in ideologies or religion, sexual behavior, criminal history, health data, disabilities, labor union membership, genetic data, and biometric data (including facial images, fingerprint data, iris scans, voiceprints), or any other data that could impact an individual in a similar manner.
• Contact data
  Contact information” includes household registration, residential address, telephone numbers, email address, social media network contact information, as well as emergency contact details.
• Financial information
  Bank account number and tax-related information.
• Service usage data
  Registration data for using the company’s services includes the account name, user account information, username, password, and, if applicable, a secret PIN. Information displayed on user profile pages and various service registration pages, as well as data that users have modified or updated in their personal account. Data acquired from other user accounts that the company reasonably believes are under the control and supervision of the data subject. Service usage data, including user activity, questions, answers, interests, and feedback expressed through the company’s system.
• Technical data
  Data from website and system usage includes computer traffic logs, communication and contact data between you and other users, recorded usage data such as device identifiers, computer IP addresses, device ID, device type, mobile network data, connection data, geographic location data, browser type, login log, data from the accessed application or website before and after (referring website), system usage history, login log, transaction log, customer behavior, login statistics, access time, search data, usage of various system functions, and data collected through cookies or similar technologies by the company.
• Work-related information.

5. The methods for collecting and receiving personal data

1. The company collects and receives personal data from individuals through various channels as follows:
   (1) Personal data directly provided by you to the company:
   You may provide personal data directly to the company through various means. This can happen when you contact the company, engage in transactions, or have a relationship with the company through any available channels.
   (2) Personal data automatically collected by the company:
   The company may automatically collect certain technical information related to your devices, activities, and browsing patterns when you access the website. This can be done through the use of cookies and similar technologies.
   (3) Personal data received by the company from third parties:
   The company may receive personal data from third parties, such as individuals directly associated with the company’s services or publicly available sources. This may also include business partners and other individuals related to the data subject.
2. In collecting your personal data, you will receive notifications about the details specified in this personal data protection policy. This includes, but is not limited to, the legal basis for data collection, usage, disclosure, or processing of personal data for lawful purposes. In cases where data protection laws require explicit consent from you, the company will seek your clear and explicit consent to process your personal data.

6. The purposes and legal bases for collecting, using, disclosing, or processing personal data are as follows

The company will process your personal data for the following purposes and in compliance with the legal basis

1. Contractual necessity: Processing is necessary for the performance of a contract to which you are a party with the company or for taking steps at your request prior to entering into a contract.
2. Compliance with legal obligations: Processing is necessary to comply with the legal obligations of the company.
3. It is necessary for the legal benefit of the Company or any individual or legal entity other than the Company (“Legal Necessity”).
4. Vital interests: Processing is necessary to protect the vital interests of you or another individual, especially when it comes to life, body, or health.
5. Research or statistical purposes: Processing is necessary to achieve objectives related to research or statistical purposes, with appropriate safeguards to protect your rights and freedoms.
6. Consent: Processing may also occur based on your consent provided to the company, in cases where no other legal bases or exceptions under the data protection laws are applicable (including cases 1 to 5).
7. Specific consent: If the company requires specific consent from you for processing certain types of personal data, the company will process such data solely for the purposes for which consent has been given, and the company will handle sensitive personal data only if permitted by law or with your explicit consent.

(1) To fulfill legal obligations or comply with regulations that are applicable to the company.

• • Legal Obligation

To ensure compliance with the law, including fulfilling legal obligations and enforcing regulations applicable to the company, which may include, but not limited to:

• Laws related to computer-related offenses.
• Cybersecurity and data protection laws.
• Personal data protection laws.
• Tax laws.
• Labor laws.
• Factory laws.
• Energy business operation laws.
• Food and drug laws.
• Narcotics and drug laws.

(2) In order to provide services and ensure that the company can efficiently deliver such services to the data subjects and other individuals.

• Contractual basis
• Compliance with the law basis
• Legitimate interests basis

Users

• To benefit from verifying and confirming the identity of service users and their usage of the company’s services, and/or engaging in various transactions, contracts, and legal agreements through the company’s platform.
• To use the data for analyzing suitability, rationality, and feasibility in providing services, facilitating convenience in accessing and managing financial documents, financial transactions, assets, collateral, and enforcing agreements as per the financial documents of the service users.
• To provide system services, websites, platforms (including applications) related to service provision. Additionally, to learn online and offline behaviors relevant and interesting to users, including defining marketing strategies for their benefit. To offer, receive, arrange, or facilitate conveniences in services as deemed appropriate by the company.
• To record images and sounds, including recordings of conversations related to the provision of services by the company.
• To utilize device data, location information, usage history, and other personal data to prevent, detect, and combat fraudulent or unsafe activities.
• Basis of Consent.

Users

• For the purpose of verifying and confirming the identity of service users, enabling access to the company’s services, and facilitating transactions, legal agreements, and contracts through the company’s platform (for sensitive personal data such as biometric data, including facial images, fingerprint data, iris data, and voiceprints).
• To use the data for analysis of suitability, rationality, and feasibility in service usage, financial document processing, and enforcement of financial agreement terms (for sensitive personal data such as criminal history, history of labor contract violations, employer regulations, or violations related to work).

(3) Communication purposes, deep data analysis, service development by the company, to provide assistance regarding service requests, queries, or suggestions from you, and to ensure efficient delivery of the mentioned services to you and other individuals.

• Compliance with the law basis
• Legitimate interests basis

Users

• Contacting you through various platforms (including applications), phone calls, text messages (SMS), emails, or postal services, for inquiries, notifications, or to verify and confirm your account information, or to conduct surveys and gather feedback related to the company’s services.
• Managing your relationship with the company and delivering various services to you.
• To enhance efficiency and convenience in providing different services to you.
• Customer communication and service provisions, such as providing user support, considering and processing requests or complaints, offering technical assistance and troubleshooting, evaluating, developing, managing, and upgrading products, systems, and business operations, including necessary internal management for the company’s services, such as resolving software bugs and operational issues, data analysis, testing, research, tracking, and analyzing usage trends and activities for the benefit of the company, its subsidiaries, and business partners.
• Recording photographs, images, and audio, including recording conversations related to the provision of services by the company.

(4) Objectives in Marketing and Public Relations

• Legitimate Interest
• Consents

Users, Partners

• To send various news and information related to the organization and the company’s services, including marketing messages, to you.
• For other relevant benefits related to the company’s business, such as developing and marketing services, advertising to target business objectives, delivering content, promotional materials, public relations activities, events, promotions, as well as providing appropriate advice to ensure that different services meet your interests.
• For data analysis purposes, to provide efficient service to the data subjects, including evaluating interests or behaviors of service users towards products and services, data analytics, data cleansing, and profiling of customer interests or behaviors for marketing research, surveys, performance evaluations, statistics, and segmentation, formats, and trends related to service usage and consumption, to understand and design service formats that meet customer satisfaction, as well as to offer products, goods, services, special offers, strategies, or marketing programs that may be relevant to customer satisfaction and history.

(5) For the purpose of human resource management, to enable the company to make the best decisions in personnel recruitment and human resource management.

• Contract Legal Obligation
• Legitimate Interest

employee, Individuals interested in working with the company.

• For the purpose of considering qualifications, selecting candidates for employment, workers, interns, and/or scholarship recipients (as applicable), and for other human resource management purposes that may be beneficial to you, including advertising, public relations, recording photographs, capturing images and sound, recording conversations, sending job application information, internship applications, scholarship applications, and improving and developing the company’s candidate selection system, considering the company’s workforce rate.
• For the purpose of managing performance evaluations, salary payments, compensation, or other benefits according to the employment contract with you.
• For entering into and fulfilling the employment contract with the data subject, including compliance with the law, such as accounting and tax data collection and recording, tax withholding, labor protection, management of occupational health and safety, and the work environment, managing social security funds, and retirement funds for the data subject.
• For managing training, procurement of equipment, facilities, and benefits for the data subject, such as health insurance, medical expenses, and loans from employers.
• For maintaining and storing records of sickness and accidents for managing various welfare and checking compliance with the company’s personnel management regulations.

(6) Security measures and benefits in compliance with the law.

• Legitimate Interest

Data Subject

• For the purpose of verifying your service usage data to develop security standards in service usage, management, and protection of information technology infrastructure, such as data storage and data encryption.
• To use for risk management, detection, prevention, or elimination of fraud or any activities that may violate laws, related regulations, or terms and conditions of the company.
• To detect and prevent unauthorized behaviors, including the use of closed-circuit cameras, photography, recording images and/or sounds for monitoring and surveillance, reporting criminal offenses, and protecting the security and confidence of the company’s business or carrying out duties in the exercise of state authority.
• For organizational risk management, auditing, internal management, including sharing with affiliated companies (if any) for the mentioned purposes.
• To establish the right to claim under contracts or laws, including legal actions, such as exercising rights against employees, officers, or related agencies with authority, courts, or administrative courts.

(7) Purpose of restructuring, modifying, or changing the company’s business.

• Legitimate Interest

Data Subject

• Your personal data may be transferred to third parties for the purpose of auditing and analyzing the restructuring, modification, or change of the company’s business.

(8) Other purposes that the company notifies the data subject of at the time of data collection.

• as the case may be

Data Subject

• The company will inform you of any other purposes for which your personal data is required beyond those specified above. This includes instances when the company intends to change the original purposes stated or when it is necessary to seek your consent for specific processing of your personal data. The company will communicate such information through the contact details you have provided to us.

Remark :

1. Normally, the company processes personal data based on the legal bases for the purposes stated in the table above. However, the company may process personal data based on other legal bases not listed in the table, depending on the specific circumstances.
2. The reference to the data subject in the table above is for the convenience of considering the company’s processing of personal data under each specific purpose, and it directly relates to the types of data subjects involved.

7. Personal data of minors, persons with disabilities, and persons of limited legal capacity

In cases where the company becomes aware that the personal data necessary for collection belongs to minors, persons with disabilities, or persons of limited legal capacity, the company will not proceed with the data collection until obtaining consent from the legal guardian, guardian, or caregiver, as applicable, in accordance with the law.

If the company was initially unaware that the data subject is a minor, person with disabilities, or person of limited legal capacity, and subsequently discovers that it has collected such data without obtaining consent from the legal guardian, guardian, or caregiver, as applicable, the company will promptly delete or destroy such personal data, unless there is another legal basis beyond consent for data collection, use, or disclosure of such data.

8. Individuals or entities to whom personal data may be disclosed

1. The company may disclose or transfer your personal data to third parties within Thailand (transfers to other countries) who collect, use, or disclose personal data to individuals or organizations (“individuals or entities to whom personal data may be disclosed”) for the purposes specified in this Privacy Policy.
1.1 companies within the group and shareholders of companies within the group (if any)
Companies within the group, including parent companies, subsidiaries, affiliates, or companies related to the company (collectively referred to as “group companies”), including shareholders of companies within the group.
1.2 Individuals directly related to the company
The company may need to disclose the personal data of service users to individuals directly related to the company’s service provision. This includes identity verification and confirmation service providers, human resource management providers for service users’ employers, service providers authorized to make debt payments or deductions on behalf of service users, or service providers to the company and/or service users.
1.3 Service providers to the company and/or service users
The company may need to disclose the personal data of service users to service providers to the company and/or service users, such as the service providers listed below. These service providers will only use the personal data of service users as authorized by the company.

1. Service providers of various professions, such as financial consultants, legal advisors, and accountants.
2. Infrastructure and information technology service providers.
3. Data storage service providers, including cloud service providers.
4. Service providers related to payment systems and networks, payment agents.
5. Data analysis, research, and statistics service providers.
6. Marketing service providers, including event organizers and activities.
7. Advertising, public relations, and communication service providers, including customer service centers (e.g., call centers or similar service providers).
8. Financial institutions and other external entities used by the company for service provision.
9. Data processing service providers.
10. Identity verification service providers, including Dip Chip card verification service providers.
11. Data verification service providers, such as internet providers and the Department of Provincial Administration (DOPA).
12. Document or parcel delivery service providers.

1.4 Business Partners
Business partners of the company, including business groups in payment systems, electronic cards, debit cards, credit cards, cash cards, telecommunications, e-commerce, reward programs, and loyalty programs. Also, financial institution business groups (collectively referred to as “Business Partners”).

1.5 Persons as Mandated by Law
Other individuals as mandated by law, including government agencies, in cases where laws, regulations, rules, orders, or instructions of government agencies, regulatory bodies, or authorized entities, including court orders or judgments, or organizations with legal authority (whether within Thailand or abroad), require the company to disclose personal information. This includes entities such as the Bank of Thailand, the National Credit Bureau of Thailand Limited, the Office of the Consumer Protection Board, the Office of the Economic Committee of the Ministry of Finance, the Anti-Money Laundering Office, the Revenue Department, the Office of the Comptroller General, the Department of Special Investigation, the Ministry of Justice, the National Police Office, the Courts, and Administrative Courts, among others.

1.6 Transferees and/or Assignees
Transferees and/or assignees (including possible transferees) refer to external parties in the event of organizational restructuring, business consolidation, partial or total business transfers, sales, purchases, joint ventures, transfers, divestments, transactions similar in nature, whether in part or in whole. The transferees and/or assignees of the company shall comply with the provisions of this privacy policy or any other standards that provide a level of personal data protection not less than that of this privacy policy, in order to respect the personal data of the data subject.

Note : When referring to any legal entity under paragraph 8 (Persons or organizations to whom personal data may be disclosed), it includes directors, representatives, employees, staff, or any individuals acting on behalf of that legal entity.

9. Personal Data Protection Act

1. Laws governing personal data protection, you have the following rights
1.1 The right to withdraw consent: You have the right to withdraw your consent for the collection, use, disclosure, or processing of your personal data at any time. Once you have withdrawn your consent, it will not affect the lawfulness of any data processing that occurred based on your consent before the withdrawal.
1.2 Accessing data: You have the right to request access to and obtain a copy of personal data about you that the Company possesses or is responsible for. You can also request disclosure of the acquisition of personal data to which you have not given consent.
1.3 Requesting Personal Data: You have the right to obtain personal information about yourself from the Company. If the company has made personal data available in a format that can be read or used by automated tools and devices, and if such automated means can be used to disclose personal data, you also have the following rights :
(1) Request that the Company transfers or sends personal data in the aforementioned format to another person when it can be done automatically.
(2) Request to receive personal data that the Company transfers or sends directly to another person in the aforementioned format, unless it is technically impossible to do so.
1.4 Deprecation: You have the right to object to the collection, use, disclosure, or processing of personal data about yourself at any time.
1.5 Deletion or Destruction: You have the right to request the Company to carry out the deletion, destruction, or anonymization of personal data, so that the data can no longer identify you as the data subject, as required by the applicable law.
1.6 Suspension: You have the right to request the data controller to suspend the use of personal data in accordance with the provisions of the applicable law.
1.7 Correction: You have the right to request that the Company keeps your personal information accurate, current, complete, and not misleading. In case you make such a request, and the company fails to comply, the company is required to record your request along with the reasons, as mandated by law.
1.8 Complaint: You have the right to file a complaint with the relevant authorities as stipulated by the laws governing personal data protection, in the event Company , including its employees or contractors, violates or fails to comply with the laws concerning the protection of personal data.
2. The data subject acknowledges that the rights mentioned from section 1.1 to 1.8 above are subject to limitations as per the laws governing personal data protection and other relevant regulations. The Company may refuse to exercise these rights if there are lawful grounds for such refusal.

10. Data Security Measures.

The company is aware of the importance of maintaining the security of personal data provided by you. The company will exercise caution to prevent unauthorized access, destruction, usage, alteration, modification, disclosure, or any other unlawful action concerning personal data, throughout the duration of your engagement with Company or while having a relationship with the company. This will be in accordance with the policies and practices implemented by the Company for ensuring information technology security.

11. Other agreements

If you terminate any relationship with Company, whether it be as a customer canceling accounts for various services, a business partner terminating business relations, an employee ending their employment status as per the law, or an individual interested in working with Company terminating their interest, all data (including personal data) related to the aforementioned relationship will be processed in accordance with the laws governing personal data protection or other applicable laws, as well as this Privacy Policy and any other policies of Company.

However, the termination of any such relationship shall not be considered as a withdrawal of consent to this Privacy Policy or the revocation of any authorization or consent given to Company for the collection, use, disclosure, and processing of such data (where consent forms the basis), unless otherwise explicitly specified in writing.

Company shall not be liable for any damages incurred by the data subject related to this Privacy Policy or any other relationship between Company and the data subject, unless such damages result from willful or grossly negligent actions of Company

12. Contact Information for Company and Data Protection Officers of Company

In order to efficiently implement this Privacy Policy, the Company has appointed Data Protection Officers who will provide assistance regarding the management of your personal data. If you have any questions, suggestions, or wish to exercise your rights regarding personal data, you can contact Company using the following details:

Asian Palm Oil Public Company Limited
Address : No. 99 Moo 2, Ao Luek Tai Sub District, Ao Luek District, Krabi Province 81110
Email: [email protected]
Website: https://asianpalmoil.com
Phone number: 075-681354, 075-681355

Personal Data Protection Officer (DPO)
Email: [email protected]
Phone number: 075-681354 ext. 1400, 075-681355 ext. 1400

13. Changes to the Privacy Policy

The company may periodically update this Privacy Policy to align with legal requirements, service delivery, business operations, and feedback from you. Any changes to the Privacy Policy will be communicated to you in advance, and the company may provide direct notifications regarding such changes.

This Privacy Policy constitutes a binding agreement or contract between you and the company, as permitted by law.

Please be aware that you have the right to withhold your personal data from the company. However, if you choose not to provide your personal data, it may have various implications on your ability to conduct transactions or engage in relationships with the company.

Service for users :
The company may provide services to you on a limited basis and may not be able to provide services to you efficiently or effectively.

For employees and individuals interested in working with the company : 
It may result in the company not having sufficient information to consider your employment application or contact you effectively. It may also cause disruptions in human resources management and lead to potential legal liabilities (depending on the circumstances).

For partners :
It may prevent the company from establishing a business relationship with you.

You acknowledge, accept, and have read and fully understood the Privacy Policy in detail.

This policy was approved at the 1/2566 Company Board meeting on May 15, 2566.