Personal Data Protection Policy of Asia-Pacific International University
According to the Personal Data Protection Act, B.E. 2562 (2019), certain regulations have been established to govern the collection, utilization, and disclosure of personal data. It is mandatory to obtain the owner’s consent, and the intended purpose of the personal data must be explicitly communicated to the owner. Asia-Pacific International University recognizes the significance of safeguarding the privacy rights associated with personal data. Consequently, a comprehensive personal data protection policy has been formulated to ensure the protection of personal data collected, used, or disclosed by Asia-Pacific International University. This policy aims to enable data owners to become familiar with and comprehend the personal data protection policy, along with the various rights granted to them under the provisions of the Personal Data Protection Act, B.E. 2562.
Therefore, by virtue of Section 43 (1) of the Private Higher Education Institution Act, B.E. 2546, the announcement is hereby issued as follows:
This announcement is titled “Announcement of Asia-Pacific International University on Measures for Personal Data Protection of Asia-Pacific International University 2023.”
This announcement shall take effect from May 1, 2023 onwards.
Article 3. Definitions
“University” refers to Asia-Pacific International University.
“Personal Data” refers to information about an individual that can directly or indirectly identify them. In accordance with the law on personal data protection, personal data does not include information pertaining to a deceased person.
“Personal Data Subject” refers to individuals who are university employees, students, alumni, or individuals who utilize the university’s services or contact the university.
“Personal Data Protection Officer” refers to a university employee who is appointed by the university president.
“Personal Data Controller” refers to a university employee who is appointed by the university president.
Article 4. Collection, Use or Disclosure of Personal Data
The university shall collect personal data of its staff and students to the extent necessary and with the consent of the individuals concerned. Such collection shall be carried out with clear objectives, limited scope, and through lawful and fair means. The university will utilize the collected data solely for the purposes of providing educational services and facilitating educational activities, including any related electronic means. The university shall inform the data subjects and obtain their consent in accordance with the prescribed form and methods, except in the following circumstances:
(1) when necessary to fulfill contractual obligations between the university and the data subject, such as employment or educational management agreements for students.
(2) for the ordinary use of information within the specified purposes of the personal information system.
(3) when authorized by relevant university departments in accordance with their respective mandates.
(4) for the purposes of academic study, research, or statistical analysis, where personal information is anonymized or processed in a manner that does not disclose the identity of any individual.
(5) to prevent or mitigate threats to a person’s life, body, or health.
(6) when the university has legitimate interests that override the rights of the data subject and such interests are deemed significant.
(7) to comply with other applicable laws and regulations.
Article 5. Objectives of Storage, Use, or Disclosure of Personal Data
The university shall collect, use, and disclose personal information solely for the purpose of providing educational services and for the operation of the university. Such activities shall align with the objectives communicated to the personal data owner during the collection process. In the event of any announcements or amendments to the Personal Data Protection Act, the university reserves the right to revise and amend this policy to reflect such changes. The university shall promptly notify the data subject in such cases.
Article 6. Security of Information
Asia-Pacific International University realizes the importance of safeguarding personal information. In light of this, the university has implemented stringent measures to ensure the security of personal data. Access to personal data is restricted, allowing only authorized individuals with specific assignments or responsibilities, as informed to the data subject, to access such data. The university is committed to maintaining the confidentiality of personal data, preventing unauthorized or unlawful access, loss, alteration, or disclosure of personal data. Additionally, the university will take all requisite measures and necessary precautions to prevent the unauthorized use of personal information and protect the rights of data subjects.
Article 7. Storage Period
The university shall retain the personal data of the data subject for the duration necessary to fulfill the purpose for which it was collected, or as prescribed by relevant laws, or for a minimum period of 10 years following the termination of the relationship with the university. Nonetheless, the university reserves the right to continue retaining personal data beyond the aforementioned period if deemed necessary for the original purpose of collection or for other justifiable reasons, including but not limited to safeguarding legal rights, contractual obligations with the university, or the benefit of the personal data owner, etc.
Article 8. Rights of Personal Data Subjects
(1) Right of access: The data subject has the right to verify the existence of their personal data. They may obtain a copy of the data and request disclosure of the source of personal data collected by the university without their consent.
(2) Right to rectification: The data subject has the right to request the correction or amendment of their personal information to ensure its accuracy, completeness, and currency.
(3) Right to restriction of processing: The data subject has the right to request the suspension of the use or disclosure of their personal data.
(4) Right to erasure: The data subject has the right to request the erasure or destruction of personal data related to them. The university may deny such requests where required by law or by a court order, or where there are potential adverse effects on the rights and freedoms of others.
(5) Right to withdraw consent: The data subject has the right to withdraw their consent at any time during the period in which the university retains their personal data. However, the university may be subject to legal limitations that require the continued retention of the data.
(6) Right to object to the processing of personal data: The data subject has the right to object to the processing of their personal data, unless the university can demonstrate a legitimate reason to refuse the request.
(7) Right to data portability: The data subject has the right to receive or transmit their personal data from the university in a readable format or a commonly used format by automated
means or devices. This right applies where the personal data is processed or disclosed by automated means. However, the exercise of this right is subject to the conditions prescribed by law.
Article 9. Collection of Information from Closed Circuit Television (CCTV)
In order to ensure the safety and security of students, users of the university’s services, and university personnel, the university shall collect visual images, audio recordings, and related data when individuals enter areas within and around the university premises where closed circuit television (CCTV) systems are installed. The university shall collect, use, or disclose personal data in accordance with applicable law, for the following lawful purposes:
(1) Protection of life, body, personal safety, health, and/or personal property: Ensuring the safety and well-being of individuals, as well as safeguarding their personal belongings.
(2) Access control and building security: Managing and monitoring entry into the premises, ensuring the security of the building, students, personnel, employees, and visitors, as well as safeguarding our property and information located or stored within the premises
(3) Protection of premises, buildings, areas, and property: Mitigating damage, preventing disruptions, destruction, and other criminal activities that may pose a threat to our premises, buildings, areas, and property.
(4) Assistance in investigation, complaint handling, and whistleblowing: Supporting the investigation or processing of complaints, including instances of whistleblowing.
(5) Legal compliance and cooperation with authorities: Fulfilling legal obligations and cooperating with courts, regulatory government agencies, and competent authorities as required.
The university shall maintain the confidentiality of personal information obtained through CCTV and shall refrain from disclosing it unless necessary to fulfill the specified purposes outlined above. In certain circumstances, the university may disclose your personal information to law enforcement agencies, solely as required to comply with applicable laws.
Article 10. Data Protection Officer / Data Controller
The university operates in compliance with the Personal Data Protection Act, B.E. 2562 by appointing a Data Protection Officer (DPO) and a Data Controller responsible for overseeing the university’s operations. The collection, use, and disclosure of personal data are conducted in accordance with the Personal Data Protection Act, B.E. 2562, and other relevant laws pertaining to the safeguarding of personal data. Furthermore, the university has issued a directive mandating all relevant parties to undertake actions as prescribed, with the aim of facilitating the implementation of the personal data protection policy.
Article 12. Penalties for Violators of this Announcement and/or Infringement of Privacy Rights
(1) Any individual who deliberately or recklessly discloses, uses, or violates another person’s personal information for personal gain, regardless of whether it causes harm to the data owner or not, without authorization from the data controller or data subject, shall be deemed a serious offense. Such actions may result in termination of employment without any entitlement to compensation.
(2) Any person who violates or fails to comply with this announcement shall be held responsible for any resulting damages and shall be required to fully compensate for such damages as mandated by law.
Article 13. Contact Channels
For any inquiries or questions regarding the personal data protection notice, please contact: Asia-Pacific International University