Personal Data Protection Act Policy
NR Instant Produce Public Company Limited acknowledges the importance of protecting personal data, including that of customers, employees, suppliers/service providers, business partners, and sensitive personal data such as information relating to race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, genetic data, and biometric data. This Privacy Policy has been established to outline the classification, use, and disclosure of personal data in accordance with legal requirements. This Policy has been approved by the Company’s Board of Directors.
1. Objective
This Personal Data Protection Act Policy is established to ensure compliance with the Personal Data Protection Act B.E. 2562 (PDPA), and to cover the impact arising from the said Act. The objective is to prevent the misuse or unauthorized use of personal data of data subjects related to the Company, including customers, employees, suppliers/service providers, and business partners, without their consent.
2. Categories of Protected Data
- 2.1 Personal Data: Personal Data refers to any information that can identify an individual, either directly or indirectly, including but not limited to the personal data of customers, employees, suppliers/service providers, and business partners, as follows:
- 2.1.1 Name - Surname
- 2.1.2 Age
- 2.1.3 National identification number
- 2.1.4 Telephone number
- 2.1.5 Address
- 2.1.6 Email address
- 2.1.7 Photograph
- 2.1.8 Employment history
- 2.2 Sensitive Personal Data: Sensitive Personal Data includes the following:
- 2.2.1 Race
- 2.2.2 Ethnicity
- 2.2.3 Political opinions, e.g., information shared on social media related to politics
- 2.2.4 Religious or philosophical beliefs, e.g., monkhood leave records
- 2.2.5 Sexual behavior
- 2.2.6 Criminal records
- 2.2.7 Health data or disability information
- 2.2.8 Trade union membership
- 2.2.9 Genetic data
- 2.2.10 Biometric data
- 2.2.11 Health data, e.g., health-related data appearing on health certificates
- 2.2.12 Other data that may significantly affect the data subject as prescribed by the Personal Data Protection Committee
3. Data Subject Rights
Data subjects shall be entitled to the following rights under the PDPA:
- 3.1 Right to be informed
- 3.2 Right to rectification
- 3.3 Right to data portability
- 3.4 Right of access
- 3.5 Right to object
- 3.6 Right to erasure ("Right to be forgotten")
- 3.7 Right to restriction of processing
- 3.8 Right to withdraw consent
4. Key Compliance Requirements Under the PDPA
- 4.1 Personal Data Protection Essentials
- 4.1.1 Collection, use, disclosure, and/or transfer of personal data must be based on valid consent, unless permitted by law.
- 4.1.2 Consent (if required) must be freely given, specific, and informed. The data subject must be able to withdraw consent at any time.
- 4.1.3 Data subjects must be informed of necessary details at the time of collection, such as the purpose of collection and potential disclosures or transfers.
- 4.2 Use and Disclosure
- 4.2.1 The use and disclosure of personal data must be in accordance with the purposes for which the data subject has given consent.
- 4.2.2 International data transfers must comply with the PDPA’s cross-border data transfer requirements.
- 4.3 Other Requirements
- 4.3.1 Ensure the exercise of data subject rights under the PDPA.
- 4.3.2 Implement appropriate data security measures.
- 4.3.3 Appoint a Data Protection Officer (DPO) if large-scale or sensitive data processing is conducted.
- 4.3.4 Conduct internal audits by appointed Expert Committees.
- 4.3.5 Maintain a Record of Processing Activities (RoPA).
- 4.3.6 Report personal data breaches to the Office of the Personal Data Protection Committee within 72 hours of awareness, and notify affected data subjects if the breach poses a high risk.
- 4.3.7 Ensure that data processors/sub-contractors comply with the PDPA.
5. PDPA Compliance
- 5.1 Identify and assess the legal basis for each data processing activity.
- 5.2 The data subject must always be informed of their rights, the details of the data processing, and the purposes of personal data collection. Consent must always be obtained from the data subject. Personal Data must be collected only to the extent necessary and erased when it is no longer needed or when the retention period has expired, as previously notified. It must also be ensured that the consent mechanism and the privacy policy comply with the criteria set forth under the PDPA.
- 5.2.1 When requesting consent, the data subject must be able to:
- 5.2.1.1 Provide consent either in paper form or through an online system
- 5.2.1.2 Read and understand the consent form easily
- 5.2.1.3 Not be misled or deceived in any way
- 5.2.1.4 Provide consent separately from other terms and conditions, and consent must not be tied to unrelated conditions
- 5.2.2 When withdrawing consent, the data subject must be able to:
- 5.2.2.1 Withdraw consent at any time
- 5.2.2.2 Withdraw consent through a process that is as easy as giving consent
- 5.2.2.3 Be informed of the potential consequences resulting from the withdrawal of consent
- 5.3 The use and disclosure of personal data must always be based on the data subject’s consent and must be carried out strictly in accordance with the purposes that have been notified.
- 5.4 There must be accessible channels through which data subjects can access and correct their personal data, such as via a CRM web portal or call center.
- 5.5 Any transfer of personal data to a foreign destination must ensure that the receiving party provides an adequate level of personal data protection, such as in cases where data is stored on cloud platforms or servers located overseas.
- 5.6 Appropriate and standardized data protection systems must be implemented. In the event of a data breach, the data subject must be notified within 72 hours from the time the incident is discovered.
- 5.7 Contracts entered into between the Company and external parties must include stringent and appropriate personal data protection clauses.
- 5.8 Providing appropriate data management policies and conducting relevant training programs.
- 5.9 Regular reviews, risk assessments, and updates of relevant data and processes must be conducted to avoid unintentional errors or breaches.
- 5.10 Systems, equipment, and software used for the collection and use of personal data must be enhanced to ensure higher levels of security. There must also be a clearly defined process for deleting unnecessary data within an appropriate timeframe.
- 5.11 Cookies must be stored on users’ browsers. Cookies function as small files that store user data. If the website uses tracking or analytics tools such as Google Analytics, Facebook Pixel, or others, cookies will be used according to the specific purposes of each tool.
- 5.12 A cookie consent mechanism must be implemented to obtain the user’s consent for the use of cookies. The purposes for collecting and using cookies must be clearly explained. Users must be allowed to give and withdraw their consent at any time through a process that is as easy as when consent was initially given. Users must also be informed of any potential consequences related to such consent.
- 5.13 Integrating the efforts of its legal and information technology departments to ensure efficient, timely, and comprehensive data protection management.
6. Roles and Responsibilities
- 6.1 Central Functions
- 6.1.1 Data Controller: Determines the purposes and means of data processing.
- 6.1.2 Data Processor: Processes data on behalf of the Data Controller and must be a separate entity.
- 6.1.3 Data Protection Officer (DPO): Provides advice, monitors compliance, and coordinates with the Personal Data Protection Committee. A DPO may be appointed across multiple departments depending on scale and sensitivity.
- 6.2 Departmental Functions
- 6.2.1 Legal Department: Drafts agreements and policies to ensure legal compliance.
- 6.2.2 Information Technology Department:
- 6.2.2.1 Implements minimum required security measures
- 6.2.2.2 Prevents unauthorized disclosure and ensures timely data deletion
- 6.2.2.3 Ensures cookie consent mechanisms meet PDPA requirements
- 6.2.3 Marketing Department: Conducts risk assessments on personal data it collects and determines data criticality.
- 6.2.4 Sales Department: Collects customer and prospect data and must obtain necessary consents.
- 6.2.5 Human Resources Department: Responsible for employee data, including applications, resumes, ID copies, and building access data.
Privacy Policy For CCTV
NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) has implemented closed-circuit television (CCTV) installations both within and around the Company premises for the security of the Company premises and property, as well as for the protection of life, body, and health of any person within and around the Company premises (“you”). To ensure that the collection, use, and/or disclosure of your Personal Data through CCTV usage is in adherence with the Personal Data Protection Act B.E. 2562, the Company hereby establishes this Privacy Policy to inform you of your rights, duties, and the Company’s practice in the collection, use, and/or disclosure of Personal Data.
1. Definition
Vocabulary | Definition |
---|---|
Personal Data Protection Law | Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection |
Personal Data | any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular |
Sensitive Personal Data | Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee |
Data Subject | a person who has been identified by the Personal Data, whether directly or indirectly |
Data Processing/process | any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction |
Privacy Policy | This Privacy Policy For CCTV |
2. Type of Personal Data the Company Collected
The Company will collect and store Personal Data in a legitimate manner and only to the extent necessary for the Company’s business operation as follows:
Type | Example of Personal Data |
---|---|
Specific Personal Information and Information Relating to Personal Characteristics |
|
Nonetheless, the Company will not install CCTV in areas where it may unduly infringe your fundamental rights, such as toilets and rest areas.
3. Purpose & Lawful Basis for Data Processing
The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:
No | Lawful Basis | Description |
---|---|---|
1 | Legitimate Interest | necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject |
2 | Legal Obligation | necessity for compliance with the law, regulations, or order issued by the regulatory authorities overseeing the Company |
3 | Vital Interest | an operation to protect vital interest of Data Subject, such as prevention or suppression of danger to a Data Subject’s life, body, and health |
No | Purpose | Lawful Basis |
---|---|---|
1 | Ensuring security and safety of the Company’s buildings, facilities, and assets located within and around the premises | Legitimate Interest |
2 | Ensuring safety and preventing danger to your life, body, and health, including ensuring the security of your property within and around the premises | Legitimate Interest, Vital Interest |
3 | Assisting relevant authorities in enforcing the law, including suppression, prevention, investigation, and legal prosecution | Legal Obligation |
4 | Assisting in dispute resolution processes arising during disciplinary proceedings or grievance processes | Legal Obligation |
5 | Assisting in investigations, handling of complaints or processes related to initiating or defending legal actions, including but not limited to exercising claims in labor disputes. | Legal Obligation |
4. Disclosure of Personal Data
- 4.1 Generally, the Company will store and keep confidential any Personal Data from CCTV and will not disclose such Personal Data, unless there exists any necessity in order to achieve the Company’s purpose as prescribed in this Privacy Policy. In such case, the Company may disclose your Personal Data to internal and external party as follows:
Internal Departments and Affiliates: the Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.
Service Provider: the Company may engage external service providers (Outsource) to act on its behalf or support its business operations. This may include agents, contractors, and subcontractors of these service providers, such as security service providers to ensure the security of the Company, including CCTV vendors, for repairing and maintaining CCTV, only in the case authorized by the Company.
Government Authority: the Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agents as required by law. This includes, but is not limited to, the Royal Thai Police, the Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.
- 4.2 The Company will assign the recipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that the consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.
5. International Transfer of Personal Data
- 5.1 Generally, the Company does not intend to transfer Personal Data from CCTV to recipients located in a foreign country. Nonetheless, if there exists any necessity for the Company to transfer such Personal Data to recipients located in a foreign country, the Company will explicitly notify you and request your consent specifically.
- 5.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.
6. Personal Data Retention Period
- 6.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period not exceeding 90 days from the date of collecting Personal Data.
- 6.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
- 6.3 The Company has implemented an audit system to implement the erasure, destruction, or anonymization of such Personal Data upon expiration of the retention period or when processing of such data is no longer necessary.
7. Security Measures of Personal Data
- 7.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
- 7.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
- 7.3 The Company will conduct review of such security measures, including improving and developing such measures to reflect necessity or change in technology to ensure the effectiveness of Personal Data security.
8. Data Subject Rights and Exercise of Rights
- 8.1 Under Personal Data Protection Law, you, as a Data Subject, have the following rights:
Data Subject Rights | Description |
---|---|
Right to access and retrieve a copy of data |
|
Right to data portability |
|
Right to object to Data Processing |
|
Right to erasure/Right to be forgotten | You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances:
|
Right to restriction of Data Processing | You have the right to request the Company to restrict Data Processing in the following circumstances:
|
Right to rectification | You have the right to request the Company to rectify your Personal Data so that it is accurate, up to date, complete, and not misleading |
Right to lodge a complaint | You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law. |
- 8.2 You may exercise your aforementioned rights at any time by contacting the Company through the channels specified in clause 10 to request to exercise Data Subject rights.
- 8.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject or is unable to proceed with your application. In such case, the Company will notify you of the reasons for rejection together with the response to such application.
9. Amendment to Privacy Policy
The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.
10. Contact Us
Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:
Contact the Company and DPO:
Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110
E-mail: DPO@nrinstant.com
Telephone Number: 034849576-80
11. Applicable Law
You acknowledge and accept that this Privacy Policy is governed and construed in accordance with laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.
This Privacy Policy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and is effective from 16 May 2025 onwards.
Announcements on 16 May 2025.
Privacy Policy For Customer
NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) emphasizes the utmost importance of protecting the Personal Data of Customers and people representing or acting on behalf of Customers, including but not limited to executive, shareholder, authorized director, attorney-in-fact, substitute attorney-in-fact, employee, staff, and the representative of a juristic person (“you”). To ensure that the collection, use, and/or disclosure of your Personal Data is in adherence with the Personal Data Protection Act B.E. 2562, the Company hereby establishes this Privacy Policy to inform you of your rights, duties, and the Company’s practice in the collection, use, and/or disclosure of Personal Data.
1. Definition
Vocabulary | Definition |
---|---|
Personal Data Protection Law | Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection |
Personal Data | any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular |
Sensitive Personal Data | Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee |
Data Subject | a person who has been identified by the Personal Data, whether directly or indirectly |
Data Processing/process | any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction |
Privacy Policy | This Privacy Policy For Customer |
Customer(s) | natural person or juristic person that the Company targets for sale of Company’s products or services, irrespective of whether a purchase has been made or is expected to make a purchase, including any other similar person, such as event participants, service requesters, website users, and survey respondents |
2. Type of Personal Data the Company Collected
The Company will collect and store Personal Data in a legitimate manner and only to the extent necessary for the Company’s business operation as follows:
Type | Example of Personal Data |
---|---|
Specific Personal Information and Information Relating to Personal Characteristics | Title, First Name, Family Name, Age, Birth Date, Sex, Nationality, National Identification Number, Taxpayer Identification Number, Picture, Signature |
Contact Information | Address, E-mail, Mobile Number, Workplace, Line ID |
Information Relating to Educational Backgrounds and Work Experience | Department, Position |
Financial Information | Salary, Bank Account Number |
Information used as Evidence for Legal Transaction | Business Card, Copy of Personal Identification Card |
Technical Information | IP Address, MAC Address |
Others |
|
Generally, the Company does not intend to process Sensitive Personal Data, such as religious belief or blood type information appearing on your personal identification card. If you provide the Company with a copy of your personal identification card containing such data, the Company kindly requests you to redact such data before submitting it to the Company. Should you fail to redact the aforementioned data, it is deemed that you consent to the Company redacting such data on your behalf.
3. Source of Personal Data
The Company may collect your Personal Data from various sources as follows:
Type | Example of Source of Personal Data |
---|---|
Personal Data obtained directly from you |
|
Personal Data obtained automatically |
|
Personal Data obtained from other sources or third-person |
|
In the event that you agree and consent to giving Personal Data relating to a third person, you warrant and represent that such Personal Data is accurate and that you have fully informed the third person of this Privacy Policy.
4. Purpose & Lawful Basis for Data Processing
The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:
No | Lawful Basis | Description |
---|---|---|
1 | Performance of Contract | necessity for the Company to perform contractual obligations to which you are a party to the Contract with the Company, including any preliminary action undertaken at your request prior to entering into the contract |
2 | Legitimate Interest | necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject |
3 | Legal Obligation | necessity for compliance with the law, regulations, or order issued by the regulatory authorities overseeing the Company |
4 | Vital Interest | an operation to protect vital interest of Data Subject, such as prevention or suppression of danger to a Data Subject’s life, body, and health. |
5 | Consent | in the event that the Company must process your Personal Data or Sensitive Personal Data which cannot rely on the aforementioned lawful basis, the Company will explicitly notify you and request your consent specifically. |
No | Purpose | Lawful Basis |
---|---|---|
1 | Facilitating communication and undertaking any necessary operations, including completing internal procedures prior to entering into a contract with you, such as preparing quotations and customer registration |
|
2 | Performing contractual obligations, processing purchase orders, and disclosing information to third parties as required for such purposes, including coordinating with you, invoicing for goods and services, and providing after-sales services |
|
3 | Carrying out activities related to the Company’s business operations, performing contractual obligations between the Company and you, and engaging with external parties for purposes related to contractual agreements |
|
4 | Conducting marketing activities, facilitating communication about marketing initiatives that align with your needs, presenting marketing materials and product and service information, including managing activities related to customer service and promotional campaigns | Consent |
5 | Collecting and analyzing your behavior data and conducting satisfaction surveys as a basis for relationship management, improving services, and designing marketing activities that align more closely with your needs | Consent |
6 | Collecting communication in a database for ongoing correspondence and creating future business opportunities, including facilitating coordination and communication related to the Company | Legitimate Interest |
7 | Complying with applicable laws governing the Company’s operation, such as issuing withholding tax certificates, generating tax invoices, and disclosing financial data to auditors | Legal Obligation |
8 | Managing information technology systems, including performing data backups, recording access logs, and monitoring data traffic within the Company's information technology infrastructure |
|
9 | Ensuring safety and preventing danger to your life, body, health and your property within and around the Company’s premises, such as oversight through CCTV |
|
10 | Establishing, exercising, or defending of legal claims, including but not limited to litigation, enforcement proceedings, or other actions under legal proceedings | Legitimate Interest |
11 | Complying with applicable laws, regulations, and requirements, both domestic and international, as well as to achieve legitimate orders by authorized government agents or government officials, including performing actions required under legal proceedings | Legal Obligation |
12 | Managing risks, monitoring, investigating, and reporting on financial crimes, fraud, misconduct, and other criminal activities | Legitimate Interest |
5. Disclosure of Personal Data
- 5.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may disclose your Personal Data to internal and external party as follows:
Internal Departments and Affiliates: the Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.
Trade Partners: the Company may disclose your Personal Data to trade partners for purposes related to the Company’s operational management. This may include agents or authorized representatives of such organizations, such as banks, financial institutions, or insurance companies.
Service Provider: the Company may engage external service providers (Outsource) to act on its behalf or support its business operations and customer services. This may include agents, contractors, and subcontractors of these service providers, such as website and IT management providers, logistics service providers, and public relations service providers.
Professional Consultants: the Company may disclose your Personal Data to auditors, corporate governance inspectors, consultants, professional service providers, and other experts, both internal and external, to support the Company’s business operations.
Government Authority: the Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agents as required by law. This includes, but is not limited to, the Revenue Department, Customs Department, Excise Department, Royal Thai Police, Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.
Public Media: the Company may disclose Personal Data as necessary to achieve its objectives on public platforms, whether in an informational or non-informational format, where it is accessible to the general public. These platforms may include social media channels, the Company’s communication channels, or websites of relevant government authorities.
- 5.2 The Company will assign the recipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that the consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.
6. International Transfer of Personal Data
- 6.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may transfer Personal Data to recipients located in a foreign country. Nonetheless, if there exists any necessity for the Company to transfer Personal Data to recipients located in a foreign country, the Company will explicitly notify you and request your consent specifically.
- 6.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.
- 6.3 The Company may store your Personal Data on computers, servers, or cloud services provided by third parties, and may utilize third-party programs or applications in the form of software as a service and platform as a service for processing your Personal Data. In this regard, the Company will not permit unauthorized persons to access Personal Data and will require such third parties to implement appropriate security measures for safeguarding Personal Data.
7. Personal Data Retention Period
- 7.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period not exceeding 10 years from the date of termination of the customer’s relationship.
- 7.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
- 7.3 The Company has implemented an audit system to carry out the erasure, destruction, or anonymization of such Personal Data upon expiration of the retention period or when processing of such data is no longer necessary.
8. Data Processing Under Original Purpose
The Company reserves the right to process your Personal Data collected prior to the effective date of the Personal Data Protection Act B.E. 2562, for the original purpose for which it was collected. If you no longer wish the Company to process your Personal Data, you may withdraw your consent at any time, subject to the clause 10.2.
9. Security Measures of Personal Data
- 9.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
- 9.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
- 9.3 The Company will conduct reviews of such security measures, including improving and developing such measures to reflect necessity or changes in technology, to ensure the effectiveness of Personal Data security.
10. Data Subject Rights and Exercise of Rights
- 10.1 Under Personal Data Protection Law, you, as a Data Subject, have the following rights:
Data Subject Rights | Description |
---|---|
Right to withdraw consent |
|
Right to access and retrieve a copy of data |
|
Right to data portability |
|
Right to object to Data Processing | You have the right to object to Data Processing in the event that the Company processes Personal Data
|
Right to erasure/Right to be forgotten | You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances:
|
Right to restriction of Data Processing | You have the right to request the Company to restrict Data Processing in the following circumstances:
|
Right to rectification | You have the right to request the Company to rectify your Personal Data so that it is accurate, up to date, complete, and not misleading. |
Right to lodge a complaint | You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law. |
- 10.2 You may exercise your aforementioned rights at any time by contacting the Company through the channel specified in clause 10. to request to exercise Data Subject’s rights.
- 10.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject, or is unable to proceed with, your application. In such case, the Company will notify you of the reasons for rejection together with the response to such application.
11. Withdrawal of Consent & Consequence from Withdrawal
- 11.1 In the event that the Company processes Personal Data based on consent, you, as a Data Subject, have the right to withdraw the consent given to the Company at any time. Such withdrawal of consent will not affect any legitimate Data Processing based on your consent given prior to its withdrawal.
- 11.2 If you withdraw the consent previously given to the Company or refuse to provide information to the Company, whether in whole or in part, it may result in the Company's inability to achieve the Company’s purpose as prescribed in this Privacy Policy, whether in whole or in part.
12. Personal Data of a Minor, Incompetent Person, or Quasi-Incompetent Person
- 12.1 If you are a minor, an incompetent person, or a quasi-incompetent person, and wish to consent to the Company processing your Personal Data, you must obtain consent from your legal representative, guardian, or curator, as the case may be, prior to giving consent to the Company.
- 12.2 In the event that the Company is required to obtain consent from a legal representative, guardian, or curator, as the case may be, for processing Personal Data of a minor, an incompetent person, or a quasi-incompetent person, but the Company was unaware of such facts at the time of Data Processing and subsequently becomes aware that the Company has processed such Personal Data without obtaining the aforementioned consent, the Company will promptly erase, destroy, or anonymize the Personal Data of such minor, incompetent person, or quasi-incompetent person, unless the Company can process such Personal Data based on another lawful basis that does not require consent.
13. Amendment to Privacy Policy
The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.
14. Contact Us
Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:
Contact the Company and DPO:
Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110
E-mail: DPO@nrinstant.com
Telephone Number: 034849576-80
15. Applicable Law
You acknowledge and accept that this Privacy Policy is governed and construed in accordance with laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.
This Privacy Policy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and is effective from 16 May 2025 onwards.
Announced on 16 May 2025.
Privacy Policy For Employee, Intern, and Job Applicant
NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) emphasizes the utmost importance of protecting the Personal Data of employees, interns, and job applicants (“you”). To ensure that the collection, use, and/or disclosure of your Personal Data is in adherence with the Personal Data Protection Act B.E. 2562, the Company has hereby established this Privacy Policy to inform you of your rights, duties, and the Company’s practices in the collection, use, and/or disclosure of Personal Data.
1. Definition
Vocabulary | Definition |
---|---|
Personal Data Protection Law | Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection |
Personal Data | any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular |
Sensitive Personal Data | Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee |
Data Subject | any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction |
Privacy Policy | This Privacy Policy For Employee, Intern, and Job Applicant |
Job Applicant(s) | any person of Thai nationality or foreign nationality who applies for employment as a permanent employee, temporary employee or intern, working for the Company, as the case may be, whether such job application is submitted directly by the Job Applicant, through internal company recruitment, through referral by any other person, or through the operation of an employment service provider |
Employee(s) | Job Applicant who has been selected to enter into a contract to work for the Company as a permanent employee, temporary employee , employee during probationary period, or intern, and receive wage calculated on a monthly, daily, hourly, or price-rate basis, or calculated by other means, or as otherwise agreed between the Company and such Employee |
2. Type of Personal Data the Company Collected
The Company will collect and store Personal Data in a legitimate manner and only to the extent necessary for the Company’s business operation as follows:
Type | Example of Personal Data |
---|---|
Specific Personal Information and Information Relating to Personal Characteristics | First Name, Family Name, Sex, Nationality, Age, National Identification Number, Alien Identification Number, Taxpayer Identification Number, Signature, Photo, Marriage Status, First Name & Family Name of Father & Mother |
Contact Information | Address, Mobile Number, E-mail, Name of the company |
Information Relating to Educational Backgrounds and Work Experience | Education Background, Degree, Academic Qualifications, Training Background, Employee ID, Position, Department, Length of Service, Date and Time of Work Attendance, Employment Commencement Date, Performance Evaluation Score, Attendance Record, Reason for Resignation |
Financial Information | Wage Rate, Salary, Bank Account Number |
Information used as Evidence for Legal Transaction | Copy of Personal Identification Card, Copy of Bank Account, Vehicle Registration Number, Copy of Passport, Visa Documents, Work Permit, Alien Identification Card, Alien Work Permit Receipt, Copy of Disabled Person Identification Card |
Technical Information | IP Address, MAC Address |
Sensitive Personal Data | Height, Weight, Wound Details, Disease Details, Medical Information, Medical Certificate, Health Examination Result, Underlying Disease, Disability Information, Criminal Record, Sexual Orientation, Fingerprint |
Others |
|
Generally, the Company does not intend to process Sensitive Personal Data, such as religious belief or blood type information appearing on your personal identification card. If you provide the Company with a copy of your personal identification card containing such data, the Company kindly requests that you redact such data before submitting it to the Company. Should you fail to redact the aforementioned data, it is deemed that you consent to the Company redacting such data on your behalf.
3. Source of Personal Data
The Company may collect your Personal Data from various sources as follows:
Type | Example of Source of Personal Data |
---|---|
Personal Data obtained directly from you |
|
Personal Data obtained automatically |
|
Personal Data obtained from other sources or third-person |
|
In the event that you agree and consent to giving Personal Data relating to a third person, you warrant and represent that such Personal Data is accurate and that you have fully informed the third person of this Privacy Policy.
4. Purpose & Lawful Basis for Data Processing
The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:
No | Lawful Basis | Description |
---|---|---|
1 | Performance of Contract | necessity for the Company to perform contractual obligations to which you are a party to the Contract with the Company, including any preliminary action undertaken at your request prior to entering into the contract |
2 | Legitimate Interest | necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject |
3 | Legal Obligation | necessity for compliance with the law, regulations, or order issued by the regulatory authorities overseeing the Company |
4 | Vital Interest | an operation to protect vital interest of Data Subject, such as prevention or suppression of danger to a Data Subject’s life, body, and health. |
5 | Consent | in the event that the Company must process your Personal Data or Sensitive Personal Data which cannot rely on the aforementioned lawful basis, the Company will explicitly notify you and request your consent specifically. |
If you are a Job Applicant, the Company will process your Personal Data for the following purposes and on the following lawful bases:
No | Purpose | Lawful Basis |
---|---|---|
1 | Undertaking the necessary actions for evaluating and selecting Job Applicants, assessing their suitability for the positions required by the Company, and considering their employment as the Company's Employee, including recruitments, testing, interviews, assessments, and extending employment offers to candidates. | Performance of Contract |
2 | Conducting background and qualification checks prior to employment including verifying essential information necessary for the Company's decision-making process regarding employment and the execution of employment contracts | Performance of Contract |
3 | Facilitating the Company’s internal management processes related to recruitment activities, such as sharing your information or reports with decision-makers, completing internal procedures prior to entering into contracts, and carrying out other essential preparations for onboarding new employees. | Performance of Contract |
4 | Ensuring safety and preventing danger to your life, body, health and your property within and around the Company’s premises, such as oversight through CCTV |
|
If you are an Employee, the Company will process your Personal Data for the following purposes and on the following lawful bases:
No | Description | Lawful Basis |
---|---|---|
1 | Entering into employment contracts as requested by you or to perform contractual obligations where you are the party to the contract, such as preparing employment contracts and agreements, ensuring compliance with Company policies, organizing internal and external training, evaluating job performance, and considering remuneration and benefits |
|
2 | Registering Employees, preparing Employee identification cards, maintaining Employee records, and managing information technology systems, such as creating usernames, passwords, and e-mail accounts, as well as provisioning necessary equipment such as computers and other tools to ensure that you are adequately prepared to perform your duties |
|
3 | Processing the issuance or renewal of visas, work permits, and other work-related permits for you, including the issuance of alien identification cards (pink cards), retention of work permit information, and preparation of Certificates of Identity and other work-related documents as required by law | Legal Obligation |
4 | Collecting health-related data, including pre-employment medical examination results, for assessing suitability for the positions |
|
5 | Conducting criminal background checks for the evaluation of qualifications and suitability for specific positions | Consent |
6 | Collecting data regarding disabilities for the purposes of labor protection, performance evaluation of disabled Employees, and submission of performance evaluation reports | Legal Obligation |
7 | Collecting fingerprint scan data for recording access to restricted Company areas, identity verification, ensuring internal security, and preventing criminal activities | Consent |
8 | Managing social security administration, including registering and de-registering insured persons, managing provident funds, and administering your tax matters, such as preparing supporting documents for accounting purposes (e.g., petty cash vouchers, tax invoices, and other tax deduction documents) | Legal Obligation |
9 | Managing salaries, wages, compensation, bonuses, overtime pay, housing allowances, travel expenses, and your benefits, in addition to processing related compensation considerations, such as leave requests, overtime records, and attendance verification through timekeeping systems or fingerprint scan data |
|
10 | Providing you with appropriate welfare benefits, such as health insurance, expressway cards, fuel cards, annual health check-ups, health screenings for at-risk groups, medical care, a loan for residential purposes, and welfare provisions for employees who are aliens, such as assisting in opening bank accounts for foreign nationals |
|
11 | Appointing personnel for occupational safety roles, including Professional Safety Officers, Safety Officers at the Management Level, Safety Officers at the Supervisor Level, the Committee of Occupational Safety, Health and Environment of the Company, and other safety-related units | Legal Obligation |
12 | Organizing training programs, seminars, and meetings for the development of the Company’s personnel, in addition to off-site activities such as corporate social responsibility (CSR) initiatives and recreational activities | Legitimate Interest |
13 | Capturing image or video recordings of various activities, including ceremonial events, general event settings, and activities conducted within and outside the Company, as well as personalized or individual photography |
|
14 | Engaging with government agents, granting authorization, carrying out labor-related processes, and submitting information to government systems, such as the electronic public service system of the Department of Skill Development under the Ministry of Labour |
|
15 | Evaluating the performance of employees during the probationary period to determine their eligibility to become permanent employees, assessing the performance of interns, and assessing promotions, compensation adjustments, and additional benefits |
|
16 | Ensuring safety within production processes, managing measures for accident and hazard prevention and mitigation, and overseeing other processes related to emergencies or risks to the life or body of Employees | Legitimate Interest |
17 | Managing information technology systems, including creating user accounts, performing data backups, recording access logs, and monitoring data traffic within the Company's information technology infrastructure |
|
18 | Preventing and suppressing danger to your life, body, and health such as emergency contact, hospital transfers, recording travel history, and implementing disease control measures |
|
19 | Managing risk, implementing internal controls, overseeing the administration of the Company and its affiliates, ensuring adherence to good corporate governance practices, internal and external auditing, including coordination with service providers responsible for governance and compliance oversight for the Company and its affiliates |
|
20 | Ensuring safety and preventing danger to your life, body, health and your property within and around the Company’s premises, such as oversight through CCTV |
|
21 | Establishing, exercising, or defending of legal claims, including but not limited to litigation, enforcement proceedings, or other actions under legal proceedings | Legitimate Interest |
22 | Complying with applicable laws, regulations, and requirements, both domestic and international, as well as to achieve legitimate orders by authorized government agents or government officials, including performing actions required under legal proceedings | Legal Obligation |
5. Disclosure of Personal Data
- 5.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may disclose your Personal Data to internal and external parties as follows:
Internal Departments and Affiliates: The Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.
Trade Partners: The Company may disclose your Personal Data to trade partners for purposes related to the Company’s operational management. This may include agents or authorized representatives of such organizations, such as banks, financial institutions, insurance companies, or infirmaries.
Service Provider: The Company may engage external service providers (Outsource) to act on its behalf or support its business operations and customer services. This may include agents, contractors, and subcontractors of these service providers, such as website and IT providers and event organizers.
Professional Consultants: The Company may disclose your Personal Data to auditors, corporate governance inspectors, consultants, professional service providers, and other experts, both internal and external, to support the Company’s business operations.
Government Authority: The Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agents as required by law. This includes, but is not limited to, the Social Security Office, Department of Employment, Department of Skill Development, Office of Social Development and Human Security, the Revenue Department, Royal Thai Police, Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.
- 5.2 The Company will require the recipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.
6. International Transfer of Personal Data
- 6.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may transfer Personal Data to recipients located in a foreign country. Nonetheless, if there exists any necessity for the Company to transfer Personal Data to recipients located in a foreign country, the Company will explicitly notify you and request your consent specifically.
- 6.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.
- 6.3 The Company may store your Personal Data on computers, servers, or cloud services provided by third parties, and may utilize third-party programs or applications in the form of software as a service and platform as a service for processing your Personal Data. In this regard, the Company will not permit unauthorized persons to access Personal Data and will require such third parties to implement appropriate security measures for safeguarding Personal Data.
7. Data Retention Period
- 7.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period as follows:
Data Subject | Data Retention Period |
---|---|
Job Applicant who does not get selected to work for the Company, irrespective of the reasons, such as the Company rejects or Job Applicant rejects the offer | Not exceeding 6 months from the interview date |
Employee who is an intern | Not exceeding 5 years from the date of termination of internship period |
Employee who is not an intern and receives a wage calculated on a monthly-rate basis | For the duration of employment, and for a period of up to 10 years after the termination of the employment |
Employee who is not an intern and receives a wage calculated on a daily-rate basis | For the duration of employment, and for a period of up to 2 years after the termination of the employment |
- 7.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
- 7.3 The Company has implemented an audit system to carry out the erasure, destruction, or anonymization of such Personal Data upon expiration of the retention period or when processing of such data is no longer necessary.
8. Data Processing Under Original Purpose
The Company reserves the right to process your Personal Data collected prior to the effective date of the Personal Data Protection Act B.E. 2562, for the original purpose for which it was collected. If you no longer wish the Company to process your Personal Data, you may withdraw your consent at any time, subject to the clause 10.2.
9. Security Measures of Personal Data
- 9.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
- 9.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
- 9.3 The Company will conduct reviews of such security measures, including improving and developing such measures to reflect necessity or changes in technology, to ensure the effectiveness of Personal Data security.
10. Data Subject Rights and Exercise of Rights
- 10.1 Under Personal Data Protection Law, you, as a Data Subject, have the following rights:
Data Subject Rights | Description |
---|---|
Right to withdraw consent |
|
Right to access and retrieve a copy of data |
|
Right to data portability |
|
Right to object to Data Processing | You have the right to object to Data Processing in the event that the Company processes Personal Data
|
Right to erasure/Right to be forgotten | You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances:
|
Right to restriction of Data Processing | You have the right to request the Company to restrict Data Processing in the following circumstances:
|
Right to rectification | You have the right to request the Company to rectify your Personal Data so that it is accurate, up to date, complete, and not misleading. |
Right to lodge a complaint | You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law. |
- 10.2 You may exercise your aforementioned rights at any time by contacting the Company through the channel specified in clause 14. to request to exercise Data Subject’s rights.
- 10.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject, or is unable to proceed with, your application. In such case, the Company will notify you of the reasons for rejection together with the response to such application.
11. Withdrawal of Consent & Consequence from Withdrawal
- 11.1 In the event that the Company processes Personal Data based on consent, you, as a Data Subject, have the right to withdraw the consent given to the Company at any time. Such withdrawal of consent will not affect any legitimate Data Processing based on your consent given prior to its withdrawal.
- 11.2 If you withdraw the consent previously given to the Company or refuse to provide information to the Company, whether in whole or in part, it may result in the Company's inability to achieve the Company’s purpose as prescribed in this Privacy Policy, whether in whole or in part.
12. Personal Data of a Minor, Incompetent Person, or Quasi-Incompetent Person
- 12.1 If you are a minor, an incompetent person, or a quasi-incompetent person, and wish to consent to the Company processing your Personal Data, you must obtain consent from your legal representative, guardian, or curator, as the case may be, prior to giving consent to the Company.
- 12.2 In the event that the Company is required to obtain consent from a legal representative, guardian, or curator, as the case may be, for processing Personal Data of a minor, an incompetent person, or a quasi-incompetent person, but the Company was unaware of such facts at the time of Data Processing and subsequently becomes aware that the Company has processed such Personal Data without obtaining the aforementioned consent, the Company will promptly erase, destroy, or anonymize the Personal Data of such minor, incompetent person, or quasi-incompetent person, unless the Company can process such Personal Data based on another lawful basis that does not require consent.
13. Amendment to Privacy Policy
The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.
14. Contact Us
Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:
Contact the Company and DPO:
Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110
E-mail: DPO@nrinstant.com
Telephone Number: 034849576-80
15. Applicable Law
You acknowledge and accept that this Privacy Policy is governed and construed in accordance with the laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.
This Privacy Policy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and is effective from 16 May 2025 onwards.
Announced on 16 May 2025.
Privacy Policy For Photography and Videography
NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) emphasizes the utmost importance of protecting the Personal Data of shareholders, directors, employees, interviewees/commentators, activity participants, award recipients, premises users, visitors, applicants to enter the building, as well as customers, vendors, prospective vendors, and representatives of such persons (“you”). To ensure that the collection, use, and/or disclosure of your Personal Data is in adherence with the Personal Data Protection Act B.E. 2562, the Company has hereby established this Privacy Policy to inform you of your rights, duties, and the Company’s practices in the collection, use, and/or disclosure of Personal Data.
1. Definition
Vocabulary | Definition |
---|---|
Personal Data Protection Law | Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection |
Personal Data | any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular |
Sensitive Personal Data | Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee |
Data Subject | a person who has been identified by the Personal Data, whether directly or indirectly |
Data Processing/process | any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction |
Privacy Policy | This Privacy Policy For Photography and Videography |
2. Type of Personal Data the Company Collected
- 2.1 The Company requires the processing of photographic data, whether an image or a video recording. Your Personal Data may include image or video recordings of you during interviews, photographs of specific individuals during activities (individual photos), and overviews of activities or group photographs (group photos) upon completion of activities. Such data is stored electronically on the Company's recording device and may include personal information of the Data Subject, such as first name, family name, position of the photo subject, and activity information, location, date, and time appearing on the images.
- 2.2 In the event that image or video recordings of you are recorded for commercial and/or public relations purposes, the Company will explicitly notify you and request your consent specifically when the Company has selected such image or video recording to disclose or disseminate, along with requesting permission to specify your first name and family name to accompany such image or video recording for the commercial and/or public relations purpose for which the Company has obtained your consent.
3. Purpose & Lawful Basis for Data Processing
The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:
No | Lawful Basis | Description |
---|---|---|
1 | Performance of Contract | necessity for the Company to perform contractual obligations to which you are a party to the Contract with the Company, including any preliminary action undertaken at your request prior to entering into the contract |
2 | Legitimate Interest | necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject |
3 | Consent | in the event that the Company must process your Personal Data or Sensitive Personal Data which cannot rely on the aforementioned lawful basis, the Company will explicitly notify you and request your consent specifically. |
No | Purpose | Lawful Basis |
---|---|---|
1 | Capturing of image or video recording which is not personalized or individual photography, and overview image of the event, exhibition, activity during the event, training session, meeting, for the communication purpose and dissemination across various media channels, including social media or the Company’s communication channels | Legitimate Interest |
2 | Capturing of image or video recording which is personalized or individual photography, or using of first name and family name, or works associated with the person to accompany such image or video recording for appropriate business purpose and in adherence with the Company’s purpose | Consent |
3 | Data Processing of photography or videography, first name, family name, and works associated with the person according to Photography or Videography license agreement, where compensation has been provided | Performance of Contract |
4 | Capturing of image or video recording in case that the person is recorded as part of an award ceremony, either as a winner of a prize or as a selected recipient in any event | Performance of Contract |
5 | Capturing of image or video recording as evidence for identity verification, internal audit, or other Company’s legitimate purpose | Legitimate Interest |
4. Disclosure of Personal Data
- 4.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may disclose your Personal Data to internal and external parties as follows:
Internal Departments and Affiliates: The Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.
Government Authority: The Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agents as required by law. This includes, but is not limited to, Royal Thai Police, Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.
Public Media: The Company may disclose Personal Data as necessary to achieve its objectives on public platforms, whether in an informational or non-informational format, where it is accessible to the general public. These platforms may include social media channels, the Company’s communication channels, or websites of relevant government authorities.
- 4.2 The Company will require the recipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.
5. International Transfer of Personal Data
- 5.1 Generally, the Company does not intend to transfer Personal Data from photography or videography to recipients located in a foreign country. Nonetheless, if there exists any necessity for the Company to transfer such Personal Data to recipients located in a foreign country, the Company will explicitly notify you and request your consent specifically.
- 5.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.
6. Personal Data Retention Period
- 6.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period not exceeding 10 years from the date of collecting Personal Data.
- 6.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
- 6.3 The Company has implemented an audit system to implement the erasure, destruction, or anonymization of such Personal Data upon expiration of the retention period or when processing of such data is no longer necessary.
7. Data Processing Under Original Purpose
The Company reserves the right to process your Personal Data collected prior to the effective date of the Personal Data Protection Act B.E. 2562, for the original purpose for which it was collected. If you no longer wish the Company to process your Personal Data, you may withdraw your consent at any time, subject to clause 9.2.
8. Security Measures of Personal Data
- 8.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
- 8.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
- 8.3 The Company will conduct reviews of such security measures, including improving and developing such measures to reflect necessity or changes in technology, to ensure the effectiveness of Personal Data security.
9. Data Subject Rights and Exercise of Rights
- 9.1 Under Personal Data Protection Law, you, as a Data Subject, have the following rights:
Data Subject Rights | Description |
---|---|
Right to withdraw consent | |
Right to access and retrieve a copy of data | |
Right to data portability | |
Right to object to Data Processing | You have the right to object to Data Processing in the event that the Company processes Personal Data |
Right to erasure/Right to be forgotten | You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances: |
Right to restriction of Data Processing | You have the right to request the Company to restrict Data Processing in the following circumstances: |
Right to rectification | You have the right to request the Company to rectify your Personal Data to be accurate, up to date, complete, and not misleading |
Right to lodge a complaint | You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law. |
- 9.2 You may exercise your aforementioned rights at any time by submitting a request to exercise Data Subject’s rights through the channels specified in clause 13.
- 9.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject or is unable to proceed with your application. In such case, the Company will notify you of the reasons for rejection together with the response to such application.
10. Withdrawal of Consent & Consequence from Withdrawal
- 10.1 In the event that the Company processes Personal Data based on consent, you, as a Data Subject, have the right to withdraw the consent given to the Company at any time. Such withdrawal of consent will not affect any legitimate Data Processing based on your consent given prior to its withdrawal.
- 10.2 If you withdraw the consent previously given to the Company or refuse to provide information to the Company, whether in whole or in part, it may result in the Company's inability to achieve the Company’s purpose as prescribed in this Privacy Policy, whether in whole or in part.
11. Personal Data of a Minor, Incompetent Person, or Quasi-Incompetent Person
- 11.1 If you are a minor, an incompetent person, or a quasi-incompetent person, and wish to consent to the Company processing your Personal Data, you must obtain consent from your legal representative, guardian, or curator, as the case may be, prior to giving consent to the Company.
- 11.2 In the event that the Company is required to obtain consent from a legal representative, guardian, or curator, as the case may be, for processing Personal Data of a minor, an incompetent person, or a quasi-incompetent person, but the Company was unaware of such facts at the time of Data Processing and subsequently becomes aware that the Company has processed such Personal Data without obtaining the aforementioned consent, the Company will promptly erase, destroy, or anonymize the Personal Data of such minor, incompetent person, or quasi-incompetent person, unless the Company can process such Personal Data based on another lawful basis that does not require consent.
12. Amendment to Privacy Policy
The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.
13. Contact Us
Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:
Contact the Company and DPO:
Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110
E-mail: DPO@nrinstant.com
Telephone Number: 034849576-80
14. Applicable Law
You acknowledge and accept that this Privacy Policy is governed and construed in accordance with the laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.
This Privacy Policy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and is effective from 16 May 2025 onwards.
Announced on 16 May 2025.
Privacy Policy For Vendor
NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) emphasizes the utmost importance of protecting the Personal Data of Vendors, Prospective Vendors, and people representing or acting on behalf of a Vendor and/or Prospective Vendor, including but not limited to executives, shareholders, authorized directors, attorneys-in-fact, substitute attorneys-in-fact, employees, staff, and representatives of juristic persons (“you”). To ensure that the collection, use, and/or disclosure of your Personal Data is in adherence with the Personal Data Protection Act B.E. 2562, the Company has hereby established this Privacy Policy to inform you of your rights, duties, and the Company’s practices in the collection, use, and/or disclosure of Personal Data.
1. Definition
Vocabulary | Definition |
---|---|
Personal Data Protection Law | Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection |
Personal Data | any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular |
Sensitive Personal Data | Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee |
Data Subject | a person who has been identified by the Personal Data, whether directly or indirectly |
Data Processing/process | any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction |
Privacy Policy | This Privacy Policy For Vendor |
Prospective Vendor | any natural person or juristic person who may become a vendor of the Company, including those who have expressed intention to enter into a contract or register as a vendor of the Company, parties interested in business collaboration, parties operating jointly with the Company, or any other person requesting quotations or to whom the Company has submitted quotations for consideration |
Vendor | any natural person or juristic person who submits quotations for the sale of goods or services, or contract to perform work for the Company, whether registered as a vendor with the Company or not, trade partner, business participants, whether selling directly to the Company or participating in product or service development with the Company for distribution, service providers, service recipients, employers, contractors, consultants, experts, academics, speakers, contractual parties of the Company, and other persons of similar nature |
2. Type of Personal Data the Company Collected
The Company will collect and store Personal Data in a legitimate manner and only to the extent necessary for the Company’s business operation as follows:
Type | Example of Personal Data |
---|---|
Specific Personal Information and Information Relating to Personal Characteristics | First Name, Family Name, Age, Sex, National Identification Number, Alien Identification Number, Taxpayer Identification Number, Nationality, Signature, Photo |
Contact Information | Address, E-mail, Line ID, Mobile Number, Workplace |
Information Relating to Educational Backgrounds and Work Experience | Department, Position |
Financial Information | Bank Account Number |
Information used as Evidence for Legal Transaction | Copy of Personal Identification Number |
Technical Information | IP Address, MAC Address |
Others | |
Generally, the Company does not intend to process Sensitive Personal Data, such as religious belief or blood type information appearing on your personal identification card. If you provide the Company with a copy of your personal identification card containing such data, the Company kindly requests that you redact such data before submitting it to the Company. Should you fail to redact the aforementioned data, it is deemed that you consent to the Company redacting such data on your behalf.
3. Source of Personal Data
The Company may collect your Personal Data from various sources as follows:
Type | Example of Source of Personal Data |
---|---|
Personal Data obtained directly from you | |
Personal Data obtained automatically | |
Personal Data obtained from other sources or third-person | |
In the event that you agree and consent to giving Personal Data relating to a third person, you warrant and represent that such Personal Data is accurate and that you have fully informed the third person of this Privacy Policy.
4. Purpose & Lawful Basis for Data Processing
The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:
No | Lawful Basis | Description |
---|---|---|
1 | Performance of Contract | necessity for the Company to perform contractual obligations to which you are a party to the Contract with the Company, including any preliminary action undertaken at your request prior to entering into the contract |
2 | Legitimate Interest | necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject |
3 | Legal Obligation | necessity for compliance with the law, regulations, or order issued by the regulatory authorities overseeing the Company |
4 | Vital Interest | an operation to protect vital interest of Data Subject, such as prevention or suppression of danger to a Data Subject’s life, body, and health. |
5 | Consent | in the event that the Company must process your Personal Data or Sensitive Personal Data which cannot rely on the aforementioned lawful basis, the Company will explicitly notify you and request your consent specifically. |
No | Purpose | Lawful Basis |
---|---|---|
1 | Evaluating qualifications and suitability of vendor registration applicants and registered vendors, establishing new vendor relationships, and carrying out procedures related to vendor registration processes, such as background verification, identity validation, and processing your various requests within the Company's system, including modifications to your information | |
2 | Facilitating procurement and selection processes, assessing qualifications and suitability in accordance with the Company's procurement procedures, and price comparison activities | Legitimate Interest |
3 | Entering into contracts and completing procedures prior to entering into contracts as requested by you, including but not limited to employment agreements, service agreements, commercial contracts, memoranda of understanding (MOU), non-disclosure agreements and others, as well as managing the Company in compliance with contractual obligations | |
4 | Carrying out activities related to the Company’s business operations, communicating essential information as a performance of contractual obligation between the Company and you, facilitating business communications, and providing services in the capacity of Vendor | Performance of Contract |
5 | Publicizing information regarding Company operations, news production, and creating public relations announcements | Legitimate Interest |
6 | Collecting communication in a database for ongoing correspondence and creating future business opportunities | Legitimate Interest |
7 | Collecting payments or outstanding debts owed to the Company, executing transactions, processing payments, including implementing various measures to successfully complete transactions, verifying account accuracy, and issuing accounting documentation for both accounts payable and accounts receivable, such as tax invoices, payment vouchers, receipts, and withholding tax certificates | |
8 | Managing risk, implementing internal controls, overseeing the administration of the Company and its affiliates, ensuring adherence to good corporate governance practices, internal and external auditing, including coordination with service providers responsible for governance and compliance oversight for the Company and its affiliates | |
9 | Managing information technology systems, including performing data backups, recording access logs, and monitoring data traffic within the Company's information technology infrastructure | |
10 | Ensuring safety and preventing danger to your life, body, health and your property within and around the Company’s premises, such as oversight through CCTV | |
11 | Establishing, exercising, or defending of legal claims, including but not limited to litigation, enforcement proceedings, or other actions under legal proceedings | Legitimate Interest |
12 | Complying with applicable laws, regulations, and requirements, both domestic and international, as well as to achieve legitimate orders by authorized government agents or government officials, including performing actions required under legal proceedings | Legal Obligation |
13 | Managing risks, evaluating your credibility for the purpose of monitoring, investigating, and reporting on financial crimes, fraud, misconduct, and other criminal activities | Legitimate Interest |
5. Disclosure of Personal Data
- 5.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may disclose your Personal Data to internal and external parties as follows:
Internal Departments and Affiliates: The Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.
Trade Partners: The Company may disclose your Personal Data to trade partners for purposes related to the Company’s operational management. This may include agents or authorized representatives of such organizations, such as banks, financial institutions, or insurance companies.
Service Provider: The Company may engage external service providers (Outsource) to act on its behalf or support its business operations and customer services. This may include agents, contractors, and subcontractors of these service providers, such as website and IT management providers.
Professional Consultants: The Company may disclose your Personal Data to auditors, corporate governance inspectors, consultants, professional service providers, and other experts, both internal and external, to support the Company’s business operations.
Government Authority: The Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agents as required by law. This includes, but is not limited to, the Revenue Department, Royal Thai Police, Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.
Public Media: The Company may disclose Personal Data as necessary to achieve its objectives on public platforms, whether in an informational or non-informational format, where it is accessible to the general public. These platforms may include social media channels, the Company’s communication channels, or websites of relevant government authorities.
- 5.2 The Company will require the recipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.
6. International Transfer of Personal Data
- 6.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may transfer Personal Data to recipients located in a foreign country. Nonetheless, if there exists any necessity for the Company to transfer Personal Data to recipients located in a foreign country, the Company will explicitly notify you and request your consent specifically.
- 6.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.
- 6.3 The Company may store your Personal Data on computers, servers, or cloud provided by third parties, and may utilize third-party programs or applications in the form of software as a service and platform as a service for processing your Personal Data. In this regard, the Company will not permit unauthorized persons to access Personal Data and will require such third parties to implement appropriate security measures for safeguarding Personal Data.
7. Personal Data Retention Period
- 7.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period not exceeding 10 years from the date of termination of the customer’s relationship.
- 7.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
- 7.3 The Company has implemented an audit system to implement the erasure, destruction, or anonymization of such Personal Data upon expiration of the retention period or when processing of such data is no longer necessary.
8. Data Processing Under Original Purpose
The Company reserves the right to process your Personal Data collected prior to the effective date of the Personal Data Protection Act B.E. 2562, for the original purpose for which it was collected. If you no longer wish the Company to process your Personal Data, you may withdraw your consent at any time, subject to clause 10.2.
9. Security Measures of Personal Data
- 9.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
- 9.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
- 9.3 The Company will conduct reviews of such security measures, including improving and developing such measures to reflect necessity or changes in technology, to ensure the effectiveness of Personal Data security.
10. Data Subject Rights and Exercise of Rights
- 10.1 Under Personal Data Protection Law, you, as a Data Subject, have the following rights:
Data Subject Rights | Description |
---|---|
Right to withdraw consent |
|
Right to access and retrieve a copy of data |
|
Right to data portability |
|
Right to object to Data Processing | You have the right to object to Data Processing in the event that the Company processes Personal Data
|
Right to erasure/Right to be forgotten | You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances:
|
Right to restriction of Data Processing | You have the right to request the Company to restrict Data Processing in the following circumstances:
|
Right to rectification | You have the right to request the Company to rectify your Personal Data so that it is accurate, up to date, complete, and not misleading. |
Right to lodge a complaint | You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law. |
- 10.2 You may exercise your aforementioned rights at any time by contacting the Company through the channels specified in clause 14 to request the exercise of Data Subject rights.
- 10.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject or is unable to proceed with your application. In such cases, the Company will notify you of the reasons for rejection together with the response to such application.
11. Withdrawal of Consent & Consequence from Withdrawal
- 11.1 In the event that the Company processes Personal Data based on consent, you, as a Data Subject, have the right to withdraw the consent given to the Company at any time. Such withdrawal of consent will not affect any legitimate Data Processing based on your consent given prior to its withdrawal.
- 11.2 If you withdraw the consent previously given to the Company or refuse to provide information to the Company, whether in whole or in part, it may result in the Company's inability to achieve the Company’s purpose as prescribed in this Privacy Policy, whether in whole or in part.
12. Personal Data of a Minor, Incompetent Person, or Quasi-Incompetent Person
- 12.1 If you are a minor, an incompetent person, or a quasi-incompetent person, and wish to consent to the Company processing your Personal Data, you must obtain consent from your legal representative, guardian, or curator, as the case may be, prior to giving consent to the Company.
- 12.2 In the event that the Company is required to obtain consent from a legal representative, guardian, or curator, as the case may be, for processing Personal Data of a minor, an incompetent person, or a quasi-incompetent person, but the Company was unaware of such facts at the time of Data Processing and subsequently becomes aware that the Company has processed such Personal Data without obtaining the aforementioned consent, the Company will promptly erase, destroy, or anonymize the Personal Data of such minor, incompetent person, or quasi-incompetent person, unless the Company can process such Personal Data based on another lawful basis that does not require consent.
13. Amendment to Privacy Policy
The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.
14. Contact Us
Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:
Contact the Company and DPO:
Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110
E-mail: DPO@nrinstant.com
Telephone Number: 034849576-80
15. Applicable Law
You acknowledge and accept that this Privacy Policy is governed and construed in accordance with laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.
This Privacy Policy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and is effective from 16 May 2025 onwards.
Announced on 16 May 2025.
Privacy Policy For Visitor and Applicant to Enter the Building
NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) emphasizes the utmost importance of protecting the Personal Data of Visitors and Applicants to Enter the Building (“you”). To ensure that the collection, use, and/or disclosure of your Personal Data is in adherence with the Personal Data Protection Act B.E. 2562, the Company has established this Privacy Policy to inform you of your rights, duties, and the Company’s practices in the collection, use, and/or disclosure of Personal Data.
1. Definition
Vocabulary | Definition |
---|---|
Personal Data Protection Law | Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection |
Personal Data | any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular |
Sensitive Personal Data | Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee |
Data Subject | a person who has been identified by the Personal Data, whether directly or indirectly |
Data Processing/process | any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction |
Privacy Policy | This Privacy Policy For Visitor and Applicant to Enter the Building |
Visitor/Applicant to Enter the Building | any person who notifies the Company of their intention to request access to services, visit, perform work, or carry out any transactions with the Company within buildings, factories, operational facilities, or restricted areas within the Company's premises |
2. Type of Personal Data the Company Collected
The Company will collect and store Personal Data in a legitimate manner and only to the extent necessary for the Company’s business operation as follows:
Type | Example of Personal Data |
---|---|
Specific Personal Information and Information Relating to Personal Characteristics | First Name, Family Name, Age, National Identification Number, Signature |
Contact Information | Name of the Company, Department |
Information used as Evidence for Legal Transaction | License Plate |
Others | Image, Video Recording, and Audio Recording captured by CCTV |
Sensitive Personal Data | Sickness, Injury |
3. Source of Personal Data
The Company may collect your Personal Data from various sources as follows:
Type | Example of Source of Personal Data |
---|---|
Personal Data obtained directly from you |
|
Personal Data obtained automatically | Image, Video Recording, and Audio Recording captured by CCTV within the Company’s premises |
Personal Data obtained from other sources or third-person |
|
In the event that you agree and consent to giving Personal Data relating to a third person, you warrant and represent that such Personal Data is accurate and that you have fully informed the third person of this Privacy Policy.
4. Purpose & Lawful Basis for Data Processing
The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:
No | Lawful Basis | Description |
---|---|---|
1 | Performance of Contract | necessity for the Company to perform contractual obligations under a contract with the Company to which you are a party, including any preliminary action undertaken at your request prior to entering into the contract |
2 | Legitimate Interest | necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject |
3 | Legal Obligation | necessity for compliance with the law, regulations, or order issued by the regulatory authorities overseeing the Company |
4 | Vital Interest | an operation to protect the vital interest of the Data Subject, such as preventing or suppressing danger to a Data Subject’s life, body, and health. |
No | Purpose | Lawful Basis |
---|---|---|
1 | Managing your access to buildings, factories, operational facilities, or restricted areas within the Company's premises, including monitoring, preventing and deterring, as well as verifying any unauthorized access, as well as facilitating any necessary processes such as card exchange, registration, and recording your necessary information | Legitimate Interest |
2 | Ensuring safety and preventing danger to your life, body, health and your property, including security of the Company’s buildings, factories, operational facilities, or restricted areas within the Company's premises, in addition to implementing necessary internal processes prior to any performance of work within the Company |
|
3 | Controlling access to the Company’s information technology systems and databases, including monitoring, preventing and deterring, as well as verifying any unauthorized access. | Legitimate Interest |
4 | Managing hygiene and safety standards and ensuring compliance with applicable laws related to workplace safety and public health benefits |
|
5 | Preventing and suppressing danger to your life, body, and health such as emergency contact, hospital transfers, recording travel history, and implementing disease control measures |
|
6 | Establishing, exercising, or defending of legal claims, including but not limited to litigation, enforcement proceedings, or other actions under legal proceedings | Legitimate Interest |
7 | Complying with applicable laws, regulations, and requirements, both domestic and international, as well as to achieve legitimate orders by authorized government agents or government officials, including performing actions required under legal proceedings | Legal Obligation |
5. Disclosure of Personal Data
- 5.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may disclose your Personal Data to internal and external parties as follows:
Internal Departments and Affiliates: the Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.
Service Providers: the Company may engage external service providers (outsource) to act on its behalf or support its business operations and customer services. This may include agents, contractors, and subcontractors of these service providers, such as security guard service providers.
Professional Consultants: the Company may disclose your Personal Data to corporate governance inspectors, consultants, professional service providers, and other experts, both internal and external, to support the Company’s business operations.
Government Authorities: the Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agents as required by law. This includes, but is not limited to, the Royal Thai Police, the Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.
- 5.2 The Company will require the recipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.
6. International Transfer of Personal Data
- 6.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may transfer Personal Data to recipients located in a foreign country. Nonetheless, if there exists any necessity for the Company to transfer Personal Data to recipients located in a foreign country, the Company will explicitly notify you and request your consent specifically.
- 6.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or is in adherence with other law.
- 6.3 The Company may store your Personal Data on computers, servers, or cloud services provided by third parties, and may utilize third-party programs or applications in the form of software as a service and platform as a service for processing your Personal Data. In this regard, the Company will not permit unauthorized persons to access Personal Data and will require such third parties to implement appropriate security measures for safeguarding Personal Data.
7. Personal Data Retention Period
- 7.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period not exceeding 4 years from the date of collecting Personal Data.
- 7.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
- 7.3 The Company has implemented an audit system to carry out the erasure, destruction, or anonymization of such Personal Data upon expiration of the retention period or when processing of such data is no longer necessary.
8. Data Processing Under Original Purpose
The Company reserves the right to process your Personal Data collected prior to the effective date of the Personal Data Protection Act B.E. 2562, for the original purpose for which it was collected. If you no longer wish the Company to process your Personal Data, you may withdraw your consent at any time, subject to clause 10.2.
9. Security Measures of Personal Data
- 9.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
- 9.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
- 9.3 The Company will conduct reviews of such security measures, including improving and developing such measures to reflect necessity or changes in technology, to ensure the effectiveness of Personal Data security.
10. Data Subject Rights and Exercise of Rights
- 10.1 Under Personal Data Protection Law, you, as a Data Subject, have the following rights:
Data Subject Rights | Description |
---|---|
Right to withdraw consent |
|
Right to access and retrieve a copy of data |
|
Right to data portability |
|
Right to object to Data Processing | You have the right to object to Data Processing in the event that the Company processes Personal Data.
|
Right to erasure/Right to be forgotten | You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances:
|
Right to restriction of Data Processing | You have the right to request the Company to restrict Data Processing in the following circumstances:
|
Right to rectification | You have the right to request the Company to rectify your Personal Data so that it is accurate, up to date, complete, and not misleading. |
Right to lodge a complaint | You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law. |
- 10.2 You may exercise your aforementioned rights at any time by contacting the Company through the channels specified in clause 14 to request the exercise of Data Subject rights.
- 10.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject or is unable to proceed with your application. In such cases, the Company will notify you of the reasons for rejection together with the response to such application.
11. Withdrawal of Consent & Consequence from Withdrawal
- 11.1 In the event that the Company processes Personal Data based on consent, you, as a Data Subject, have the right to withdraw the consent given to the Company at any time. Such withdrawal of consent will not affect any legitimate Data Processing based on your consent given prior to its withdrawal.
- 11.2 If you withdraw the consent previously given to the Company or refuse to provide information to the Company, whether in whole or in part, it may result in the Company's inability to achieve the Company’s purpose as prescribed in this Privacy Policy, whether in whole or in part.
12. Personal Data of a Minor, Incompetent Person, or Quasi-Incompetent Person
- 12.1 If you are a minor, an incompetent person, or a quasi-incompetent person, and wish to consent to the Company processing your Personal Data, you must obtain consent from your legal representative, guardian, or curator, as the case may be, prior to giving consent to the Company.
- 12.2 In the event that the Company is required to obtain consent from a legal representative, guardian, or curator, as the case may be, for processing Personal Data of a minor, an incompetent person, or a quasi-incompetent person, but the Company was unaware of such facts at the time of Data Processing and subsequently becomes aware that the Company has processed such Personal Data without obtaining the aforementioned consent, the Company will promptly erase, destroy, or anonymize the Personal Data of such minor, incompetent person, or quasi-incompetent person, unless the Company can process such Personal Data based on another lawful basis that does not require consent.
13. Amendment to Privacy Policy
The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.
14. Contact Us
Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:
Contact the Company and DPO:
Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110
E-mail: DPO@nrinstant.com
Telephone Number: 034849576-80
15. Applicable Law
You acknowledge and accept that this Privacy Policy is governed and construed in accordance with laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.
This Privacy Policy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and is effective from 16 May 2025 onwards.
Announced on 16 May 2025.