1. Purpose

The purpose of this policy is to ensure transparency, build trust, and comply with the Personal Data Protection Act B.E. 2562 (the “PDPA”) by explaining how personal data of customers, healthcare professionals, pharmacists, drugstore owners, test subjects, business partners, vendors, visitors, job applicants, and web users (collectively referred to as “External Individuals”) is collected, used, stored, and protected by Daiichi Sankyo (Thailand) Ltd. (the “Company”, “DSTH”, “we”, “us”, or “our”)

2. Personal Data Processed by the Company

• Basic Information: full name, gender, phone number, email address, postal address, title and position, identification number or passport number;

• Health-Related Data: medical history, prescription information, healthcare provider details, diagnoses and treatment plans, information on adverse events or side effects, participation in clinical trials;

• Professional Information (for Healthcare Professionals): professional licenses or certifications, clinic or hospital affiliations, academic position, areas of specialization, professional contact information;

• Financial information: bank account, payment related information, transaction information, billing and invoicing information;

• Communication and Feedback Data: customer inquiries or complaints, survey or feedback responses, preferences for marketing communications;

• Marketing data: all marketing with us through our event arrangement, including seminar, webinar or training activities;

• Photographs, Videos, or Voice Recordings: from CCTV, the Company’s events, and calls;

• Technical information/ Registration data: IP address, Browser type and device information, unique device identifier, cookies and other data linked to a device and data about usage of our website; and

• Job applicant data: Data provided by job applicants or others on our websites or offline means in connection with recruitment process, such as CV, work experience, educational background.

3. Objectives of Personal Data Collection, Usage and Disclosure

We will process your personal data: (i) to perform contractual obligations, (ii) to comply with legal obligations, (iii) for the legitimate interest, or (iv) for the purpose relating to research or statistics. We will use personal data for the abovementioned purposes and scope, including the following purposes:

(1) Regulatory Compliance
• To comply with laws and regulations, such as clinical trials, and safety monitoring.
• To report adverse drug reactions and ensure product safety.
• To meet legal requirements for data retention and government reporting.

(2) Customer and Patient Services
• To provide information about medications, products, or healthcare services.
• To process orders, deliver products, and handle inquiries or complaints.
• To maintain communication about prescriptions, refills, or follow-up services.

(3) Healthcare Professional Engagement
• To manage relationships with healthcare professionals, such as doctors, pharmacists, and researchers. • To organize training sessions, events, or professional education programs. • To conduct surveys or gather feedback on products or services.

(4) Clinical Research and Development
• To conduct clinical trials and research studies.
• To manage test subject participation, including informed consent and study-related communication.
• To analyze data for developing new pharmaceutical products or improving existing ones.

(5) Marketing and Communications
• To send updates, newsletters, or promotional materials (with consent). • To tailor marketing campaigns based on user preferences and feedback. • To provide information about events, webinars, or product launches.

(6) Business Operations
• To manage contracts and relationships with customers, business partners, suppliers, and vendors.
• To process payments, invoices, and other financial transactions.
• To maintain records for audits, legal disputes, or compliance checks.

(7) Website and Digital Platform Usage
• To analyze website traffic, user behavior, and improve online services.
• To provide user-specific content and a personalized experience.
• To ensure security and prevent fraud in digital platforms.

(8) Recruitment and Employment
• To process job applications and assess applicants.
• To maintain records for onboarding, training, and employment.
• To propose the new opportunities which may be suitable for unsuccessful applicants

(9) Safety and Security
• To protect physical premises through CCTV or visitor logs.
• To verify the identity of individuals accessing sensitive areas or data.
• To ensure the safety of products, staff, and visitors.

(10) Consent Management
• To obtain and record consent for specific activities, such as clinical trials or marketing communications.
• To handle requests for data access, rectification, or deletion.

3In certain cases, we may need to process your personal data to fulfill our contractual obligations to you or comply with applicable legal and regulatory requirements. Failure to provide the requested personal data may result in our inability to deliver certain services or fulfill our obligations effectively. Rest assured that we only collect and process personal data necessary for these purposes and in accordance with the PDPA.

4. Source of Personal Data

The Company collects personal data through the following means:

(1) Personal data provided directly by the data subject, including when you register or apply for attending the Company’s activities or using any services of the Company
(2) Personal data received from the affiliates
(3) Personal data received from a third party such as a representative, a shop or a company that provide data collection services, a business partner, an alliance, or an affiliate etc.
(4) Personal data collected from a website visit and social media.
(5) Personal data obtained from public and legitimate non-public records.
(6) Personal data provided by government agencies and regulators.

5. Personal Data Disclosure

The Company will not disclose your personal data without a lawful basis. Your data may be disclosed, or transferred to governmental organizations, regulatory bodies or third parties including:

• The Company’s affiliates and parent company for purposes of internal management and auditing
• Business partners and alliances to offer benefits and services provided by the Company or its business partners, as well as to develop and manage customer relationships
• Domestic and overseas service providers, including but not limited to marketing analysis companies, auditors, recruitment agencies, and advisors, for supporting parts of our services and operations
• State agencies and regulatory bodies to comply with applicable laws and legal requirements

If the Company permits a third party or an outsourced service provider, as its data processors, to collect, use, or disclose personal data on its behalf, such data processors must implement personal data protection measures that are appropriate and equivalent to the Company’s standards, as stipulated in our security policy. Additionally, the Company will enter into agreements with data processors to ensure compliance with applicable laws. These agreements will:

• Clearly specify the purposes or instructions for the collection, usage, or disclosure of personal data.
• Include measures to prevent the data processor from collecting, using, or disclosing personal data beyond the determined purposes or instructions.

The Company is committed to ensuring that any personal data processing performed by third parties aligns with our security and compliance standards.

6. Delivery or Transferring Personal Data Abroad

In certain cases, the Company may need to transfer or move personal data overseas (including, but not limited to, Japan). To ensure the protection of such data, the Company will establish agreements and/or business contract with the receiving agency. These agreements will adhere to widely accepted standard contractual clauses for cross border transfer and comply with applicable laws, ensuring that the transferred personal data is appropriately safeguarded.

7. Personal Data Protection

To manage risks associated with personal data breaches, alterations, and loss, the Company adheres to its IT security policies and internationally recognized IT security standards. Additionally, the Company ensures its business practices comply with applicable laws. The Company implements measures to protect the privacy of personal data subjects by restricting access to personal data. Only authorized personnel, such as employees who require the data to deliver the Company’s products and services, are granted access. Authorized individuals must strictly adhere to the Company’s privacy policy and maintain the confidentiality of personal data.

The Company employs both physical and electronic safeguards to protect personal data in compliance with established data protection standards.

When entering into contracts or agreements with third parties, the Company incorporates appropriate personal data security standards to ensure the security and confidentiality of the data being processed.

8. Rights of Data Subject

Data subjects have the following rights regarding their personal data:

(1) Right to access and receive a copy of their personal data
(2) Right of rectification
(3) Right to object
(4) Right to restrict processing
(5) Right to erasure (also known as right to be forgotten)
(6) Right to data portability
(7) Right to withdraw the consent given to the Company. Note: withdrawal of consent will not affect the collection, usage or disclosure of personal data that occurred before the withdrawal

To exercise these rights, please submit your request through the contact channels provided below. The Company will review and respond to the request within 30 days of its receipt. However, the Company may refuse the request under certain circumstances as permitted by law or contractual obligations.

Deleting, destroying, or anonymizing personal data, or withdrawing consent, must comply with applicable laws and contractual terms. Please note that such actions may impact the fulfillment of contractual obligations or the provision of services, as certain services require personal data for execution. Consequently, the data subject may no longer receive certain benefits, services, or updates from the Company.

9. Retention Period and Personal Data Storage

The Company will retain personal data for as long as necessary to fulfill the purposes for which it was collected and processed, in compliance with applicable laws and regulations, with a maximum retention period of 10 years unless a longer period is required by law.

Even after the data subject ceases to interact with the Company, personal data may be retained for a specified period as required by applicable laws. The Company will store the data in an appropriate location, based on the type of data and its sensitivity.
In certain circumstances, the Company may need to retain personal data beyond the legally prescribed period, such as during ongoing legal proceedings or other exceptional cases where data retention is justified.

10. Cookie

The Company will use cookies to collect information about user activity for statistical purposes, research, trend analysis, and to improve and manage its websites and/or applications. Please note that the data collected through cookies is anonymous and does not identify individuals.

11. The Connection to External Websites

The Company’s website may contain links to third-party websites, which operate under their own privacy policies that differ from the Company’s. Data subjects are advised to review the privacy policies of these third-party websites to understand their personal data protection practices before disclosing any personal data. Please note that the Company is not responsible for the content, policies, damages, or activities of third-party websites.

12. Enquiry of Privacy Policy

If anyone has an enquiry or doubt regarding the privacy policy or personal data management, please contact:

Contact person Data Protection Officer (DPO)
Email [email protected]
Telephone 02-631-2070

13. Contact Information

If you have any suggestion or inquiries regarding the Company’s privacy policy and the data collected by the Company, or it you wish to exercise your right, please contact:

Company name Daiichi Sankyo (Thailand) Ltd.
Address 24th Floor, United Center Bldg., 323 Silom Road, Silom, Bangrak, Bangkok 10500
Website https://www.daiichisankyo.co.th
Call Center +66 2631 2070
Email [email protected]

14. Supervisory Authority

In case you view that the Company fails to comply with any provision of the PDPA, you may file a complaint to the Office of Personal Data Protection Committee (PDPC) at the following contact details:

Email [email protected]
Telephone +66 2111 8800

15. Effective Date

This policy shall be effective from July 15, 2021 (as amended on December 31, 2024)