1. General Provision
1.1 Personal data protection in this policy concerns the personal data of an individual customer.
1.2 The company requires the DPO(s) to revise the policy every 2 years or when there is a significant change affecting work performed under this policy. The company will publicize any changes on the company’s website at www.daiichisankyo.co.th.
1.3 The company will collect, use or disclose personal data after receiving permission from the subject. However, permission is not required if the company makes the personal data unidentifiable or has one of the following legitimate bases:
(2) Legal Obligation
(3) Legitimate Interest
(4) Public Task / Official Authority
(5) Vital Interest
(6) Public task/Research
1.4 The company collects personal data only as necessary for a legitimate purpose. Personal data subjects will be informed of the details of personal data collection according to the laws.
1.5 The company can delete personal data or make it unidentifiable when the storage limitation has been exceeded or the purpose of personal data collection no longer applies, or when a personal data subject requests it or withdraws consent. The exception is where legitimate interest or official regulations cause the company to continue storing personal data.
1.6 The company not only protects personal data and considers the privacy of a personal data subject but also keeps the personal data confidential.
2. Request for Consent from Data Subject
2.1 The company must request consent to collect, use or disclose personal data from a data subject explicitly, in document or electronic form. Where a normal consent request is impossible, the company must provide reliable evidence showing the consent of the personal data subject.
2.2 The personal data subject must be informed explicitly about the objectives of personal data collection, usage or disclosure. Additionally, the objectives must be easy to understand and must not deceive or mislead the personal data subject. The personal data subject must also have freedom to give consent.
2.3 Where a personal data subject is a minor or has not reached legal age by marriage, the company will request consent from an authorized parent.
2.4 Where a personal data subject is an incompetent person, the company will request consent from an authorized curator.
2.5 Where a personal data subject is a quasi-incompetent person, the company will request consent from an authorized custodian.
2.6 A personal data subject or an authorized person stated in 6.3, 6.4, and 6.5 who wishes to withdraw consent may do so. The personal data subject must be informed of the effects of the withdrawal.
2.7 The company must collect, use, or disclose personal data only according to the purposes given to the personal data subject. If there is a new purpose, the company must inform the personal data subject and obtain consent from the personal data subject before collecting, using, or disclosing the data.
3. Purposes of Personal Data Collection
3.1 To use personal data for the operation of the company under the laws or official regulation terms.
3.2 To collect personal data, the data subject must be informed of the following details:
(1) The purposes of data collection for particular use or disclosure
(2) The necessity for providing personal data to perform according to laws or make a contract agreement.
(3) The personal data and period of data storage
(4) The type of a person or an agency whose personal data is being disclosed as well as its name list (case by case)
(5) The legitimate rights of a personal data subject
(6) The information of the company and data protection officer, and contact information.
3.3 Personal data collected from a subject must be complete, accurate and up to date.
3.4 In order to collect sensitive personal data, an explicit consent must be received from the personal data subject, except for when it is approved legally by an authority.
3.5 A personal data subject must be informed of personal data collection from other sources within 30 days including the day the data is collected, and the consent must be given by the subject except for legitimate interest approved by an authority.
3.6 The purposes of data collection must be recorded and include the details of a personal data controller, storing period, the data access and the conditions of an authorized person to access personal data as well as other details required by laws and able to be inspected by the personal data subject or PDPC.
4. Personal Data Access
4.1 The company employee can access personal data based on necessity for operation and the rights of the company. In case that the company employee needs to access personal data beyond the limitation, he/she must be approved by an authority.
4.2 The company employee must use personal data according to the stated purposes or the consent from a personal data subject except for legitimate interest.
4.3 A system administrator and owner must allow the company employee to access personal data of the company employee only according to the right or approval from the authority.
The company collects personal data as follows.
5.1 Personal data directly received from the data subject
5.2 Personal data received from the affiliates
5.3 Personal data received from a third party such as a representative, a shop or a company that provides data collection services, a business partner, an alliance, or an affiliate, etc.
5.4 Personal data received from a website visit such as the name of an internet service provider and IP address, date and time and URL directly connected to the company website.
5.5 Personal data received from public records and non-public records that the company has rights to collect legitimately.
5.6 Personal data received by a government agency and a regulator.
6. Personal Data Disclosure
6.1 Personal data disclosure to a third party must be performed under the consent obtained from a personal data subject except for regulatory compliance.
The company will disclose personal data to affiliates, third parties and/or agencies in the following cases.
(1) An authorized person as a mediator such as a shipping company, a data collecting service provider, a system development and maintenance company to perform any activities of the company.
(2) Business partners, alliances, affiliates and/or outsource service providers that provide the benefits and other services of the company to a personal data subject under a personal data confidentiality agreement, such as data analysis, data processing, IT services and preparation of associated basic structure, development of customer service platforms, emails/SMS, website and mobile application development, satisfaction surveys and research, and customer relation management. In case of a legal entity, the standard of personal data protection must be provided.
(3) State agencies, government, or other legal agencies to perform according to laws, any commands and requests to coordinate with any associated agencies regarding legal issues.
(4) The company may disclose personal data involving drugstores to marketing analysis companies for the purpose of post-sale surveys and in order to understand the operation of the company, and to develop and respond to customers’ needs for the benefit of patients.
(5) The personal data to disclose includes names, addresses of drugstores.
6.2 The personal data received from a third party or an outsource agency must be inspected to ensure that it is based on legitimate basis and approved by the Personal Data Protection Committee except for the legal and official regulatory performance.
The company will collect the personal data provided by the subject or received from other services of the company through the following channels.
(1) The data received when a personal data subject registers or applies for attending the company’s activities or using any services of the company. The personal data includes first names, last names, personal identification number or other personal ID cards, telephone numbers, dates of birth, addresses and emails etc.
(2) Subscription data or attendance records, accounts in which personal profiles are created and provided to the company in order to use the company’s services including mobile application and/or the company’s website such as online accounts or application accounts, as well as application forms provided in websites or other channels.
(3) Data from application for receiving news, surveys or attendance of activities such as satisfaction, interests, consuming behavior etc.
(4) Data regarding transactions with the company or affiliates such as data of job application, representative application, quotation, credit/debit cards, bank account numbers or other information regarding bank payments, payment dates and time depending on transaction types of personal data subjects.
(5) Information from a visit to the company website, the websites of affiliates or the company’s application, information of social media usage and correspondence of company’s online advertisements, series and types of computer programs used to visit the websites, types of devices used to access services (PC, laptop or smartphone), information of operating systems and platforms, IP addresses, information of location, and information of products and services which a personal data subject visits or searches for.
(6) Data obtained from the records when the data subject contacts the company at the company’s customer service center in a form of service recipient records, satisfaction assessment, research and statistics or conversation or CCTV records, as well as research media such as SMS, social media, applications, or emails etc.
(7) Social Media Credential such as Facebook, Twitter, and Line to connect to any company’s services such as Social Media Account ID, Interests, Likes and a friend list of personal data subjects. The subject can control privacy setting in the social media accounts.
(8) Enquiry via letters, faxes and emails from a customer and after-sale enquiry. The company will record telephone enquiry for accuracy. The personal data may be used for maintaining good relationship with customers such as examining of investigation and answers to questions, and studying such as contact with medical agents, notification, and reports to government agencies etc.
6.3 Where the company allows a third party or an outsource company to collect, use or disclose personal data on behalf of the company, the personal data processors must provide personal data protection measures appropriate and equal to the company’s standard, according to the security policy in managing external IT service providers and an agreement for controlling the performance of personal data processors in accordance with laws. The company will determine the purposes or orders for personal data collection, usage or disclosure and provide this information to the data processor clearly. It will also provide a measure to prevent the personal data processor from collecting, using or disclosing the personal data received from the company beyond the determined purposes or orders.
7. Delivery or Transferring Personal Data Abroad
Where the company needs to transfer or move one’s personal data overseas, it will determine the standards of agreement and/or business contract with the agency that will receive the data. The standards must be widely accepted and compliant with associated laws to ensure that the personal data will be protected, for example:
7.1 In case that the company needs to store and/or transfer or move personal data for storage.
7.2 For data processing in Cloud, the company will consider an agency with international security standards and store the data with encryption methods or other methods that make personal data unidentifiable etc.
8. Personal Data Protection
To assure personal data subjects of the company’s risk management against data breach, changes and disappearance, the company operates in accordance with its IT security policy and international standards of IT security and administers its business in compliance with the laws.
When the company makes a contract or an agreement with a third party, it will issue an appropriate personal data security standard to ensure the security of personal data.
9. Rights of Data Subject
The rights of personal data subjects are as follows:
(1) Right to be informed of the existence and types of personal data and the purposes of the data usage
(2) Right to access and receive a copy of personal data - the company has appropriate steps of personal identification.
(3) Right of rectification or changing personal data to make it up to date and not misleading.
(4) Right to object to personal data collection, usage or disclosure as well as personal data processing
(5) Right to restrict the processing, usage or disclosure of personal data
(6) Right to erasure (also known as the right to be forgotten): to delete or destroy personal data or make the data anonymous.
(7) Right to request declaration of the personal data sources in case that the personal data subject does not give consent for data collection or storage.
(8) Right to withdraw the consent given to the company for collecting, using, or disclosing that personal data. The withdrawal of consent will not affect the collection, usage or disclosure of personal data done before.
The company provides contact channels for exercising one’s rights in item 20. The company will proceed and consider the request within 30 days (from the request date). However, the company may refuse to proceed with the request by the personal data subject according to the laws or agreements.
Deleting, destroying, or making the personal data anonymous, or withdrawing the consent, must be carried out only according to the laws and the contract. It may also affect the contract or other services due to the anonymity of the personal data, and limit access to some services that need personal data. The personal data subject will not be able to receive benefits, services and news from the company anymore.
10. Retention Period and Personal Data Storage
The company will store personal data for as long as necessary according to the purposes of data collecting and processing as well as the performance of the laws and regulations. The company will continue to store the personal data for a particular period according to the prescription in associated laws after the personal data subject no longer has an interaction with the company. The company will store the data in an appropriate place depending on the type of the data. The company may need to continue to store the personal data even after the prescription has passed, for example during legal proceedings.
11. Personal Data Usage Related to Healthcare Professionals
Besides the aforementioned purposes and in accordance with laws, the company will use the personal data related to medical personnel for the following purposes:
(1) To provide, collect, review and communicate information on the proper use of drugs, medical devices, drug samples, and other goods and products handled
(2) To provide, collect, review and communicate information on quality, safety or effectiveness of the company’s products.
(3) To survey after-sale satisfaction, to understand the business operation of the company, and to develop and respond to the customers’ needs for the benefit of patients
(4) To request, implement, and support clinical research.
(5) To provide, collect, and examine information in the fields of medicine and pharmacy for business development
(6) To support research related to medicine and pharmacy.
(7) To make notifications and reports to government and other public offices and agencies according to regulations regarding quality and safety of pharmaceutical products certification
(8) To examine, proceed and respond to enquiries or comments on the company’s pharmaceutical products
(9) To communicate with medical personnel for business operation purposes
12. The purposes for personal data usage regarding drug stores
(1) Implementation of business communications and responses
(2) Understanding where to use pharmaceuticals, medical devices, etc.
(3) Collection and examination of information in the fields of medicine and pharmacy
Providing with personal data including names and addresses of drug stores.
The company will use cookies to collect the usage data of personal data subjects in order to compile statistical data, conduct research, analyze trends, and improve and control websites and/or applications. However, the data from cookies is anonymous.
14. The Connection to External Websites
15. Data Protection Officer
The company has appointed a data protection officer to examine and collect, compile, use or disclose in accordance with Personal Data Protection Act B.E. 2562 and the policy, regulations, announcements, and orders of the company.
Name-Surname Mr. Sarawut Bunsua (DPO)
Tel 02-631-2070-9 ext.242 or ext.112
17. Contact Information
Company name Daiichi Sankyo (Thailand) Ltd.
Address 24th Floor, United Center Bldg., 323 Silom Road, Silom, Bangrak,
Call Center +66 2631 2070-9 ext. 242 or 112
18. Appropriate Authority
If anyone wants to make a complaint or feels dissatisfied, he/she can contact and/or complain to the Office of the Personal Data Protection Committee (PDPC), Electronic Transactions Development Agency (ETDA).
Telephone +66 2142 1033
19. Effective Date
This policy shall be effective from July 15, 2021