MR. D.I.Y. Holding (Thailand) Public Company Limited
EN TH

This Privacy Notice was last updated on 31 May 2023.

1. INTRODUCTION

MR. D.I.Y. Holding (Thailand) Co., Ltd. (collectively referred to as “Company”, “we”, “us” or “our”) respects individual privacy, and is committed to protecting Personal Data in accordance with the Personal Data Protection Laws. This Privacy Notice applies to every person who interacts with us as a Whistleblower or related person (referred to as "you" or "your"). Please read this notice carefully, as it explains how we process your Personal Data and informs you about your privacy rights.

2. DEFINITIONS

In this Privacy Notice, the following definitions have the meanings below:

  1. “Personal Data” means any information relating to a natural person, which enables the identification of such person, whether directly or indirectly.
  2. “Personal Data Protection Laws” mean all laws and regulations related to data privacy protection in Thailand, including the Personal Data Protection Act, B.E. 2562 (and any future amendments thereto).
  3. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording. organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. DATA CONTROLLER

The Company is the controller of your Personal Data and is therefore responsible for processing it in accordance with the Personal Data Protection Laws. Should you have any questions about this matter, please contact us via one of the channels below.

E-mail at: th.dpo@mrdiy.com

Post to:

MR. D.I.Y. Holding (Thailand) Co., Ltd.

777 WHA Tower, 12th Floor, Debaratna Road (Bangna-Trad) KM.7, Bang Kaeo, Bang Phli, Samutprakarn, Thailand 10540.

4. CATEGORIES OF PERSONAL DATA WE PROCESS

If you report concerns through our whistleblowing channels about any act of misconduct or fraud involving us, or suspicions thereof, or provide any information, we will ask you for Personal Data, in particular information about your identity (such as your name, telephone number, address and email address). If you are worried about being identified as a Whistleblower, you can remain anonymous; however, we may not be able to investigate your concerns effectively without these details.

We do not request or process sensitive Personal Data (such as an individual's racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, cult membership, sexual behaviour, criminal or medical records, disabilities, or genetic & biometric data).

5. THE PURPOSE OF AND LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA

In order to investigate all reports fairly and impartially, it is necessary for us to process your Personal Data to verify your identity and contact you by post, email or telephone so we can request more information if it is required. 'The legal basis for processing your Personal Data is that it is in our legitimate interest to prevent or detect any misconduct or fraud within our organization. We will not use your Personal Data for any other purpose than the one stated above, unless we obtain your prior consent.

6. SHARING AND DISCLOSURE OF YOUR PERSONAL DATA

Your Personal Data will be shared among a limited number of persons within our organization to investigate and respond to your concerns. If it is necessary for the investigation, we may engage external advisors to review a particular issue. In this case, we may have to share your Personal Data with them. We will also have to disclose your Personal Data if it is required by the authorities under the relevant law or by a court order.

7. DATA SECURITY

We have put in place appropriate security measures to protect your Personal Data from loss or unauthorized use, access, alteration or disclosure, and review these measures on a regular basis to ensure that they are appropriate. Moreover, access to your Personal Data is limited to authorized persons who have a justified need to know the details. These persons will only process your Personal Data on our instructions and are subject to a duty of confidentiality.

We have also put in place procedures to deal with any suspected Personal Data breach, and will notify you and the relevant regulator if a breach has occurred and we are legally required to do so.

8. DATA RETENTION

We store your Personal Data only as long as it is necessary to process your report, unless we have a legitimate interest to retain it. However, all Personal Data will be deleted from the whistleblowing database not later than five (5) years after a case has been closed, with the exception of information that must be retained in accordance with the relevant laws and regulations.

9. YOUR DATA PROTECTION RIGHTS

You have the following rights under Personal Data Protection Laws:

  1. Right to withdraw consent: If you have given us consent to process your Personal Data, you have the right to withdraw your consent at any time.
  2. Right to access: You have the right to access and obtain copies of your Personal Data. In addition, you have the right to know any source through which your Personal Data may have been acquired without your consent.
  3. Right to data portability: You have the right to request that your Personal Data collected by us be transferred to another data controller, or directly to you, in certain circumstances.
  4. Right to object: You have the right to object to our processing of your Personal Data, in certain circumstances.
  5. Right to erasure: You have the right to request that your Personal Data be erased, in certain circumstances.
  6. Right to restriction: You have the right to request that the processing of your Personal Data be restricted, in certain circumstances.
  7. Right to rectification: You have the right to request that your Personal Data be rectified if it is inaccurate or incomplete.

If you wish to exercise any of these rights, please contact us by email at: th.dpo@mrdiy.com. The Company will respond to your request as soon as possible but not later than 30 days after receiving it. Please note that the Company may ask you to verify your identity before responding to a request in order to ensure the security of your Personal Data.

You also have the right to file a complaint with the Personal Data Protection Commission (the related authority) if you believe that your Personal Data has not been processed in compliance with Personal Data Protection Laws.

10. UPDATES TO THIS PRIVACY NOTICE

This Privacy Notice may be revised from time to time. The date at the top of this Privacy Notice will be amended, and the revised version will apply from then. If we make any material changes to this Privacy Notice, you will be notified in accordance with Personal Data Protection Laws.