Sojitz Kaset Dee X Co., Ltd.

KDX Connect User Privacy Notice

We, Sojitz Kaset Dee X Co., Ltd. (hereinafter referred to as the “Data Controller”), fully recognize the importance of protecting personal data. We believe that properly processing personal data is part of our social responsibility and declare that we strive to protect personal data in accordance with the following principles and the Personal Data Protection Act of 2019 (including, its sub-regulations and guidelines, hereinafter referred to as the “PDPA”). This privacy notice is provided to explain how we collect, retain, use, disclose and/or transfer (hereinafter collectively referred to as the “Data Processing”) your personal data (hereinafter collectively referred to as the “Personal Data”) in connection with (1) agricultural advice/support service (including satellite analysis), (2) finance service promotion, (3) the services related to the foregoing and (4) other services relevant to agricultural business and community development, to be provided by the Data Controller via this application services and website and other related channel operated by the Data Controller (the “Services”).

This privacy notice applies to users of the Services, including but not limited to this application services.

1. Personal Data

Personal Data collected by us includes, without limitation, the following information collected directly from you and indirectly from other sources (including, but not limited to, the business partners which participate in or are involved in the Services):

(1) General information, such as name, nickname, username, address, domicile (including, village name), birthdate, gender, marital status, nationality, belonging group name, and facial photograph, and government issued documents including an identification card [(including religion)], passport, visa, work permit, driving license and taxpayer card;

(2) Contact information, such as telephone number, email address and ID and password for access to your personal page or website;

(3) Financial information, such as information of bank account including account number, account name, commercial name and branch name of bank, information of credit card including credit card number, financial contract information including amount of finance and contract type, and billed, unbilled or outstanding amount relating to debt collection and information on commercial revenue and income as necessary;

(4) Device information, such as Internet Protocol (IP) address, cookies, type of browser and other information linked to a device, and information about usage of the accounts, websites and online properties of the Data Controller;

(5) Farmers information, such as mill-related information (including buyer’s name and address and purchase unit price), farming experience, farm size, farm location, plot address, plot rental price, plot’s facility, plot’s previous yield, plot’s soil analysis result, plot’s photo, harvester’s work fee, crop type, crop variety, cultivation activity record data (including cultivation date, activity type, photo and irrigation and other agricultural costs), optimized cultivation activity data (including cultivation date, activity type and yield simulation result), distributed agricultural material and equipment data (including request date and delivering date), harvester activity data (including order date, accept order date, scheduled work date, actual work date, harvester fee, outsourced partner, unit price and selling date); and

(6) Other information, such as information collected, used, or disclosed in connection with the Services (including the result of survey and feedback thereto).

2. Legal basis and purpose of Data Processing of Personal Data

(1) When the Data Controller performs the Data Processing of the Personal Data for some purpose, we will rely on your consent and/or one or more following legal basis(es) under the PDPA:

(a) To prevent or suppress the danger to a person’s life, body or health;

(b) To be necessary for the performance of a contract to which you are a party, or in order to take any actions upon your request prior to entering into a contract;

(c) To be necessary for legitimate interests of the Data Controller or any other person or juristic person other than the Data Controller, except where such interests are overridden by your fundamental rights concerning your Personal Data;

(d) To be necessary for compliance with the law by the Data Controller; and

(e) To be necessary for the performance of a task carried out for the public interest by the Data Controller, or for the exercising of official authority vested in the Data Controller.

(2) The Data Controller will perform the Data Processing of the Personal Data in whole or in part for the following purposes:

(a) To provide or procure products or services, such as consideration for the execution of the agreement for provision or procurement of products or services (including the provision of the Services), and consideration for the details and method of such provision or procurement of products or services, in connection with the services that Data Controller is or may be involved in, including background checking;

(b) To manage payment and exercise other legal rights, such as sending you invoices, notifying the payment, preparing receipts and tax invoices, collecting payment for the Services, asking for payment, and exercising rights of claim as necessary;

(c) To make data analytics and conduct assessment, such as conduct of data analytics for development and improvement of production, harvest and delivery instruction and other services, assessment of behavior of farmers for improvement of services and development and planning of new products and services of the Data Controller and/or business partners of the Data Controller (including, without limitation, the business partners which participate in or are involved in the Services; the same shall apply hereinafter);

(d) To carry out marketing activities, such as market research and analysis for, and planning and implementation of, marketing campaigns or activities of the Data Controller and/or business partners of the Data Controller;

(e) To communicate with persons, such as communication between the Data Controller and you with respect to the Services (including handling of queries, request, feedback, complaint, claims and disputes) or for update of your information within the group companies of the Data Controller;

(f) To manage safety and security, such as management of safety and security in the premises, accounts, applications and websites and other information systems, including operation, maintenance and audit of IT security;

(g) To have a third party take over an agreement, such as transfer, assignment or replacement of the agreement to which the Data Controller is a party or other similar nature of transaction, whether under a novation agreement or newly executed agreement, for a third party to take over the agreement; and

(h) To implement corporate transactions, such as merger, amalgamation, business transfer, reorganization, share transfer or joint venture relevant to the Data Controller, or sale or transfer of shares or any other receivables, assets or interests directly or indirectly owned by the Data Controller or other similar nature of transactions.

If you refuse to provide Personal Data or withdraw consent for the Data Processing of the Personal Data without reasonable cause, such action may cause the inability to achieve, in whole or in part, the purposes set forth in this Clause 2, whereby, among others, causing the impact in the decision to execute or renew the relevant agreements, or causing trouble in providing the Services to and performance of any other obligations owed to you.

3. The parties to whom Personal Data is disclosed and transferred

The Data Controller will disclose and transfer the Personal Data to any person or juristic person including the following person or juristic person in order to achieve the purposes as prescribed in Clause 2 above:

(1) Accounting firms, law firms, IT system service providers, software vendors, communication service providers, printing service providers and other professional advisors and service providers entrusted by the Data Controller;

(2) Parent company, subsidiary, group company or affiliated company of the Data Controller (including Sojitz Corporation, Sojitz (Thailand) Co., Ltd. and Sojitz Management (Thailand) Co., Ltd.), and directors, employees and other persons listed in item (1) above of such parent company, subsidiary, group company or affiliated company of the Data Controller;

(3) Suppliers and business partners of the Data Controller, financial institutions who participate in the Services and other persons or juristic persons who are necessary to communicate with the Data Controller in the course of the business operation of the Data Controller to achieve the purposes as prescribed in Clause 2 above;

(4) Any third party who will be involved in the corporate transactions such as merger, amalgamation, business transfer, reorganization, share transfer or joint venture relevant to the Data Controller or sale or transfer of shares or any other receivables, assets or interests directly or indirectly owned by the Data Controller or other similar nature of transactions; and

(5) Courts, government authorities, supervision authorities or regulators.

In the case where the Data Controller discloses and transfers the Personal Data to any person or juristic person, the Data Controller will examine such person rigorously, and perform proper supervision to ensure that such person keeps the Personal Data confidential.

4. Period for collection and retention of Personal Data

The Data Controller will retain the Personal Data throughout the term of the Services and for the period as appropriate and necessary for the purposes as specified in Clause 2 above. In addition, the Data Controller may retain the Personal Data for a longer period to comply with its legal or regulatory obligations according to the applicable laws and regulations or internal rules or policies of the Data Controller or to respond to legal claims from or against any relevant party.

5. Contact detail of Data Controller

Please direct any inquiries regarding the Data Processing of the Personal Data or requests to the Data Controller regarding the Personal Data to the following contact address.

Data Controller

Sojitz Kaset Dee X Co., Ltd.

No. 1 Q. House Lumpini Building, 19th Floor, South Sathon Road, Thung Maha Mek Sub-district, Sathon District, Bangkok

+66(0)2227-9200

kdx-pdpa@sojitz-kdx.com

The Data Controller may ask you to provide your identity information and, as applicable, a power of attorney to respond to such inquiries or requests.

6. Cross-border transfer of Personal Data

In connection with the Data Processing, the Data Controller may transfer the Personal Data to Japan or to other destinations outside Thailand, including, but not limited to, Singapore, the United States, and Indonesia. In some cases, the data protection standards in the country to which the Personal Data is transferred may not meet the standards that the competent authority prescribes under the PDPA.

When the Data Controller makes a cross-border transfer of the Personal Data to the country not meeting said data protection standards, the Data Controller will request your consent or implement appropriate safeguard measures in accordance with the regulations announced by the competent authority (including, an execution of data sharing, transfer or processing agreement) or may rely on any derogation applicable to the specific situation as provided in PDPA.

7. Your rights

You have the following rights with respect to the Personal Data as stipulated under the PDPA:

(1) Right to withdraw consent

You have the right to withdraw consent for the Data Processing of the Personal Data by the Data Controller at any time throughout the collection and retention period of the Personal Data.

(2) Right to access

You have the right to access and obtain the copy of the Personal Data which are under the supervision of the Data Controller. Also, if the Personal Data is collected without consent, you shall have the right to request the Data Controller to disclose the acquisition of such Personal Data.

(3) Right to request the portability

You have the right to receive the Personal Data concerning you from the Data Controller in case where the Data Controller arranges the Personal Data to be in the format which is readable or commonly used by ways of automatic tools or equipment and can be used or disclosed by automatic means. You shall also have the right to request the Data Controller to send or transfer the Personal Data in such format to other data controllers if it can be done by the automatic means and to request to obtain the Personal Data in such format which the Data Controller sends or transfers to other data controllers, unless it is impossible due to technical circumstances.

(4) Right to object

You have the right to object to the Data Processing of the Personal Data by the Data Controller in certain circumstances.

(5) Right to erase, destruct and anonymize

You have the right to require the Data Controller to erase, destruct and anonymize the Personal Data in certain circumstances.

(6) Right to restrict the use

You have the right to request the Data Controller to restrict the use of the Personal Data in certain circumstances.

(7) Right to update

You have the right to request the Data Controller to ensure the Personal Data remains accurate, up-to-date, complete and not misleading.

(8) Right to file a complaint

You have the right to file a complaint with the relevant official authority in the event that the Data Controller including the employees or the entrusted persons thereof violates or does not comply with the PDPA.

Request to exercise any of the rights listed above must be addressed to the Data Controller’s contact address as stipulated in Clause 5 above.

8. Safety Management Measures for Personal Data

(1) The Data Controller will work to store and manage the Personal Data in an accurate and up-to-date manner, and will take the necessary safety control measures to prevent unauthorized access or leakage of the Personal Data.

(2) The Data Controller will take the following specific security management measures:

(a) Organizational Safety Management Measures: to clarify the employees involved with the Data Processing of the Personal Data as well as its scope, to establish a system for reporting and contacting the manager if evidence or indications of violations of the PDPA or internal rules is/are detected and, to, in addition to regular self-inspections regarding the Data Processing of the Personal Data, undergo audits conducted by outside departments and third parties;

(b) Human Security Management Measures: to provide training to employees regarding precautions in the Data Processing of the Personal Data and to include the provisions concerning the confidentiality of the Personal Data in the employee regulations;

(c) Physical Safety Management Measures: to place appropriate restrictions on employee access to, and on equipment that can be brought into, the office where the Data Processing of the Personal Data is performed, to implement measures to prevent unauthorized persons from viewing the Personal Data, to take measures to prevent the theft or loss of equipment, electronic media, and documents, etc., and to take measures to ensure that the Personal Data is not easily revealed when such devices or electronic media are transported, including within our premises; and

(d) Technical Safety Management Measures: to implement access restrictions in order to limit the scope of employee access to the Personal Data (including the database where such Personal Data are stored) and to implement a system to protect information systems that perform the Data Processing of the Personal Data from unauthorized outside access or harmful software.

(3) The Data Controller may outsource the storage of information, including some Personal Data, to a cloud services provider. The Personal Data may be stored in Singapore, the United States, and Indonesia and other countries under the management of the said provider. In such case, in addition to the security management measures stipulated in item (2) above, the Data Controller will implement safety management measures based on its understanding of the personal data protection laws and regulations in the applicable jurisdiction.

9. Cookies

In order to improve the Services to you, the Data Controller sometimes uses a cookie. A cookie is a small amount of data that the web server of the Data Controller sends to your web browser when you visit certain parts of the application of the Data Controller and the use of which is intended to assist the Data Controller’s understanding of your interest in such application. The Data Controller may use the cookies to provide any recommendations, advertisements and communications to you so that they would fit your interests. Some of business partners of the Data Controller whose content is incorporated into or linked to from the application of the Data Controller may also use cookies. However, the Data Controller has no access to or control over these cookies or their business partners’ websites.

10. Others

(1) The Data Controller will not use the Personal Data in a manner that may encourage or induce illegal or unlawful activities.

(2) The Data Controller has formulated a compliance program for the protection of the Personal Data (including preparation of internal rules) and will keep our employees and other interested parties fully informed of such program, and execute and maintain such program, as well as strive to properly manage the Personal Data through ongoing review and improvement.

(3) The Data Controller bears no responsibility whatsoever for the Data Processing of the Personal Data on any other web platforms linked from this application services and other related channel operated by the Data Controller.

Sojitz Kaset Dee X Co., Ltd.