BSRU PDPA

Personal Data Protection Policy

Bansomdejchaopraya Rajabhat University

Announcement from Bansomdejchaopraya Rajabhat University Regarding the Personal Data Protection Policy
It is deemed appropriate to establish the Personal Data Protection Policy of Bansomdejchaopraya Rajabhat University in accordance with the Personal Data Protection Act B.E. 2562 (2019) to ensure that the operations of the university are orderly, effectively protect personal data, and comply with legal standards.

By virtue of Section 27 of the Rajabhat University Act B.E. 2547 (2004), the President of Bansomdejchaopraya Rajabhat University hereby establishes the Personal Data Protection Policy as follows:

Section 1. In this announcement:
– University means Bansomdejchaopraya Rajabhat University.
– Personal Data means information related to a person that enables the identification of that person, directly or indirectly, such as personal data of personnel, students, pupils, alumni, and service recipients, but does not include data of deceased persons.
– Electronic Transactions means transactions conducted using electronic means, in whole or in part.
– Personal Data Controller means a person or juristic person with the authority to decide on the collection, use, or disclosure of personal data.
– Personal Data Protection Officer means a data protection officer as per the Personal Data Protection Law.
– Personnel means civil servants in higher education institutions, university staff, government employees, permanent employees, as well as personnel of affiliated agencies and research projects of Bansomdejchaopraya Rajabhat University.
– Student means undergraduate and graduate students of Bansomdejchaopraya Rajabhat University, including alumni who have graduated from the university.
– Pupil means students of the Demonstration School of Bansomdejchaopraya Rajabhat University.

Section 2: Purpose of Data Collection
– To ensure that stakeholders understand the principles of personal data protection.
– To ensure that personal data protection and user privacy are carried out with standards that comprehensively cover the university’s data management operations.
– To maintain the confidence of users in conducting transactions and electronic transactions and in accessing university data.

Section 3: Collection, Use, or Disclosure of Personal Data
The collection, use, or disclosure of personal data must comply with the following principles of personal data protection:
– Lawfulness, Fairness, and Transparency: Data processing must be lawful, transparent, and fair.
– Purpose Limitation: Data must be collected, used, or disclosed within the scope and for the purposes specified by the university and not beyond these purposes.
– Data Minimization: Data processing should be limited to what is necessary for the purposes of collection, use, or disclosure.
– Accuracy: Data must be accurate and kept up-to-date where necessary.
– Storage Limitation: Personal data should be retained only as long as necessary.
– Integrity and Confidentiality: Appropriate security measures must be in place to protect data.

Section 4: Personal Data Collected, Used, or Disclosed by the University
Personal data will be collected, used, or disclosed for lawful and fair purposes within the scope and objectives necessary for the university’s functions, such as conducting research, applying knowledge for national and social development, benefiting the university, producing graduates, and promoting and developing academic work. The university will limit data processing to what is necessary for educational services, educational activities, or other electronic services under the university’s objectives.

Section 5: Authority and Responsibilities for Personal Data Management
The university is the personal data controller and has the authority and responsibility to decide on the collection, use, or disclosure of personal data. The university and all its departments must comply with personal data protection laws.

Section 6: Authority and Objectives for University Operations
The university will store personal data of data subjects only as necessary under the authority and objectives of its operations as defined by law or as certified under Section 24 of the Official Information Act B.E. 2540 (1997). If the university intends to use personal data for other purposes, it will notify the data subject and obtain consent unless otherwise specified by law or other provisions in this announcement.

Section 7: Consent from Data Subjects Before Collection
The university must obtain consent from data subjects before collecting their personal data, except in the following cases:
– As required by law.
– For the benefit of the data subject, where consent cannot be obtained in time.
– For the benefit of the life, health, or safety of the data subject or users.
– For the benefit of investigations by investigating officers or legal proceedings in court.
– For the benefit of education, research, or statistical purposes.

Section 8: Personal Data Not Collected
The university will not collect personal data related to race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal history, health data, disabilities, genetic data, biometric data, or any other data that could harm reputation or lead to unfair discrimination or inequality, except in the following cases:
– Written consent has been obtained from the data subject.
– As required by law.
– For the benefit of the data subject, where consent cannot be obtained in time.
– For the benefit of the life, health, or safety of the data subject or users.
– For the benefit of investigations by investigating officers or legal proceedings in court.
– For the benefit of education, research, or statistical purposes.

Section 9: Collection of Personal Data
The university will not allow the personal data controller to collect personal data from sources other than directly from the data subject, except in the following cases:
– The data subject has been informed without delay, and no later than thirty days from the date of collection, and consent has been obtained.
– The collection is exempt from consent under Section 24 or Section 26 of the Personal Data Protection Act B.E. 2562 (2019).

Section 10: Data Security Measures
The university recognizes the importance of data security and has established appropriate measures to ensure the security of personal data. These measures aim to prevent the loss of personal data and any unauthorized or unlawful access to, or destruction, use, alteration, modification, or disclosure of, that data. The measures align with the university’s policies and practices on information technology security.

Section 11: Rights of Data Subjects
The university must provide channels and facilitate the exercise of data subjects’ rights or their representatives’ rights under personal data protection laws, which include the following rights:
1. Right to Access: The right to access and obtain a copy of their personal data held by the university, or to request disclosure of how personal data obtained without their consent was acquired.
2. Right to Data Portability: The right to receive their personal data from the university in a format that is readable or commonly used by automated tools or devices, and to transfer the data to another data controller if feasible by automated means. The right also includes requesting the university to send or transfer the data directly to another data controller, unless technically unfeasible.
3. Right to Information: The right to inspect the existence, nature of the data, purpose of use, and the university’s location. Additionally, the following rights are included:
– Request a copy or certified true copy of their personal data.
– Request the correction or amendment of their personal data to be accurate and complete.
– Request the suspension of use or disclosure of their personal data.
– Request the deletion or destruction of their personal data.
– Request disclosure of the acquisition of their personal data when the data was not collected or stored with their consent.
The university may deny the rights of the data subject in cases specified by law or when the personal data has been anonymized, making it impossible to identify the data subject, provided this does not conflict with the law.

Section 12: Personal Data Protection Officer
The university must appoint a Personal Data Protection Officer (DPO) to perform duties as required by law. If there are any issues in performing their duties, the DPO must promptly inform the university upon becoming aware of the issue and follow up until the problem is resolved.

Section 13: Cooperation and Legal Compliance
All administrators, personnel, and students at all levels within the university must cooperate and comply with personal data protection laws and other relevant laws, as well as the policies, practices, and measures for personal data protection established by the university according to this announcement.

Section 14: Complaint Management System
The university may establish a complaint management system for personal data protection issues according to the criteria and procedures set by the university.

Section 15: Duties in University Operations
University administrators and relevant personnel are responsible for ensuring that university operations and departmental activities comply with the provisions of personal data protection laws by the time such provisions come into effect. They are also responsible for supervising and ensuring that operations continue to comply with the personal data protection laws and this announcement thereafter.

Section 16: Policy Implementation
The implementation of this announcement’s policy must be in accordance with the guidelines set by the university. For personal data protection not specified in this announcement or any other required announcements, compliance must follow the personal data protection laws.
