Personal Data Protection Policy of the National Science and Technology Development Agency

Tags:

thaibioeconomy
Thaibioeconomy

Notification of the National Science and Technology Development Agency
Re: Personal Data Protection Policy of the National Science and Technology Development Agency

Whereas, the Personal Data Protection Act B.E. 2562 (2019) is enacted and comes into effect on May 28, 2019, and it is the National Science and Technology Development Agency’s top priority to protect personal data and comply with the personal data protection law, and in order to assure the data subjects that National Science and Technology Development Agency will keep and provide appropriate security measures in respect of their personal data, National Science and Technology Development Agency has thus issued this Personal Data Protection Policy of the National Science and Technology Development Agency, as follows:

1. Definitions

“NSTDA” means the National Science and Technology Development Agency.

“Person” means a natural person.

“Personal Data” means any information relating to a Person who can be identified, directly or indirectly, but excluding specific information of a deceased, e.g., name, surname, nickname, address, telephone number, identification number, passport number, social security number, driving license number, taxpayer identification number, bank account number, credit card number, email address, vehicle license plate, land title deed, IP address, Cookie ID, log file, etc., provided however that the following information shall not be treated as personal data, namely information for business contact without any identified person, e.g., company name, company address, company registration number, office telephone number, office email address, group company email address like This email address is being protected from spambots. You need JavaScript enabled to view it., anonymous data or pseudonymous data, information of a deceased, etc.

“Sensitive Personal Data” means any information which is genuinely personal of a Person, but sensitive and likely exposed to unfair discrimination, e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, criminal records, data relating to health and disability, labor union data, genetic data, biometric data or any other data which affects the data subject in such manner as prescribed and announced by the Personal Data Protection Committee.

“Data Subject” means a Person who owns Personal Data, except where the Person holds the data ownership or creates or collects such data on his/her own, whereby this Data Subject refers to only a natural person and excludes a “juristic person” established by law, such as company, association, foundation or any other organization.

In this regard, a Data Subject includes any of the following Persons:

1. Data Subject of legal age refers to:

1.1 a Person at the age of 20¹ or older; or

1.2 anyone who is married at the age of 17 or older; or

1.3 anyone who is married before the age of 17 with the Court’s permission²; or

1.4 a minor whose legal representative has given consent for the minor to carry on trade or other business or to enter into an employment contract as an employee, and in relation to the business or employment above, the minor shall have the same capacity as a person of legal age (sui juris)³.

In this regard, for the purpose of giving any consent, a Data Subject of legal age may give consent of his/her own accord.

2. A minor Data Subject refers to a Person below the age of 20 and not of legal age under Item 1, and as such, for the purpose of giving any consent, the consent of the person with the parental power to act on behalf of the minor shall also be obtained.

3. A quasi-incompetent Data Subject refers to a Person adjudged by the Court to be quasi-incompetent on the ground that he/she is incapable of managing his/her own affairs or manages it to the detriment of his/her own property or family because of physical or mental infirmity, habitual prodigality, habitual intoxication or other similar causes⁴, and as such, for the purpose of giving any consent, the consent of the curator with the power to act on behalf of the quasi-incompetent person must first be obtained.

4. An incompetent Data Subject refers to a Person adjudged by the Court to be incompetent on the ground of unsound mind⁵, and as such, for the purpose of giving any consent, the consent of the guardian with the power to act on behalf of the incompetent person must first be obtained.

In this regard, such request for a Data Subject’s consent which does not proceed in compliance with the personal data protection law shall not be binding upon the Data Subject.

“Data Controller” refers to a Person or a juristic person with the power and duties to make decisions regarding the collection, use or disclosure of Personal Data.

“Data Processor” refers to a Person or a juristic person who proceeds with the collection, use or disclosure of Personal Data under such orders given by or on behalf of a Data Controller, whereby the Person or juristic person who proceeds as such is not a Data Controller.

2. Sources of Personal Data

Basically, NSTDA shall not collect any Personal Data, except in the following events:

2.1 NSTDA has directly received Personal Data from a Data Subject, in which case, NSTDA shall collect such Personal Data from the service processes as follows:

(1) the use of services with NSTDA or the filing of any applications with NSTDA, e.g., subscription for newsletters, job application;

(2) the collection of data voluntarily provided by a Data Subject, e.g., survey or correspondence via email address or other channels of communications between NSTDA and the Data Subject;

(3) the collection of data from NSTDA’s website via browser’s cookies of a Data Subject and the use of electronic transaction services.

2.2 NSTDA has received Personal Data of a Data Subject from a third party, whereby NSTDA believes in good faith that such third party is entitled to collect and disclose the Data Subject’s Personal Data to NSTDA.

3. Purposes of Processing of Personal Data

NSTDA collects, uses and discloses any Personal Data in accordance with the procedures which are lawful and fair, whereby the collection of Personal Data shall be limited to what is necessary for communications regarding the services, public relations or provision of news, including survey of the Data Subject’s opinions on NSTDA’s missions or activities, only for the purposes of NSTDA’s operations or as provided by law. Should such purposes be changed, NSTDA shall give notice thereof to the Data Subject and further record such change as evidence, and comply with the personal data protection law.

4. Processing of Personal Data

4.1 Collection of Personal Data

NSTDA shall limit the collection of any Personal Data to the extent necessary, depending on the categories of services used by the Data Subject or the Personal Data provided to NSTDA, e.g., registration for participation in activities, registration for use of services, both directly through NSTDA and via NSTDA’s information system, and such Personal Data shall be collected only to the extent necessary.

4.2 Use of Personal Data

NSTDA shall properly use the Personal Data according to the purposes for which such Personal Data is provided by the Data Subject to NSTDA, and shall provide measures to ensure the security and safety of as well as to control access to such Personal Data.

4.3 Disclosure of Personal Data

Normally, NSTDA shall not disclose any Personal Data, except for the purposes for which such Personal Data is provided by the Data Subject to NSTDA, e.g., disclosure of Personal Data for the services requested by the Data Subject or in compliance with contractual obligations or as required by law. In any event where NSTDA wishes to collect, use or disclose additional Personal Data or change the purposes of such collection, use or disclosure, NSTDA shall give notice thereof to the Data Subject prior to processing such Personal Data, unless required or permitted by law.

5. Period of Storage of Personal Data

NSTDA shall keep the Personal Data as long as it is necessary for processing, and upon the lapse of such period, NSTDA shall destroy such Personal Data.

6. Rights of the Data Subject

The consent given by the Data Subject to NSTDA for collection, use and disclosure of the Personal Data shall remain valid until the Data Subject shall withdraw his/her consent in writing. The Data Subject may withdraw his/her consent or suspend the use or disclosure of his/her Personal Data for the purposes of any or all activities of NSTDA by submitting such request in writing to NSTDA or via email to This email address is being protected from spambots. You need JavaScript enabled to view it..

Other than the above rights, the Data Subject shall also be entitled to proceed as follows:

(1) Right to withdraw consent

The Data Subject shall have the right to withdraw consent to the processing of his/her Personal Data given to NSTDA at any time during the period his/her Personal Data is kept with NSTDA.

(2) Right of access

The Data Subject shall have the right to access his/her Personal Data and request NSTDA to make a copy of such Personal Data and provided the same to the Data Subject, as well as request NSTDA to disclose how the Data Subject’s Personal Data was collected without his/her consent to NSTDA.

(3) Right to rectification

The Data Subject shall have the right to request NSTDA to rectify any incorrect Personal Data or add any incomplete Personal Data.

(4) Right to erasure

The Data Subject shall have the right to request NSTDA to erase his/her Personal Data for certain reasons.

(5) Right to restriction of processing

The Data Subject shall have the right to restrict the use of his/her Personal Data for certain reasons.

(6) Right to data portability

The Data Subject shall have the right to require NSTDA to transfer the Personal Data provided by the Data Subject with NSTDA to another Data Controller or the Data Subject for certain reasons.

(7) Right to object

The Data Subject shall have the right to object the processing of his/her Personal Data for certain reasons.

NSTDA respects the Data Subject’s decision to withdraw his/her consent. However, NSTDA hereby informs the Data Subject that there may be certain restrictions to the right to withdraw consent by law or contract in favor of the Data Subject. The withdrawal of consent shall in no way affect the collection, use or disclosure of the Personal Data previously provided with consent by the Data Subject.

7. Security of Personal Data

NSTDA provides appropriate security measures to prevent any unauthorized or undue access to, use, change, rectification or disclosure of the Personal Data. Moreover, NSTDA has set out its internal practice for authorization of access to or use of the Data Subject’s Personal Data in order to keep such data confidential and safe. NSTDA shall review such measures from time to time as appropriate.

8. Use of Cookies

Cookies refers to a small-sized data created by a website that is stored with the Data Subject while visiting the website in order to enable the website to keep track of the Data Subject’s preferences, such as, the most preferred language, system user or other settings. On the Data Subject’s next visit to the website, the website will recognize him/her as a user previously using the services and apply such settings selected by the Data Subject until the Data Subject will delete or disable cookies, as the Data Subject may accept or refuse cookies, and if cookies are refused or deleted, the website may not be able to provide the services or may not display correctly.

9. Update on the Personal Data Protection Policy

NSTDA may update or revise its Personal Data Protection Policy without advance notice to the Data Subject so as to be appropriate and efficient in the provision of services. Therefore, NSTDA hereby advises the Data Subject to read the Personal Data Protection Policy every time he/she visits or uses the services from NSTDA or its website.

10. Compliance with the Personal Data Protection Policy and Contact with NSTDA

In the event that the Data Subject has any questions or suggestions regarding the Personal Data Protection Policy or compliance with this Personal Data Protection Policy, NSTDA is willing to answer such questions and welcome all the suggestions in order to further improve NSTDA’s personal data protection and services. The Data Subject may contact NSTDA at This email address is being protected from spambots. You need JavaScript enabled to view it. or the following address:

National Science and Technology Development Agency
111 Thailand Science Park (TSP), Phahonyothin Road
Khlong Nueng, Khlong Luang, Pathum Thani 12120

¹ Section 19 of the Civil and Commercial Code provides that on the completion of twenty years of age, a person ceases to be a minor and becomes of legal age (sui juris).

² Section 1448 of the Civil and Commercial Code provides that a marriage can take place only when a man and a woman have attained their seventeenth year of age. However, the Court may, on reasonable grounds, permit them to marry before attaining such age.

³ Section 27 of the Civil and Commercial Code, together with Section 20 of the Personal Data Protection Act B.E. 2562 (2019):

Section 27 of the Civil and Commercial Code provides that the legal representative may give consent to a minor to carry on trade or other business or to enter into an employment contract as an employee. Where the legal representative refuses to give such consent without reasonable ground, the minor may apply for permission from the Court.

In relation to the business or employment according to paragraph one, the minor has the same capacity as a person of legal age (sui juris).

Where the business or work consented or permitted according to paragraph one gives result to considerable damage or the detriment of the minor, the legal representative may withdraw his consent, or, in the event it was permitted by the Court, the legal representative may request the Court to revoke its permission.

If the legal representative has withdrawn his consent without reasonable ground, the minor may request the Court to revoke the legal representative’s withdrawal.

The withdrawal of the legal representative’s consent or the revocation of permission by the Court shall bring to an end the capacity of deemed legal age (quasi sui juris) from the minor but shall not affect any act done before the withdrawal or revocation.

ection 20 of the Personal Data Protection Act B.E. 2562 (2019) provides that in the event that the data subject is a minor who is not of legal age (sui juris) by marriage or has no capacity of deemed legal age (quasi sui juris) under Section 27 of the Civil and Commercial Code, the request for consent from such data subject shall proceed as follows:

(1) In the event that the minor’s giving of consent is not any act which the minor may give consent alone as prescribed under Section 22, Section 23 or Section 24 of the Civil and Commercial Code, such act shall also require consent of the person with the parental power to act on behalf of the minor.

(2) In the event that the minor is not over the age of 10, the consent shall be obtained from the person with the parental power to act on behalf of the minor.

In the event where the data subject is incompetent, the data subject’s consent shall be obtained from the guardian with the power to act on behalf of the incompetent person.

In the event where the data subject is quasi-incompetent, the data subject’s consent shall be obtained from the curator with the power to act on behalf of the quasi-incompetent person.

The provisions in paragraphs one, two and three shall apply mutatis mutandis to the withdrawal of consent of the data subject, the notice given to the data subject, the exercise of rights of the data subject, the complaint of the data subject, and any other acts under this Act for the data subject who is a minor, an incompetent or quasi-incompetent person.

⁴ Section 32 of the Civil and Commercial Code provides that a person, who is incapable of managing his own affairs or manages it to the detriment of his own property or family because of physical or mental infirmity, habitual prodigality, habitual intoxication or other similar causes, may be adjudged quasi-incompetent by the Court upon the application of any of persons specified in Section 28.

A person adjudged quasi-incompetent according to paragraph one must be placed under curatorship. The appointment of curator shall be in accordance with the provisions of Book V of this Code.

The provisions of Book V of this Code concerning the cessation of guardianship shall apply mutatis mutandis to the cessation of curatorship.

The order of the Court issued under this Section shall be published in the Government Gazette.

⁵ Section 28 of the Civil and Commercial Codes provides that a person of unsound mind may be adjudged incompetent by the Court on the application of the spouse, ascendants, descendants, guardian or curator, guardian in fact or the public prosecutor.

A person adjudged incompetent according to paragraph one must be placed under guardianship. The appointment, authority and duty of a guardian and the cessation of guardianship shall be in accordance with the provisions of Book V of this Code.

The order of the Court issued under this Section shall be published in the Government Gazette.