Privacy Notice for Employees
WSOL Public Company Limited
WSOL Public Company Limited and its affiliated companies listed in the appendix to this Notice as may be amended from time to time (collectively referred to as the “Company”) place great importance on the protection of personal data of employees, applicants, and/or individuals related to employment.
The Company has therefore prepared this Privacy Notice for Employees to inform you of how the Company collects, uses, discloses, and protects personal data, as well as your rights as a data subject (“you”). The Company will process personal data in accordance with the objectives of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) and/or other applicable data protection laws.
1. Persons Covered by This Notice
This Privacy Notice applies to the following persons:
1.1 Permanent employees, contract employees, temporary employees, and interns
1.2 Directors, advisors, or authorized representatives of the Company
1.3 Former employees
1.4 Job applicants and referees
1.5 Family members or beneficiaries of employees (to the extent related to employee benefits)
1.6 Contractors, subcontractors, or external personnel performing work for the Company
2. Categories of Personal Data Collected, Used, or Disclosed
The Company collects, uses, or discloses your personal data as necessary, including the following:
2.1 General Information
Such as full name, national ID number or passport number, date of birth, gender, nationality, photograph, copy of identification card, information appearing on identification documents, and signature.
2.2 Contact Information
Such as address, telephone number, email address, Line ID or other contact channels, and emergency contact persons.
2.3 Financial and Account Information
Such as bank account number, account name, salary, tax information, social security information, provident fund information, benefits and/or other employee welfare entitlements.
2.4 Technical and Security Information
Such as IP address, device ID, system access logs, usage behavior relating to transactions, and cookie data.
2.5 Employment Information
Such as educational background, work experience, job position, salary, performance evaluations, attendance records, and leave records.
2.6 Sensitive Personal Data (Collected when necessary)
Such as health information, medical certificates, biometric data (facial recognition/fingerprint data), or criminal record information.
The Company will process sensitive personal data only when explicit consent has been obtained from you, unless an exception under applicable laws applies or such data is lawfully obtained from government authorities. (e.g., criminal background checks or fingerprint data for attendance recording), or for compliance with applicable laws, establishment, exercise, or defense of legal claims, important public interest, or prevention of danger to life or health.
The Company will collect only such sensitive personal data as is strictly necessary for the stated purposes and will implement enhanced and stringent security measures appropriate to the risks associated with such data.
2.7 Personal Data of Minors, Incompetent Persons, or Quasi-Incompetent Persons
The Company will process personal data of minors, incompetent persons, or quasi-incompetent persons only when explicit consent has been obtained from their parent, guardian, or legal custodian, or when consent may be lawfully given by the minor who has legal capacity to do so, or when exemptions under applicable laws apply.
3. Sources of Personal Data
The Company may obtain personal data from you directly or from other sources, such as government authorities, regulatory authorities, financial institutions, credit information companies, external service providers, reference persons, relevant contractual parties, public sources of information, and/or information technology systems or devices of the Company automatically. The Company will process such data in accordance with the PDPA and other applicable laws.
4. Purposes of Collection, Use, and/or Disclosure of Personal Data
The Company collects, uses, or discloses personal data only as necessary for the purposes notified and/or required under the PDPA and other applicable laws.
4.1 Legal Obligation
The Company processes personal data as required to comply with legal obligations without requiring your consent, including but not limited to personal data protection laws, labor laws, anti-money laundering laws, tax laws and/or court orders or orders from competent authorities. Examples include fraud prevention, monitoring of high-risk transactions, compliance with anti-money laundering regulations, identity verification, suspicious transaction monitoring, reporting to regulatory authorities, and retention of information as required by law.
4.2 Contractual Basis
The Company processes personal data for the performance of employment contracts, including human resource management, payroll processing, employee welfare administration, performance evaluation and employee
development, identity verification and related transactions with the Company.
4.3 Legitimate Interest
The Company collects, uses, discloses, and process your personal data based on the legitimate interests of the Company or third parties, provided that such interests do not override your fundamental rights and freedoms.
Examples include fraud prevention, system security, CCTV surveillance (with clear signage displayed in areas under surveillance) for security purposes, risk management, and service improvement.
The Company will conduct a Legitimate Interest Assessment (LIA) prior to processing personal data under this legal basis.
4.4 Other Purposes
For certain purposes where the law requires your consent such as publication of activity photos, internal corporate activities unrelated to employment contracts, internal communications and organizational announcements, employee training and development or contacting person designated by you in case of emergency.
You have the right to withdraw your consent at any time through the channels specified by the Company. Such withdrawal will not affect the lawfulness of processing conducted prior to the withdrawal unless additional consent or another legal basis applies.
5. Disclosure of Personal Data
The Company may disclose personal data as necessary and in accordance with the purposes stated in this notice to government authorities or regulatory authorities with legal authority, courts, financial institutions, business partners, related service providers or affiliated companies within the corporate group.
External service providers acting as Data Processors may include payroll service providers, HR system providers, IT system providers, cloud service providers, data center providers, auditors or legal advisors.
The Company will ensure that recipients of personal data maintain confidentiality and implement appropriate security measures in accordance with the law. Where applicable, the Company will enter into a Data Processing Agreement (DPA) with such service providers.
In cases where companies within the corporate group jointly determine the purposes and means of processing personal data, they may act as Joint Controllers, and their respective responsibilities will be defined in writing.
6. Cross-Border Transfer of Personal Data
The Company may transfer personal data to foreign countries, when necessary, such as for cloud services, IT systems located overseas, international transactions, or internal transfers within the corporate group.
The Company will ensure that such transfers comply with the PDPA by transferring data to countries or international organizations that have adequate data protection standards as prescribed by the Personal Data Protection Committee or by implementing appropriate safeguards including Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other measures required by law.
If these measures cannot be implemented, the Company may rely on legal exemptions, including performance of a contract with you, compliance with the law, protection of life, body, or health, or your explicit consent.
7. Rights of Data Subjects
Under the PDPA, you have the following rights:
- Right to access and obtain a copy of your personal data
- Right to rectify inaccurate data
- Right to request deletion or destruction of data
- Right to request restriction of processing
- Right to object to processing
- Right to data portability
- Right to withdraw consent
- Right to lodge a complaint with the Personal Data Protection Committee Office (PDPA Office)
The Company may refuse a request to exercise data subject rights where permitted by law, where such requests may affect the rights of others, or where any legal exemptions apply.
8. Data Retention Period
The Company will retain personal data according to the type of data and as necessary to achieve the purposes for which it was collected, as well as in accordance with applicable legal retention periods and statutory limitation periods.
For example, personal data may be retained throughout the employment period and for up to 10 years after the termination of employment.
Once the retention period expires, the Company will delete, destroy, or anonymize personal data so that it can no longer identify an individual, unless there is a legal dispute, legal claim, or legal requirement requiring a longer retention period.
9. Security Measures
The Company implements appropriate technical and organizational security measures to protect personal data against loss, unauthorized access, use, alteration, modification, or disclosure.
Such measures include, but are not limited to, data encryption (Encryption), role-based access control according to duties and responsibilities (Access Control), collection and monitoring of system access logs (Log Management), regular testing and evaluation of security system effectiveness, establishment of internal policies and employee training regarding personal data protection.
The Company conducts periodic risk assessments related to personal data protection to ensure that the implemented measures remain appropriate in relation to the nature, volume, and risks associated with the personal data being processed.
The Company also maintains a personal data breach response plan (Personal Data Breach) and an information security incident management process, including periodic review of data access rights.
10. Consequences of Failure to Provide Personal Data
If you fail to provide necessary personal data to the Company, the Company may be unable to proceed with employment processes, salary payments, or the provision of employee benefits as normal.
Where such data is required by law to be collected or retained, the Company may be unable to conduct certain transactions or fulfill obligations in relation to you.
11. Use of Cookies
The Company may collect, use, and/or disclose your personal data through cookies and/or other similar technologies when you access, register, use, or conduct transactions through the Company’s work-related channels, such as the Company’s website, internal systems (Intranet), or applications used in the course of employment.
You may manage your cookie preferences or withdraw your consent in accordance with the details set out in the Company’s Cookie Policy available at: https://wsol.co.th/
12. Personal Data Breach Notification
In the event of a personal data breach, the Company will notify the Personal Data Protection Committee Office within 72 hours of becoming aware of the breach.
The Company will also notify affected data subjects if such breach is likely to result in a high risk to their rights and freedoms.
13. Amendments to this Notice
The Company may review, update, or amend this Privacy Notice from time to time to ensure compliance with applicable laws and relevant practices.
Any revised version will be announced through the Company’s website and will become effective from the date specified in the updated notice.
14. Contact Information
If you have any suggestions, inquiries, or wish to exercise your rights under applicable data protection laws, you may contact the Company through the following channels:
14.1 Human Resources Department
WSOL Public Company Limited
Address:
238 Bang Khun Thian–Chai Thale Road, Samae Dam Subdistrict, Bang Khun Thian District,
Bangkok 10150
Tel: +66 2-009-0500
Email: contact@wsol.co.th
14.2 Data Protection Officer (DPO)
WSOL Public Company Limited
Address:
238 Bang Khun Thian–Chai Thale Road, Samae Dam Subdistrict, Bang Khun Thian District,
Bangkok 10150
Tel: +66 2-009-0500
Email: dpo@wsol.co.th
Data Subject Request:
https://www.wsol.co.th/pdpa-request
The Company will respond to the request within 30 days from the date of receipt of the complete request and supporting documents, or within the period prescribed by law.
Last Updated: March 17, 2026
Effective Date: March 17, 2026