Chomthana Co., Ltd. (Yili Group Thailand)’s Personal Data Security Measures, B.E. 2568 (2025)

Whereas Section 37 of the Personal Data Protection Act, B.E. 2562 (2019) stipulates that the data controller shall provide appropriate security measures to prevent loss, unauthorized or unlawful access to, use, alteration, correction, or disclosure of personal data, and that such measures must be reviewed when necessary or when technology changes in order to maintain appropriate security and safety efficiently, such measures being implemented in accordance with the minimum standards specified and announced by the Personal Data Protection Committee; and whereas the Personal Data Protection Committee has issued the Notification on Personal Data Protection Security Measures, B.E. 2565 (2022) for that purpose;

In order to comply with the Personal Data Protection Act, B.E. 2562 (2019), Chomthana Co., Ltd. (Yili Group Thailand) hereby issues this notification as follows:

Clause 1 This notification is called the “Notification of Chomthana Co., Ltd. (Yili Group Thailand) Re: Chomthana Co., Ltd. (Yili Group Thailand)’s Personal Data Security Measures, B.E. 2568 (2025)”.

Clause 2 This notification shall come into force from the date of its announcement onward.

Clause 3 In addition to the definitions of specific terms provided in this notification, the definitions of the relevant terms in the Personal Data Protection Policy of Chomthana Co., Ltd. (Yili Group Thailand), B.E. 2568 (2025) shall also apply.

“Personnel of the Company” means all personnel of Chomthana Co., Ltd. (Yili Group Thailand) including permanent employees, temporary employees, workers, contractors, consultants, and committees of the Company.

“Security” means the maintenance of confidentiality, integrity, and availability of personal data for the purposes of preventing loss, unauthorized or unlawful access to, use, alteration, correction, or disclosure of personal data.

Clause 4 Personnel of the Company must recognize the importance of personal data protection and comply with the Personal Data Protection Policy of Chomthana Co., Ltd. (Yili Group Thailand). They shall also strictly observe the provisions of the Personal Data Protection Act, B.E. 2562 (2019) and this notification in their collection, use, and disclosure of personal data.

Clause 5 Chomthana Co., Ltd. (Yili Group Thailand) has formulated personal data security measures comprising administrative, technical, and physical safeguards for access control. These security measures shall apply to the following operations:
(a) Control of access to personal data and personal data storage and processing devices by taking their functionality and security into consideration.
(b) Determination of access authorization or rights of access to personal data.
(c) Adopting user access management to control access to personal data and restrict access to only authorized persons based on the levels of user rights to import, alter, correct, disclose, erase, and destroy personal data.
(d) Determination of user responsibilities to prevent unauthorized access, disclosure, acquisition, or illicit copying of personal data, including theft of personal data storage or processing devices.
(e) Providing appropriate audit trail reviews of the methods and means of personal data collection, use, or disclosure.

Clause 6 The Company has formulated personal data security measures comprising suitable organizational and technical measures, together with the physical measures that are necessary, according to the risk levels, the nature and purposes of personal data collection, use, and disclosure, and the likelihood and impact of personal data breaches.

Clause 7 The Company has prepared the details of these security measures and their implementation with regard to its security operations, which range from identifying key risks to its critical information assets and preventing those risks, through inspecting and monitoring for threats to and breaches of personal data and handling any threats and breaches detected, to remedying and recovering from the damage such threats and breaches cause. These security measures shall be implemented where deemed necessary, appropriate, and feasible for the risk level concerned.

Clause 8 The Company stipulates that any operation carried out under the security measures specified in this notification must take into consideration the ability to maintain the confidentiality, integrity, and availability of personal data at the applicable risk level, the technologies, context, and circumstances involved, the accepted standards for the same or similar operations, the nature and purposes of the personal data collection, use, and disclosure, and the resources required and operational feasibility.

Clause 9 The Company stipulates that the collection, use, and disclosure of electronic personal data must comply with the security measures specified in this notification, and that those measures must cover the various parts of the information system used for the collection, use, and disclosure of personal data, such as the personal data retention system and devices, servers, client computers, network systems, software, and applications, as appropriate for their risk levels. These operations must take into consideration the principle of defense in depth, which provides multiple layers of security controls so that risk is still mitigated when a particular security measure is limited in certain situations.

Clause 10 The Company stipulates that access to, use, alteration, correction, erasure, or disclosure of personal data must at least involve the following operations, as appropriate for their risk levels. Such operations must take into consideration the need for appropriate access to and use of personal data given the nature and purposes of its collection, use, and disclosure, as well as the suitable maintenance of security for the applicable risk levels, the resources required, and operational feasibility. They shall be implemented in combination with:
(a) Appropriate access control, identity proofing and authentication, and authorization on the need-to-know basis and the principle of least privilege.
(b) Appropriate user access management which may include user registration and de-registration, user access provisioning, management of privileged access rights, management of secret authentication information of users, review of user access rights, and removal or adjustment of access rights.
(c) Determination of user responsibilities to prevent unauthorized or unlawful access, use, alteration, correction, erasure, or disclosure of personal data, including cases of users acting beyond their assigned roles and duties, unauthorized or unlawful copying of personal data, and theft of personal data storage or processing devices.
(d) Appropriate audit trail reviews of the methods and means of personal data collection, use, or disclosure.

Clause 11 The Company stipulates that privacy and security awareness shall be promoted, and that its personal data protection policies, practices, and security measures shall be appropriately communicated to its personnel, users, and other persons involved in the access, collection, use, alteration, correction, erasure, or disclosure of personal data, for their acknowledgment and compliance. They shall also be informed of any amendment to the policies, practices, and measures prescribed in this notification, as appropriate for the nature and purposes of the personal data collection, use, and disclosure, the applicable risk levels, the resources required, and operational feasibility.

Clause 12 The Company maintains an inspection system for the erasure or destruction of personal data whose retention period has expired or which is no longer relevant to or necessary for the purpose of its collection, and of personal data whose deletion the data subject has requested or for which the data subject has withdrawn consent. Such erasure or destruction shall apply unless the personal data must be retained for the exercise of the right to freedom of opinion and expression, for the purposes specified in Section 24 (1) or (4) or Section 26 (5) (a) or (b) of the Personal Data Protection Act, B.E. 2562 (2019), or for the establishment, compliance with, exercise, or defense of legal claims. The provisions of Section 33 paragraph five shall apply mutatis mutandis to the erasure or destruction of personal data. The following actions shall be taken:
(a) Periodic follow-ups to determine which personal data or data sets in the Company’s care (in its capacity as a data controller) have a retention period that has expired (as notified to the data subjects in the Privacy Notice or in the request for the data subject’s consent). This practice is necessary for the erasure or destruction of such personal data, or its conversion into information that cannot identify a person, as the case may be.
(b) Where data subjects have exercised their right to have personal data collected on the basis of their consent erased or destroyed (or have withdrawn that consent) by requesting the data controller to do so, the data controller must erase or destroy the personal data or convert it into information that cannot identify a person, as the case may be.
(c) The erasure or destruction of personal data, or its conversion into information that cannot identify a person, may be exempted where the data controller has a reasonable or necessary ground for retaining the personal data that overrides the data subject’s rights, such as:

  • For the preparation of historical or archival documents for the public interest, or for research or statistical purposes.
  • For the performance of a task carried out in the public interest by the data controller.
  • For the assessment of the working capacity of employees, medical diagnosis, the provision of health or social care services, medical treatment, the management of health, social care system and services.
  • For the protection of public health against dangerous contagious diseases or cross-border epidemics, or for the control of the standards or quality of medicines, medicinal products, or medical devices.

Clause 13 The Company will review the security measures specified in this notification when necessary or when technology changes, to ensure that the security measures remain efficient and suitable. The review will take into consideration the risk level arising from factors such as technology, context, the environment, the accepted standards for agencies or operations of the same or similar nature, the nature and purposes of the personal data collection, use, and disclosure, the resources required, and operational feasibility. In the event of a personal data breach, the data controller must review the security measures referred to in the first paragraph of this clause, unless the breach presents no risk to the rights and freedoms of any person.

Clause 14 The Company, in its capacity as the data controller, shall enter into an agreement with each personal data processor requiring the processor to provide suitable security measures to prevent loss, unauthorized or unlawful access to, use, alteration, correction, or disclosure of personal data. The personal data processor is required to inform the Company of any personal data breach incident.

Clause 15 The Company may issue guidelines prescribing details of compliance with the security measures specified in this notification.

**Issued on 1 April B.E. 2568 (2025)**