Privacy Policy

Mahidol University Announcement
Re: Personal Data Protection Policy B.E.2563 (A.D.2020)

Mahidol University has carried out the process of collecting, using and disclosing personal data of its staff members, students, clients and other individuals for its own operations. It is therefore appropriate to establish a personal data protection policy in compliance with the law concerning personal data protection so as to ensure its smooth operations with a suitable and standard personal data protection policy.

By virtue of Section 34 (8) of Mahidol University Act B.E.2550 (B.E. 2007), at the 20th/2563 meeting of Mahidol University Committee on 28th October B.E.2563 (A.D.2020), the President hereby set up a personal data protection policy as follows:

Clause 1 In this announcement,
“Personal Data” means any information relating to a person which enables the identification of such person, whether directly or indirectly, including the personal information of staff members, students, clients, and research participants, but not including the information of deceased persons in particular.

Clause 2 The University shall collect, use and disclose in compliance with the following personal data protection principles:

(1)    Lawfulness, Fairness and Transparency: The collection, use or disclosure of the Personal Data shall be lawful, fair and transparent.
(2)    Purpose Limitation: The collection, use or disclosure of the Personal Data shall be proceeding under the scope and purposes specified by the University, and shall not be used or disclosed in any way other than the scope and purposes of collecting, using or disclosing those data.
(3)    Data Minimization: The collection, use, or disclosure of the Personal Data shall be limited as adequate, relevant and necessary, and shall complied with the purposes of collecting, using and disclosing those data.
(4)    Accuracy: The Personal Data that are collected, used, or disclosed shall be accurate up to date where it is necessary.
(5)    Storage Limitation: The Personal Data that are collected, used or disclosed shall be retained to the extent necessary. 
(6)    Integrity and Confidentiality: The collection, use or disclosure of the Personal Data shall be handled safely with appropriate security measures.

Clause 3 The University shall collect, use or disclose the Personal Data in accordance with its authority and accountability to perform duties in order to achieve its purposes, including conducting research with applying its results for developing the country and society as well as providing benefits for the University, producing university graduates, promoting and applying as well as developing academic affairs and advanced professions. Those also includes providing medical, nursing, public health, academic and professional services, encouraging with promoting other institutions’ staff members to participate in creation and development of knowledge, attending knowledge transfer, collaborating with domestic and international institutions, promoting and preserving religion, arts and culture, and also maintaining with utilizing the environment and natural resources in a balanced and sustainable manner.

The collection, use or disclosure of the Personal Data as stated in the first paragraph shall comply with the provisions of the law concerning personal data protection and other related laws.

In the case that such Personal Data are regarding personal health which are personal confidentiality, the University shall not disclose in a manner that is likely to cause damage to the data subject regarding to the National Health Law, unless such disclosure is directly based on the data subject’s demand, or it is permitted to do so by the law concerning personal data protection or any other laws.

Clause 4 To collect, use, and disclose the Personal Data for any operations of Mahidol University, Mahidol University shall be deemed to be a data controller who has the authority to make decisions on collecting, using, and disclosing the Personal Data. Mahidol University and its units shall perform their duties as prescribed in the law concerning personal data protection.

Clause 5 The collection, use, or disclosure of the Personal Data for the University’s operations shall be complied with the purposes notified to the data subject prior to or at the time of such collection, except the case where the data subject has been informed of the new purposes and his/her consent has been obtained prior to collecting, using or disclosing the data, or it is permitted to do so by the provisions of law.

Clause 6 The University shall collect the Personal Data for its operations to the extent necessary with appropriate retention period in relation to the lawful purposes based on the lawful basis for processing the Personal Data that is consistent with the law concerning personal data protection.
 
Clause 7 In the event that the University shall use the consent basis to collect, use or disclose the Personal Data, a request for consent is required to be made explicitly in a written statement or made through the electronic means unless it cannot be done by its nature. Additionally, to request such consent, the University is required to inform the data subject of the purpose for collecting, using or disclosing the Personal Data. Such request for consent shall be clearly separated from the other text. The consent form or statement shall be easily accessible and intelligible with using clear and plain language and does not deceptive or misleading to the data subject regarding those purposes.

To request for consent from the data subject, the University shall utmost take into account that the data subject's consent is freely given. Also, the entering into a contract as well as providing any university service shall not be a conditions to obtaining consent for collecting, using, or disclosing of the Personal Data that are neither necessary nor relevant to entering into the contract including providing those services.

The data subject may withdraw his or her given consent at any time and the consent shall be withdrawn as easily as given, unless there is a restriction on the withdrawal of consent by law or a contract that grants benefits to the data subject. Nonetheless, the withdrawal of consent shall not affect the collection, use, or disclosure of the Personal Data for which the data subject has already given his/her consent legally. Also, in the event that the withdrawal of consent affects the data subject in any matter, the University shall inform him or her of the consequences of that consent’s withdrawal.

Clause 8 To request consent for collecting, using, or disclosing the personal data from the minor who is not sui juris by marriage or has no capacity as sui juris person under Section 27 of the Civil and Commercial Code as well as the personal data of an incompetent or a quasi-incompetent, or the consent’s withdrawal of those persons, the University shall operate in accordance with the law concerning personal data protection.

Clause 9 To collect the Personal Data for the University's operations, the University shall inform the data subject a privacy notice as stipulated in the law concerning personal data protection prior to or at the time of such collection unless the data subject already knows of those details.

Clause 10 collect, use or disclose the sensitive personal data which may include racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data affecting the data subject in the same manner, as specified by the personal data committee, the University shall have the duties to protect such Personal Data in particular from being collected, used or disclosed those data unlawfully or redundantly, and the subject data's consent shall be obtained explicitly unless it is permitted by another
 
lawful basis for processing Personal Data in compliance with the law concerning personal data protection.

Clause 11 Due to the fact that part of main activities of the University’s operations shall be the collection, use, or disclosure of the sensitive personal data under Clause 10, it is required to provide a data protection officer (DPO) to perform duties as prescribed by law. Moreover, the University shall support the DPO’s work by providing adequate tools or equipment as well as facilitating access to Personal Data in order to carry out his or her duties, and shall supervise him or her to work independently without interference. However, in the event of any problem in performing DPO’s duties, he or she shall report directly to the President, Head of related working units, or the data processor who operates the processing of collection, use or disclosure of the Personal Data according to the orders, or on behalf of the University.

Clause 12 For the benefits of the University’s operations and the provision of services to the data subject, it is necessary for the University to disclose the Personal Data to other person or juristic person, who is in whether the Kingdom of Thailand or a foreign country, as a personal data processor or a data controller who has the authority to decide on the collection, use, or disclosure of the Personal Data. To disclose the personal data to that person or juristic person, the University shall proceed to have him or her keep the personal data confidential and prevent such person from using or disclosing such Personal Data for any purpose other than the scope specified by the University, or without authorization, or unlawfully.

Clause 13 To send or transfer the Personal Data to a foreign country, the University shall manage to ensure that the destination country or the international organization that receives the Personal Data shall have adequate data protection standard except the case where it is permitted to do so by the law concerning personal data protection.

Clause 14 The University shall provide access and facilities to the data subject or his/her authorized representative for exercising the data subject’s rights in accordance with the law concerning personal data protection, which include as follows:
 

(1)    Right to access to and obtain copy of the Personal Data related to him or her which is under responsibility of the University or to request the disclosure of the acquisition of the Personal Data obtained without his or her consent.
(2)    Right to receive the Personal Data related to him or her. In this case, the University shall arrange such data in a readable or commonly used format with an automatic tools or equipment, and such format can be used or disclosed the Personal Data through automated means. Additionally, the right to request the University to send or transfer the Personal Data in such format to another data controller if it can be done by the automated means, and the right to directly obtain the Personal Data in such format transferred by the University to another data controller except where technically infeasible.
(3)    Right to object the collection, use, and disclosure of his or her Personal Data.
(4)    Right to request the University to erase, destroy or anonymize the Personal data to become the data which cannot identify the data subject.
(5)    Right to request the University to restrict the use of the Personal Data.
(6)    Right to request the University to keep his/her Personal Data accurate, up-to- date, and complete without misleading.

However, the University may reject those above requests of the data subject or his/her authorized representative if is not contrary to the laws.

Clause 15 In order to protect the Personal Data, the University and its units shall provide appropriate security measures for preventing the unlawful loss, destruction, access to, use, alteration, correction and disclosure of Personal Data. In addition, such measures are required to be reviewed when necessary, or when technology changes in order to maintain effective and appropriate security. This, however, shall meet the minimum standard set by the Personal Data Protection Committee.

Clause 16 In case of any Personal Data breach, the unit shall notify the University and its DPO of this incident according to the criteria, procedure and methods set by the University. Then the University shall report such breach of Personal Data to Office of Personal Data Protection Commission and/or the data subject, as the case may be, as prescribed by law.

Clause 17 The University shall cooperate with Office of the Personal Data Protection Commission as well as the agencies that supervise or have the authority under related laws to ensure that the protection of personal data complies with the law.

Clause 18 All of the executives, staff members and students of the units of the University shall cooperate and comply with the law concerning personal data protection and other laws as well as the policies, guidelines and measures for protecting Personal Data prescribed by the University in accordance with this announcement.

The University and its units are responsible for supervising their executives, staff members and students to comply with the laws, policies, guidelines, and measures under the first paragraph.

The University and its units shall take the personal data protection as part of their enterprise risk management which risks are appropriately controlled as well as regularly monitored and reviewed.
 
Clause 19 The University may set up a complaint management system with regard to personal data protection under the criteria and procedure prescribed by the University.

Clause 20 The executives and related staff members of Mahidol University and its units are responsible for preparation of their operations in correspondence with provisions of the law concerning personal data protection as scheduled in those provision which will be effective. Also, they are responsible for supervising and proceeding to subsequent operations in compliance with the provisions of the law concerning personal data protection and this announcement.

Clause 21 Any operations under this announcement shall be handled in accordance with the regulations and announcements issued by the University.

Updated on October 27, 2023

In case that you have any inquires, comments, or recommendations about the privacy policy, personal information, or the compliance with this privacy policy document, the Faculty of Graduate Studies is pleased to answer any questions and accept any comments or recommendations which are considered as beneficial for further development. You can contact the faculty from the following address:

Faculty of Graduate Studies, Mahidol University
Address     : 25/25 Moo. 5, Faculty of Graduate Studies Building, Mahidol University Salaya, Phuttamonthon District, Nakhon Pathom
Telephone  : 0 2441 4125
e-mail         : grwww@mahidol.ac.th
Website : https://muce.mahidol.ac.th/