Privacy Policy

Recognizing the importance of safeguarding the personal data entrusted to it and in compliance with the Personal Data Protection Act B.E. 2562 (2019), Ricoh (Thailand) Limited and its affiliated companies (collectively referred to as the “Company”) have established this Personal Data Protection Policy (the “Policy”). The purpose of this Policy is to set forth the Company’s guidelines and practices for the protection of personal data.

Scope of Application

This Policy applies to the Board of Directors, directors, executives, employees, staff, interns, contractors, external parties, or any individuals acting on behalf of or in cooperation with the Company, as well as any persons who become aware of personal data in connection with the Company’s operations. All such persons are required to comply with this Policy and with the applicable legal requirements.

The Company expects all individuals subject to this Policy to thoroughly understand and strictly adhere to the principles and guidelines set forth herein. Any violation of this Policy or of any practices implemented under it will result in the Company taking necessary measures, which may include disciplinary or other appropriate actions against the violator.

Objectives

  1. To ensure that the Company’s personal data protection practices are carried out in full compliance with applicable legal requirements.
  2. To provide guidelines for the protection of personal data collected and processed by the Company, so that employees and all parties involved strictly adhere to these practices.
  3. To assure data subjects that the personal data collected by the Company will be safeguarded, managed, and processed appropriately, transparently, and in accordance with the provisions of personal data protection laws.

Definitions

“Data Controller” means a person or legal entity who has the authority and responsibility to make decisions regarding the collection, use, or disclosure of Personal Data.

“Data Processor” means a person or legal entity who collects, uses, or discloses Personal Data on behalf of, or under the instructions of, the Data Controller, provided that such person or legal entity is not a Data Controller.

“Personal Data” means any information relating to an individual which enables the identification of that individual, whether directly or indirectly, but does not include information of a deceased person specifically.

“Sensitive Personal Data” means Personal Data concerning race, ethnicity, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health information, disability, trade union information, genetic data, biometric data, or any other information of a similar nature as prescribed by the Personal Data Protection Committee.

“Cookies” means small computer files that temporarily store necessary Personal Data on the Data Subject’s computer to facilitate and enhance communication, effective only during the Data Subject’s access to the Company’s website.

“Data Subject” means a natural person who is the owner of the Personal Data.

“Processing” means the collection, use, or disclosure of Personal Data as defined under the Personal Data Protection Law.

“Personal Data Protection Law” means the Personal Data Protection Act B.E. 2562 (2019) and all relevant subordinate regulations.

Key Principles of Personal Data Protection

The Company processes Personal Data in accordance with the following fundamental principles:

  1. Lawfulness, Fairness, and Transparency - The processing of Personal Data must be lawful, fair, and transparent to the Data Subject.
  2. Purpose Limitation - Personal Data shall be processed only within the scope of the purposes specified by the Company, which must be clear, legitimate, and lawful. Data shall not be processed in a manner inconsistent with or beyond those specified purposes.
  3. Data Minimization - The processing of Personal Data shall be limited to what is adequate, relevant, and necessary in relation to the purposes for which the data is processed.
  4. Accuracy - Personal Data shall be accurate and, where necessary, kept up to date. Appropriate measures shall be taken to ensure that inaccurate data is corrected or amended as required.
  5. Storage Limitation - Personal Data shall be retained only for as long as is necessary for the purposes of processing, unless a longer retention period is required by law.
  6. Integrity and Confidentiality - Appropriate security measures shall be implemented to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  7. Respecting Data Subject Rights - The Company shall establish clear measures and procedures to enable Data Subjects to exercise their legal rights, including the right to access, correct, delete, restrict processing, transfer, withdraw consent, or object to processing. The Company will respond to such requests within a reasonable time and as required by law.
  8. Data Sharing and Transfer - Where it is necessary to disclose or transfer Personal Data to third parties or to countries outside Thailand, the Company shall implement appropriate data protection measures and ensure that the recipients provide adequate data security safeguards and comply with applicable legal requirements.

Implementation of Key Personal Data Protection Principles

The Company places the highest importance on the protection of Personal Data. Measures for the protection of Personal Data are established in compliance with the Personal Data Protection Law, together with internal controls, operational guidelines, and manuals to ensure that Personal Data protection is carried out effectively and in alignment with the key principles of Personal Data protection. All Company employees are required to strictly comply with the applicable laws, this Policy, and related practices.

To ensure that the key principles of Personal Data protection described in Section 4 are effectively implemented, the Company adopts the following measures:

  1. The Personal Data Protection Policy (“Privacy Policy”) is approved by the authorized person(s), announced, and communicated to all employees and relevant departments. The Policy shall be reviewed and updated regularly to remain current.
  2. Employees are provided with training and education to raise awareness and understanding regarding Personal Data protection.
  3. The processing of Personal Data of Data Subjects must be lawful, fair, transparent, limited in scope, and aligned with the specified purposes.
  4. The collection of Personal Data must be proportionate, consistent with the defined purposes, and based on a valid legal basis for processing.
  5. Personal Data may be retained only for the period specified by the Company and/or as required by law. Data that exceeds the retention period must be deleted, destroyed, or rendered non-identifiable.
  6. The processing of Personal Data must ensure information security, including protection against unauthorized processing, intentional or accidental deletion or destruction, and effective management of information security risks within an acceptable level for the organization.
  7. Processes related to the processing of Personal Data shall be subject to regular audits.
  8. Where consent from a Data Subject is required, such consent must be explicit, expressed in clear language, presented in an accessible and easily understandable format, and written in plain and readable terms.
  9. Methods, channels, and responsible persons shall be designated to receive complaints, requests, and any actions relating to the exercise of Data Subject rights under the Personal Data Protection Law.
  10. Procedures and responsible persons shall be designated to handle investigations, internal inquiries, and reporting in the event of a Personal Data breach.
  11. Records required under Section 39 of the Personal Data Protection Law shall be maintained, including information such as the types of Personal Data collected and details of the Data Controller, and shall be reviewed and updated regularly to allow inspection by Data Subjects and the Personal Data Protection Committee.
  12. Data processing agreements or contracts shall be executed where the Company engages or assigns third parties to process Personal Data on its behalf.
  13. Internal measures shall be established for the transfer or transmission of Personal Data outside the Company, whether domestically or internationally.
  14. The roles, authority, duties, and responsibilities of the Data Protection Officer (DPO) shall be clearly defined to oversee, advise, and monitor Personal Data processing, as well as to act as the primary contact point for Data Subjects and regulatory authorities.

Data Deletion, Destruction, or Anonymization

The Company requires the deletion, destruction, or anonymization of Personal Data so that it can no longer identify the Data Subject once the retention period has expired or the purpose of storage has been fulfilled, unless retention is required by law. In such cases, the Company will retain the data only as long as legally mandated and, upon the expiration of such period, will immediately delete, destroy, or anonymize the data.

All deletion, destruction, or anonymization of Personal Data must be carried out using secure and irreversible methods to prevent recovery or restoration. Examples include shredding physical documents, using secure erasure techniques for electronic data, or applying anonymization methods. All such activities must be performed under the supervision and verification of authorized Company personnel, and the relevant departments handling the data must strictly adhere to these procedures.

Cross-Border Data Transfer

The Company may, when necessary, transfer Personal Data to foreign countries for purposes such as cloud storage, engagement of external service providers, or the Company’s business operations. Any such transfer will be conducted in compliance with Sections 28 and 29 of the Personal Data Protection Act B.E. 2562 (2019) and all relevant subordinate regulations, in accordance with the following practices:

  1. The Company will transfer Personal Data only to countries that provide an adequate level of Personal Data protection as announced by the Personal Data Protection Committee.
  2. If the destination country has not been certified as providing adequate protection, the Company will implement Standard Contractual Clauses (SCCs) or other appropriate data protection measures as required by law.
  3. Legal Exceptions

    The Company may transfer Personal Data to foreign countries without the need to assess the destination country’s protection standards if any of the following legal exceptions apply:
    • The Data Subject has given explicit consent.
    • The transfer is necessary for the performance of a contract between the Data Subject and the Company, or for taking steps at the Data Subject’s request prior to entering into a contract.
    • The transfer is necessary for the performance of a contract between the Company and another person or legal entity for the benefit of the Data Subject.
    • The transfer is necessary to prevent or suppress danger to the life, body, or health of the Data Subject or another person.
    • The transfer is necessary for carrying out tasks in the public interest.
  4. Any cross-border transfer and processing of Personal Data must be carried out securely, in compliance with the Company’s minimum security standards, and in alignment with the Company’s information security policies and procedures.

    All departments involved in handling Personal Data must strictly comply with this Policy to ensure that cross-border data transfers are conducted in accordance with applicable laws and the Company’s security practices.

Controlling Other Parties Involved in the Processing of Personal Data

The relevant business units must establish and enforce provisions on personal data protection in agreements between the Company and external parties (Data Processors/Third Parties). Such agreements must cover at least the following areas:

  1. Non-Disclosure Agreement (NDA)
    • External parties must maintain the confidentiality of all personal data received and are prohibited from disclosing or using such data for any purpose not expressly authorized.
  2. Details of Personal Data Processing
    • Specify the categories of personal data to be processed.
    • Define the purposes of processing.
    • Indicate the duration of the processing activities.
  3. Audit Rights
    • The Company reserves the right to audit and monitor the personal data processing activities of external parties.
    • Audits may be conducted at scheduled intervals or whenever there is reasonable suspicion of a security risk.
  4. Data Return, Deletion, or Destruction
    • External parties must delete, destroy, or return personal data to the Company upon the expiration of the processing period or upon the Company’s request.
    • Deletion or destruction methods must ensure that the data cannot be recovered or reused.
  5. Personal Data Breach Notification
    • External parties must immediately notify the Company of any personal data breach.
    • Notifications must include details of the incident, its potential impact on data subjects, and the corrective measures taken.

Principles for Personal Data Processing

All processing of personal data by the Company shall be carried out lawfully and in accordance with the following key principles:

  1. Processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into such contract.
  2. Processing is necessary to prevent or suppress danger to the life, body, or health of an individual.
  3. Processing is necessary for the performance of a task carried out in the public interest by the data controller or for the exercise of official authority vested in the data controller.
  4. Processing is necessary for the legitimate interests of the data controller or of a third party, except where such interests are overridden by the fundamental rights of the data subject.
  5. Processing is necessary for the achievement of objectives relating to the preparation of historical or archival records for the public interest, or for research or statistical purposes, provided that appropriate safeguards are in place to protect the rights and freedoms of data subjects as required by applicable data protection laws.
  6. Processing is necessary for compliance with a legal obligation to which the data controller is subject.
  7. The data subject has given explicit consent to the processing of their personal data.

Rights of Data Subjects

The Company recognizes the rights of data subjects under the Personal Data Protection Act (PDPA) and is committed to facilitating the exercise of those rights. Data subjects are entitled to the following rights:

  1. Right to be Informed - The Company will provide a clear and comprehensive Privacy Notice stating the purposes of personal data processing, as well as a Cookie Policy describing the types of cookies used and their purposes.
    In the event that the Company processes personal data for purposes not previously disclosed or beyond the scope of any given consent, the Company will inform the data subject and/or obtain additional consent prior to such processing.
  2. Right to Withdraw Consent - Data subjects may withdraw their consent to the processing of personal data at any time.
  3. Right of Access - Data subjects may request access to their personal data and obtain a copy of their personal data processing activities, including information regarding the source of the data.
  4. Right to Rectification - Data subjects may request the correction or updating of inaccurate or incomplete personal data to ensure accuracy, currency, and to prevent misunderstandings.
  5. Right to Erasure - Data subjects may request the deletion, destruction, or anonymization of their personal data.
  6. Right to Data Portability – Data subjects may, in the event that the Company’s systems support the reading or use of personal data through commonly used automated tools or devices, and such personal data can be used or disclosed automatically, request a copy of their personal data. Data subjects may also request that such personal data be automatically transferred to another data controller and may receive the personal data that has been transmitted or transferred.
  7. Right to Restrict Processing - Data subjects may request the suspension of the processing of their personal data under certain conditions.
  8. Right to Object - Data subjects may object to the processing of their personal data, subject to the conditions set out in the Privacy Notice. The Company may refuse such requests where there is a legitimate legal basis, a court order, or where the processing is necessary to protect the rights or freedoms of the data subject or other persons.

Data subjects wishing to exercise any of the above rights may contact:

Data Protection Compliance Office

Location: Ricoh (Thailand) Limited – Head Office (Onnut)
341 Onnut Road, Prawet, Bangkok 10250, Thailand

Email:
[email protected]

Types of Personal Data Processed by the Company

The Company collects personal data directly from data subjects—for example, through communications, quotations, recruitment, contract execution, job applications, and participation in various activities. Personal data may also be obtained from other sources, such as government agencies, business partners, or third parties. The Company collects and processes both general personal data and sensitive personal data as defined by law, as follows:

  1. General Personal Data
    1. Personal Details (Basic Information) – e.g., title, full name, gender, date of birth, age, education, marital status, nationality.
    2. Contact Information – e.g., mailing address, email address, phone number, reference persons, business contact details.
    3. Identity Verification Details – e.g., photographs, national identification number, passport number, driver’s license, signature, taxpayer identification number.
    4. Employment Details – e.g., occupation, job title, income, compensation, employer information.
    5. Financial/Transaction Details – e.g., bank account information, payment records, outstanding payment history.
    6. Marketing and Service Usage Data – e.g., website or application usage history, cookies, log files, activity registration records.

  2. Sensitive Personal Data
    The Company may collect and process certain categories of sensitive personal data only on a clearly defined legal basis and with appropriate security measures, such as:
    1. Health Data
    2. Biometric Data – e.g., fingerprints, facial recognition, voice recognition, iris scans.
    3. Religious Information appearing on national ID cards (if incidentally obtained without intention).
    4. The Company has no policy to collect sensitive data beyond what is necessary, unless permitted by law or with the explicit consent of the data subject.

  3. Criminal Record
    The Company does not have a policy to collect, use, or disclose criminal record data of data subjects, except where explicitly required by law. In such cases (if applicable in the future), processing will be carried out in accordance with internal guidelines established by the Strategic People Management Division and in compliance with the Personal Data Protection Act B.E. 2562 (2019) and related subordinate regulations.

  4. Unnecessary Data Processing
    If the Company receives a copy of a national identification card for identity verification or any transaction that may contain sensitive personal data (such as religion or blood type), the Company has a strict policy not to retain unnecessary information unless legally authorized. Employees or relevant parties must redact, destroy, or anonymize such data (Redaction/Anonymization) before storing or recording the document.

Cookie Policy

The Company uses cookies and similar technologies on its websites and systems to enhance user experience, analyse user behaviour, and improve services. Some types of cookies are essential for system functionality, while others are used for analytics or marketing purposes. Users may reject or adjust their cookie preferences at any time. Cookie data will not be used to identify individuals without authorization, and any disclosure of such data to third parties will strictly comply with the requirements of the Personal Data Protection Act (PDPA).

All departments involved in the collection and processing of cookie-related data must strictly adhere to this policy to ensure that the use of cookies and related information is fully compliant with personal data protection laws.

Privacy by Design

The Company shall incorporate personal data protection considerations from the earliest stages of service design, in accordance with the following principles:

  1. Limited Data Collection: Collect only personal data that is necessary and appropriate for clearly defined purposes.
  2. Limited Data Processing: Process personal data solely for the specified purposes and only to the extent necessary.
  3. Accuracy and Data Quality: Ensure that collected and processed data is accurate, complete, and up to date.
  4. Minimum Purpose Specification: Clearly define and limit the purposes for processing personal data to only what is required.
  5. Deletion or Anonymization: Implement measures to delete, destroy, or anonymize personal data once the intended purpose has been fulfilled.
  6. Temporary Data Management: Securely store and control personal data used during processing to prevent unauthorized access.
  7. Data Retention Period: Establish and apply appropriate retention periods in line with the stated purposes and legal requirements.
  8. Secure Data Sharing Measures: Safeguard against risks when exchanging or sharing personal data with external parties.

Privacy Impact Risk Assessment

Relevant departments shall participate on an ongoing basis to ensure that any business activities, projects, or actions do not adversely affect the rights of data subjects. Before initiating any activity, the relevant departments must jointly review and assess the potential impacts on personal data together with the business units, in order to establish appropriate risk-control measures and effectively prevent personal data breaches.

Data Security

  1. Personal data processed by the Company shall be kept confidential and disclosed only to personnel authorized by law, regulations, or applicable security measures.
  2. Relevant departments are jointly responsible for controlling access to personal data and must ensure that personnel are granted access rights only to the extent necessary for the performance of their duties.
  3. Any request for special access to personal data beyond the designated scope must be reviewed and approved by the data subject.
  4. Technical and administrative measures shall comply with the Company’s Information Security Policy, including but not limited to password protection, encryption of data during storage and transmission, secure storage environments, and monitoring of data access to prevent unauthorized access or disclosure.
  5. Where an external party is engaged to store or process personal data, a written agreement must clearly specify the data security measures to be applied, including procedures for the destruction or deletion of personal data upon termination of services or once the intended purpose of use has been fulfilled. All such actions must strictly comply with the Personal Data Protection Act (PDPA) and applicable subordinate regulations to mitigate the risk of personal data breaches.

Personal Data Breach Management Process

If any individual becomes aware of a personal data breach involving the Company, such individual must immediately report the incident to the Company’s Data Protection Officer (DPO). All such reports will be kept confidential. Upon receiving a breach notification, the Company will promptly investigate the facts surrounding the incident and propose appropriate corrective measures to the Company’s management for further action.

Company’s Legal Obligations

  1. The Company shall provide a privacy notice to data subjects prior to or at the time of collecting their personal data.
  2. The Company shall process personal data only for the purposes that have been notified to the data subject and on a lawful basis as required by applicable law.
  3. The Company shall implement appropriate security measures to protect personal data and prevent any unauthorized use or disclosure, in accordance with the requirements of the Personal Data Protection Act (PDPA).
  4. The Company shall establish a system to review and ensure the deletion or destruction of personal data once the retention period has expired or when such data is no longer relevant or necessary for the stated processing purposes.
  5. The Company shall maintain procedures for notifying and managing personal data breach incidents.
  6. The Company shall execute personal data processing agreements with any data processors engaged to process personal data on its behalf.
  7. The Company shall perform any other duties as required under the Personal Data Protection Act and relevant subordinate regulations.

Roles, Duties, and Responsibilities

The Company’s management is responsible for monitoring and ensuring that all departments comply with this Policy, as well as for promoting awareness among employees so that personal data protection becomes an integral part of the Company’s operations.
All employees are responsible for performing their duties in accordance with this Policy, established work procedures, and applicable personal data protection laws.

Policy Review and Update

The Company will regularly review this Policy to keep it current and will update it as necessary to reflect changes in circumstances or legal requirements. Any updates or revisions will be communicated to all employees through appropriate internal channels, such as email, the intranet system, or other internal communication platforms.


Issued on 9 October 2025