ManpowerGroup Global Privacy Notice
Updated: May 2023
This ManpowerGroup Global Privacy Notice provides a framework of understanding about the personal data that is collected by ManpowerGroup Global Inc. and its subsidiaries and affiliates listed here as applicable, hereinafter each separately and/or jointly called the "Data Controller". Personal data collected by the Data Controller will be controlled and processed in accordance with the terms of this Privacy Notice.
We at ManpowerGroup Thailand and our affiliated companies worldwide are a global professional services firm focused on recruitment services, providing end-to-end Human Resource Management to organisations and helping our clients address their critical talent needs.
This Policy applies to all regions, offices, business units, projects, and functions that operate within the purview of ManpowerGroup Thailand. The scope and applicability of the Policy are as follows:
All individuals and teams including permanent and temporary associates who collect or process personal data of individuals such as employees, job applicants, contingent workers, interns, retirees, contractors, customers, business partners, shareholders, and others;
All Third Party vendors that provide services to or on behalf of ManpowerGroup Thailand;
All methods of contact, including in person, written, via the Internet, Third Party applications, direct mail, telephone, or facsimile.
The purpose of this Policy is to provide leadership direction towards ensuring the privacy of individuals from whom personal data is collected and processed by ManpowerGroup Thailand. The definition of “Processing” is broad and covers any activity or activities performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The key objectives of this Policy are:
To provide adequate guidance and framework for the secure handling of personal information in compliance with all laws and regulations applicable to ManpowerGroup Thailand;
Increase awareness of data privacy and inculcate a privacy oriented mind-set among the members of ManpowerGroup Thailand; and
Safeguard Personal Data by implementing adequate technical and organisational measures.
4. Roles & Responsibilities
This Policy has been issued under the authority of ManpowerGroup Thailand's Managing Director and is owned and governed by ManpowerGroup Thailand’s Privacy Steering Committee. Refer to the [Privacy Steering Committee] for the members making up the committee and their responsibilities.
Each employee bears a personal responsibility for complying with this Policy in the fulfilment of their responsibilities at ManpowerGroup Thailand.
All employees (permanent and temporary associates) shall ensure adherence to this Policy and shall be responsible for appropriate remedial action as described by the [Employee Undertaking on Data Privacy] incorporated in their employment contracts.
All persons who are covered by this Policy must comply with it, and where requested demonstrate such compliance.
Failure to comply with this Policy can result in disciplinary action which may include termination of services of employees or termination of the engagement of a consultant/contractor or dismissal of interns or volunteers, as the case may be, in accordance with the applicable Human Resources Policy.
6. Data Privacy Principles
ManpowerGroup Thailand has adopted the following principles to govern its use, collection, and transmission of personal data:
Personal Data shall only be processed fairly and lawfully, so that the Data Subjects understand how and why their data is processed and ManpowerGroup Thailand is able to comply with one of a number of conditions or lawful grounds for processing the data.
Personal Data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with the original purpose or purposes.
Personal Data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are collected and/or processed.
Personal Data shall be accurate, complete and current as appropriate to the purpose(s) for which they are collected and/or processed.
Personal Data shall not be kept for longer than necessary for the original permitted purpose(s). Once the personal data has satisfied its permitted purpose and there is no further lawful purpose for retention, the personal data should be deleted or anonymised. Anonymisation means removing elements from the personal data that could be used, either on their own or in combination with other elements, to identify the individual to whom the personal data relates. Examples of such elements include name, home address, mobile telephone number, national ID numbers etc. Anonymized data can be retained longer if it is no longer capable of being used to identify or re-identify any individual.
Appropriate physical, technical, and procedural measures shall be taken to:
Prevent and/or to identify unauthorized or unlawful collection, processing, transmittal of Personal Data; and
Prevent accidental loss, change to, destruction of, or damage to, Personal Data.
When transferring Personal Data out of Thailand, it shall be done according to local privacy laws and any obligations that are imposed on ManpowerGroup Thailand.
7.1 Strategy & Governance
ManpowerGroup Thailand has identified roles and responsibilities to establish a privacy management organisation structure, which is required to handle and establish the requirements identified in applicable privacy laws and regulations, including the Thailand Personal Data Protection Act B.E. 2562. A Data Protection Officer (DPO) shall be identified.
The DPO shall be responsible for activities within the privacy organisation, and shall be independent of conflicting duties. ManpowerGroup Thailand shall equip the DPO with the resources, support and training required to perform his/her role.
Name and contact details of the DPO shall be communicated and accessible to all employees and Data Subjects.
DPO shall implement formalized processes to track and address any inquiries and complaints received from Data Subjects in a timely manner.
ManpowerGroup Thailand follows a risk based approach towards its Data Privacy program. ManpowerGroup Thailand shall include privacy related risk in the existing risk register within OneTrust to document data privacy & protection risks to ManpowerGroup Thailand. The risk register shall also document the data privacy risks along with appropriate mitigation plans to remediate the risks. The risk register shall be reviewed periodically by the DPO and approved by senior management.
ManpowerGroup Thailand shall define and document a privacy compliance plan and update the plan at least annually to incorporate changes in its environment (such as change in operations, privacy landscape, legal and regulatory requirements, contracts (including service-level agreements with third parties), business operations and processes, IT security matters and technology etc.).
As modern technology plays an important part in processing Personal Data, and with it elevated risks to Personal Data if not handled correctly, ManpowerGroup Global has a Global Technology (“GT”) team to centrally evaluate and approve new technology projects undertaken at the country, region or global level. ManpowerGroup Thailand shall, before carrying out new project initiatives, seek approval from GT, which will in turn communicate its approval to the DPO and Local Information Security Officer (“LISO”). The DPO and/or LISO are not obliged to support the project without GT’s approval.
From time to time, and as advised by the DPO, ManpowerGroup Thailand shall develop/ update procedures, guidelines and best practices around data protection and privacy, and publish these to the relevant stakeholders.
Effectiveness of privacy controls shall be monitored by DPO on an ongoing basis and appropriate measures shall be taken by ManpowerGroup Thailand to address identified deficiencies which shall be monitored for remediation.
Findings and recommendations that come as a result of risk assessment, reviews, audits and monitoring activities of the privacy program shall be communicated to ManpowerGroup Thailand Management as applicable.
7.2 Training & Awareness
Training & awareness materials around data protection and privacy shall be developed for ManpowerGroup Thailand employees. ManpowerGroup Thailand shall also develop role based trainings for individuals or teams considering their role and nature of processing. ManpowerGroup Thailand shall ensure that account managers are identified for identifying and imparting training to the associates present on respective clients.
Data Privacy training and awareness programs shall be conducted on a periodic basis (at minimum annually) for all employees working at ManpowerGroup Thailand;
The training should also be imparted as a part of the new joiners induction to all employees as applicable;
Training attendance records shall be maintained for documentation and audit trail.
7.3 Collection of Personal Data
ManpowerGroup Thailand shall ensure that any personal data collected is adequate, relevant and limited to what is necessary in relation to each individual purpose for which they are processed. The same shall be ensured at all collection points and by respective function leads;
If Personal Data is collected directly from the Data Subject, ManpowerGroup Thailand shall:
Provide a concise, transparent, intelligible, easily accessible, and adequate notice to the Data Subject (employee/ customer/ vendor or others) in physical or electronic format. The notice shall be written in clear and plain language.
The privacy notice shall provide the following information:
Contact details for ManpowerGroup Thailand;
The purposes of processing undertaken and their associated legal grounds, including where we use legitimate interests as that ground;
The categories of recipients of the data;
Whether it will be transferred outside a particular region or country (e.g. EU, Australia)
The types of personal data processed and how long they will be kept.
The rights of the data subjects (dependent upon the local applicable laws)
Notify the data subject if there is a change in the purpose of data collection.
These disclosures shall be given as soon as possible, and preferably at the first point of contact with the Data Subject.
ManpowerGroup Thailand shall comply with the policies mentioned in this section while collecting personal data and providing privacy notice via the [Privacy Statement] for external and internal facing parties.
7.4 Data Visibility
ManpowerGroup Thailand shall maintain records to document the Personal Data processing activities under its responsibilities, in the form of Asset Register and Records of Processing Activities (“ROPA”) maintained on OneTrust.
Personal Data shall include data which can identify an individual directly or indirectly. It includes reference numbers, location data, online identifiers, such as cookies, or references to aspects of an individual’s life, even when ManpowerGroup Thailand does not know their identity directly.
As a Data Controller, ManpowerGroup Thailand shall maintain documented records including the following:
Details of the controller/ joint controller(s)
Purposes of the processing.
Description of the categories of Personal Data.
Categories of recipients to whom the personal data is disclosed/ transferred including third parties.
Geographies of recipients.
As a Data Processor, ManpowerGroup Thailand shall maintain documented records, in line with instructions of the controller, including the following:
Details of the processor(s) and of the controller on whose instructions processing takes place.
Types of processing activities carried out for that controller.
Description of the categories of personal data.
Categories of recipients to whom the personal data is disclosed/ transferred including third parties.
Geographies of recipients.
Function and client operation teams shall identify their point of contact (“PoC”) handling personal data and shall develop, maintain and update their Asset Registers and ROPAs. The Asset Registers and ROPA in OneTrust shall be reviewed and updated periodically (at minimum annually) or in the event of any significant changes to the processing activities.
7.5 Processing of Personal Data
ManpowerGroup Thailand shall not process Personal Data in the absence of a valid business and legal basis compliant to local laws and regulations. This shall be ensured by respective function heads.
Periodic reviews/ audits shall be conducted to verify and ensure that function teams and client operations teams collect/ process personal data appropriately in compliance with privacy notices, contracts and this Policy with respect to the compliance plan.
7.6 Privacy Impact Assessment (“PIA”)
Not applicable. It is not a requirement to have PIA under the Thai PDPA.
7.7 Disclosure to Third Party Vendors
ManpowerGroup Thailand has established a vendor governance program to ensure:
Appropriate due-diligence covering data privacy and security is carried out prior to on-boarding new Third Party vendors (vendors) using the [ManpowerGroup Supplier Assessment Questionnaire], which will then be assessed by the DPO and/or LISO.
Contracts signed with vendors cover adequate security and privacy obligations as well as clear instructions around how Personal Data shall be handled through the [Data Processing Agreement].
Compliance of vendors with their security and privacy obligations is reviewed/ monitored periodically.
Due diligence of vendors should be performed by a central department responsible for on-boarding the vendors and it shall be further assessed whether the vendor can successfully be contracted;
Only successfully identified vendors shall be utilized for processing any personal data on behalf of ManpowerGroup Thailand.
ManpowerGroup Thailand shall clearly notify Data Subjects prior to transfer of their Personal Data to Third Party vendors. If not notified previously, the Data Subject shall be notified prior to performing the transfer and their consent shall be obtained (where necessary);
In order to fulfil ManpowerGroup Thailand’s obligations as a Data Processor, ManpowerGroup Thailand shall ensure that their clients have provided written authorization for the use of Third Party vendors individually (for example in their contracts);
Personal Data shall be shared to Third Party vendors only for reasons consistent with the purposes for which the data were originally collected or other purposes authorized by law.
7.8 Cross Border Transfer of Personal Data
In the event Personal Data is to be transferred out of Thailand, ManpowerGroup Thailand must ensure the transfer is done in compliance with the law that is in force at the time of transfer, or any obligations that ManpowerGroup is subject to. An example of such an obligation is if ManpowerGroup Thailand receives EU residents’ personal data from EU entity/entities pursuant to EU Standard Contractual Clauses (EU SCCs). Under the EU SCCs, ManpowerGroup Thailand must sign the same or substantially similar EU SCCs with the recipient(s) it exports the personal data to.
Additionally, in order to fulfil ManpowerGroup Thailand’s obligations as a Data Processor, ManpowerGroup Thailand shall ensure that their clients have authorized the transfer of Personal Data across borders of the country in which the information was initially collected. Evidence of authorisation should be explicitly reflected in the service agreement between ManpowerGroup Thailand and client.
7.9 Security of Personal Data
ManpowerGroup Thailand has implemented appropriate technical and organisational safeguards, in line with industry standards (such as ISO 27001/27701, NIST etc.) to ensure the security of Personal Data, including the prevention of their alteration, loss, damage, unauthorized processing or access, having regard to the state of the art, the nature of the data, and the risks to which they are exposed by virtue of human action or the physical or natural environment.
ManpowerGroup Thailand has developed and published information security policies, procedures and guidelines to all employees and contractors.
Employees and contractors shall adhere to ManpowerGroup Thailand security policies, practices and any additional guidance issued by the Information Security Team and the DPO while processing Personal Data.
Confidentiality agreements/undertakings and NDAs covering data protection and privacy responsibilities shall be signed by all employees & contractors on or before their joining date.
Employees, contractors and Third Party vendors shall have access only to the Personal Data necessary for the fulfilment of their employment/ contractual duties.
ManpowerGroup Thailand shall comply with the security safeguards as per its contractual and legal requirements in consultation with its Information Security Team.
Information Security Team and DPO shall assess the security measures implemented to safeguard Personal Data on a regular basis and update the same, where required.
7.10 Data Retention and Disposal Policy
Personal Data shall not be retained longer than required for the purpose it was collected for, or as defined by the [Data Retention and Disposal Policy], after considering other regulatory requirements.
Personal Data shall be erased if their storage violates any of the data protection rules or if knowledge of the data is no longer required by ManpowerGroup Thailand or for the benefit of the Data Subject.
Where erasure is not possible without disproportionate effort due to the specific type of storage, over-writing, anonymization or another method of removal of the data from live systems shall be used.
Disposal of Personal Data shall be handled with utmost care and shall be governed by the [Data Retention and Disposal Policy].
Where third parties are disposing of Personal Data on behalf of ManpowerGroup Thailand a certificate or other notification of the destruction shall be required.
In order to fulfil ManpowerGroup Thailand’s obligations to their clients, Personal Data obtained from clients shall be retained in line with the written instructions of the client. In the absence of any requirement by the client, Personal Data used for a project shall be disposed of once the project is complete, or as defined by ManpowerGroup Thailand’s [Data Retention and Disposal Policy].
7.11 Data Quality
ManpowerGroup Thailand shall implement reasonable processes to monitor the quality of the Personal Data it stores/ processes.
Each function shall take steps to ensure that Personal Data it collects or processes is complete and accurate in the first instance and recorded in a manner to give a true picture of the current situation of the Data Subject.
ManpowerGroup Thailand shall take necessary measures to correct Personal Data which it knows to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the Data Subject does not request rectification. Inaccurate Personal Data shall be erased or replaced by corrected or supplemented Personal Data.
7.12 Data Subject Rights
To the extent allowed under applicable local laws, Data Subjects shall have the right to:
Request access to copies of their Personal Data.
Request information on the processing activities carried out with their Personal Data.
Request that their Personal Data is rectified if it is inaccurate or incomplete.
Request erasure of their Personal Data in certain circumstances.
Request that the processing of their Personal Data is restricted in certain circumstances.
Object to processing of their Personal Data in certain circumstances.
Lodge a complaint with the data protection authority (“DPA”).
Object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects on or significantly affects the Data Subject.
DPO shall regularly review the process to ensure all requests raised by Data Subjects are addressed by the departments holding Personal Data, in a timely manner and in compliance with local laws and regulations.
DPO shall oversee the departments in fulfilling Data Subjects’ requests and ensure the department provides a legal justification in writing (physically or electronically) when a request is denied.
DPO shall ensure the departments maintain records of such requests irrespective of their fulfilment status.
As a Data Processor, ManpowerGroup Thailand shall support its clients in fulfilling requests they receive from their Data Subjects based on the written instructions provided by the client.
An internal procedure document: [Procedure for Handling Data Subject Requests] is maintained around handling Data Subject requests, including submitting all requests and responses to the DPO.
7.13 Privacy by Default & Design
ManpowerGroup Thailand shall establish a process to proactively embed privacy as the default state of all products, technologies and services. It will ensure privacy is considered at the initial planning/design stages and not as an afterthought, and apply throughout the complete development process of new processes/ services/ technologies that involve processing of Personal Data.
In implementing Privacy by Default and Design, considerations shall be made for technical and organisational measures to enhance privacy by using one or more from the list of non-exhaustive measures such as encryption, pseudonymization, anonymization, data minimization, data aggregation, limiting sharing of Personal Data with those on a need-to-know basis, limiting the storage duration of Personal Data etc. In addition, appropriate technical and organisational measures shall be considered to ensure that Personal Data collected or processed is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
An important step in implementing Privacy by Design and Default is to execute a PIA of the new processes/ services/ technologies at the initial planning/design stages where potential privacy issues are identified and remediation factored into the project.
7.14 Data Privacy and Breach Management
ManpowerGroup Thailand shall formulate and implement an incident and breach management mechanism to ensure that exceptions to compliance with the data privacy manual are promptly reported to the incident response teams and DPO;
All employees and contractors shall be aware of the mechanism of raising data privacy and security incidents;
The DPO shall work closely with the incident response and Information Security teams (plus Legal and senior management where appropriate) to investigate potential data privacy and data breach incidents and track to closure;
DPO shall maintain an inventory of such incidents and shall record the lessons learnt;
As a Data Processor, ManpowerGroup Thailand shall notify its clients, in line with the applicable laws and as mandated contractually, of any potential data privacy and data breach incidents;
A [Data Breach Notification Procedure] is maintained to identify, track, review and investigate incidents to identify potential data breaches. As applicable, the DPO shall take actions to notify data protection authorities and Data Subjects.
7.15 Automated Profiling and Decision Making
Processing activities involving fully automated decision-making, including profiling, which produces legal effects or similarly significantly affects data subjects shall not be performed unless:
It is necessary for entering into or performance of a contract between ManpowerGroup Thailand and the Data Subject;
It is authorized by law (e.g. for the purposes of criminal background check); or
The Data Subject has provided explicit consent.
PIAs shall be conducted prior to carrying out any processing activities involving automated profiling or decision making to identify the potential risks to Data Subjects.
DPO and if needed, external legal counsel, shall be engaged during the PIA process to assess the risks and identify appropriate mitigation measures.
ManpowerGroup Thailand shall ensure to notify Data Subjects prior to or during the collection of Personal Data that shall be subject to automated decision making or profiling.
Data Subjects shall be provided the opportunity to object to automated decision making or profiling when:
it is based on automated processing; and
It produces a legal effect or a similarly significant effect on the individual.
In such circumstances, Data Subjects shall be given the opportunity to:
obtain human intervention;
express their point of view; and
obtain an explanation of the decision and challenge it.
As a Data Processor, ManpowerGroup Thailand shall only carry out automated decision making and profiling activities on the Personal Data received from clients based on the authorization and written instructions from the client.
7.16 Managing Changes to Processes/ Solutions/ Technology
No new or expanded collection or processing activities involving Personal Data may be undertaken without first obtaining approval from the DPO.
PIAs through assessment of compliance shall be performed for any new/ changes to major process/ solution/ technology, which requires the processing of Personal Data.
Personnel at all levels shall apply the following while making changes in existing processes/ technologies:
Collection and use of Personal Data shall be avoided or limited when reasonably possible.
Personal Data shall be de-identified when the purposes of data collection or processing can be achieved at reasonable cost without personal identification.
The purpose(s) of the collecting or processing of Personal Data shall be expressly identified by the business unit preparing any new or expanded data collection and processing activity or function.
Personal Data may only be used for the purposes for which they were originally collected, plus historical, statistical, scientific, or legally mandated purposes.
7.17 Monitoring and Enforcement
For the purpose of periodic monitoring, the following processes shall be implemented:
7.17.1 Performance Measurement
ManpowerGroup Thailand shall develop key performance indicators (KPIs) for measuring the compliance and performance of the current processes related to data privacy. The DPO shall periodically track and monitor the KPIs and identify appropriate remedial actions for functions and client operations teams.
7.17.2 Compliance Assessments
The DPO shall work with the Privacy Steering Committee to develop processes to carry out periodic reviews for all functions and client operations to monitor whether processing activities are carried out in line with this Policy.
This Policy may be revised at any time. Notice of significant revisions shall be provided to employees and contractors through the Intranet Portal of ManpowerGroup Thailand or e-mail communication and to others through an appropriate mechanism selected by the DPO.
This Policy shall be available to employees and contractors through the Intranet Portal of ManpowerGroup Thailand or e-mail communication and to others through an appropriate mechanism selected by the DPO.
9. Key Terms & Definitions
Data Controller: The entity that determines the purposes, conditions and means of the processing of Personal Data.
Data Subject: A natural living person whose Personal Data is processed by a Data Controller or Data Processor.
Data Processor: The entity that processes Personal Data on behalf of the Data Controller.
Processing: Any operation performed on Personal Data, whether or not by automated means, including collection, use, recording, holding, accessing, etc.
Third Party: Third party, in relation to personal data, means any person other than the data subject, the Data Controller, or any Data Processor or other person authorized to process data for the Data Controller.
Personal Data: Any data related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person, by ManpowerGroup Thailand or another body or person, e.g., Name, Address, Phone Number, IP Address, geo location, internal reference numbers, etc.
[Last updated on 10/05/2023]