This Policy establishes the principles, controls, and responsibilities Optimum International Holding Group (“OIHG,” “the Group,” “we,” “our”) follows to protect personal data processed in the course of its global activities—including subsidiaries in Oil & Gas, Gold & Jewellery, Cosmetics, Food & Agriculture, and Investment. It complements (not duplicates) our public‑facing Privacy Policy and applies to all directors, officers, employees, contractors, and third‑party processors who handle personal data on OIHG’s behalf
Term | Meaning |
Personal Data | Any information relating to an identified or identifiable natural person (data subject). |
Special‑Category Data | Data revealing racial/ethnic origin, health, biometric identifiers, etc. |
Processing | Any operation on personal data (collection, storage, use, disclosure, deletion, etc.). |
Controller | The entity that determines the purposes and means of processing (normally OIHG HQ or relevant subsidiary). |
Processor | A party processing personal data on behalf of a controller (e.g., cloud host, payroll provider). |
DPO | Data Protection Officer—function responsible for overseeing compliance (appointed centrally). |
Data Subject | The individual to whom the personal data relate. |
OIHG adheres to the principles set out in Article 5 GDPR and mirrored in the UAE PDPL and Thai PDPA:
Accountability (explicit under GDPR Art. 5 (2) & UAE PDPL).
Role | Key Duties |
Board/Group Executive Committee | Approve policy; allocate resources; champion data‑protection culture. |
Data Protection Officer (DPO) | Advise, monitor, train, conduct DPIAs, liaise with regulators; independent reporting line. |
Business Unit Heads / Subsidiary MDs | Implement controls within their operations; ensure local compliance. |
IT & Security | Apply technical safeguards (access control, encryption, logging, patching, backups). |
HR | Incorporate data‑protection clauses in employment contracts; manage employee data subject rights. |
All Employees & Contractors | Follow this Policy, complete annual training, report incidents immediately. |
Third‑Party Processors | Comply with contractually mandated security, confidentiality, and sub‑processing restrictions. |
Processing must rely on at least one lawful basis (GDPR Art. 6 / UAE PDPL Art. 4 / Thai PDPA Sec. 24):
Special‑category data require an additional condition (e.g., explicit consent or employment law necessity).
We enable and document the exercise of all statutory rights, including: access, rectification, erasure, restriction, portability, objection (including marketing opt‑out), and automated‑decision review. Response within 30 days (extendable where allowed). UAE residents gain analogous rights under PDPL Art. 12; Thai individuals under PDPA Sec. 30.
Security standards align with ISO 27001 and NIST SP 800‑53 frameworks.
Violations of this Policy may lead to disciplinary measures up to and including dismissal, contract termination, or legal action. Third‑party breaches may result in contract suspension, penalties, or termination.
This Policy is reviewed annually or sooner if:
For questions about this Policy or to exercise data‑subject rights:
Data Protection Officer (DPO)
Optimum International Holding Group