Under the PDPA, a personal data means any data or information relating to an individual which enable us to identify such individual, whether directly or indirectly, from that data or information alone or in a combination with other identifiers we possess or can reasonably access, except information of the deceased. The personal data can be categorised as follows:
The type of personal data we collect from you may be different depending on who you are and your relationship with us. The collected personal data may include:
|General personal data||
|Sensitive personal data||Religion, health data (e.g. blood group)|
If you do not or are unable to provide your personal data which we require, we may not be able to establish a relationship with you or offer you our products and/or services including our employment with you and other benefits and welfare.
We will collect your personal data directly from you, but sometimes from publicly available sources and/or from other third parties, provided that we will ensure that we fully comply with the PDPA.
Those other third parties may include our subsidiaries, authorised business partners, service providers or vendors.
We collect, use, disclose, transfer or process your personal data by fair and lawful means to the extent necessary to achieve our purposes. The lawful basis includes:
We may use your personal data for purposes as follows:
4.1 Our contract with you
We will rely on the performance of contracts to which you are a party to use your personal data. Depending on the nature of each contract with us, we may use your personal data for the following reasons:
4.2 Our legitimate interests
We may rely on the purpose of legitimate interests pursued by us or by a third party which require us to use and process your general personal data, except where such interests are overridden by your interests or fundamental rights and freedoms.
For instance, we have legitimate interests which allow us to process your collected personal data in the following circumstances:
4.3 Our legal compliances and legal claims
We will rely on the purpose of legal compliances when it is required or allowed by any applicable laws to which we are subject. For instance, we rely on legal compliance or legal obligation grounds to process your collected personal data in the following circumstances:
We may rely on the legal claims basis to process your sensitive personal data to establish, comply, exercise or defend legal claims against you or initiate litigation action to protect our interests.
We will process your collected personal data on grounds of consents; especially, in the case where our processing activities have potential impact on your sensitive personal data.
We may inform you of the objectives of our personal data usage and request your consent or explicit consent to process your collected personal data in the following circumstances:
We may disclose to or share your collected personal data with other third parties to achieve the specific purposes for which the personal data was collected. The third parties who we may disclose or share your collected personal data with may include:
When we disclose or share your collected personal data with any third parties, we will conduct necessary and appropriate supervision of the third parties to ensure safe processing of disclosed or shared personal data, by, for instance, entering into an agreement regarding the processing of personal data with the third parties.
We will only transfer your collected personal data to a country that, in the view of the Thai Personal Data Protection Commission, has adequate data protection or privacy laws. Where such data security standards are deemed inadequate, we will provide appropriate safeguards to protect your interest or the transfer will take place if one of the exceptions defined by the PDPA is met. The exceptions are where:
Before or at the time of collecting your personal data, we will always inform you of our purposes of processing your personal data. Only in some circumstances, it is not necessary for us to inform you of our processing purposes, such as when:
Under the PDPA, you have the following rights in respect of your personal data:
1) Right to access
You have a right to access and obtain a copy of personal data that we hold about you, or you may ask us to disclose the sources of where we obtained your collected personal data that you have not given consent.
We will respond to your request as soon as reasonably possible but not exceeding thirty (30) days after receiving your request.
2) Right to data portability
You have a right to request us to transfer your collected personal data to other persons/organisations, or request to see your collected personal data that we have transferred to other persons/organisations, unless it is impossible due to technical circumstances.
3) Right to object to the processing of your collected personal data
You have a right to object to the processing of your collected personal data, unless there are circumstances that do not allow you to make the objection. This may include when we have compelling legitimate grounds or when the processing of your collected personal data is carried out to comply, exercise or defend legal claims or for our public interest.
4) Right to erasure
You have a right to request us to delete, destroy or anonymise your collected personal data in the following circumstances where:
5) Right to restrict the processing of your collected personal data
You have a right to request us to restrict the processing of your collected personal data in the circumstances when:
6) Right to rectification
You have a right to rectify inaccurate personal data in order to make it accurate,
up-to-date, complete and not misleading. If we reject your request, we will record such rejection with reasons.
7) Right to lodge a complaint
You have a right to make a complaint in the case of where we, our data processors including our employees or contractors do not comply with the PDPA or other notifications or announcements under the PDPA.
8) Right to withdraw consent
You may withdraw your consent at any time, unless we have a lawful basis to deny your request. We would like to also inform you that your consent withdrawal may affect our relationships with you or the products and/or the services that will be provided to you by us. This is because, for instance, the personal data, if remaining after consent withdrawal, may be insufficient for us to render complete services that you need, or we may need time to request additional information from you.
If you change your mind about how you would like us to have or process your collected personal data and would like to withdraw your consent, you can tell us anytime by sending the email to email@example.com.
Upon our receipt of a request to exercise your rights, we may, in certain cases, request additional information in order to confirm your identity and your rights as part of our security measures.
We will only retain your collected personal data for as long as it is necessary for the specific purposes for which the personal data was collected. This means that the retention periods will vary according to the type of your collected personal data and the purpose or reason that we collect the personal data. If we do need to keep your collected personal data for a longer period to comply with the legal obligation, or if some existing claims or complaints will reasonably require us to keep your personal data or for regulatory or technical reasons, we will continue to protect that collected personal data.
We have procedures in place regarding our retention periods, which are kept under constant review, taking into account the purposes for processing your collected personal data and the lawful basis for doing so.
We may need to retain images and video footages from CCTV surveillance systems installed for security and safety of persons and properties within our premises for 30 days.
We will delete, destroy, permanently anonymise or otherwise dispose of all collected personal data at the end of the retention period, or when we must comply with your request for erasure of your collected personal data.
If you have any questions, please contact us at the provided details in the “How to contact us” section.
We adopt security measures to keep your collected personal data safe and secure as well as to prevent loss or damage and illegal or unauthorised collection, access, use, modification, correction, disclosure or otherwise processing of your collected personal data. Our security measures which are applied to all types of data processing regardless of whether the collected personal data is processed electronically or in paper form, include encryption and other forms of security.
We require our employees and third parties who carry out work on our behalf to comply with the PDPA and the appropriate privacy standards including obligations to protect any leakage of personal data and to apply appropriate security measures for the processing of personal data.
We consistently maintain our security procedures and measures and if an improvement proves to be needed, we will promptly correct or update our security procedures and measures taking into account the appropriate physical, technical and organisational security procedures and measures to ensure a level of security of your collected personal data appropriate to the respective risk and the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing.
If you have any comments, suggestions, questions or want to make a complaint or exercise your rights regarding your personal data, please contact us at
Address: 140 One Pacific Place Bld, Level 16 Room 1605, Sukhumvit Rd., Klongtoey Bangkok 10110, Thailand