This Privacy Notice is issued by WHA TUS Company Limited (the “Company”, “we”, “us”, or “our”), a limited company registered in Thailand.
The Company is committed to protecting and respecting privacy of whom we interact. This Privacy Notice explains what Personal Data we collect, how we use and disclosure it as well as your rights.
This Notice is addressed to individuals outside the Company with whom we are in contact, such as individual clients, visitors to our offices, sites or websites, our suppliers, business partners, representative of our clients, of our partners or of suppliers/other organisations or other individuals (hereinafter “you”). Defined terms used in this Notice are described in Section 2.
This Notice may be updated from time to time to record changes in our Processing of Personal Data or changes in law. We encourage you to read this Notice, and to regularly check for updates.
|1.||Personal Data||Data that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier (e.g. a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity) which is processed by the Company or by a Data Processor on behalf of the Company.|
|2.||Sensitive Personal Data||Sensitive Personal Data is a category of Personal Data. It is any Personal Data relating to race, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data or disability condition, trade union information, genetic data, biometric data and any data of the same nature as prescribed by the Personal Data Protection Commission established by the PDPA (“Commission”).|
|3.||Processing||Any activity with any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, storage, alteration, consultation, use, retrieval, disclosure by transmission, share, making available, alignment or combination, restriction transmission, dissemination, erasure or destruction by any means.|
|4.||Data Subject||An identified or identifiable natural person to whom the Personal Data is related to.. Data Subject shall not include deceased person and ‘juristic person’ (established under the laws, such as a company, foundation, association or other organisations).|
|5.||Data Controller||A person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.|
|6.||Data Processor||A person or a juristic person who process the Personal Data pursuant to the orders given by, or on behalf of, the Company acting as a Data Controller.|
|7.||Data Protection Officer||The Data Protection Officer (DPO) appointed by the Company.|
|8.||Personal Data Breach||Any unlawful or unauthorised Processing of the Personal Data|
In the course of our business, we may obtain and process your Personal Data as our clients, partners, suppliers, or when you are in contact with us, e.g. when you participate in the Company’s events, job application process, etc. Some data we obtain are Personal Data about you.
The Personal Data that we process are the following:
The Company will send data about our products or services to you from time to time if you have a subscription to receive the data via our newsletters, email, or other communication channels. However, you can change the way you receive the data, or cancel such services at any time by using the same method as to when you subscribed to receive such data from the Company or you may contact the Company for this purpose.
In our ordinary course of business, we may obtain certain Sensitive Personal Data about you. For example, the national identification cards that we collect in the ordinary course of business contain a Sensitive Personal Data (e.g. religion). When it is necessary to process a Sensitive Personal Data about you, we will do so on for the following purposes by relying on the following legal bases:
(a) We may process the Sensitive Personal Data where the Processing is necessary for the establishment of legal rights (e.g. litigation), compliance with the law or defending a right (e.g. to prepare our defence in court proceedings or any process carried out by public authorities); and
(b) We may process the Sensitive Personal Data about you to prevent or suppress a danger to you or other persons’ lives, body or health when the you are incapable of giving consent;
(c) We may process the Sensitive Personal Data for other purposes only if you give us your explicit consents for such Processing or when the Sensitive Personal Data about you is made publicly available (e.g. in social medias)
(d) We may have to process Sensitive Personal Data when the Processing is necessary for complying with the law or for other purposes as specified by the law; and
(e) Any other legal bases as permitted by the law.
The Company is the owner of the following websites:
In addition to the above, you may be in contact with the Company through several other channels which you may give us your Personal Data, such as the following:
The Company may process your Personal Data for the following purposes:
|For management and improvement of website and service quality in order to provide a reasonable and satisfiable services;||
We will process when;
|For sending news, advertisement, and other data relating to products and services of the Company, affiliated companies and/or business partners;||
We will process when;
|For Processing your request for customer and business partner registration or registration of your participation to the Company’s events.||
We will process when;
|For transferring any data in the case of business transfer;||
We will process when:
|For investigation of misconduct or fraud and for security measure||
We will process when:
|For disclosing any data relating to legal procedure or court order or any authorities under the law;||
We will process when:
|For protecting legal rights of the Company and relevant persons.||
|For other legitimate purposes||
From the above, we may process a Personal Data about you without a need to obtain your explicit consent when It is necessary: for performance of contracts you entered into with us; for us to proceed in accordance with your request prior to contracting; for us to carry out for the Company’s legitimate interest which is not overridden by your fundamental rights; or to comply with the law or other public interest purposes. The Personal Data we process for these purposes include those relating to identification (e.g. name, citizen ID no., nationality, date of birth, religion, blood groups, address, gender, height, and photograph in the copy of national ID card, address, and gender in the copy of house registration, bank account, copy of passbook). If we do not obtain the above Personal Data, we may not be able to identify you and, as a result, we may not be able to proceed on the matter prior to contracting, or we may not be able to enter into contracts with you. Our performance of the contract entered into with you may also be disrupted.
We share or transfer Personal Data when:
The Company will ensure that the organisations that we may share Personal Data about you have an adequate data protection standard.
In light of the above, the Company may, in the ordinary course of our business, disclose or share the Personal Data we collect with the following persons for the following purposes:
If any transfer of the Personal Data require a consent, the Company will proceed with obtaining such consent prior to such transfer.
Because of our nature of business and for the purposes as specified in items 5-6, we may send, transfer, share or transmit Personal Data about you to persons in other countries when such transfer, sharing or transmitting has a valid legal base as specified in item 6 and provided further that: the recipient of the Personal Data has sufficient safeguard for data in accordance with the notification of the Commission. We may share or transfer the Personal Data even if there is no sufficient safeguard in the foreign country only when:
The criterion we use for determining the data retention period are as follows: we will retain Personal Data as long as it is necessary to serve or interact with you in accordance with the law and for as long as it is considered to be reasonable according to the purposes for which the Personal Data is collected. In particular, we may retain your Personal Data for the duration of any period necessary to establish, exercise or defend any legal rights.
If you would like to delete your Personal Data, you can make a request to us through different channels such as through the Company’s Website or filling in the form available at our office or by contacting our Call Center at [other channel(s) to be determined by CEO at a later stage] [Monday to Friday from [09.00-17.00 hours] We will consider it on a case-by-case basis.
You are entitled to the following rights under the PDPA:
|Data Subject’s Rights||Description|
|1.||Right of access||You have a right to get access and obtain a copy of your Personal Data that we hold about you, or you may ask us to disclose the sources of where we obtained your data that you haven’t given consent. We would not be able to provide you with such access if it is prohibited by the law or court order and such access would impair rights and freedom of other persons.|
|2.||Right to data portability||You have a right to request us to transfer your Personal Data to other persons/organisations, or request to see the Personal Data that we have transferred to other persons/organisations, unless it is impossible due to technical circumstances.|
|3.||Right to object the Processing of your data||You have a right to object to the Processing of your Personal Data. The Company respects your right and we will assess the request on a case-by-case basis in accordance with the legal requirements.|
|4.||Right to erasure||
You have a right to request us to delete, destroy or anonymise your Personal Data in the following circumstances where:
The Company respects your right and we will delete your Personal Data unless the Company consider necessary to maintain such Personal Data.
|5.||Right to restrict the Processing of your data||
You have a right to request us to restrict the Processing of your Personal Data in the following circumstances when:
|6.||Right to withdraw consent||You may withdraw your consent any time, unless it is against the Company’s notice. After the consent is withdrawn, we will stop Processing the Personal Data, unless there are other legal bases on which the Personal Data can be processed by us.|
|7.||Right to rectification||You have a right to rectify inaccurate Personal Data in order to make it accurate, up-to-date, complete and not misleading. If the Company rejects your request, the Company will record such rejection with reasons.|
|8.||Right to lodge a complaint||You will have the right to make a complaint in the case of where the Company, the Data Processor including the employees of the Company does not comply with the PDPA or other announcements of the PDPA.|
To exercise any of your Data Subject Rights, please contact our Data Protection Officer (DPO) via email@example.com menu or fill in the form available at our office or by contacting our Call Center Monday to Friday from 09.00-17.00 hours or through other channels. In case of a request for copy of your Personal Data, unless the Company has grounds to refuse your request, the Company will send such copy to you within 30 days upon obtaining your request. In certain cases, the Company may request additional data in order to confirm your identity and your rights as part of our security measures. If you have any questions or would like to exercise any rights relating to your Personal Data, please contact the DPO of the Company according to the provided details.
For those who are our existing customers before the PDPA comes into force, we will continue Processing your Personal Data provided that our data Processing will strictly follow the objectives and purposes for which you allowed us to collect your data. You may request us to stop Processing Personal Data about you through firstname.lastname@example.org. We will review your request on a case-by-case by basis. The Company would like to inform you that your consent withdrawal may affect the services that will be provided by the Company such as getting you in touch with our new products or services. This is because, for instance, the data, if remaining after consent withdrawal, may be insufficient for us to render complete services that you need or we may need time to request additional data from you.
In the event that the Personal Data you have provided has changed, we encourage you to notify the Company of such update or edit the provided Personal Data so that your Personal Data is accurate and up-to-date. If your Personal Data is incorrect, it may affect the services of the Company and the Company will not be responsible for any loss or damage that may arise with you or the third party as a result of your failure to correct or update your Personal Data to be accurate in any way.
When there is a request to exercise the rights, we will acknowledge receipt of the request and confirm that we’re looking into the request and will respond within the statutory timeframe. We will assess the legal requirements, legal basis of Processing, consequence that the request may result on you and we will respond to you in due course. Each request would be considered in relation to the facts and circumstances and the legal requirements at the time. We will keep track and record the request for accountability purposes.
You have the right to make a complaint in the case of where the Company, the Data Processor including the employees of the Company does not comply with the PDPA or other announcements of the PDPA.
If you consider that we have processed your Personal Data in violation of applicable law and failed to remedy such violation to your reasonable satisfaction, please contact the DPO of the Company via email@example.com at WHA TUS Company Limited.
In addition, you can contact the Company via our Call Center on Monday to Friday from 09.00 – 17.00 hours or at our head office located at WHA TUS Company Limited.
You also have the right to lodge a complaint with the Personal Data Protection Commission or any Expert Committee appointed by it in accordance with the law.
Subject to obtaining your consent, we may place Cookies on your web browser, your device or read Cookies already on your device when you visit our websites or check for messages.
You may choose to disable some of the above cookies while visiting our websites. However, disabling any of such cookies may impact your experience on our websites.
If you use different devices to access our websites, we recommend you ensure that each browser of each device is set to your cookie preference.
For more details on cookie management, please refer to our ‘Cookies policy’.
The company certifies that all the Personal Data collected will be stored safely and strictly with adequate security standards. If you have a reason to believe that your Personal Data has been breached or if you have any questions regarding this Privacy Notice, please contact the DPO of the Company.
The company will take appropriate steps to ensure that all Personal Data collected and processed is kept secure and protected against unauthorized or unlawful Processing, use, modification or disclosure, accidental loss or destruction of, or damage by establishing the policies and procedures, and implementing the technologies and software such as user authentication control, external and internal network perimeter controls and malicious program/ software control.
The Company’s websites may be redirected to other websites for the purpose of facilitating you when you visit other websites. These websites may collect your Personal Data. The Company is not responsible for the Processing of your Personal Data by other websites or such parties. For this reason, the Company recommends that you carefully review the Privacy Notice of these websites before you use the service on those websites.
The Company reserves the right to change, amend or update the Privacy Notice at any time as it deems appropriate by notifying you of the said change. The Company will notify the changes on the website or via [other channel(s) to be determined by CEO at a later stage] in which you can check at any time.
If you have any comments, suggestions, questions or want to make a complaint regarding your Personal Data, please contact the DPO of the Company via firstname.lastname@example.org at WHA TUS Company Limited.