Privacy Notice for Business Partners and Affiliates
Revised as of 20 February 2023
Thaicom Public Company Limited and its subsidiaries (hereinafter referred to as the “Company”) appreciate the importance of the rights and privacy of personal data owners (hereinafter referred to as “Data Subject(s)”) as well as the protection of personal data. Therefore, the Company hereby notifies you of the Company’s data protection policy, which contains the Company’s practices regarding the collection, use, disclosure of personal data including the rights of Data Subjects under the personal data protection law, in cases where the Data Subjects provide product procurement, sales of goods, contracting, or other services to the Company or work for, on behalf of, or as a representative or agent of the Company.
This privacy notice (hereinafter referred to as the “Privacy Notice”) applies to the Company’s business partners and affiliates in the communication, procurement, sales of goods, contracting, or provision of services to the Company, including the sourcing, purchasing, leasing, hire purchase, service provision, working for, acting on behalf of, or representing the Company. The Company collects, uses, and discloses personal data of Data Subjects as follows:
1. The Company may collect the following personal data of Data Subjects:
1.1 Personal data collected before providing services or for the purpose of entering into a contract such as:
- Name, surname, national identification card number
- Photocopy of national identification card, signature (without displaying gender or religion)
- Address, contact information, telephone number, fax number, email address
- Company registration certificate, power of attorney
- Certificate of value added tax (Form Por.Por. 20)
- Business history
- Service contract.
1.2 Personal data collected during the course of using the Company services, such as:
- Quotation data
- Service provision data
- Delivery of goods or services data
- Payment data for goods or services
- Quality assessment data for the delivery of goods or services
- Complaint data
- CCTV footage.
The Company has no intention to collect or use any other information contained in the copy of the Data Subject’s identification card except the personal data stated in section 1. It is suggested that the Data Subject should redact any other personal data not mentioned above in the copy of identification card before submitting it to the Company. If any personal data is presented to the Company without redaction, it shall be deemed that the Data Subject has authorized the Company to redact such data. The redacted document shall be considered valid and legally binding in all respects. In case the Company is unable to redact any personal data due to technical limitations, the Company shall collect and use such personal data solely for the purpose of identity verification of the Data Subject.
In the event that the Data Subject provides the Company with the personal data of third parties, such as emergency contacts, spouses, parents, descendants, relatives, children, employers, agents, beneficiaries, or referees, the Data Subject should ensure that he or she has the right or authority to share such personal data and to allow the Company to use such personal data in accordance with this Privacy Notice. The Data Subject shall also inform all related third parties of this Privacy Notice and/or obtain their consent if needed and/or rely on other legal basis.
2. The Company may collect personal data either directly from the Data Subject or indirectly from other sources as follows:
2.1 Personal data obtained directly from the Data Subject, whether through documents, verbal communication, electronic means, or other forms of communication between the Data Subject and the Company, or by any other means provided that the Data Subject has consented to the collection, use, and disclosure of such personal data.
2.2 Personal data obtained from the Company’s representatives acting on behalf of the Company, provided that the Data Subject has consented to the collection, use, and disclosure of such personal data.
2.3 Personal data obtained from affiliated companies, provided that the Data Subject has consented to the collection, use, and disclosure of such personal data.
2.4 Personal data collected by the Company from devices used by the Data Subject to interact with the Company’s IT system or other operational systems.
2.5 Personal data collected by the Company from public domain or other sources where the Company is legally entitled to collect such personal data without the need to obtain any consent from the Data Subject.
2.6 Personal data obtained from government agencies or regulatory bodies.
3. The Company has the following purposes for the collection, use, and disclosure of personal data:
3.1 To comply with the agreement between the Data Subject and the Company as a contracting party, or to take any action as requested by the Data Subject before entering into that agreement.
3.2 To perform necessary actions for contract compliance such as verifying the identity of the Data Subject before providing services or when the Data Subject contacts the Company through various channels, communicating with the Data Subject in different circumstances, exercising various rights, delivering goods or services, making payments, preparing purchase orders, etc.
3.3 To perform necessary actions for contract enforcement or for asserting the Company’s legal rights even after the contract has terminated, for example, enforcing payment obligations after termination of a contract, or enforcing court judgments.
3.4 To evaluate the quality of delivery and analyze the behavior of business partners for the purpose of improving and developing products and services.
3.5 To perform any actions that have been consented to by the Data Subject, such as providing offers or information from the Company to the Data Subject.
3.6 To perform necessary and appropriate actions to maintain the security of computer systems, electronic systems, electrical systems, telecommunications networks, or other systems used by the Company to provide services, protect the security of personnel, property, and premises of the Company, including mitigating, preventing, or limiting damages that may occur.
3.7 To perform necessary and appropriate actions to enforce the rules and policies related to personal data and to protect the privacy rights of the Data Subjects.
3.8 To comply with the purposes as authorized by law as a data controller for collecting, using, or disclosing personal data without requiring consent from the Data Subject.
4. The Company may disclose or share personal data with third parties as follows:
4.1 The Company may disclose the personal data stated in section 2 to affiliated companies, business partners, regulatory bodies, governmental authorities, or other entities with legal authority, whether located within Thailand or abroad, including natural persons, legal entities, or other organizations that have a legal relationship with the Company provided that such disclosure is necessary for the purposes outlined in section 3.
4.2 If the Company is required to disclose personal data to any foreign organizations or entities where the destination country does not have an adequate data protection standard as determined by the Personal Data Protection Committee, the Company shall inform the Data Subject of such matter and the Data Subject’s consent must be given before disclosure.
5. The Company shall implement measures for the retention of personal data and retention periods as follows:
5.1 The Company shall securely store and maintain the confidentiality of personal data and shall implement effective security measures in accordance with the law to prevent loss, unauthorized access to, use, alteration, or disclosure of personal data.
5.2 The Company shall retain personal data of the Data Subject for a period deemed necessary or appropriate, or as required by the statute of limitations, as well as in accordance with the Company’s standard for keeping documents, i.e. retention period of 5 (five) years from the date of contract termination or from the end of the Company’s relationship with the Data Subject unless a longer retention period is required due to legal proceedings. In such case, the Company may retain the personal data as long as necessary until the end of such proceedings.
5.3 Upon expiration of the data retention period, or once the Company can no longer assert a legal right to collect, use, and disclose the personal data, the Company shall proceed to delete, destroy, or anonymize personal data such that the Data Subject cannot be identified.
5.4 In the event of a data breach or violation of personal data, the Company has implemented measures to respond to such incident as follows:
5.4.1 Any individual who becomes aware of the incident must report it to the Data Protection Officer.
5.4.2 The Data Protection Officer receives the report and records the incident.
5.4.3 The Data Protection Officer assesses the risk of the incident to determine whether it has any impact on the rights and freedoms of the Data Subjects.
5.4.4 In the case where there is no risk, the Data Protection Officer shall proceed as follows:
(1) Record the incident for future reference.
(2) Report the incident to the management.
5.4.5 In cases where a risk is identified, the Data Protection Officer shall take the following actions:
(1) Record the incident for future reference.
(2) Notify the Personal Data Protection Committee of the personal data breach within 72 hours of becoming aware of the incident.
(3) Report the incident to the management.
5.4.6 In cases of high risk, the Data Protection Officer shall proceed as follows:
(1) Record the incident for future reference.
(2) Notify the Personal Data Protection Committee of the personal data breach within 72 hours of becoming aware of the incident.
(3) Inform the Data Subjects of the breach, along with remedial measures.
(4) Report the incident to the management.
5.4.7 The Data Protection Officer shall conduct investigations to determine the cause of the personal data breach as well as to identify the root causes of the leakage or violation.
5.4.8 The Company shall improve the data leakage prevention measures.
6. Rights of the Data Subject under the personal data protection law are as follows:
6.1 The Data Subject has the right to give and withdraw his or her consent as follows:
6.1.1 In cases where the processing of personal data requires the consent of the Data Subject, the Data Subject has the right to give consent to the Company for the collection, use, and disclosure of personal data, to enable the Company to process personal data for the purposes notified to the Data Subject. Alternatively, the Data Subject may refuse to give such consent.
6.1.2 Once the Data Subject has given consent to the Company for the collection, use, and disclosure of personal data, the Data Subject may withdraw his or her consent at any time, unless there is a restriction of the withdrawal of consent by law or contract which gives benefits to the Data Subject.
6.1.3 In the event that the withdrawal of consent will affect the performance of the Company or the Data Subject in any manner, the Company shall inform the Data Subject of the consequences of consent withdrawal.
6.2 The Data Subject has the right to access his or her personal data which is under the responsibility of the Company.
6.3 The Data Subject has the right to obtain a copy of personal data related to the Data Subject from the Company.
6.4 The Data Subject has the right to request the Company to disclose the acquisition of the personal data obtained without the Data Subject’s consent for the collection, use and disclosure.
6.5 The Data Subject has the right to receive the personal data concerning him or her from the Company where the Company has arranged such personal data to be in the format which is readable or commonly used by way of automatic tools or equipment and can be used or disclosed by automated means.
6.6 The Data Subject has the right to request the Company to transmit or transfer his or her personal data in the format specified in section 6.5 to another data controller where it is practicable through automated means.
6.7 The Data Subject has the right to obtain his or her personal data that the Company has transmitted or transferred as described in section 6.6, unless it is technically impracticable.
6.8 The Data Subject has the right to object to the collection, use, or disclosure of his or her personal data at any time. In case of Data Subject’s objection, the Company may continue to collect, use, or disclose the personal data only if it can demonstrate that there are compelling legal grounds for doing so.
6.9 The Data Subject has the right to request the Company to delete, destroy, or anonymize the personal data in the event that the personal data is no longer necessary to the Company in relation to the purposes stated in this Privacy Notice or in the event that the Data Subject withdraws consent for the personal data that requires consent or in the event that the collection, use, or disclosure of the personal data are unlawful.
6.10 The Data Subject has the right to request that the Company temporarily suspend the use of personal data while the Company is reviewing the Data Subject’s request to correct personal data or to object to unnecessary or unlawful collection of personal data.
6.11 The Data Subject has the right to request the Company to correct personal data to ensure that it is accurate, up-to-date, complete, and not misleading.
7. The Company is required to collect, use, and disclose personal data as specified by law or as required to enter into a contract between the Company and the Data Subject. In case the Data Subject’s consent is not given, the Company may be unable to fulfil its contractual obligation. Nevertheless, the Company reserves the right to use personal data in situations where it is strictly necessary to communicate with the Data Subject.
8. The Company shall collect, use or disclose personal data in accordance with the applicable law currently in force. The Company is entitled to collect and use personal data that has previously been collected by the Company before the effective date of the Personal Data Protection Act for the original purposes. However, if the Data Subject does not wish the Company to continue collecting and using such personal data after the Personal Data Protection Act comes into force, the Data Subject may withdraw his or her consent through the method specified in section 9 of this Privacy Notice.
9. If the Data Subject has any question regarding this Privacy Notice or wishes to exercise the rights under section 6 or section 8, please contact the Company at Thaicom Public Company Limited, No. 349 SJ Infinite One Business Complex, 28th Floor, Vibhavadi Rangsit Rd., Chomphon, Chatuchak, Bangkok 10900, Telephone Number: (+66) 2-596-5095, or the Company’s website www.thaicom.net, or contact the Company’s Data Protection Officer at [email protected].
10. The Company may request the Data Subject to verify his or her identity prior to taking any action in case of the Data Subject’s exercise of the rights under section 6 or section 8.
11. The Company reserves the right to reject any exercise of rights of the Data Subject in accordance with the criteria specified by law. The Data Subject has the right to file a complaint with the Personal Data Protection Committee (PDPC) as specified by law.
12. The Company may revise this Privacy Notice from time to time and shall announce such revised Privacy Notice on the Company’s website. The revised Privacy Notice shall become effective on the date of announcement. In case any additional consent of the Data Subject is required, the Company shall request additional consent from the Data Subject.
Announced on 20 February 2023