PRIVACY POLICY

1. INTRODUCTION

Pisut and Partners Company Limited (“P&P” or “we”) recognise the importance of personal data entrusted to us and we respect the privacy of each stakeholder whose personal data is collected, used, and/or disclosed (collectively, “processed”) by us. It is our responsibility to properly manage, protect, and process your personal data in accordance with the Personal Data Protection Act B.E. 2562 (“PDPA”) and regulations and guidelines issued thereunder, whether now existing or to be updated or additionally announced in the future. This Privacy Policy is created and developed to help you understand how we process your personal data so that you can make an informed decision before providing us with any of your personal data, as well as to inform you of your statutory rights under the PDPA and how you can exercise them with respect to your personal data collected and maintained by us.

2. APPLICABILITY OF THIS PRIVACY POLICY

This Privacy Policy generally applies to the processing of personal data of all individuals having relationships with us, which data is now or will in the future be processed by us through our staff, as well as through third parties who process such data pursuant to our instructions (“Data Processors”).

Individuals having relationships with us as referred to in the foregoing paragraph include:

  • individual customers;
  • individual vendors;
  • our directors, agents, employees, employment applicants, and former employees;
  • directors, officers, legal representatives, employees, agents, shareholders, and other individuals of our customers, vendors, regulators, trade associations, and other organisations having any relationships with us;
  • visitors to our websites and users of our other systems, applications, etc.; and
  • other individuals whose data is processed by us, such as family members of any of the foregoing individuals, visitors to our business locations, etc.

All of the above individuals whose personal data is processed by us are collectively referred to as “Data Subjects” or “you”.

In addition to this Privacy Policy, we may provide to our Data Subjects a Privacy Notice describing in particular the purposes of certain data processing activities, specific types of personal data to be processed, the applicable data retention periods, and other details as required by law. In cases where there are any discrepancies between this Privacy Policy and a particular Privacy Notice, the Privacy Notice shall prevail.

3. TYPES OF PERSONAL DATA THAT WE COLLECT

The term “personal data” is broadly defined under the PDPA as: “any information relating to a [natural] person, which enables the identification of such person, whether directly or indirectly, but not including the information of deceased persons in particular”.

Our general policy, which is in line with the general principle of the PDPA, is to only collect personal data which is necessary for us, our businesses, and/or other undertakings responsible to us. However, we may also be required by law or contractual obligations to collect and process certain personal data for other purposes.

We collect different types of personal data, depending on the relationships between Data Subjects and us, and the purposes of relevant data processing activities. The types of personal data listed below are a mere general representation of what we generally collect during the ordinary course of our business, but we may also collect other types of personal data as necessary, depending on the circumstances, as shall be described in more detail in the applicable Privacy Notice:

  • Names, e.g., given name, middle name, family name, nickname, alias, etc. and including prefix and title (Mr, Mrs, Miss, etc.)
  • Addresses, e.g., residential address (whether actual or registered), office address, business address, delivery address, etc.
  • Email addresses, whether business or personal emails
  • Telephone numbers
  • Social media account names or ID, e.g., LINE, Facebook, WhatsApp, Instagram, etc.
  • Date of birth
  • Age
  • Gender
  • ID numbers, e.g., national ID card number, passport number, tax ID number, employee ID number, driving license number, work permit number, professional license number, etc.
  • Copies of identification documents, e.g., national ID card, passport, tax ID card, employee ID card, driving license, work permit, professional license, etc.
  • Photographs, images, voice records, and video records of Data Subjects
  • Bank account details, e.g., account name, account number, and bank’s details
  • Financial information regarding Data Subjects, e.g., incomes, debts, credit ratings, etc.
  • Title or position in an organisation
  • Employment history and work experiences
  • Performance reviews and ratings
  • Education background, trainings, and other credentials
  • Professional association
  • Products and services that Data Subjects are interested in, have purchased, or have received from us or our affiliates, and the Data Subjects’ comments, suggestions, preferences, and other feedback
  • Technical IT and network information, e.g., IP addresses, device ID, hardware specifications, operating systems, application software versions and other details, network and internet service providers, search and browsing history, GPS locations, cookies and other similar technologies, etc.

Apart from the foregoing, we may also collect to the extent necessary certain types of personal data which are considered “Sensitive Data” under the PDPA, including the following:

  • Criminal records
  • Health data (e.g., health records, health conditions, records of medical treatment received, vaccination status, health examination results, etc.)
  • Disabilities
  • Labour or trade union association
  • Biometric data (e.g., fingerprints, iris patterns, palm patterns, face recognition, voice recognition, etc.)
  • Other sensitive data as may be further prescribed by the Personal Data Protection Commission (“PDPC”) in the future.

However, we will only process your Sensitive Data when we have your explicit consent or when there is an applicable exemption which allows or requires us to do so without your consent.

You may be required to provide your personal data to us in order to comply with certain legal requirements, to comply with a certain contract, or to enable us to enter into a contract with you. Should you refuse to provide us with the necessary data, withdraw your consent previously given to us to process such data, or object to our processing of such data, we may be unable to provide you with some or all of our products and/or services or to otherwise facilitate your requests to us.

4. DATA RETENTION PERIOD

We generally retain your personal data for as long as it is necessary for the purposes for which such data was collected, which typically means throughout the relationships between you and us and for a reasonable period thereafter. In the absence of unusual circumstances (such as an investigation, potential litigation, or litigation involving a Data Subject) or specific legal requirements, we would generally not retain your personal data beyond ten years after the end of the relationship between you and us. However, a different data retention period may be specified in the relevant Privacy Notice provided to you in connection with specific data processing activities.

At the end of the applicable data retention period or when your personal data is no longer required for the relevant purposes, we will delete, destroy, or anonymise your personal data in accordance with the requirements under the PDPA or prevailing international standards.

5. SOURCES OF PERSONAL DATA THAT WE COLLECT

We collect your personal data primarily directly from you through various interactions between you and us, whether online or offline, such as, through an employment application process, customer registration, sales transactions, participation in our marketing activities, entering into a contest or competition arranged or sponsored by us, getting in touch with our customer service teams, visits to our website or business locations, etc.

We may also, to the extent permitted by law, collect your personal data through other sources, such as publicly available databases, government agencies, marketing agencies, recruiters, social media platforms, etc., provided that such alternative data sources are legally allowed to disclose your personal data to us, whether with the proper written consent of the relevant Data Subjects or the disclosure is lawfully made under any other applicable legal basis.

In this regard, whenever you provide us personal data of any third party, you confirm to us that you have properly obtained necessary written consent from the relevant Data Subject or the data provided to us can be lawfully disclosed and processed by us in accordance with the purposes of our data processing activities. Also, in that case, it is your responsibility to ensure that the Data Subject in question is provided with this Privacy Policy in due course.

6. PURPOSES OF PERSONAL DATA COLLECTION AND PROCESSING

We collect, use, and/or disclose your personal data for various purposes, depending on your relationships with us and the applicable circumstances, including the following purposes:

  • To conduct third-party verification processes in accordance with our policies, including potential conflicts of interest assessment, against you or an organisation of which you are a legal representative or contact person;
  • To confirm your identity, qualifications, and credentials;
  • To confirm your authority to act on behalf of another party;
  • To prepare and enter into contracts with you;
  • To create a customer, vendor, employer, or another profile in our internal systems;
  • To fulfil your purchase orders or otherwise execute transactions to which we are a party;
  • To accept products and/or services from you or an organisation of which you are a legal representative or contact person;
  • To make payments to or collect payments from you or an organisation of which you are a legal representative or contact person;
  • To create necessary accounting and tax documentation;
  • To offer you other products and/or services of us or of our affiliates;
  • To engage in marketing activities involving you;
  • To carry out necessary administrative functions within our organisation including training and improvement of our staff’s performance;
  • To assess and manage risks and conduct internal risk management exercises;
  • To prevent, detect, avoid, and examine frauds, security breaches, and unauthorized or illegal activities;
  • To consider your suitability for an employment position for which you have applied;
  • To render an appropriate employment offer to you;
  • To create necessary documentation in connection with your employment;
  • To evaluate your suitability for particular works;
  • To manage your sick leave requests, maternity leave requests (if applicable), and other benefits and issues relating thereto;
  • To ensure a safe work environment for our employees;
  • To control access to certain areas of our business locations;
  • To monitor activities that take place inside or in the vicinity of our business locations;
  • To verify with relevant third parties, the correctness, completeness, and currency of the personal data collected by us in connection with the abovementioned purposes;
  • To handle your inquiries and requests;
  • To perform other contractual obligations between you and us;
  • To take necessary actions to protect our legitimate interests or those of other parties;
  • To otherwise manage the relationships between you (or a party related to you) and us;
  • To exercise our rights towards or defend our interests;
  • To prevent or suppress danger to the life, body, or health of any person;
  • To comply with applicable legal requirements (including legitimate orders and instructions from a competent authority) to which we are subject;
  • Etc.

The purposes outlined above are the most common purposes for processing your personal data. We may process your data for other additional purposes, as shall be set forth in the relevant Privacy Notice (if applicable).

We will also take appropriate measures to ensure that your personal data is not used or disclosed for any purpose other than those we have previously informed you unless you have consented to such additional use or disclosure, or unless we are lawfully allowed or required to do so under the PDPA.

7. LEGAL BASES OF PERSONAL DATA PROCESSING

We process your personal data based on one or more of the following legal bases under the PDPA, depending on the circumstances:

  • your consent, which can be withdrawn by you at any time, unless there is an applicable restriction on such consent withdrawal, whether under the law or under a contract which provides certain benefits;
  • vital interest of you or other individuals (to prevent or suppress a danger to the life, body, or health of an individual);
  • performance of contracts between you and us or facilitation of your requests prior to entering into such contracts;
  • our legitimate interests or those of other parties which must not be of lesser importance than your fundamental rights as a Data Subject;
  • compliance with legal requirements imposed on us; or
  • other legal bases available under the PDPA.

8. PERSONS TO WHOM WE MAY DISCLOSE YOUR PERSONAL DATA

We will not provide, disclose or share your personal data to or with third parties unless we have obtained your consent or such provision, disclosure or sharing of personal data is permitted under the PDPA or any other applicable law.

We may, from time to time, disclose your personal data to one or more of the following parties as necessary:

  • our shareholders, directors, employees, and agents;
  • our external advisors and other relevant product/service providers, sub-contractors, and business partners, such as our marketing agencies, insurance companies, auditors, lawyers, hospitals, telecommunication service providers, etc.;
  • our financial institutions;
  • other data processors which have entered into a data processing agreement with us to process your personal data strictly in accordance with our instructions;
  • regulators and other government agencies relating to our businesses;
  • other parties, to the extent permitted by law.

In some cases, we may need to send or transfer your personal data abroad in order to carry out certain activities or undertakings. For example, we may need to send your personal data to a computer server located outside Thailand which hosts cloud services that we use.

Where it is necessary for us to send or transfer your personal data outside of the country, we will take necessary precautionary measures to ensure that the recipient of the data has adequate personal data protection measures in accordance with international standards.

However, it is also possible that some of the parties to whom we disclose your personal data may be located in other countries where there are insufficient data protection standards, in which case, our disclosure of your personal data to such parties would either be subject to your consent or other applicable legal exemptions.

9. DATA PROCESSING BY THIRD PARTIES

Your personal data may be processed by one or more of our Data Processors which are third parties entrusted by us to process personal data pursuant to our instructions.

Whenever we use Data Processors to process your personal data, we will put in place a proper data processing agreement and other measures to ensure that the Data Processors shall process your personal data only to the extent specified in the agreement and in accordance with our instructions. The same principle also applies to sub-contractors who act as data processors of our Data Processors (if any).

In cases where any of our Data Processors is in breach of the aforementioned data processing agreement between them and us, they shall be deemed a data controller under the PDPA in respect of the data that they processed beyond our instructions and they shall have direct legal responsibilities towards you and other relevant Data Subjects.

10. SECURITY MEASURES

We take necessary precautionary measures to ensure the security and integrity of your personal data by restricting access to your personal data so that it can only be accessible by specific, authorised or designated persons who have a necessity to process such personal data for the relevant purposes, whereby such persons shall be required to strictly adhere to and comply with our personal data protection measures and are obligated to keep confidential the personal data that they have access to in the course of their performance of their duties. We have implemented operational and technological data security measures that comply with the PDPA and prevailing international standards.

11. YOUR STATUTORY RIGHTS UNDER THE PDPA

As a Data Subject, you are afforded the following statutory rights under the PDPA, subject to applicable legal requirements and exceptions:

  • Right to withdraw your consent: In cases where you have given your consent to us for the processing of your personal data, you have the right to withdraw your consent at any time, unless there is an applicable restriction on the consent withdrawal, whether under the law or under a contract which gives you certain benefits. However, such consent withdrawal would not retroactively affect the collection, use, or disclosure of your personal data which has already been done prior to the consent withdrawal.
  • Right to access to and obtain a copy of your personal data: You have the right to request access to and obtain a copy of your personal data collected and maintained by us. You may also request that we disclose to you the sources of your personal data which we collected without your consent (if any).
  • Right to data portability: To the extent applicable, you have the right to obtain a copy of your personal data collected and maintained by us in a format which is readable or generally usable by automatic tools or equipment and can be used or disclosed by automatic means. You may also request that we transfer your personal data in such format either to other data controllers if it can be done by automatic means or to you, provided that it is technically doable.
  • Right to object to the processing of your personal data: You have the right to object to the processing of your personal data based on our legitimate interests (unless we can demonstrate a compelling legitimate ground or such data processing is required by us for the establishment or exercise of, compliance with, or defence against legal claims) or where the processing of your personal data is carried out in connection with direct marketing purposes.
  • Right to delete, destroy, or anonymise your personal data: You have the right to request that we delete, destroy, or anonymise your personal data collected and maintained by us in cases where: (1) your personal data is no longer necessary in relation to the purposes for which it is processed; (2) you have withdrawn your consent to the processing of your personal data and we do not have any other legal basis to carry out the same; (3) you have objected to the processing of your personal data and we have no right to reject your request; or (4) your personal data is unlawfully collected, used, and/or disclosed.
  • Right to suspend the use of your personal data: You have the right to request a suspension of the use of your personal data under the following circumstances: (1) while we are correcting or updating your personal data; (2) when your personal data is unlawfully collected, used, and/or disclosed but you choose to request a suspension of the use instead of deletion; (3) when your personal data is no longer necessary to be maintained in relation to the purposes for which it is collected but you have the necessity to have it maintained for the establishment or exercise of, compliance with, or defence against legal claims; or (4) while we are verifying whether we can deny your objection to process your personal data based on our legitimate interests.
  • Right to correct your personal data: If you discover that your personal data collected and maintained by us is misleading, inaccurate, incomplete or outdated, you may request that we correct and/or update your personal data as appropriate.
  • Right to report non-compliance to the regulator: If you discover that we or our employees, contractors, or data processors violated or failed to comply with the PDPA, you may report the same to the regulator pursuant to the regulations prescribed by the Personal Data Protection Commission.

12. UPDATES TO THE PRIVACY POLICY

We may adjust, modify, replace, or supplement (collectively, “update”) this Privacy Policy from time to time, and the latest version of the Privacy Policy will always be posted on our website: https://pisutandpartners.com/privacy-policy

If we make material updates to this Privacy Policy, we may provide a more prominent notice to you via various communication channels to let you know what the updates are. We encourage you to review the contents of the latest version of the Privacy Policy carefully.

Your continued interactions with us or continued uses of our services or systems (if applicable) following the updates constitute your acceptance of the latest version of the Privacy Policy.

13. CONTACT US

If you have any comments or questions concerning our collection, use, and/or disclosure of your personal data or if you would like to exercise any of your rights under the PDPA with respect to your personal data collected, used, and/or disclosed by us, please send your comments, questions, and/or requests to the following:

Data Protection Officer
Pisut and Partners Co., Ltd.
19th Floor, Rajanakarn Building
3 South Sathorn Road
Yannawa, Sathorn, Bangkok, Thailand 10120
T: 66 2026 6226
F: 66 2026 6227
E: info@pisutandpartners.com
Operating hours: Monday to Friday, 09.00 – 18.00 hrs.