Personal Data Protection Notice for the Company’s Visitors, Workplace Building Visitors and CCTV
We, บริษัท เสริมสุข จำกัด (มหาชน) , (the “Company”) recognize and respect the privacy and the protection of personal data of the Company’s visitors, workplace building visitors or areas within the Company’s responsibility (collectively “You”). The Company put in place this Personal Data Protection Notice in order to notify You of the details relating to a collection, use and disclosure of Your personal data (collectively the “Process”) in accordance with the personal data protection laws.
1. Purposes of Processing the Personal Data
1.1 The Company will Process Your personal data for the following purposes:
Purposes |
Lawful Basis |
|
(1) |
Controlling access of buildings, workplaces or areas within the Company’s responsibility including for monitoring, protecting, preventing and examining an access of such places without permission, maintaining security around the buildings, workplaces and specific areas including exchanging of access card, registering, recording of information and necessary data of the persons access to work for the Company or the Company’s visitors around the buildings, workplaces or areas within the Company’s responsibility, recording information of the persons having the right to use car parks within the area provided by the Company, recording information of the persons having the right to enter-exit areas within the Company’s building and places. |
Legitimate Interests |
(2) |
Complying with the Company’s internal processes before accessing the buildings, workplaces or areas within the Company’s responsibility such as a registration before working for the Company. |
Legitimate Interests |
(3) |
Maintaining security of the Company’s employees and assets including using CCTVs to record image, still and motion, of persons around the area of the buildings, workplaces and areas within the Company’s responsibility. |
Legitimate Interests |
(4) |
Controlling access to the Company’s sources of information technology and databases including preventing, restricting and examining access to sources of information technology and databases without permission. |
Legitimate Interests |
(5) |
Managing risks, overseeing an audit including an internal audit by the internal audit department and an internal management within the organization. |
Legitimate Interests |
(6) |
Creating legal claim, complying with laws or exercising legal rights, litigating and using as evidence for legal proceeding (if any) with relating parties including operating for compulsory execution according to the laws. |
Legitimate Interests |
(7) |
Complying with laws, order of authorities, independent organizations or officers having lawful duties and authorities such as compliance with a summon, warrant of seizure, order of the courts, police officers, public prosecutors, government authorities. |
Legal Obligation
|
(8) |
Complying with laws concerning public interest in respect of public health such as health protection against dangerous communicable disease or epidemic which may be contagious or spread into the kingdom. |
Legal Obligation
|
(9) |
Managing Your hygiene and safety. |
Preventing or suppressing danger to a person's life, body or health (Vital Interests) |
1.2 In the event that the Company will Process Your personal data for any purpose other than the above purposes, the Company may request additional personal data from You and we will collect Your additional personal data by notifying You and requesting Your consent from time to time (as the case may be).
2. Personal Data to be Collected
In general, the Company will collect Your personal data by directly querying You or requesting the data from You; however, there may be some circumstances that the Company may collect Your personal data from other sources such as government authorities or other sources where Your personal data are clearly and publicly disclosed including the personal data disclosed via social media, etc., in such case the Company will collect only the information You choose to be publicly available. In this regard, the type of Your personal data which will be Processed by the Company will be as follows:
2.1 Once You access an area within the Company’s responsibility:
(1) The Company may collect images, still and motion, and/or sounds using closed-circuit television (“CCTVs”) provided that the Company will display a sign stating there is a use of CCTVs in the area within the Company’s responsibility.
(2) The Company may record information of visitors such as name; surname, telephone number, email address, information specified in the identification card or passport or other similar documents, registration number of vehicle You bring into the area within the Company’s responsibility;
(3) Once you wish to use the Company’s Wi-Fi, You have to register and provide Your personal data such as name, surname, telephone number, email address to the Company.
2.2 Once You contact the Company via customers relations center or other service units:
(1) Personal information such as name, surname, date of birth, address and other information specified in the identification card or passport;
(2) Contact information such as address, e-mail address, telephone number, online social media contact information;
(3) Other information such as record of products/service used, location of the purchase of products or services and quantity of the products purchased.
2.3 The aforementioned collected personal data is necessary for the Company to perform according to the agreement or Your request prior to entering into an agreement. If You decline to provide the Company with the necessary personal data, the Company may not be able to proceed any activity relating to considering the selection process, entering into transaction or managing according to the agreement entering into with You (as the case may be).
3. Sensitive Personal Data
3.1 The Company may have to Process sensitive personal data in accordance with the personal data protection laws for the purposes as notified by the Company according to this Notice or any other purposes as the Company additionally notify You or as per Your consent provided to the Company on a case-by-case basis such as:
(1) once the Company has to use the information for the benefit of the Company’s security such as biometric data, face recognition data and fingerprint data for verifying Your identification;
(2) the Company may collect Your sensitive personal data although the activities or services provided are not directly related to the sensitive personal data such as the Company has to use Your identification card which contains religious information for verifying Your identification;
(3) health information such as food allergy, drug allergy, personal congenital disease, medical history in case you can claim medical expenses from the Company for using in any activity You participate in or for public health benefits such as prevention the spread of contagious disease or epidemic, etc.
3.2 The Company will request for Your express consent on a case-by-case basis for Processing Your sensitive personal data and will provide adequate security measures to protect Your sensitive personal data.
4. Cookies
In the event that You access any electronic device of the Company such as applications, websites, information technology and cyber system, etc., the Company uses cookies for collecting personal data as specified in the Cookies Notice.
5. Withdrawal of Consent and Effect thereof
5.1 In the event that the Company Processes personal data with Your consent, You have the right to, at any time, withdraw Your consent given to the Company. Such withdrawal will not affect any Process of personal data performed by the Company prior to the withdrawal of Your consent.
5.2 Your withdrawal of consent given to the Company or refusal to provide certain information may result in the Company being unable to meet all or certain purposes of the Company as notified in this Notice or other purposes as the Company additionally notify You or as per Your consent provided to the Company on a case-by-case basis.
6. Personal Data of Other Persons
6.1 In the event that You provide personal data of other persons to the Company, You have the following obligations:
(1) to notify such person of the details as specified in this Notice including to request a consent from such person (if data subject’s consent is required);
(2) to perform any necessary actions in order that the Company is able to legally Process such person’s personal data.
6.2 Personal data, include sensitive personal data, of other persons which may be Processed by the Company such as name, surname, date of birth, address, sex, information shown in an identification card or passport, nationality, e-mail address, telephone number, occupation, position, work location, financial documents, relationship with You, online social media contact information.
7. Personal Data of a Minor, Incompetent Person and Quasi-incompetent Person
7.1 In the event that the Company has to obtain a consent for Processing personal data of a minor, incompetent person or quasi-incompetent person, the Company will be able to Process personal data of such person only upon the Company’s receipt of a consent of the holder of parental responsibility over the minor, the custodian or the curator, or the person with authority to give consent in the name of such person in accordance with the personal data protection laws (as the case may be).
7.2 In the event that the Company has to obtain a consent for Processing personal data of a minor, incompetent person or quasi-incompetent person but, at that time of data Processing, the Company is not aware that the data subject is a minor, incompetent person or quasi-incompetent person, and later becomes aware that the Company had Processed the personal data of such person without consent of the person with authority to give consent in the name of such person in accordance with clause 7.1, the Company will erase or destroy the personal data or anonymize the personal data of the data subject which is a minor, incompetent person or quasi-incompetent person to become the anonymous data which cannot identify the data subject except in the event that the Company can Process the personal data of such person by using lawful cause and without consent.
8. Period for Retaining the Personal Data
8.1 The Company will retain Your personal data for a period necessary for achieving the purpose of such personal data Processing unless it is permitted to be retained longer by any law. If it is unable to be clearly identify the period for retaining the personal data, the Company will retain Your personal data for a period that can be anticipated in accordance with the collecting standards, by taking into consideration a business practice for each type of personal data.
8.2 The Company will retain Your personal data collected from the CCTVs for a period as follows:
(1) In general, the Company will retain Your personal data for a period of 1 year from the date the CCTV records Your personal data.
(2) In necessary situation such as using as evidence for inquiry, investigation or legal proceeding or in case of Your request, the Company will retain Your personal data over 1 year from the date the CCTV records Your personal data and the Company will delete or destroy the personal data or turn Your personal data into anonymous data once the Company completes such purposes.
8.3 In the event that the Company Processes Your personal data with Your consent, the Company will Process Your personal data until the Company receives Your withdrawal for such consent and the Company finishes proceeding with Your withdrawal request. However, the Company will still retain Your personal data as necessary to make a record that You used to withdraw such consent in order that the Company will be able to respond to Your request in the future.
9. Disclosure of Personal Data
9.1 The Company may disclose Your personal data to the companies within the group, any person assigned by the Company to be personal data processors and/or personal data protection officers, advisors, financial institutes, financial service providers, auditors, external auditors, credit rating company, partners, business partners, service providers, contractors, sub-contractors who are related to business operations of the Company to the extent that, associated with personal data, partners who are co-branding with the Company, any natural persons and/or juristic persons who have relationship or legal relation with the Company, any persons who are interesting in receiving the assignment of the Company’s rights and obligations, any persons who intend to have a merger transaction with the Company in any manner, any organization related to sustainability index, infirmary and/or rescue forces (in case of emergency for protecting Your benefits), government authorities, regulatory authorities, legal authorities, any persons who request the Company to disclose Your personal data with legal power and/or in compliance with any agreements You are a party thereto and/or any natural persons or juristic persons as necessary, whether inside or outside Thailand, (including staff members, employees, executives, directors, shareholders, agents and advisors of the Company and of the aforesaid recipients) in order that the Company will be able to operate their businesses and provide services to You including to comply with the purposes of personal data Processing as specified in this Notice or other purposes as the Company will additionally inform You or in accordance with Your consent given to the Company on a case-by-case basis and/or to act in compliance with the laws.
9.2 The Company will cause the recipients of Your personal data to have appropriate security measures for protecting Your personal data and to Process Your personal data only to the extent as necessary, and to prevent any use or disclosure of Your personal data by any other persons without lawful authority.
9.3 The Company will cause the recipients of Your personal data to keep such personal data in confidence and not use it for any purposes other than the purposes of personal data Processing under this Notice or other purposes as the Company will additionally inform You or in accordance with Your consent given to the Company on a case-by-case basis and/or to act in compliance with the laws.
10. Sending or Transferring Personal Data to Foreign Countries
In the event that the Company is required to send or transfer Your personal data to any foreign country including to keep Your personal data on any database in any foreign country, the Company will ensure that a transferee or data retention service provider in such destination country has adequate data protection standard to protect the personal data in accordance with those specified in the personal data protection laws of the country of transferer of such personal data (if any). If the transferee or data retention service provider in such destination country has data protection standard to protect the personal data lower than those specified in the personal data protection laws of the country of transferer of such personal data, the Company will perform as appropriate and necessary in order that the personal data transferred to such foreign country will be protected in the same level as the Company protect Your personal data.
11. Security Measures for Personal Data Protection
11.1 The Company will strictly set up the right to access, use, modify, revise or disclose the personal data including to display or confirm the identity of a person who accesses or uses the personal data in compliance with the standards for safeguarding the personal data as specified in the personal data protection laws.
11.2 The Company will set up an appropriate technological procedure to prevent any access to information technology system which collects personal data without permission.
11.3 In the event that the Company discloses Your personal data to any third person, the Company will perform any action to prevent such person from illegal or unauthorized use or disclosure of the personal data so that such person will only use Your personal data as necessary and in accordance with the purposes as the Company notifies You and/or in accordance with Your consent on a case-by-case basis.
11.4 The Company will set up a monitoring system for erasing or destroying personal data from the collecting system once the retention period for such personal data ends or once such personal data is excessive or no longer related to the data processing purposes or upon Your request or withdrawal of consent.
11.5 In the event that there is a violation of the Company’s security measures for personal data which causes an infringement of Your personal data, the Company will, without delay, notify such infringement to a competent authority as specified in the personal data protection laws unless there is no risk that such infringement will affect Your personal rights and freedom. If there is high risk that such infringement will affect Your personal rights and freedom, the Company will, without delay, notify You of such infringement together with remedial guidelines in accordance with the criteria and procedures specified in the personal data protection laws.
11.6 The Company will record any transactions as specified in the personal data protection laws in writing or on electronic system so that the data subject or any authority under the personal data protection laws be able to make an examination thereon.
12. Rights of Data Subject
12.1 You, as a data subject, have the rights to deal with Your personal data which are in the Company’s responsibility in accordance with the personal data protection laws as follows:
(1) to request access to or obtain copy of Your personal data or to request the disclosure of the acquisition of Your personal data without Your consent;
(2) to obtain Your personal data in electronic form or transfer Your personal data to other persons;
(3) to object to the collection, use, or disclosure of Your personal data in accordance with the personal data protection laws;
(4) to erase or destroy Your personal data, or to anonymize Your personal data to become the anonymous data which cannot identify You in accordance with the personal data protection laws;
(5) to restrict the use of Your personal data in accordance with the personal data protection laws;
(6) to revise or modify Your personal data to be accurate, up to date, complete and not misleading;
(7) to withdraw Your consent given to the Company unless there is any restriction for consent withdrawal by laws or any agreement which gives benefits to You;
(8) to complain to any authority if You believe that any dealing with the personal data by the Company is incompliance with the personal data protection laws.
12.2 You can use the right as specified in clause 12.1 by contacting the person specified in clause 14 hereof.
12.3 The Company reserves the right to refuse to perform according to Your request, whether in whole or in part, if the Company has reasonable and lawful reason such as such performance will cause unreasonable burden to the Company, is impracticable, is illegal or the use of such right by You will or may affect other person’s rights or freedom or in the event that the Company has a legal authority to collect Your personal data without Your consent.
13. Privacy Notice or Privacy Policy of other Websites or Applications
In the event that You use the Company’s websites or applications and You clicks any link shown on such websites or applications to enter into other websites or applications, whether such other websites or applications belong to the Company or not, You are required to learn and comply with the Privacy Notice or Privacy Policy of such other websites or applications, and the Company will not be responsible for any contents or data protection standards to protect the personal data of such other websites or applications. Moreover, if You give Your personal data to the owners of other websites or applications, You acknowledge and understand that the Company is not relevant to processing of Your personal data by the owners of such other websites or applications.
14. Details of Personal Data Controller and Personal Data Protection Officer
You can contact the personal data controller and/or personal data protection officer of the Company through the following channels:
PDPA Contact Center
Tel. 0-2975-5566 or E-mail pdpa_info@sermsukplc.com
15. Revision of Personal Data Protection Notice
In the event that there is any revision to this Notice, the Company will make an announcement via the Company’s website or application, or other communication channels of the Company and the new Notice will be effective on the date of such announcement.