This Privacy Notice is issued by WHA Corporation Public Company Limited (the “Company”, “we”, “us”, or “our”), a limited company registered in Thailand.
The Company is committed to protecting and respecting privacy of whom we interact. This Privacy Notice explains what Personal Data we collect, how we use and disclosure it as well as your rights.
This Notice is addressed to individuals outside the Company with whom we are in contact, such as individual clients, visitors to our offices, sites or websites, our suppliers, business partners, representative of our clients, of our partners or of suppliers/other organisations or other individuals (hereinafter “you”). Defined terms used in this Notice are described in Section 2.
This Notice may be updated from time to time to record changes in our Processing of Personal Data or changes in law. We encourage you to read this Notice, and to regularly check for updates.
|1.||Personal Data||Data that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier (e.g. a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity) which is processed by the Company or by a Data Processor on behalf of the Company.|
|2.||Sensitive Personal Data||Sensitive Personal Data is a category of Personal Data. It is any Personal Data relating to race, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data or disability condition, trade union information, genetic data, biometric data and any data of the same nature as prescribed by the Personal Data Protection Commission established by the PDPA (“Commission”).|
|3.||Processing||Any activity with any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, storage, alteration, consultation, use, retrieval, disclosure by transmission, share, making available, alignment or combination, restriction transmission, dissemination, erasure or destruction by any means.|
|4.||Data Subject||An identified or identifiable natural person to whom the Personal Data is related to.. Data Subject shall not include deceased person and ‘juristic person’ (established under the laws, such as a company, foundation, association or other organisations).|
|5.||Data Controller||A person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.|
|6.||Data Processor||A person or a juristic person who process the Personal Data pursuant to the orders given by, or on behalf of, the Company acting as a Data Controller.|
|7.||Data Protection Officer||The Data Protection Officer (DPO) appointed by the Company.|
|8.||Personal Data Breach||Any unlawful or unauthorised Processing of the Personal Data|
- Personal Data
In the course of our business, we may obtain and process your Personal Data as our clients, partners, suppliers, or when you are in contact with us, e.g. when you participate in the Company’s events, job application process, etc. Some data we obtain are Personal Data about you.
The Personal Data that we process are the following:
- Personally identifiable data such as name, surname, date of birth, identification card number;
- Contact data such as address, email and phone number;
- Transaction data such as payment details, bank account, product details and other services that you bought or leased from the Company including the data of accessing our website and other services;
- Technical data such as username, password, interests, setting preferences, IP address, login data, browser type, browser version, time and date setting, connection setting, operation and platform system and other technology that you have used your devices to sign in into our system;
- Marketing and communication data such as marketing services’ satisfactions and communication channels;
- Attendance Records, such as records of meetings and other events organized by the Company or on behalf of the Company;
- Consent Records (i.e. records of any consents to us, together with the date and time, means of consent and other data);
- For job applicants, curriculum vitae, data about you such as relatives, names and phones of reference persons.
- Views and Opinions that you choose to send to us or publicly post about the Company.
The Company will send data about our products or services to you from time to time if you have a subscription to receive the data via our newsletters, email, or other communication channels. However, you can change the way you receive the data, or cancel such services at any time by using the same method as to when you subscribed to receive such data from the Company or you may contact the Company for this purpose.
- Sensitive Personal Data
In our ordinary course of business, we may obtain certain Sensitive Personal Data about you. For example, the national identification cards that we collect in the ordinary course of business contain a Sensitive Personal Data (e.g. religion). When it is necessary to process a Sensitive Personal Data about you, we will do so on for the following purposes by relying on the following legal bases:
(a) We may process the Sensitive Personal Data where the Processing is necessary for the establishment of legal rights (e.g. litigation), compliance with the law or defending a right (e.g. to prepare our defence in court proceedings or any process carried out by public authorities); and
(b) We may process the Sensitive Personal Data about you to prevent or suppress a danger to you or other persons’ lives, body or health when the you are incapable of giving consent;
(c) We may process the Sensitive Personal Data for other purposes only if you give us your explicit consents for such Processing or when the Sensitive Personal Data about you is made publicly available (e.g. in social medias)
(d) We may have to process Sensitive Personal Data when the Processing is necessary for complying with the law or for other purposes as specified by the law; and
(e) Any other legal bases as permitted by the law.
The Company is the owner of the following websites:
- Other website that we may own in the future or other applications and online services of the Company.
In addition to the above, you may be in contact with the Company through several other channels which you may give us your Personal Data, such as the following:
- You register your Personal Data when you open your new customer account and business partner account in order to receive services from the Company;
- You contact the Company, our representatives or our business partners through online or offline channels;
- You subscribe to our advertisement or our marketing news, or participate in any marketing campaign; and/or
- You have participated in different events of the Company such as taking photos during the seminar or where you participated in other PR events
- We may collect or obtain your Personal Data that you made public, including via social media (e.g. social media profile(s) that you make a public post);
- You visit any of our offices, sites or websites;
- We may receive Personal Data about you from third party if you choose to interact with any thirdparty content or advertising on a website or in an application (e.g. application for job seekers);
- We may obtain your Personal Data from third parties who provide it to us (e.g. credit agencies; courts or public authorities)
- We may create Personal Data about you, such as records of your communication with us, including attendance at events or interviews. We may record telephone calls, meetings and other discussion with us in accordance with the law.
The Company may process your Personal Data for the following purposes:
|For management and improvement of website and service quality in order to provide a reasonable and satisfiable services;||
We will process when;
|For sending news, advertisement, and other data relating to products and services of the Company, affiliated companies and/or business partners;||
We will process when;
|For Processing your request for customer and business partner registration or registration of your participation to the Company’s events.||
We will process when;
|For transferring any data in the case of business transfer;||
We will process when:
|For investigation of misconduct or fraud and for security measure||
We will process when:
|For disclosing any data relating to legal procedure or court order or any authorities under the law;||
We will process when:
|For protecting legal rights of the Company and relevant persons.||
|For other legitimate purposes||
From the above, we may process a Personal Data about you without a need to obtain your explicit consent when It is necessary: for performance of contracts you entered into with us; for us to proceed in accordance with your request prior to contracting; for us to carry out for the Company’s legitimate interest which is not overridden by your fundamental rights; or to comply with the law or other public interest purposes. The Personal Data we process for these purposes include those relating to identification (e.g. name, citizen ID no., nationality, date of birth, religion, blood groups, address, gender, height, and photograph in the copy of national ID card, address, and gender in the copy of house registration, bank account, copy of passbook). If we do not obtain the above Personal Data, we may not be able to identify you and, as a result, we may not be able to proceed on the matter prior to contracting, or we may not be able to enter into contracts with you. Our performance of the contract entered into with you may also be disrupted.
We share or transfer Personal Data when:
- We obtain an explicit consent from you;
- It is necessary for prevention or suppression of a danger to life, body or health of a person;
- It is necessary for the performance of contracts you entered into or for us to proceed in accordance with your request prior to contracting;
- It is necessary for the Company’s legitimate interest which is not overridden by your fundamental rights; or to comply with the law or other public interest purposes.
- Other purposes as imposed on us by pubic authorities or as required, or permitted, by the law.
The Company will ensure that the organisations that we may share Personal Data about you have an adequate data protection standard.
In light of the above, the Company may, in the ordinary course of our business, disclose or share the Personal Data we collect with the following persons for the following purposes:
- Companies in our group. You may visit our website, https://www.wha-group.com/index.html, to see our companies in the group. We share such data for the purpose of: communicating products and services of our group; Processing your request to use our products and services or participating to our events; transferring any data in the case of business transfer; investigating of misconduct or fraud and for security measure; disclosing any data relating to legal procedure or court order or any authorities under the law; protecting legal rights of our group and relevant persons; as well as other legitimate purposes.
- Professional service providers, such as lawyers, accountants or auditors who are subject to binding contractual obligation of confidentiality toward the Company;
- Third party processors, such as providing of clouds, data hosting services and IT system services;
- Any relevant party, courts, public authorities, state enterprises (e.g. electricity/waterworks authorities) and law enforcement agencies;
- any relevant third-party acquirers, partners in the event that we sell or transfer all or any portion of our business or assets (including in the event of a reorganization, dissolution or liquidation);
- any relevant third party who are products/service providers, where our websites or applications use third party advertising plugins or content. Please note although we will ensure that the third party has sufficient privacy protection standard, if you choose to interact with any such advertising, plugins or content, your Personal Data would be processed by the third party. Hence, we recommend you review the third party’s Privacy Notice thoroughly before interacting or proceeding with such third parties.
If any transfer of the Personal Data require a consent, the Company will proceed with obtaining such consent prior to such transfer.
Because of our nature of business and for the purposes as specified in items 5-6, we may send, transfer, share or transmit Personal Data about you to persons in other countries when such transfer, sharing or transmitting has a valid legal base as specified in item 6 and provided further that: the recipient of the Personal Data has sufficient safeguard for data in accordance with the notification of the Commission. We may share or transfer the Personal Data even if there is no sufficient safeguard in the foreign country only when:
- the transfer or sharing is necessary to comply with the law;
- we obtain an explicit consent from you to the transfer/sharing by you being fully informed of the details of such inadequacy of safeguard of that other country;
- it is necessary for the purpose of contracting or proceeding with a matter upon your request prior to contracting;
- it is necessary for the performance of a contract between the Company and another individual or juristic person for your benefit;
- it is necessary for prevention or suppression of a danger to life, body or health or other substantial public interest;
- It is necessary for carrying out activities relating to one or more significant public interest as permitted by law;
- When the transfer or sharing is required, or permitted, by the law
The criterion we use for determining the data retention period are as follows: we will retain Personal Data as long as it is necessary to serve or interact with you in accordance with the law and for as long as it is considered to be reasonable according to the purposes for which the Personal Data is collected. In particular, we may retain your Personal Data for the duration of any period necessary to establish, exercise or defend any legal rights.
If you would like to delete your Personal Data, you can make a request to us through different channels such as through the Company’s Website or filling in the form available at our office or by contacting our Call Center at [other channel(s) to be determined by CEO at a later stage] [Monday to Friday from [09.00-17.00 hours] We will consider it on a case-by-case basis.
You are entitled to the following rights under the PDPA:
|Data Subject’s Rights||Description|
|1.||Right of access||You have a right to get access and obtain a copy of your Personal Data that we hold about you, or you may ask us to disclose the sources of where we obtained your data that you haven’t given consent. We would not be able to provide you with such access if it is prohibited by the law or court order and such access would impair rights and freedom of other persons.|
|2.||Right to data portability||You have a right to request us to transfer your Personal Data to other persons/organisations, or request to see the Personal Data that we have transferred to other persons/organisations, unless it is impossible due to technical circumstances.|
|3.||Right to object the Processing of your data||You have a right to object to the Processing of your Personal Data. The Company respects your right and we will assess the request on a case-by-case basis in accordance with the legal requirements.|
|4.||Right to erasure||
You have a right to request us to delete, destroy or anonymise your Personal Data in the following circumstances where:
The Company respects your right and we will delete your Personal Data unless the Company consider necessary to maintain such Personal Data.
|5.||Right to restrict the Processing of your data||
You have a right to request us to restrict the Processing of your Personal Data in the following circumstances when:
|6.||Right to withdraw consent||You may withdraw your consent any time, unless it is against the Company’s notice. After the consent is withdrawn, we will stop Processing the Personal Data, unless there are other legal bases on which the Personal Data can be processed by us.|
|7.||Right to rectification||You have a right to rectify inaccurate Personal Data in order to make it accurate, up-to-date, complete and not misleading. If the Company rejects your request, the Company will record such rejection with reasons.|
|8.||Right to lodge a complaint||You will have the right to make a complaint in the case of where the Company, the Data Processor including the employees of the Company does not comply with the PDPA or other announcements of the PDPA.|
To exercise any of your Data Subject Rights, please contact our Data Protection Officer (DPO) via DPO.email@example.com menu or fill in the form available at our office or by contacting our Call Center Monday to Friday from 09.00-17.00 hours or through other channels. In case of a request for copy of your Personal Data, unless the Company has grounds to refuse your request, the Company will send such copy to you within 30 days upon obtaining your request. In certain cases, the Company may request additional data in order to confirm your identity and your rights as part of our security measures. If you have any questions or would like to exercise any rights relating to your Personal Data, please contact the DPO of the Company according to the provided details.
For those who are our existing customers before the PDPA comes into force, we will continue Processing your Personal Data provided that our data Processing will strictly follow the objectives and purposes for which you allowed us to collect your data. You may request us to stop Processing Personal Data about you through DPO.firstname.lastname@example.org. We will review your request on a case-by-case by basis. The Company would like to inform you that your consent withdrawal may affect the services that will be provided by the Company such as getting you in touch with our new products or services. This is because, for instance, the data, if remaining after consent withdrawal, may be insufficient for us to render complete services that you need or we may need time to request additional data from you.
In the event that the Personal Data you have provided has changed, we encourage you to notify the Company of such update or edit the provided Personal Data so that your Personal Data is accurate and up-to-date. If your Personal Data is incorrect, it may affect the services of the Company and the Company will not be responsible for any loss or damage that may arise with you or the third party as a result of your failure to correct or update your Personal Data to be accurate in any way.
When there is a request to exercise the rights, we will acknowledge receipt of the request and confirm that we’re looking into the request and will respond within the statutory timeframe. We will assess the legal requirements, legal basis of Processing, consequence that the request may result on you and we will respond to you in due course. Each request would be considered in relation to the facts and circumstances and the legal requirements at the time. We will keep track and record the request for accountability purposes.
You have the right to make a complaint in the case of where the Company, the Data Processor including the employees of the Company does not comply with the PDPA or other announcements of the PDPA.
If you consider that we have processed your Personal Data in violation of applicable law and failed to remedy such violation to your reasonable satisfaction, please contact the DPO of the Company via DPO.email@example.com at WHA Corporation Public Company Limited.
In addition, you can contact the Company via our Call Center on Monday to Friday from 09.00 – 17.00 hours or at our head office located at WHA Corporation Public Company Limited.
You also have the right to lodge a complaint with the Personal Data Protection Commission or any Expert Committee appointed by it in accordance with the law.
The company certifies that all the Personal Data collected will be stored safely and strictly with adequate security standards. If you have a reason to believe that your Personal Data has been breached or if you have any questions regarding this Privacy Notice, please contact the DPO of the Company.
The company will take appropriate steps to ensure that all Personal Data collected and processed is kept secure and protected against unauthorized or unlawful Processing, use, modification or disclosure, accidental loss or destruction of, or damage by establishing the policies and procedures, and implementing the technologies and software such as user authentication control, external and internal network perimeter controls and malicious program/ software control.
Subject to obtaining your consent, we may place Cookies on your web browser, your device or read Cookies already on your device when you visit our websites or check for messages.
- distinguish between users;
- tailor our websites and services to the needs and preferences of visitors;
- improve the use and the functionality of our websites; and
- analyse how our website is used and compile anonymous and aggregate statistics
You may choose to disable some of the above cookies while visiting our websites. However, disabling any of such cookies may impact your experience on our websites.
If you use different devices to access our websites, we recommend you ensure that each browser of each device is set to your cookie preference.
For more details on cookie management, please refer to our ‘Cookies policy’.
The Company’s websites may be redirected to other websites for the purpose of facilitating you when you visit other websites. These websites may collect your Personal Data. The Company is not responsible for the Processing of your Personal Data by other websites or such parties. For this reason, the Company recommends that you carefully review the Privacy Notice of these websites before you use the service on those websites.
The Company reserves the right to change, amend or update the Privacy Notice at any time as it deems appropriate by notifying you of the said change. The Company will notify the changes on the website or via [other channel(s) to be determined by CEO at a later stage] in which you can check at any time.
If you have any comments, suggestions, questions or want to make a complaint regarding your Personal Data, please contact the DPO of the Company via DPO.firstname.lastname@example.org at WHA Corporation Public Company Limited.