Latest update on 14 September 2020.

 

1. Principles and objectives

 

CUEL Limited (“the Company”) is committed to strengthen personal data protection in accordance with the Personal Data Protection Act B.E. 2562 (2019) and therefore introduces this Privacy Policy to ensure the Company’s compliance with laws and international standards on personal data protection. In addition, the Company has established rules for the protection of personal data of data subjects and has implemented effective and appropriate measures for addressing any violations of the rights of data subjects.

 

2. Scope of enforcement and application

 

The scope of enforcement and application of the Privacy Policy prepared in accordance with the Personal Data Protection Act B.E. 2562 (2019) covers all processing of personal data performed by the Company, as well as any person who comes into contact with personal data because it is related to the Company's operations and must therefore comply with this Privacy Policy and the legal framework.

With respect to personal data collected prior to the introduction of the Personal Data Protection Act B.E. 2562 (2019), the Company is allowed/ enable to continue collecting and using the personal data for the initial purposes. Any disclosures and acts other than the collection and use of personal data must be in compliance with the Personal Data Protection Act B.E. 2562 (2019).

 

3. Definitions

 

“Privacy Policy” means the policy that the Company has established to make the data subject aware of the Company’s processing of data and a number of relevant issues as stipulated by the Personal Data Protection Act B.E. 2562 (2019).

“Personal Data” means any information relating to an identifiable person, either directly or indirectly, but excluding the information of a deceased person in particular.

“Sensitive Data” means personal information relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biological data, or any other data which may impact the data subject in a similar manner, as stipulated in the Personal Data Protection Commission’s announcements.

“Processing” means the collection, use, or disclosure of Personal Data.

“Data Subject” means an individual who is the owner of Personal Data.

“Data Controller” means a person or juristic person with power and duties to make a decision regarding the collection, use or disclosure of Personal Data.

“Data Processor” means a person or juristic person who processes, collects, uses or discloses Personal Data in accordance with an order of or on behalf of the Data Controller. The person or the juristic person engaging in those procedures is not the Data Controller.

“Cookies” means small, temporary files collecting Personal Data that it is necessary to install on the computer of the Data Subject only for convenience and facilitation of communication while gaining access to a website.

 

4. Roles and responsibilities

 

4.1 Roles and responsibilities of the Company are set forth in accordance with the Personal Data Protection Act B.E. 2562 (2019) in cases where the Company is the Data Controller or the Data Processor.

 

Roles	Responsibilities
Data Controller	To put in place appropriate protection measures to prevent loss of, or unauthorized or illegal access to or use, alteration, modification or disclosure of Personal Data and to review the measures where necessary or when technology changes To take appropriate courses of action to prevent unauthorized or illegal exploitation or disclosure of Personal Data by a recipient who is not the Data Controller. To establish a system of checks of the deletion or destruction of Personal Data as stipulated by the Personal Data Protection Act B.E. 2562 (2019) To inform the Office of the Personal Data Protection Commission and the Data Subject of any breach of Personal Data immediately To keep records of transactions as stipulated by the Personal Data Protection Act B.E. 2562 (2019) To establish a Personal Data processing agreement between the Data Controller and Data Processor in cases where the Personal Data processing is assigned to a Data Processor To provide the Data Subject and the Office of the Personal Data Protection Commission with information about data protection officers, where they can be contacted and the method of contact To support the data protection officers in performing their duties
Data processor	To carry out the collection, use, or disclosure of Personal Data in accordance with the orders received from Data Controllers only, unless the order is contrary to the law or the provisions regarding personal data protection under the Personal Data Protection Act B.E. 2562 (2019) To establish appropriate security measures to prevent loss of or unauthorised or unlawful access to or use, modification, correction or disclosure of Personal Data To notify the Data Controller of Personal Data breaches To prepare and maintain records of Personal Data processing activities To provide Data Subject and the Office of the Personal Data Protection Commission with information about data protection officers, where to contact them and the methods of contact. To support the data protection officers in performing their duties.

 

4.2 Roles and responsibilities of management, Personal Data protection officers, officers and employees of the company

 

Role	Responsibilities
Management	Carry out, reviews and monitor that the performance of officers and employees strictly complies with the Privacy Policy
Officers and employees	To strictly comply with the Privacy Policy
Personal data protection officer	To advise, manage, and monitor the compliance of Personal Data processing with the Personal Data Protection Act B.E. 2562 (2019) To report any issues that arise when performing duties to top management To coordinate and cooperate with the Office of the Personal Data Protection Commission To report breach of Personal Data incidents to the Office of the Personal Data Protection Commission and the Data Subject without delay, in accordance with the rules established by the Company and in compliance with the law To prepare and review personal data protection policies To maintain the confidentiality of Personal Data that becomes known or is gathered in the course of performing duties To perform duties or other tasks in compliance with the law

 

5. Personal Data Collection

 

The Company’s collection of Personal Data (such as specific personal information, information related to personal life or personal interests, financial information, sensitive personal information) is to be based on the following sources and principles:

 

5.1 Sources of Personal Data

The Company may receive Personal Data from 2 channels as follows:

5.1.1 Collection from the Data Subject, for example, collection of Personal Data from filling out personal information in application forms, either in paper form or online, responses to surveys conducted by the Company, or access to the Company’s website using Cookies

5.1.2 Collection from sources other than the Data Subject, for example, searches for Personal Data via a website or inquiries made by third parties. In these cases, the Company will notify Data Subject of the Personal Data collection without delay, but not more than 30 (thirty) days from the date the Company collects Personal Data from such sources, and request consent to collect the Personal Data from the Data Subject, except where exempted by law from the need to request consent from or notify the Data Subject.

 

Examples of data that the Company may collect are as follows:

• Personal information: name, date of birth, nationality, ID card number or passport number, or other identifiable government documents
• Contact information: email address, phone number, and fax number
• Work history: professional status, position
• Information on use of websites: username and password for use of online services and applications, IP address information
• Information on use of Cookies
• Data from marketing surveys: data analysis, marketing statistics of Data Subject
• Sensitive information: information on religion, health, criminal history
• Information on devices and the locations of devices, such as GPS data
• CCTV footage
• Conversations and communications by telephone or electronic equipment

 

5.2 Principles of Personal Data collection

5.2.1 The Company will only collect Personal Data that is necessary for the operations of the Company. However, the purposes for which the Company processes Personal Data may differ by case, and can be, for examples, exemplified as follows:

• To provide information to customers for bidding process prior to entering into agreement.
• To enter into an agreement and comply with an agreement between the Company and the customers
• To verify identity or investigate an individual before providing services or entering into an agreement with the Company
• To comply with laws relating to the operations of the Company, e.g., to collect Personal Data for the purpose of withholding tax
• To provide information to government agencies as required by law or by public authority
• For the purposes of audit, analysis and preparation of documents as requested by other agencies or organisations that are involved with or may be relevant to the Company's business operations
• For the benefit of the Company’s internal management, e.g., to pay salaries and compensation to its employees, wage earners and trainees, to enter into an employment agreement, to internally manage personnel of the Company and to provide benefits to employees and wage earners of the Company

5.2.2 In case where it is necessary for the Data Subject to provide the Personal Data for the purpose of entering into the contract or any other purposes, a refusal of presenting the Personal Data may affect a transaction or any other activities relating to the Data Subject being suspended or ceased as required by business operation or laws, unless the Data Subject provides such data to the Company. 

5.2.3 The Company will collect Personal Data only as long as necessary for the fulfilment of the purposes in accordance with applicable laws, with Data Subject notified prior to or at the time of collection of Personal Data. The Company shall obtain explicit consent from Data Subject prior to or at the time of collection of Personal Data, except under the following circumstances, where the Company may collect Personal Data without requesting consent.

(1) To fulfill purposes relating to the preparation of historical documents or archives on public interest grounds or relating to research studies or statistics. In such cases the Company will implement appropriate security measures to protect the fundamental rights and freedoms of Data Subject.

(2) To prevent or to avoid danger to an individual’s life, body or health

(3) To comply with a contract, only to the extent that it is necessary to do so, to which the Data Subject is a party or in order to take steps requested by the Data Subject prior to entering into a contract

(4) To carry out tasks, only to the extent that it is necessary to do so, for the public interest or in the exercise of official authority vested in the Company

(5) For the purposes of legitimate interests pursued by the Company or by third parties or by other juristic persons, except where such interests are overridden by the fundamental rights and freedoms of Data Subject

(6) To comply with laws such as the Credit Information Business Operation Act, B.E.2559, Civil and Commercial Code and Criminal Code.

5.2.4 When collecting sensitive Personal Data, the Company shall obtain explicit consent from Data Subject prior to or at the time of collection, in accordance with the Company's rules and in compliance with applicable laws.

 

6. Use and disclosure of Personal Data

 

The use and disclosure of Personal Data by the Company shall be in compliance with the purposes and principles stated in Section 5.2 Principles of Personal Data collection. The Company may disclose Personal Data to agencies or third parties with the consent of the Data Subject only to the extent that it is necessary to do so, unless such disclosure is permitted by law. Personal Data may be disclosed to third parties, organisations or government agencies as follows:

(1) Affiliates or group companies

(2) Contractual parties, service providers and business partners of the Company

(3) Customers

(4) Banks

(5) Government agencies with legal authority such as the Social Security Office, the Revenue Department, the Legal Execution Department and courts

(6) Other agencies or organisations who are or may be involved in the business operations of the Company

 

7. Period for Personal Data retention

 

The duration for which the Company stores Personal Data will be either one of the following:

7.1 Personal Data will be kept for the periods stipulated by laws specifically relevant to retention of Personal Data such as the Accounting Act B.E. 2543 (2000), Anti-Money Laundering Act, B.E. 2542 (1999), Act on Commission of Offences Relating to Computer, B.E. 2550 (2007) and the Revenue Code.
7.2 In cases where the retention period for Personal Data is not specified by relevant laws, the Company will determine the period necessary and appropriate for its operations.

At the end of such period, the Company shall delete, destroy, or anonymize the Personal Data

 

8. Transmission or transfer of Personal Data to other countries

 

When the Company transmits or transfers Personal Data to another country, it shall take steps to ensure that the destination country has sufficient personal data protection standards. 

However, in cases where that the destination country does not have sufficient personal data protection standards, the transmission or transfer of such personal information must comply with exceptions specified in the Company’s rules that are not in violation of the law.  

 

9. Rights of personal data subjects

 

This policy is established to assure personal data subjects that they can exercise the following rights available to them under the Personal Data Protection Act, B.E.2562 (2019).

(1) Right to withdraw consent: The Data Subject have the right to withdraw their consent for the processing of Personal Data that they have given to the Company throughout the period in which the Personal Data is kept by the Company.

(2) Right of access: The Data Subject have the right to access their Personal Data and request the Company to make a copy of such data, including the right to ask the Company to disclose any acquisitions of their Personal Data for which consent has not been given.

(3) Right to rectification: The Data Subject have the right to request the Company to rectify incorrect or incomplete data.

(4) Right to erasure: The Data Subject have the right to request the Company to delete their Personal Data for certain reasons.

(5) Right to restriction of processing: The Data Subject have the right to request the Company to restrict the use of their Personal Data for certain reasons.

(6) Right to data portability: The Data Subject have the right to transfer Personal Data that they have provided to the Company to other Data Controllers or themselves for certain reasons.

(7) Right to object: The Data Subject have the right to object to the processing of their Personal Data for certain reasons.

However, the Company may refuse the exercise of the above rights by the Data Subject, provided that the rejection is in accordance with the Company’s rules that are not in violation of the law.

The Company shall provide a channel through which Data Subject can contact the Company to make requests to exercise the above rights. In the event that the Company rejects a request, it shall notify the Data Subject of the reason for the rejection.

The Data Subject has the right to file a complaint in case where the Data Controller or the Data Processor, including its employees or service providers violates the Personal Data Protection Act B.E. 2562 (2019), or notifications issued in accordance with the Act.

 

10. Personal Data security

 

The Company has established appropriate Personal Data security measures to prevent the loss of, unauthorized and unlawful access to, and the use, modification, correction or disclosure of Personal Data in accordance with the Company's policies and procedures for information security.

In case where the Company has engaged an agency or a third party to perform work related to the collection, use or disclosure of Personal Data of the Data Subject, it shall require the agency or the third party to keep the Personal Data confidential and secure, and to prevent the collection, use or disclosure of such Personal Data for any purposes other than specified in the scope of engagement or for any unlawful purposes. 

 

11. Policy review and improvement

 

The Company shall review and update this policy at least once a year, or when any change with a significant impact on the policy occurs.

 

12. Contact information

 

Details of Data Controller

Name: CUEL Limited

Address: 18 SCB Park Plaza, Tower 2 (West), 9^th Floor, Ratchadaphisek Road, Chatuchak, Chatuchak, Bangkok, 10900

Channels of contact: Telephone No. +66 (0) 2500 -1200

                                   www.cuel.co.th/

 

Details of Data Protection Officer

Address: 18 SCB Park Plaza, Tower 2 (West), 9^th Floor, Ratchadaphisek Road, Chatuchak, Chatuchak, Bangkok, 10900

 

E-mail:dpo@cuel.co.th

 

13. Ownership

 

This policy is managed and controlled by the Strategic Corporate Compliance department and must be approved by the Managing Director prior to any revision that may be necessary.