Jungceylon

PRIVACY POLICY



Phuket Square Company Limited (the “Company”) recognizes the importance of protecting the personal data of data subjects, which is a fundamental right to privacy. Naturally, data subjects would wish for their personal information to be securely safeguarded. For data subjects to be confident in the Company’s protection of personal data, the Company has established this privacy policy (the “Policy”) to set forth the procedures related to the collection, use, and/or disclosure of personal data, with details as follows.
1. Objectives
The objectives of this Policy are as follows:
1.1. To define the roles and responsibilities of departments, executives, and employees involved with personal data;

1.2. To establish procedures or standards for ensuring the security of personal data protection;

1.3. To outline the guidelines for employees' operations in compliance with personal data protection laws; and

1.4. To build confidence in the security of personal data among individuals, customers, business partners, service users, and other stakeholders involved with personal data.
2. Scope of Application
This Policy applies to the personal data belonging to the following:
2.1. Individual customers of the Company, including target customers (potential future customers), current customers, and former customers.

2.2. Employees, personnel, authorized persons, shareholders, directors, and other individuals within the Company.

2.3. Employees, personnel, authorized persons, shareholders, directors, representatives, and other individuals associated with the Company's corporate customers, including target customers (potential future customers), current customers, and former customers.

2.4. Individuals who are not customers of the Company but engage in transactions or activities, or have a relationship with the Company, such as external service providers, partners, and contractors with the Company (hereinafter, unless specifically referring to sections 2.1 to 2.4, the individuals mentioned in sections 2.1 to 2.4 will be collectively referred to as "Data Subjects.")
3. Definition
Words: Definition
Company: Phuket Square Company Limited
Individual: Living individual
Personal data: Information about an individual that can be used to identify that person, either directly or indirectly, excluding deceased persons. The Company may collect, use, and/or disclose personal data of Data Subjects obtained directly from the Data Subjects (e.g., through the company's registration platform) or received or accessed from other sources (e.g., the Department of Business Development, Ministry of Commerce, the Department of Provincial Administration, Ministry of Interior, the Department of Consular Affairs, Ministry of Foreign Affairs, Legal Execution Department, or other public information sources), or through affiliated companies, service providers, business partners, governmental agencies, or third parties.
Special Category Personal Data: Personal data under Section 26 which includes race, ethnicity, political opinions, beliefs in cults, religion or philosophy, sexual behavior, criminal records, health information, disabilities, union membership, genetic data, biometric data, or any other information that similarly affects the data subjects as determined by the Personal Data Protection Committee.
Data Subject: The data subject referred to by personal data means only a natural person and does not include a "juridical person" established by law. The data subjects are as follows:

1. Data subjects who are of legal age, meaning:
1.1 Individuals who are 20 years old or older, or
1.2 Individuals who are married at the age of 17 or older, or
1.3 Individuals who are married before the age of 17 with court permission, or
1.4 Minors whose legal representatives have consented to engage in commercial business or other business, or to enter into employment contracts. In these cases, minors are considered as if they are of legal age.

For any consent, data subjects who are of legal age can give their consent by themselves.

2. Data subjects who are minors, meaning individuals under 20 years old who are not considered of legal age as specified in section 1. Any consent must be obtained from their legal guardians who have the authority to act on behalf of the minors, and from the minors themselves if they are over 10 years old but under 20 years old.

3. Data subjects who are quasi-incompetent, meaning individuals who have been declared quasi-incompetent by the court due to physical disabilities, mental disorders, habitual wastefulness, chronic intoxication, or other similar reasons, which make them unable to manage their affairs or handle their assets in a way that would not harm themselves or their families. Any consent must be obtained from their guardians who have the authority to act on their behalf.

4. Data subjects who are incompetent, meaning individuals who have been declared incompetent by the court due to mental illness. Any consent must be obtained from their custodians who have the authority to act on their behalf.
Data controller: A person or juridical person who has the authority to make decisions regarding the collection, use, or disclosure of personal data.
Data processor: A person or juridical person who acts in relation to the collection, use, or disclosure of personal data according to the instructions or on behalf of the data controller. This person or juridical person is not considered the data controller.
Data Protection Officer (DPO): A person appointed by the Company to serve as the Data Protection Officer in accordance with the Personal Data Protection Act B.E. 2562.
Processing: Any operation or activity performed on personal data, whether by automated means or otherwise, such as collection, recording, structuring, storage, adjustment or modification, retrieval, use, disclosure by means of transmission, publication, or making available, organization or combination, restriction, deletion, or destruction of personal data.
Other definitions: Unless specified by this Privacy Policy, the definitions provided by the Personal Data Protection Act B.E. 2562 shall apply.
4. Personal data protection
The Company values the protection of personal data and will process personal data in accordance with the following principles:
4.1 Lawfulness, Fairness and Transparency: The Company will process data only based on lawful grounds and will clearly define how personal data is collected, used, and/or disclosed.

4.2 Purpose Limitation: The Company will process data only for the purposes that are specified and communicated at the time the personal data is collected, except where processing is necessary for related purposes or to explicitly comply with legal obligations.

4.3 Data Minimization: The Company will process only the personal data necessary to achieve the intended processing purposes.

4.4 Accuracy: The Company will take adequate measures to ensure that the personal data it stores is accurate, complete, current, and not misleading.

4.5 Storage Limitation: The Company will retain data only as long as necessary for its intended use, unless retention is required for compliance with document retention standards or regulatory requirements.

4.6 Integrity and Confidentiality: The Company will implement adequate technical and administrative measures to ensure that the personal data it stores receives an appropriate level of protection.

4.7 Accountability: The Company will take adequate actions to demonstrate compliance with the aforementioned principles.
5. Personal data collection
The Company will collect the following personal data from data subjects.
5.1 Personal data provided directly to the Company by data subjects: Generally, the Company collects personal data directly from data subjects through their interactions with the Company, such as inquiries, feedback, or complaints via the website, phone, email; engagement to receive services or entering into contracts with the Company; goods or service offering to and entering into contracts with the Company; marketing activities; or other events.

5.2 Personal data collected automatically: The Company may automatically collect certain technical data about devices, activities, browsing patterns, and website usage history of data subjects.

5.3 Personal data received from external sources: The Company may occasionally receive personal data from external sources, such as public information sources, data sources related to data subject’s business or commerce, or governmental agencies, whether or not the data subjects have directly provided their personal data or consented to its disclosure.

5.4 Personal Data collection will be conducted for specific purposes and only as necessary for those purposes or for directly related benefits. Data subjects will be informed of the following details before or at the time of collection:
1) The purpose of collecting the data,
2) The duration of data retention,
3) The types of individuals or entities to whom the personal data may be disclosed,
4) Contact information of the Company,
5) The rights of the data subjects, and
6) The impact of not providing personal data when required by law or for the execution of a contract.

5.5 Personal data collection requires consent, except on the basis of the following legal exceptions:
Legal basis under Section 24 for the collection, use, and disclosure of the personal data, including the following:
1) Archive/statistics/research: for the purposes of historical documentation, public interest, or research or statistical purposes;
2) Vital Interest: to prevent or mitigate harm to an individual’s life, body, or health;
3) Contractual basis: necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into that contract;
4) Public interest: necessary for the performance of a task carried out in the public interest by the data controller or in the exercise of official authority vested in the data controller;
5) Legitimate interests: necessary for the legitimate interests of the data controller or a third party, unless these interests are overridden by the fundamental rights and freedoms of the data subject;
6) Compliance with Law: to comply with legal obligations of the data controller.
For Special Category Personal Data under Section 26, consent is generally required unless one of the following legal exceptions applies:
1) Protection of life: to protect or prevent harm to life, body, or health where the data subject is incapable of giving consent;
2) Vital Interest: the processing of special category data, such as blood type or health information, as necessary is allowed in situations where consent cannot be obtained, such as in medical emergencies. Consent should be sought where feasible, with general data under Section 24 and special data under Section 26;
3) Non-profit activities: for lawful activities carried out by foundations, associations, or non-profit organizations with appropriate safeguards;
4) Publicly disclosed data: data that has been explicitly consented to be made public by the data subject;
5) Legal Claims: necessary for the establishment, exercise, or defense of legal claims;
6) Compliance with Laws: specific to fields such as preventive medicine, occupational health, employee work capability assessment, medical diagnosis, healthcare or social services, medical treatment, health management, social welfare systems, public health, labor protection, social security, national health insurance, legally eligible medical benefits, accident protection, or social protection, scientific research, historical or statistical purposes, or other significant public benefits.

5.6 The collection of personal data of persons with limited capability shall proceed as follows:
1) In the case where data subjects are minors under 10 years of age, the Company will seek consent from their legal guardians. For data subjects over 10 but under 20 years of age, the Company will seek consent from both their legal guardians and the minors themselves;
2) In the case where data subjects are quasi-incompetent individuals, the Company will seek consent from their appointed guardians who have the authority to act on their behalf;
3) In the case where data subjects are incompetent, the Company will obtain consent from their appointed custodians who have the authority to act on their behalf.
If consent is not obtained in accordance with data protection laws, such consent may not be legally binding on the data subject.

5.7 Special category personal data shall not be collected unless there is a need for such collection, for which clear consent must be obtained from the data subjects, except where collection of special category personal data without consent is permitted by law, according to 5.5.

5.8 Collection of third-party information: if the data subject provides the Company with personal information about third parties, such as emergency contacts, references, or family members, e.g., names, addresses, phone numbers, or other contact details for emergency purposes, through application forms or transactions with the Company, the data subject shall ensure that this information is legally accurate. The data subject shall also inform these individuals about the Company's Privacy Policy and/or obtain their consent.

5.9 CCTV surveillance data collection: the Company collects data through CCTV surveillance to ensure the personal safety of data subjects including their properties; to safeguard the company's buildings, facilities, and assets from damage, interference, destruction, or other criminal activities; and for other related purposes, without having to obtain consent from the data subjects as the company relies on a legitimate interest basis for processing, and privacy notices and signage are provided in areas with surveillance equipment.
6. Personal data use or disclosure
6.1. The use or disclosure of personal data shall be in accordance with the purposes communicated to the data subject before or at the time of collection, and shall be based on the data subject's consent, unless exempted by law.

6.2. If a data processor is involved, who is an individual or an entity that acts in relation to the collection, use, or disclosure of personal data for or on behalf of the Company which is a data controller, a Data Processing Agreement (DPA) must be entered into by such individual or entity who processes data.

6.3. If a government agency or authority requests access to personal data based on laws, regulations, or orders that the Company must comply with, the Company will does not apply to general legal obligations that the Company is required to fulfill.

6.4. To achieve the objectives stated in this Privacy Policy, personal data may be used and/or disclosed to various departments within the Company and to external parties or entities as follows:
Types of data receiver: Details
6.4.1 The Company’s internal parties: Personal data of the data subjects may be used and/or disclosed or transmitted to various departments within the Company, including the Company’s head office and branches only as necessary and relevant to the specific purposes. These individuals or teams within the Company will be permitted to access the personal data of the data subjects as deemed necessary and appropriate:
• Customer service representatives or other relevant staff: access will be granted based on their role and responsibility
• Managers or direct supervisors responsible for managing or making decisions related to the data subjects or involved in personnel procedures
• Support departments or teams whose processes involve the handling of personal data.
6.4.2 Government agencies, regulatory bodies, or other lawful authorities: Personal data of the data subjects may be disclosed or transmitted to external organizations such as the Revenue Department, Social Security Office, the Department of Welfare and Labor Protection, the Department of Legal Execution, Ministry of Labor, or any other agencies authorized by law.
6.4.3 External organizations or individuals: The Company may disclose personal data of the data subjects to external organizations or individuals who inquire for the purpose of verifying the data subjects' transactions and to provide services that align with the needs of the data subjects.
7. Personal data transfer or transmission to foreign countries
7.1. The Company may transfer or transmit the personal data of data subjects to other individuals or entities, both domestically and internationally, as necessary to fulfill a contract to which the data subject is a party; to comply with contractual obligation between the Company and other individuals or entities for the interest of the data subject; to proceed as requested by the data subject prior to entering into a contract; to prevent or suppress danger to the life, body, or health of the data subject or others; to comply with legal obligations; or as necessary for the performance of tasks carried out in the public interest.

7.2 The Company may store the data subject's personal data on computers, servers, or cloud services provided by third parties and may use software or applications from third parties in the form of Software as a Service (SaaS) or Platform as a Service (PaaS) to process personal data. In this regard, the Company will not allow unauthorized persons to access personal data and will require these third parties to have adequate personal data security measures in place.

7.3 In the case where personal data of data subjects is required to be transferred or transmitted to foreign countries, the Company will comply with personal data protection laws and apply adequate measures to ensure that the personal data of data subjects is protected, and that the data subjects will be able to exercise their rights regarding their personal data as prescribed by law. The Company will also require the recipients of the data subject’s personal data to implement adequate measures to protect the personal data and to process it only as necessary. Furthermore, the Company will prevent unauthorized or unlawful use or disclosure of personal data.
8. Personal data retention and retention period
The Company will proceed as follows with regard to personal data retention:
1) Retain personal data in physical documents and electronic formats
2) Retain personal data with restricted access, on server, and/or in online cloud storage

The Company will store the personal data of data subjects for the period necessary to process the data in accordance with the purposes defined by the Company and with applicable legal requirements.

Criteria to determine the retention period include the period during which the Company has obligations to the data subject. The data may be retained as necessary to comply with legal requirements, statute of limitations, for the establishment, exercise, or defense of legal claims, or for other reasons according to the Company's internal policies and regulations.

The Company will continue to collect, use, and disclose the personal data of data subjects as necessary, even after the data subject terminates any relationship with the Company, to comply with legal requirements for legitimate interests, or to retain the data in a directly or indirectly unidentifiable form, such as data anonymization or data pseudonymization.

The Company may retain the personal data of data subjects for the period necessary to fulfill the data processing purposes as specified in the privacy notice. The Company will retain processed personal data for no more than 10 years from the date the data subject terminates their relationship or last contact with the Company, unless a longer retention period is permitted by law.

The Company will conduct regular reviews to delete or destroy personal data, render it permanently unidentifiable, or otherwise limit the personal data when the retention period has expired, the data is irrelevant, or exceeds the necessary purposes of collection, or upon the data subject's request for data deletion.

Personal data for which the data subject has given consent for processing, whether for collection, storage, use, or disclosure under the purpose requested by the Company, will be retained in the Company’s storage system for 10 years from the date of consent.
9. Roles and responsibilities
The Company requires employees or departments handling personal data to prioritize and take responsibility for the collection, use, or disclosure of personal data in strict accordance with the Privacy Policy and practices. The following individuals or departments are assigned to oversee and audit the Company's operations to ensure compliance with the Policy and the personal data protection laws:

9.1 Data Controller
Responsibilities: Details
1. Collect, use, disclose personal data in accordance with law: The collection, use, and disclosure of personal data shall be supported by a legal basis, and data subjects shall be informed of such acts. Personal data shall be collected directly from the data subjects unless an exception applies in relation to the document preparation responsibility, to ensure that data subjects are confident about how their personal data will be collected and managed by the data controller if they consent to it.
2. Provide channels for data subjects to exercise their rights: Provide a channel for data subjects to exercise their rights and to record their requests when the data controller denies the exercise of a data subject's rights, as well as the basis of such denial as required under Section 39.
3. Implement personal data security measures: To prevent loss or unauthorized or unlawful access, use, alteration, modification, or disclosure of personal data, and to review such measure when necessary or upon technological changes to ensure adequate security efficiency based on minimum standards.
4. Implement measures to prevent unauthorized use or disclosure of personal data: In cases where personal data needs to be provided to other individuals or entities that are not data controllers, such as personal data transfer to data processors, measures must be implemented to prevent unauthorized or unlawful use or disclosure of personal data by such parties.
5. Implement monitoring system to delete, destroy, or anonymize personal data: Implement a monitoring system to delete or destroy personal data once the retention period has expired, when the data is no longer relevant or necessary for the purpose for which it is collected, upon request from the data subject, or when consent is withdrawn, unless the data is retained for purposes related to freedom of expression, establishing legal claims, complying with or exercising legal rights, defending legal claims, or fulfilling legal obligations.
6. Report of personal data breaches: Report any personal data breaches to the Office of the Personal Data Protection Committee (PDPC) within 72 hours after becoming aware of the incident. If the breach poses a high risk to the rights and freedoms of individuals, notify the affected data subjects of the breach along with the remediation plan without delay.
7. Appoint a representative in Thailand: If the data controller is located outside Thailand, they must appoint a representative in Thailand in writing. This representative must be located in Thailand and be authorized to act on behalf of the data controller without any limitations of liability concerning the collection, use, or disclosure of personal data according to the data controller's objective.
8. Record of Processing Activities (RoPA): Implement the Record of Processing Activities (RoPA) in a physical or electronic format to allow the data subject and the Office of the Personal Data Protection Committee (PDPC) to verify.
9. Execute Data Processing Agreement (DPA) between the data controller and data processor: In performing the data processing duties as assigned by the data controller, the data controller shall execute an agreement to regulate the operations of the data processor.
10. Appoint Data Protection Officer (DPO): If the data controller falls under the criteria established by law requiring the appointment of a Data Protection Officer (DPO) as specified in the announcement regarding the appointment of a DPO under Section 41 (2), the data controller shall appoint a Data Protection Officer and notify the Office of the Personal Data Protection Committee (PDPC).

9.2 Data Processor
Responsibilities: Details
1. Process personal data under the instructions of the data controller: Collect, use, or disclose personal data only according to the instructions received from the data controller, unless such instructions are contrary to the law or provisions on data protection.
2. Implement adequate data security measures: Implement adequate data security measures to prevent the loss, unauthorized or unlawful access, use, alteration, or disclosure of personal data, as well as notifying the data controller of any personal data breaches that occur.
3. Maintain a record of personal data processing activities: Prepare and maintain records of personal data processing activities in accordance with the criteria and methods provided by the PDPC’s regulations.
4. Execute a Data Processing Agreement: The execution of the data processor’s responsibilities, as assigned by the data controller, must be governed by an agreement between the parties to regulate the execution of the data processor's responsibilities.

9.3 Data Protection Officer (DPO)
Responsibilities: Details
1. Provide consultation: Provide consultation to the data controller or the data processor, including employees or contractors of the data controller or the data processor.
2. Inspect the operations: Inspect the operations of the data controller or the data processor, including employees or contractors of the data controller or the data processor, regarding the collection, use, or disclosure of personal data.
3. Coordinate and cooperate with the Office of the Personal Data Protection Committee (PDPC): Coordinate and cooperate with the Office of the Personal Data Protection Committee (PDPC) in cases of issues related to the collection, use, or disclosure of personal data by the data controller or the data processor.
4. Maintain data confidentiality: Maintain the confidentiality of personal data learned or acquired through the performance of duties.
10. Data Security Measures
The Company has implemented the following measures for the protection of personal data confidentiality and security.
10.1 The Company will establish access rights for the use, disclosure, and processing of personal data, including the identification or verification of individuals accessing or using personal data, by implementing security measures and processes for reviewing and assessing the effectiveness of these security measures, in strict accordance with the Policies related to the company's personal data protection operations.

The Company will ensure that personal data is well-protected through technical measures and organizational measures to maintain adequate security and prevent data breaches. The Company has set policies, regulations, and criteria for data protection, including measures to prevent data recipients from using or disclosing data for purposes outside those intended or without proper authority. These policies, regulations, and criteria are regularly updated as needed. Additionally, executives, employees, contractors, representatives, consultants, and data recipients from the Company are required to maintain the confidentiality of personal data according to the Company's confidentiality measures.

10.2 When transferring personal data to foreign countries or storing it in data systems hosted abroad, the destination country must have data protection measures that have adequate standards or those outlined in this Policy.

10.3 In the event of a breach of the Company's security measures that results in a personal data breach, the Company will notify the Office of the Personal Data Protection Committee (PDPC) within 72 hours from the time the company becomes aware of the breach, to the extent possible. If the breach poses a risk to the rights and freedoms of the data subject, the Company will notify the data subject of the breach, along with remediation measures, without undue delay. The company will not be liable for any damages arising from the intentional or negligent actions or omissions by the data subject or any other person authorized by the data subject that result in personal data being used or disclosed to third parties.

The Company will regularly review and update its personal data security measures to ensure an appropriate level of security relative to the risks and to maintain confidentiality, integrity, availability, and flexibility in processing personal data. This includes protecting against loss, unauthorized collection, access, use, alteration, modification, or disclosure of personal data. The Company will apply these security measures to all types of personal data processing, whether electronic or paper based.
11. Data subject rights
Data subjects are entitled to the following.
11.1 Right to withdraw consent: Data subjects have the right to withdraw their consent easily and may do so at any time. The Company will inform the data subjects about the impact of such withdrawal, which will not affect the collection, use, or disclosure of personal data for which consent was given prior to the withdrawal. However, if the personal data is stored in other databases, the data subjects may not be able to withdraw their consent.

The withdrawal of consent can be done electronically or in writing, as long as it is similar to the method used in giving consent. For instance, if consent is provided in writing, withdrawal must also be in writing to ensure clear evidence, especially when consent involves minors (as defined in the Civil and Commercial Code, Sections 19 and 20, where minors are individuals who have not reached legal age: either 20 years old or have been married). Consent or withdrawal of consent must be authorized by the minor’s guardian. After the data subject exercises their right to withdraw consent, the Company will delete all related personal data within 7 days.

11.2 Right to access personal data: Upon receiving such request, the Company will prepare the relevant information. There are 3 categories of data to which data subjects are entitled under this right:
1) Confirmation that the Company has processed the data and must disclose the acquisition of data collected without consent;
2) Copies of the data as mentioned in point 1;
3) Supporting Information including:
• Processing purposes
• Personal data types
• Data recipients or types of data recipients, including specifically those outside the country or international organizations
• The retention period of the personal data
• The rights of the data subject to rectify, erase, and restrict or object to the processing of their data
• The right to lodge a complaint with a supervisory authority
• Information about the data source if not collected directly from the data subject
• Details related to automated decision-making and profiling, including the logic used and the expected consequences of such processing.

Grounds for denial: The data controller may deny the request in the following cases:
1) The data controller is able to prove that a denial is in accordance with the law or a court order;
2) The request infringes upon the rights or freedoms of others.

11.3 Right to data portability: The Company will prepare personal data in a structured and machine-readable format to facilitate the transfer of personal data to another data controller upon request. The data transfer will not be in a format that hinders the processing capabilities of the recipient.

Personal data received by the Company will only come from the data subject, including cases involving the monitoring of the data subject’s activities, such as search data and location data. However, this does not include anonymous data or data that has been anonymized in a way that prevents identification of the data subject. Pseudonymized data will fall under this right if it can be linked back to and identify the data subject.

Grounds for Denial: The data controller may deny the request in the following cases:
1) The processing is necessary for the performance of a task carried out in the public interest;
2) Such request would negatively impact the rights and freedoms of others, such as disclosing data that contains trade secrets or intellectual property of third parties;
3) In the case of denial to comply with the right to data portability, the Company will document the request. Additionally, the data subject has the right to file a complaint with the supervisory authority to ensure the Company complies with the rights.

11.4 Right to object to data processing: Data subjects have the right to object to the collection, use, or disclosure of their personal data. This right can be exercised in three scenarios:
1) When personal data is collected, used, or disclosed under an exemption of consent, unless the Company can demonstrate compliance with the law;
2) When personal data is collected, used, or disclosed for direct marketing purposes;
3) When personal data is collected, used, or disclosed for scientific, historical, or statistical research, unless it is conducted for the public benefit of the data controller.

Grounds for Denial: Where the data controller denies a request to exercise the right to object to data processing, the Company shall also record the request. Additionally, the data subject has the right to file a complaint with the supervisory authority to ensure that the Company complies with the rights.

11.5 Right to erasure: The Company will delete, destroy, or anonymize personal data so that the data subject cannot be identified through personal data where the following ground applies:
1) The personal data is no longer necessary for the purposes for which it was collected, used, or disclosed;
2) The data subject does not consent to the collection, use, or disclosure of personal data, and the data controller has no legal authority to retain the data;
3) The data subject objects to processing and the Company cannot rely on consent as the basis for processing;
4) The data subject objects to processing and the Company has no lawful basis for processing, or for establishing legal claims, or for defense in legal claims, or for compliance with the law;
5) The data subject objects to processing for direct marketing purposes;
6) The processing of personal data is unlawful;
7) The deletion of data is in accordance with the law and the company's policies.

In the case where data has been disclosed to third parties, the Company shall ensure that such third parties also delete the data in any format in which it is maintained, whether original, copies, or links associated with the personal data, at the Company’s expense.

Grounds for Denial: The data controller may deny the request where the following ground applies:
1) The processing is necessary for expressing or exercising rights and freedoms concerning the data, for which case consideration should be given to the necessity and appropriateness of using the personal data for expression, such as whether the data is outdated and no longer suitable for use;
2) The processing is in accordance with the purpose of creating historical documents or archives for public benefit, or related to research or statistics, with appropriate measures in place to protect the rights and freedoms of the data subject, or when the processing is necessary for performing public duties related to the data controller’s interests, or exercising powers delegated to the data controller, or for retaining special categories of personal data required to fulfill statutory duties for the purposes of preventive medicine, occupational medicine, or public health, as per Sections 26(5)(a) and (b) of the Personal Data Protection Act B.E. 2562;
3) When personal data retention is for the establishment, compliance with, or exercise of legal claims, or for defense against legal claims, or to comply with legal obligations;
4) When there is a denial to comply with the right to delete data, the data controller shall record the data subject's request, and the data subject has the right to file a complaint with the supervisory authority to ensure that their rights are enforced.

11.6 Right to restriction of processing: The Company will suspend the processing of personal data where any of the following four cases applies:
1) The Company is in the process of verifying the data for correction;
2) The Company intends to delete or destroy the personal data, but the data subject requests the suspension of data processing;
3) The personal data is no longer necessary to retain for the purposes of such collection, but the data subject needs it to be retained for legal claims;
4) The data subject is in a process where the Company has denied the request to exercise the right to object to data processing.

The suspension of processing may be carried out in various ways, depending on the nature of the processing activities. The data subject may request suspension of processing through the following methods:
1) Temporarily moving personal data to another processing system;
2) Temporarily suspending user access to the data;
3) Temporarily removing data from a website or system.

If personal data has been disclosed to third parties, the data subject must notify those third parties to suspend processing as well.

Grounds for Denial: The data controller may deny the request in the following cases:
1) When the data subject objects to processing and the Company believes that there are legitimate grounds for continuing the processing, such as for the performance of tasks carried out in the public interest or for other legitimate interests;
2) When the request to suspend processing is denied, the Company must record the request.

11.7 Right to rectification: The Company is responsible for ensuring that personal data is accurate, up-to-date, and not misleading. The Company should establish guidelines requiring the data subject to provide relevant evidence or documents to support their claim that the data held by the Company is incorrect or incomplete. When data is transferred to third parties, the data subject must also inform the data recipients of these changes.

Grounds for Denial: The data controller may deny the request in the following case: When a request to exercise the right to rectification is denied, such as when there is insufficient reason because the data is already correct, the Company must record the request.

11.8 Right to complaint: Data subjects have the right to lodge a complaint with the expert committee appointed by the Personal Data Protection Committee, in accordance with the regulations and procedures set forth by data protection laws, if they believe that the collection, use, and/or disclosure of their personal data is in violation of or not compliant with applicable laws.

The Company has the sole authority and discretion to accept or deny the data subject's request. The exercise of the data subject's rights may be restricted under applicable laws, and there may be instances where the Company may deny or be unable to act on the data subject's request, such as in complying with legal requirements or court orders, in the public interest, or if fulfilling the request could infringe upon the rights or freedoms of others. If the Company denies the request, it will provide the data subject with the ground for such denial. In this regard, the Company will process the data subject's request within the following time frame.

No. | Right | Processing time from the data subject’s request date
1 | Right to withdraw consent | 7 days
2 | Right to access personal data | 30 days
3 | Right to data portability | 30 days
4 | Right to object | 30 days
5 | Right to erasure | 30 days
6 | Right to restriction of processing | 30 days
7 | Right to rectification | 11 days
12. Awareness raising for personnel
The Company arranges for the training and evaluation on compliance with personal data protection laws to all levels of management and employees. In this regard, the personal data coordinator shall attend the training and ensure strict participation of their subordinate employees who handle personal data. This is to promote awareness of personal data protection among the Company’s operational personnel and to keep them informed about changes in work procedures to be compliant with personal data protection laws. Furthermore, the Company will conduct inspections or ensure that its personnel are adequately aware and understand personal data protection to appropriately follow the procedures, legal requirements, or personal data protection policies set forth by the Company. The primary objective is to embed personal data protection into the organizational culture and integrate it as part of the Company's working approach.

Monitoring compliance results: The Company will implement guidelines for regularly and continuously monitoring work processes, from data collection, retention, to deletion, for the following purposes:
1) To ensure consistently accurate and full compliance with the law, and
2) To review the Company’s work procedures to ensure alignment with the law if the Company has increased or modified its personal data processing activities.
13. Amendments to the Policy
The Company will review its Privacy Policy at least once a year, and upon any amendments or changes, will announce such amendments or changes to employees and relevant external parties within 30 days from the date of the amendment or change.
14. Penalties
The data controller, data processor, or any responsible party who neglects or fails to order or take action, or who orders or takes any action in their duties in violation of the policy and practices related to personal data, and/or as stipulated by the Personal Data Protection Act B.E. 2562, resulting in legal violations and/or damages, shall be subject to disciplinary action according to the Company’s regulations and to relevant legal penalties. If such misconduct causes damage to the Company and/or any other person, the Company may consider taking further legal action.
15. Contact channels
If you have any suggestions, questions, or need information regarding the collection, use, and/or disclosure of personal data, including rights under the personal data protection law, or if you wish to withdraw consent or stop receiving marketing communications, please contact the Company through the following channels:

Data Protection Officer
Phuket Square Co., Ltd.
Address: 175,177,181,193,195,197 and 201, Raj-Uthit 200 Pee Road, Patong Subdistrict,
Kathu District, Phuket
Email address: [email protected]
Phone number: +66 76-600-111 ext. 600
Operating hours: Monday to Friday from 09.00 to 18.00 hrs.

This Policy shall take effect from 11 November 2024 onwards.

