means Personal Data Protection Act B.E. 2562, as amended, including relevant rules, regulations, and orders.
means any Personal Data which can be identified a natural person directly or indirectly according to the Personal Data Protection Act B.E. 2562.
Data Protection Officer
means officer(s) appointed by the Data Controller to perform and act as the Data Protection Officer in accordance with the Personal Data Protection Act B.E. 2562.
means Thailand Professional Qualification Institute (Public Organization)
means the natural or juristic person that has the authority to make decisions about the Personal Data and to obtain the Personal Data from the Customer to provide services or to perform contract obligations with such persons.
means a natural person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller.
Means business or trade partners which are the Institute’s allies or operating jointly with the Institute [please provide the list of the Institute’s allies or refer to such list via QR code or url link]
means any website owned or provided by Thailand Professional Qualification Institute (Public Organization) as the case may be.
2. General Provision
3. Collection of Personal Data
The Institute will collect your Personal Data for the Institute’s purposes and shall collects only to what necessary to fulfil the purposes of Personal Data processing and to comply with PDPA in the following ways
- The Institute will legitimately collect, use, and/or disclose Third Party’s personal data. The institute would only collect Third Party’s Personal Data that is necessary to fulfill the purposes of processing of Personal Data and in accordance with the law.
- General Personal Data such as
- personal information such as name and surname, date of birth, age, gender, photo, signature, workplace, job position, education background, employment information, training experiences, work experiences or personal information based on copies of documents issued by authority agencies such as copy of national identification card number, copy of passport, copy of house registration, etc.
- Contact information such as address, telephone number, email, contact point in the event of an emergency, or other related information which the Institute can contact.
- Financial information such as bank account information or tax pay identification number.
- Information for references such as Personal Data as shown in the copy of identification card, copy of passport, copy of name change document, copy of house registration, copy of driving license, copy of vehicle registration, vehicle registration number, copy of land deed, copy of power of attorney, copy of Company certificates, invoices, receipts, payment vouchers or copy of professional licenses, etc.
- IT Information such as log, IP address, location, browser, referring website, login log, transaction log, Access time, social media, cookies, or other technologies in the same manner.
- CCTV footage which records your stills and moving footages, voice records or other Personal Data which can be identified natural person.
- Third Party’s refusal to provide Third Party’s personal data, or Third Party’s giving of inaccurate or outdated Personal Data to the Institute, may result in Third Party’s inability to conduct any transactions with the Institute or to demand certain performance of a contract with the Institute. All of these restrictions may potentially cause damages and lost of opportunities for Third Party and may potentially affect any legal obligation in which Third Party or the Institute, as the case may be, is required to comply. The Institute collects, uses, and/or discloses as follows
- Sources of Personal Data
The following are multiple sources which the Institute collect your Personal Data from:
- Personal Data obtained from you directly, for example, you fill in your Personal Data through Institute’s applications in Institute’s Websites or though other available channels, or when you enter into a contract with the Institute, or when you submitted or make copy of any document pertaining Personal Data to the Institute, or when you submit your questions, concerns, complaint, appraisal to the Institute via telephone, e-mail, postal, your cookies in visiting Institute’s Websites or applications, your cookies in IP address, etc.
(2) Personal Data obtained from Third Parties or other reliable sources such as government agencies, Department of Business Development website, Revenue Department website, etc.
4. Purposes of Processing of Personal Data
The Institute shall collect your Personal Data only to what necessary to fulfil the purpose. Nonetheless, the Institute may have different purposes for Processing of Personal Data as follows:
- The collection, use, disclosure of Personal Data for the following purposes:
- For the purposes of drafting and managing contracts made between the Institute and other contractual parties including for performance of a contract.
- For the purposes of procurement or registration of new contracting parties or any other persons with the same manner as well as processing of requests of the contracting party or any other person with the same manner.
- For recording the Institute’s creditor, for issuing invoices and tax invoices, for the Institute’s credit bureau, for disbursement including related financial transactions and accounting operations.
- For identification or verification of the data subject in cases of accessing services, entering into a contract, performing contractual obligations, to ensure that the services provided and all Institute’s communication that take places are kept in secure and confidential manner.
- For communicating or coordinating Institute business operations or tasks with third parties, contractors, and contract parties.
- For legal obligations purposes which related to the Institute’s business operation and to comply with the government’s official orders such as registration of business at the Department of Business Development, notification of registration personnel or related persons, conducting tax reports to submit to the Revenue Department, accounting audits by the auditors, etc.
- For Institute’s public announcements such as the Institute’s news and events, trainings, conferences, seminars, the Institute’s projects, relation events, social events, etc.
- For Institute’s database of events participants, project participants, attendees’ participants, training participants, or seminar participants including the analysis and observation of such individual’s behavior.
- For health management, occupational health, and safety management of the contractors. To organize an annual health checkup for both general health check-up and occupational health check-up (Health check according to risk factors), to administer health insurance and assess health readiness, to use health data for reporting, investigation, causal analysis or for development of preventive health management and to formulate measures to prevent incidents occurring.
- For the preventing from any dangerous communicable disease that may spreading in the Institute which will screening people entering and leaving premises including tracking travel and conduct report on travel which may result in potential risk of spreading disease.
- For examine and enhance facility security performance in building or in premises of the Institute. For security risk assessment including entering and exiting the premises. For identification purposes and keeping record of entering and exiting the premises. For video footages in buildings, offices, or surrounding areas under CCTV surveillance.
- For the establishment, compliance, exercise, or defense of legal claims. For initiating litigation, as well as proceeding for legal enforcement such as investigation and/or examination by government officials, for case preparation, and/or defense of legal claims in court, etc.
- For audits or internal audits of the Institute to ensure compliance with the standards and to comply with applicable laws and regulations.
- For internal data managements of the Institute and monitoring security of the Institute’s internal data systems.
- For obtaining and verifying licenses or permits that are mandatory for business operation.
5. Disclosure of Personal Data
- The Institute shall disclose your Personal Data in compliance with PDPA and in compliance with the notified purposes to the following persons:
- Service Provider(s) and the Data Processor which the Institute appoints to manage/ process Personal Data for the Institute in providing services. For example, human resources management, to provide services in security, to provide services in information technology, accounting audits, or other services related to business operations or benefits you.
- Consultants, legal consultants, attorneys, auditors, external auditors, speakers, or both internal and external experts, etc.
- Government agencies, authorized official authorities under the law such as Ministry of Labor, Social Security Office, Department of Skill Development, Legal Execution Department, Student Loan Fund, Department of Empowerment of Persons with Disabilities, Revenue Department, Department of Land Transportation, Social Security Office, Department of Business Development, Department of Industrial Works, Industrial Estate Authority of Thailand, Immigration Bureau, Office of the Personal Data Protection Committee, Courts Official, Police Officers, or other related official authorities as prescribed by the law.
- Vendor(s), contractors, Contract parties of the Institute in which you coordinate or related to your job position or responsible person or designated person(s).
- Commercial banks, financial institution, Bank of Thailand.
- Insurance companies or hospitals related to operations of the Institute.
- Other related person(s) or agencies that you had given consent to.
- The Institute may transfer or disclose your Personal Data to foreign countries. The Institute shall obtain your consent prior to transferring or disclosing of your Personal Data to a foreign country in case consent is required. The Institute shall conduct verification process to ensure that the designation country or international organization that receives such Personal Data shall have adequate data protection standards and carried out in accordance with the rules for the protection of Personal Data as prescribed by PDPA.
6. Retention Period of Personal Data
The Institute shall collect and retain Personal Data of Data Subject for as long as necessary for the purposes of collecting, use, and disclosure of Personal Data in this Policy. In cases where the Data Subject terminate relation or agreement with the Institute, or no longer using the services or the business transaction. The Institute shall store Personal Data for specified period or as specified by the law, or by prescription period or for exercise or defense of legal claims. After the expiration of the storage period of each type of Personal Data, the Institute shall proceed to erase or destroy or make anonymize of Personal Data. However, the retention period of Personal Data shall be in accordance with the Institute’s Data Retention Policy. The Institute may retain the Personal Data of the Data Subject for longer than has been specified if permitted by law.
7. Third Party rights as the Data Subject.
- Third Party may file a request form in accordance with the Institute’s conditions and procedures in cases the Data Subject requests for a copy of the Personal Data being processed by the Institute or requests the Institute to inform what sources the Personal Data originated.
- In the event that Third Party sees that his or her Personal Data is inaccurate, not up to date, or incomplete which may cause misunderstanding. Third Parties have the rights to request the Institute to correct and complete Personal Data based on information Third Party may provide by filing Data Subject rights request application to the Institute in accordance with the Institute’s conditions and procedures. In case where the Institute do not respond or comply with the rights request, the Institute shall keep record of the request with reasons of refusal as evidence for future inspection.
- Third Parties have the rights to withdraw consent once given to the Institute for Processing Third Party’s Personal Data at any reasonable time unless there is a restriction of the withdrawal of consent by law, or there is contractual obligation that benefits Third Party. For example, Third Party may still bound by a contract with the Institute, or Third Party has contractual obligations or legal obligation with the Institute. Nevertheless, if Third Party chooses to withdraw consent, Third Party may not be able to receive services from or conduct transaction with the Institute, or the Institute’s ability to provide services to Third Party may be limited.
- Third Party have the rights to receive the Personal Data concerning himself or herself from the Institute. In which the Institute shall arrange such Personal Data to be in the format which is readable or commonly used by ways of automatic tools or equipment and can be used or disclosed by automated means. Third Parties are also entitled to request the Institute to send or transfer the Personal Data in such formats to other Data Controllers if it can be done by the automatic means or entitled to request to directly obtain the Personal Data in such formats that the Institute sends or transfers to other Data Controllers unless it is impossible to do because of the technical circumstances.
- Third Party have the rights to object the collection use or disclosure of his or her Personal Data at any reasonable time in one of the following circumstances:
- Where collection, use, and disclosure of Personal Data is necessary for the performance of a task carried out in the public interest by the Institute or necessary for the legitimate interest of the Institute. Unless the Institute can prove that:
- There is a compelling legitimate ground; or
- It is necessary for the establishment, compliance, or exercise of legal claims, or defense of legal claims.
- Where collection, use, and disclosure of Personal Data is for the purpose of direct marketing; or
- Where Processing of Personal Data is for the purpose relating to scientific or historical research or statistics, unless it is necessary for the performance of a task carried out in the public interest by the Institute.
- Third Party have the rights to request the Institute to erase or destroy or anonymize Personal Data to become anonymous data where legitimate ground applies:
(1) Personal Data is no longer necessary in relation to the purposes for which it was collected, used, or disclosed.
(2) When Third Party withdraw the consent on which the collection, use, or disclosure is based on, and where there is no other legal ground for such collection, use, or disclosure.
(3) When Third Party objects to the processing of the Personal Data referred in Clause 7.5(1) and the Institute cannot reject such request, or the processing of Personal Data is for the purposes relating to direct marketing; or
(4) The Personal Data have been unlawfully collected, used, or disclosed
- Third Party have the rights to request the Institute to restrict the use of Personal Data, where the following applies:
- When the Institute is pending examination process in accordance with Third Party’s request to ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading.
- Where it is the Personal Data which shall be erased or destroyed because it has been unlawfully collected, used, or disclosed, but Third-Party request for restriction of the use instead.
- Where it is no longer necessary to retain such Personal Data for the purposes of such collection, but Third Party have necessity to request the retention for the purposes of the establishment, compliance, or exercise of legal claims, or the defense of legal claims; or
- Where the Institute is pending verification to demonstrated that there is a compelling legitimate ground or pending examination for the establishment, compliance or exercise of legal claims, or defense of legal claims to reject the objection request made by Third Party.
- Third Party have the rights to complain to expert committee in accordance with PDPA in cases the Institute or the Data Controller including Third Parties or Data Processor(s) does not take action or does not comply with PDPA at the following address:
Office of the Personal Data Protection Commission
7th Floor, Ratthaprasasanabhakdi Building 80th Anniversary Government Center, Chaengwattana Road, Thungsonghong Subdistrict, Laksi District, Bangkok 10210
Nevertheless, the Institute reserves the rights to examine your request where it is permitted by law.
8. Security Measures for Storing Personal Data
The Institute is committed to protecting Third Party’s Personal Data. Hence, the Institute shall provide security measures including a safe and appropriate system for collecting, using, or disclosing Personal Data to prevent Third Party’s Personal Data from accidental loss, unauthorized access of data, destroy of data, misuse of data, unauthorized change or disclosing of data in accordance with the Institute’s information technology security policies and/or procedures.
The Institute shall provide security measures of Personal Data which include operational safeguards, technical protection measures and physical safeguards regarding access or control of the Personal Data usage which at least consists of the following actions:
- Control of access to Personal Data and storage devices and Processing of Personal Data considering the usage and security.
- Determine permission to access Personal Data.
- Users access management to Personal Data for designated person(s) only.
- Determine roles and responsibilities of users to prevent unauthorized access, disclosure, cybercrime, copy of Personal Data, or to prevent theft of storage devices or data; and
- Provide method for tracing back in access, alteration, disposal, or transmission of Personal Data in accordance with the methods and storage media used for processing of Personal Data.
8. Link to Third Party Website Disclaimer
9. Policy Review
Policies are reviewed at least once a year. Updated versions are to be adopted by the Institute where deemed necessary or appropriate.
10. Governing Law and Jurisdiction
11. Policy Review
Policies are reviewed at least once a year. Updated versions are to be adopted by the Institute where deemed necessary or appropriate.
- Governing Law and Jurisdiction
Data Protection Office
Email address: [email protected]
Telephone No.: +66 2035 4900
Address: Thailand Professional Qualification Institute (Public Organization) 1177 Pearl Bangkok Building, 14th floor, Phahonyothin road, Phayathai Sub-district, Phayathai District, Bangkok 10400