Privacy policy

Thailand Professional Qualification Institute (Public Organization) (“The Institute”) respects and recognizes the importance of the privacy rights and the protection of Personal Data of service users, which are fundamental privacy rights of individuals. Naturally, service users would prefer their Personal Data to be secured. In view of this, and of the rules and measures laid down by Privacy law governing security measures in processing Personal Data and data subjects’ rights, the Institute hereby implements this Privacy Policy to notify the principles for Personal Data protection, as follows:

1.        Definitions 

In this Privacy Policy, words or messages have meanings as described in the following definitions:

Privacy law

means Personal Data Protection Act B.E. 2562, as amended, including relevant rules, regulations, and orders.

Personal Data

means any data which can identify a natural person, directly or indirectly, according to the Personal Data Protection Act B.E. 2562.

Data Protection Officer

means officer(s) appointed by the Data Controller to perform and act as the Data Protection Officer in accordance with the Personal Data Protection Act B.E. 2562.

The Institute

means Thailand Professional Qualification Institute (Public Organization)

Data Controller

means the natural or juristic person that has the authority to make decisions about the Personal Data and to obtain the Personal Data from the Customer to provide services or to perform contract obligations with such persons.

Data Processor

means a natural person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller.

Allies

means business or trade partners which are the Institute’s allies or operate jointly with the Institute [please provide the list of the Institute’s allies or refer to such list via QR code or URL link]

Website

means any website owned or provided by Thailand Professional Qualification Institute (Public Organization) as the case may be.

 

2.        General Provision

     This Privacy Policy aims to explain how the Institute collects, uses, and/or discloses and protects Personal Data of service users. The Institute may improve this Privacy Policy or make material changes to it, in whole or in part, to comply with amended laws and regulations. Therefore, service users should regularly access this Privacy Policy and check the current version.

3.        Collection of Personal Data

  1. The Institute will legitimately collect, use, and/or disclose service users’ Personal Data. The Institute will only collect service users’ Personal Data that is necessary to fulfill the purposes of processing of Personal Data and in accordance with the law.
  2. The Institute may collect, use, and/or disclose service users’ Personal Data from service users or the Allies, or from other reliable sources, such as from information which service users have made available to the public.
  3. A service user’s refusal to provide Personal Data, or provision of inaccurate or outdated Personal Data to the Institute, may result in the service user’s inability to conduct any transactions with the Institute or to demand certain performance of a contract with the Institute. All of these restrictions may potentially cause damage and loss of opportunities for the service user and may potentially affect any legal obligation with which the service user or the Institute, as the case may be, is required to comply. The Institute collects, uses, and/or discloses the following:
     1. General Personal Data, such as:
        1. Identification information and contact information such as photos, name and surname, national identification card number, information as it appears on the national identification card, passport number, gender, date of birth, age, marital status, address, occupation, workplace information, telephone number, fax number, email address, etc.
        2. Occupation information such as position, department, contract details, personal resume, education and job records, etc.
     2. Sensitive Data, defined in Section 26 of PDPA as Personal Data pertaining to biometric data, finger scan, face recognition, religion, health data, race, criminal records, etc. However, the Institute does not collect, use, and/or disclose Sensitive Data from service users unless the Institute has obtained the service user’s consent for processing of such Sensitive Data or it falls under any exception as prescribed by this Privacy Policy or the law.

        The Institute will not collect service users’ Sensitive Data, unless

        (1) the Institute has received explicit consent from the service user, or

        (2) under other circumstances according to the law.

  4. Retention Period of Personal Data

     The Institute shall collect and retain service users’ Personal Data for as long as necessary for the purposes of collection, use, and disclosure of Personal Data in this Policy. In case a service user terminates the relationship or an agreement with the Institute, or if the service user is no longer using the services or the business transaction has been executed, or if the service user’s Personal Data is no longer necessary in relation to the specified purposes, the Institute shall store the service user’s Personal Data for a specified period or as specified by the law, or for the prescription period, or for the exercise or defense of legal claims. After the expiration of the storage period of each type of Personal Data, the Institute shall proceed to erase, destroy, or anonymize such Personal Data. The retention period shall be in accordance with the Institute’s Data Retention Policy. The Institute may continue to retain the service user’s Personal Data after the retention period in accordance with the law.

4.        Purposes of Processing of Personal Data       

The Institute processes service user’s Personal Data for the purposes in accordance with lawful basis under PDPA as follows:              

  1. Purposes of processing of Personal Data for which the Institute must obtain consent

The Institute will seek service user’s consent for collecting, using, and/or disclosing service user’s Personal Data for the following purposes.

(1) Collection, usage, and/or disclosure of service users’ Sensitive Data for identification purposes, such as identification by national identification card or passport, which may contain religion, race, and health data. For verification and identification of the service user, such as verification through identification card or passport, in which Sensitive Data such as religion, blood group, and race data may be shown.

(2) Transferring service users’ Personal Data to a foreign country without an adequate data protection standard in compliance with PDPA.

(3) Collection, usage, and/or disclosure of service users’ Personal Data for advertising, public relations, and notifying service users of the Institute’s new information and events.

  2. Purposes for which the Institute may refer to other lawful bases for Personal Data processing

The Institute may process Personal Data by lawful basis of processing as follows:

(1) Processing is necessary for the performance of a contract to which the service user is a party, or in order to take steps at the request of the service user prior to entering into a contract.

(2) it is necessary for compliance with legal obligations.

(3) it is necessary for the purposes of the legitimate interests of the Institute or third party, where such interests are proportionate to the fundamental rights of the service user of his or her Personal Data.

(4) it is necessary for preventing or suppressing a danger to a person’s life, body, or health; and

(5) it is necessary for the performance of a task carried out in the public interest by the Institute, or it is necessary for the exercising of official authority vested in the Institute.

 

As stated above, the Institute shall rely on the lawful bases of processing listed in (1) to (5) for the collection, use, and/or disclosure of Personal Data for the following purposes:

 

  • To carry out a contract to which the service user is a party, or to take actions at the service user's request prior to entering a contract,
  • To hold a meeting, a seminar, a training, or an evaluation,
  • To handle compliant procedure,
  • To provide service users with necessary information such as an evaluation status,
  • To safekeep service users’ documents,
  • To deliver service users’ documents,
  • To process service users’ payments,
  • To announce evaluation results,
  • To prepare service users’ certificates,
  • For internal accounting,
  • For coordination purposes,
  • For registration to the Institute’s internal system or application,
  • For other reasonable purposes of which the Institute has informed service users in the application form or other relevant documents.

  3. The Institute shall not collect, use, and/or disclose Personal Data for purposes of which the Institute has not informed the service user, unless

   (1) the Institute has notified new purposes to the service user and has obtained consent from service user; or

   (2) it falls under any exception as prescribed by the law.

5.             Disclosure of Personal Data

  1. The Institute shall only disclose Personal Data to the Allies for the purposes of which the Institute has informed the service user, as follows:

(1) Where the Institute obtains consent from the service user,

(2) Where it is necessary for the performance of a contract or upon the service user’s request, including the disclosure of Personal Data to enter into a business transaction or any relevant activities of the service user,

(3) Where it is necessary for legitimate interests, such as the disclosure of Personal Data to an institute or organization for fraud prevention, video recording in conferences or while doing business transactions with the Institute, or for safety purposes of the Institute,

(4) Where it is necessary for compliance with a law, regulations, or orders from authorized official authorities under the law, such as the Ministry of Labor, Department of Public Welfare, Department of Skill Development, Legal Execution Department, Student Loan Fund, Court, Police, or other relevant government sector as prescribed by the law,

(5) To disclose Personal Data to the following third parties:

  1. Outsourced or service providers such as commercial banks, e-payment providers, human resource system providers, training providers, and accounting and finance providers, which can access and process Personal Data of the service user for the purposes listed in Clause 4 of this Privacy Policy.
  2. Government sector or authorized official authorities under the law such as Revenue Department, Court, Legal Execution Department, Police, or other relevant government sector as prescribed by the law.

6.        Improvement, Review, Amendment of Privacy Policy

            The Institute may improve or revise this Privacy Policy, or make material changes to it, in part or in whole, to comply with the Institute’s method of operation or with amended laws and regulations.

 

7.        Service user rights as the Data Subject.

  1. Service users may file a request form in accordance with the Institute’s conditions and procedures in cases where the Data Subject requests a copy of the Personal Data being processed by the Institute or requests the Institute to disclose the sources from which the Personal Data originated.
  2. In the event that a service user sees that his or her Personal Data is inaccurate, not up to date, or incomplete, which may cause misunderstanding, the service user has the right to request the Institute to correct and complete the Personal Data based on information the service user may provide, by filing a Data Subject rights request application with the Institute in accordance with the Institute’s conditions and procedures. In cases where the Institute does not respond to or comply with the rights request, the Institute shall keep a record of the request with the reasons for refusal as evidence for future inspection.
  3. Service users have the right to withdraw consent once given to the Institute for processing the service user’s Personal Data at any reasonable time, unless there is a restriction on the withdrawal of consent by law, or there is a contractual obligation that benefits the service user. For example, the service user may still be bound by a contract with the Institute, or the service user has contractual or legal obligations with the Institute. Nevertheless, if a service user chooses to withdraw consent, the service user may not be able to receive services from or conduct transactions with the Institute, or the Institute’s ability to provide services to the service user may be limited.
  4. Service users have the right to receive the Personal Data concerning themselves from the Institute. The Institute shall arrange such Personal Data in a format which is readable or commonly used by automatic tools or equipment and can be used or disclosed by automated means. Service users are also entitled to request the Institute to send or transfer the Personal Data in such formats to other Data Controllers if it can be done by automatic means, or to request to directly obtain the Personal Data in such formats that the Institute sends or transfers to other Data Controllers, unless it is impossible to do so because of technical circumstances.
  5. Service users have the right to object to the collection, use, or disclosure of their Personal Data at any reasonable time in one of the following circumstances:

     (1) Where collection, use, and disclosure of Personal Data is necessary for the performance of a task carried out in the public interest by the Institute or necessary for the legitimate interest of the Institute, unless the Institute can prove that:

         1. There is a compelling legitimate ground; or
         2. It is necessary for the establishment, compliance, or exercise of legal claims, or defense of legal claims;

     (2) Where collection, use, and disclosure of Personal Data is for the purpose of direct marketing; or

     (3) Where processing of Personal Data is for purposes relating to scientific or historical research or statistics, unless it is necessary for the performance of a task carried out in the public interest by the Institute.

  6. Service users have the right to request the Institute to erase, destroy, or anonymize Personal Data where one of the following legitimate grounds applies:

     (1) The Personal Data is no longer necessary in relation to the purposes for which it was collected, used, or disclosed;

     (2) When the service user withdraws the consent on which the collection, use, or disclosure is based, and where there is no other legal ground for such collection, use, or disclosure;

     (3) When the service user objects to the processing of the Personal Data referred to in Clause 7.5(1) and the Institute cannot reject such request, or the processing of Personal Data is for purposes relating to direct marketing; or

     (4) The Personal Data has been unlawfully collected, used, or disclosed.

  7. Service users have the right to request the Institute to restrict the use of Personal Data, where the following applies:

     (1) When the Institute is pending an examination process in accordance with the service user’s request to ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading;

     (2) Where it is Personal Data which shall be erased or destroyed because it has been unlawfully collected, used, or disclosed, but the service user requests restriction of the use instead;

     (3) Where it is no longer necessary to retain such Personal Data for the purposes of such collection, but the service user needs to request the retention for the purposes of the establishment, compliance, or exercise of legal claims, or the defense of legal claims; or

     (4) Where the Institute is pending verification to demonstrate that there is a compelling legitimate ground, or pending examination for the establishment, compliance, or exercise of legal claims, or defense of legal claims, to reject the objection request made by the service user.

  8. Service users have the right to complain to the expert committee in accordance with PDPA in cases where the Institute or the Data Controller, including employees or Data Processor(s), does not take action or does not comply with PDPA, at the following address:

     Office of the Personal Data Protection Commission
     7th Floor, Ratthaprasasanabhakdi Building, 80th Anniversary Government Center, Chaengwattana Road, Thungsonghong Subdistrict, Laksi District, Bangkok 10210

Nevertheless, the rights of the Data Subject mentioned above depend on various factors and circumstances. The Institute reserves the right to examine rights requests where it is permissible by law, where the Personal Data has been anonymized, or where it can be demonstrated by the Institute that there is a compelling legitimate ground for processing of Personal Data, for example, where the service user is still using the service or conducting transactions with the Institute, or where the Institute is under a legal obligation even if the service user has terminated the relationship with the Institute, such as collection of Personal Data for the period prescribed by law or for the exercise of legal claims.

8.        Security Measures for Storing Personal Data

       The Institute is committed to protecting service users’ Personal Data. Hence, the Institute shall provide security measures, including a safe and appropriate system for collecting, using, or disclosing Personal Data, to protect service users’ Personal Data from accidental loss, unauthorized access, destruction, misuse, and unauthorized change or disclosure, in accordance with the Institute’s information technology security policies and/or procedures.

       The Institute shall provide security measures of Personal Data which include operational safeguards, technical protection measures and physical safeguards regarding access or control of the Personal Data usage which at least consists of the following actions:

  1. Control access to Personal Data, storage devices, and processing of Personal Data, considering usage and security.
  2. Determine permission to access Personal Data.
  3. Manage user access to Personal Data so that it is limited to designated person(s) only.
  4. Determine roles and responsibilities of users to prevent unauthorized access, disclosure, cybercrime, or copying of Personal Data, or to prevent theft of storage devices or data; and
  5. Provide a method for tracing access to, and alteration, disposal, or transmission of, Personal Data in accordance with the methods and storage media used for processing of Personal Data.

9.        Application of Privacy Policy

This Privacy Policy applies to all Personal Data which the Institute collects, uses, and discloses, and for which the Institute has obtained consent from the service user prior to carrying out the processing activity (if any), as well as to the collection of service users’ Personal Data, currently or in the future, for use and disclosure to third parties within the scope of this Privacy Policy.

10.     Personal Data of Third Party

       If the service user provides any third party’s Personal Data, such as that of a spouse, child, parents, family members, beneficiary, emergency contact, reference persons, and other third parties related to the security holding of the service user, the service user hereby affirms that he or she is authorized to provide information of such third party to the Institute. In addition, the service user shall be accountable for informing such third party about this Privacy Policy and for obtaining consent from such third party.

11.     Policy Review

The Institute and related business units shall review this Policy at least once a year. Updated versions are to be adopted by the Board of Directors of the Institute where deemed necessary or appropriate.

12.     Governing Law and Jurisdiction        

     This Privacy Policy is governed by and construed in accordance with Thai laws and Thai courts have the jurisdiction to consider any disputes that may arise.

13.     Contact Information

            If you have any questions or concerns regarding this Privacy Policy or the exercising of service users’ rights, or have reasonable grounds to believe that Personal Data has been misused, please contact the Institute via the following channels:

Data Protection Office
Email address: [email protected]
Telephone No.: +66 2035 4900
Address: Thailand Professional Qualification Institute (Public Organization) 1177 Pearl Bangkok Building, 14th floor, Phahonyothin road, Phayathai Sub-district, Phayathai District, Bangkok 10400