Privacy and Personal Data Protection Policy
“Personal Data” refers to the data relating to a person identifiable either directly or indirectly, but particularly excluding the deceased’s data.
“Personal Data Controller” refers to a person or juristic person who has a decision authority relating to collection, usage, and disclosure of the personal data.
“Personal Data Processor” refers to a person or juristic person who executes regarding the collection, usage, or disclosure of the personal data based on the order or on behalf of the personal data controller. However, the said executing person or juristic person is not the personal information controller.
“Data Owner” refers to the customer, staff, and business partner who are natural persons.
“Person” refers to a natural person.
2. Objective for Preparing the Personal Data Protection Policy
The Company has established a personal data protection policy for protecting the data of the Company’s customers, staffs, and business partners, to ensure the safety and reliability in performing any transactions with the Company, the efficient data owner protection, and prevention from the unauthorized usage of the owner’s personal data, and remedy of the personal data owner according to the relevant laws.
3. Limited Personal Data Collection
The storage and collection of personal data shall be performed under the objective and scope, using the lawful and fair procedure for data collection and storage. In addition, the limited personal data is stored to the extent that it is essential for providing services, or services by any other economic procedure under the Company’s objective only. However, the Company shall execute to ensure the data owner’s perception and consent via electronics as the Company deems fit.
The Company shall collect your data via two channels as follows.
Data presented and delivered to the Company.
Data of the usability behavior collected via the third-party’s services
The Company may store your personal data relating to the interest and service used by you. The said personal data may consist of your race, religion or philosophy, health data, biological data, infirmity, disability, identity, or any other data which will be useful for service provision. However, according to the aforesaid execution, the Company shall request for your consent prior to collection, unless the following events.
3.1. Being the legal observance, such as the Personal Data Protection Act, Electronic Transaction Act, Telecommunications Business Act, Anti-Money Laundering Act, Civil and Criminal Code, and Civil and Criminal Procedure, etc.;
3.2. Being taken place for the investigation benefit of the inquiry official, or the court’s trial and judgment;
3.3. For your benefit, and failure to request for consent at that time;
3.4. Being necessary for the lawful benefit of the Company or of other person or juristic person which is not the Company;
3.5. Being necessary for preventing or suppressing danger on the person’s life, body, or health;
3.6. Being necessary for complying with the contract of which the personal data owner is a contractual party or for using in execution as requested by the personal data owner prior to entry into the said contract;
3.7. For attaining the objective relating to preparation of the history papers or archives for the public benefit, or for the study, research, and statistical preparation, whereas a suitable preventive measure is established.
3.8 Usability behavioral data via the following tools: Google Analytics, Google AdWords, Google Data Studio (Looker Studio), Hotjar, and Facebook Pixel, for analyzing the platform capacity, and planning the platform development in the future, whereas the said data is the usability data, and not related to any personal data at all.
4. Objective of the Personal Data Collection
The Company shall store, collect, use, update, and disclose the personal data of the data provider pursuant to the objective, scope, and procedure prescribed by laws. The storage shall be performed to the extent that is essential for service provision. In addition, the Company shall be mainly operated for benefit of the data owner and other undertakings in accordance with the following objectives.
4.1) For using in processing, managing, and considering the service provisions and operations relating to the Company’s businesses which has been currently existent and may be existent in the future, as well as any undertakings for the data owner’s benefit; and applying in preparation of the accounting, financial statements, and accounting information of the Company;
4.2) For delivering the personal data to the Company, and National Credit Bureau Co., Ltd., to be used in request of the credit approval, or to any other relevant government agencies for benefit in usage for considering the data provider’s credit;
4.3) For using in monitoring and collecting the installment payment pursuant to the hire-purchase contract, and any other debts (if any) from the data owner, under the legal right of the Company;
4.4) For using in revision, cancellation, and/or renewal of the hire-purchase contract, employment contract, and any other contracts between the data owner and the Company;
4.5) For using as an analytical and presenting data which are allowed to be used in marketing research, and/or sales promotion activity organizing, and/or for benefit in preparation of database and use of data for offering the privilege based on the data owner’s interest and/or improving the service provision, execution, or product of the Company;
4.6) For observing the rules, announcements, regulations, and any other requirements under the duty of the Company in binding in the legal observance;
4.7) For presenting the data, monitoring, coordinating, providing after sales service, as well as preparing the electronics services;
4.8) For any other related executions to attain the aforesaid objective
5. Limitation of the Personal Data Usage
The Company shall store personal data in accordance with the standards prescribed by law, and neither use nor disclose such data to the third party without the data owner’s consent, unless being an observance for the objective specified above, or in accordance with the law requirement for disclosure. The personal data shall be disclosed to the following relevant agencies or persons.
5.1) The Company’s group of businesses and business alliances, as well as the government agencies relating to provision of services, processing, management, and consideration on the provision of services and the operation of works which are acquired by the data owner and may be acquired in the future
5.2) National Credit Bureau Co., Ltd. and the affiliated companies of the same enterprise or business, or other relevant agencies
5.3) The staff, authorized person, representative, person or juristic person who provide the vehicle registration service, and/or debt collection service, and/or auditor of the Company, and/or services and operations in relation to the Company’s business which has been currently existent and may be existent in the future
5.4) The staff, authorized person, representative, person, juristic person, or any other agencies for observing the law requirement or establishment of the right in accordance with the Company’s contract.
6. Right of the Personal Data Owner
The Company gives precedence to a right of the personal data owner, and therefore, defines a right of the data owner to store his/her/its own personal data which is collected by the Company for the law consistency as follows.
6.1) Request to access and receive a copy of his/her/its relevant personal data under the Company’s responsibility in accordance with the rules and procedures prescribed by the Company; or request to disclose the acquisition of such personal data without his/her consent.
6.2) Request to receive his/her/its relevant personal data from the Company in case where the Company makes that personal data to be in readable or general usable format by the automatic tool or device; and to be usable or disclosed by an automatic method.
6.3) Objection of, whenever, the collection, usage, and disclosure of his/her/its relevant personal data permitted by laws for storage without the data provider’s consent.
6.4) Request the Company to delete or destruct personal data or make the personal data to be the data of which the personal data owner is unidentifiable in the case required by law.
6.5) Request the Company to suspend the use of personal data in the case required by law.
6.6) Notify the Company to execute so that the said personal data is correct, updated and complete, without cause of misunderstanding.
6.7) Complain in the case where the personal data controller or the personal data processor, as well as the employee or the contractor of the personal data controller or the personal data processor violates or breaches the personal data protection law.
7. Consent Revocation
The data owner can, whenever, revoke his/her/its consent given to the Company for collecting, using, or disclosing the aforesaid personal data, by giving a notice of intention to the Company for acknowledgement together with a reason of the said regard. The Company shall execute as notified, unless in case of the limitation of legal right to revoke the consent or data owner utilization agreement.
However, the personal data owner’s consent revocation shall not affect the collection, usage, or disclosure of the personal data already given for a prior consent by the personal data owner.
8. Refusal and Preparation of Memo
In the case where the data owner requests the Company to execute as specified in Clause 6.1-6.7, or Clause 7, the Company shall execute as requested within an appropriate period and in accordance with the operating procedure of the Company. Unless in the following events, the company may refuse the said execution.
8.1) Natural impossibility to execute the foregoing;
8.2) Being a refusal according to law or order of the court, whereas an access and request for receiving a copy of the said personal data will have an impact which may cause damage to a person’s right and freedom;
8.3) Transmission or transfer of the said personal data is a function for the public benefit or a legal function; or exercise of the said right may violate the right or freedom of a person.
8.4) The personal data controller shall indicate a more important legitimate ground in collection, usage, or disclosure of the said personal data.
8.5) The collection, usage, or disclosure of the said personal data shall be taken place for establishing a legal right of claim, observing or exercising a legal right of claim, or raising to defend a legal right of claim.
In the case where the Company refuses not to execute as requested by the data owner for any execution pursuant to Clause 7.1-7.8, or Clause 8, the Company shall prepare the report of refusal memo and reason to refuse the storage in the department, division, or any other work unit inside the Company that declines the request of the data owner.
9. Data Security and Quality Maintenance Measure
Due to the Company’s realization on the significance of your personal data’s security, therefore, the Company, has established a measure of the personal data security to be appropriate and consistent with the personal data confidentiality to prevent loss, access, destruction, usage, modification, revision, or disclosure of the personal data without the right or illicitness; and to prevent an unauthorized usage of the personal data.
In addition, the Board of Directors has established the policy, practice, manual, guideline, and training for providing knowledge in storage, usage, and disclosure of the personal data to ensure the conformity to the Company’s standards and consistency with the relevant laws in storage, usage, and disclosure of the personal data by the Company’s staffs at all levels.
10. Personal Data Protection Officer
The Company executes in accordance with the Personal Data Protection Act B.E. 2562 (2019) by appointing a Data Protection Officer (DPO) to audit the Company’s execution in relation to the collection, usage, and disclosure of the personal data to be consistent with the Personal Data Protection Act B.E. 2562 (2019), including the relevant laws of the personal data protection. In addition, the Company has established the regulations and orders for the related party’s execution as required to ensure the orderliness of the operation in accordance with the guideline of the personal data protection policy, and the policy of the Personal Data and Cyber Security Management Governance Committee prescribed by the Company.
11. Storage and Destruction Period of Personal Data
The Company shall store data acquired form the data owner in the essential period for execution pursuant to the aforesaid objective only, unless in the case where it is particularly required by law for longer storage or it is necessary for establishing a legal right of claim, observing or exercising a legal right of claim, or raising to defend a legal right of claim, or executing the contract of which the Company has the legal right.
2525 FYI Center, Building 2, Room No. 1203-1205, 12th Floor, Rama 4 Road, Klong Toei, Klong Toei, Bangkok 10110, Thailand
Data Protection Office Unit
Email: [email protected]
Last Update May 2020