What is personal data?
What personal data do we collect?
How do we collect your personal data?
How do we use your collected personal data?
When do we disclose or share your collected personal data?
Do we transfer your collected personal data overseas?
When do we inform you about your personal data?
What are your rights under the PDPA?
How long do we keep your collected personal data for?
What measures do we use to secure your collected personal data?
How to contact us?
1. What is personal data?
Under the PDPA, a personal data means any data or information relating to an individual which enable us to identify such individual, whether directly or indirectly, from that data or information alone or in a combination with other identifiers we possess or can reasonably access, except information of the deceased. The personal data can be categorised as follows:
General personal data – means any personal data which is not sensitive personal data e.g. name and surname, gender, date of birth, age, nationality, contact number, photo, address, email address.
Sensitive personal data – means a special category of personal data under the PDPA consisting of racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data or disability condition, trade union information, genetic data, and biometric data.
2. What personal data do we collect?
The type of personal data we collect from you may be different depending on who you are and your relationship with us. The collected personal data may include:
General personal data
Sensitive personal data
If you do not or are unable to provide your personal data which we require, we may not be able to establish a relationship with you or offer you our products and/or services including our employment with you and other benefits and welfare.
3. How do we collect your personal data?
We will collect your personal data directly from you, but sometimes from publicly available sources and/or from other third parties, provided that we will ensure that we fully comply with the PDPA.
Those other third parties may include our subsidiaries, authorised business partners, service providers or vendors.
4. How do we use your collected personal data?
We collect, use, disclose, transfer or process your personal data by fair and lawful means to the extent necessary to achieve our purposes. The lawful basis includes:
obtaining your consent to use your personal data;
believing that the use of your personal data is of vital interest or to prevent or avoid danger to a person’s life, body or health;
believing that the use of your personal data is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
believing that the use of your personal data is necessary for the performance of our task carried out in the public interest or in the exercise of official authority vested in us;
believing that the use of your personal data is necessary for the legitimate interests pursued by us or by a third party, unless the interests are overridden by your interests or fundamental rights and freedoms;
believing that the use of your personal data is necessary for the establishment, complaint, exercise or defence of legal claims against you;
believing that the use of your personal data is necessary for compliance with a legal obligation to which we are subject.
We may use your personal data for purposes as follows:
4.1 Our contract with you
We will rely on the performance of contracts to which you are a party to use your personal data. Depending on the nature of each contract with us, we may use your personal data for the following reasons:
Processing recruitment and selection regarding your employment application before entering into the employment agreement;
Establishing, controlling, delegating, coordinating, collaborating, managing, concluding and other actions with regards to your employment relationship with us;
Procuring, issuing or executing contracts, creating and maintaining your account with us i.e. land purchase agreements, novation agreements, lease agreements, sales and purchase agreements, consignment agreements;
Auditing processes and generating reports;
Exercising rights or performing obligations under executed contracts;
Participating in activities organised by or on behalf of us i.e. trainings and workshops, race events, CSR activities;
Administering, implementing, facilitating, monitoring, maintaining, managing and operating our products and/or services i.e. hotel services, cleaning services, laundry services; or
Processing payment, including the disclosure of personal data to third party service providers to process such payment and to the authorised financial institutions.
4.2 Our legitimate interests
We may rely on the purpose of legitimate interests pursued by us or by a third party which require us to use and process your general personal data, except where such interests are overridden by your interests or fundamental rights and freedoms.
For instance, we have legitimate interests which allow us to process your collected personal data in the following circumstances:
Communicating business transactions at preliminary stage;
Executing agreements and other legal documents;
Arranging services i.e. E-AGM shareholder’s meeting;
Contacting your relatives or contact persons in emergency cases i.e. emergency contacts of employees;
Collecting guest’s feedbacks and contacts, and creating Guest Satisfaction Index report to track service quality; or
Maintaining security and safety of persons and properties on our premises i.e. using of CCTV surveillance system.
4.3 Our legal compliances and legal claims
We will rely on the purpose of legal compliances when it is required or allowed by any applicable laws to which we are subject. For instance, we rely on legal compliance or legal obligation grounds to process your collected personal data in the following circumstances:
Processing personal data of data subjects for the purposes of payment and taxes in compliance with the Accounting Act and Revenue Code;
Following the instructions of the authorities under the law, including following the lawful requests for disclosure made by the law enforcement authorities or other government agencies.
We may rely on the legal claims basis to process your sensitive personal data to establish, comply, exercise or defend legal claims against you or initiate litigation action to protect our interests.
We will process your collected personal data on grounds of consents; especially, in the case where our processing activities have potential impact on your sensitive personal data.
We may inform you of the objectives of our personal data usage and request your consent or explicit consent to process your collected personal data in the following circumstances:
When we do not have other lawful grounds to process your general personal data or sensitive personal data e.g. processing health information, processing copies of ID cards containing sensitive personal data;
When we intend to transfer your collected personal data overseas and the destination country has lesser data privacy standards; or
When you are classified as a minor, quasi-incompetent or incompetent of which the consent will be requested from your legal representatives, guardians or curators, as the case may be.
5. When do we disclose or share your collected personal data?
We may disclose to or share your collected personal data with other third parties to achieve the specific purposes for which the personal data was collected. The third parties who we may disclose or share your collected personal data with may include:
Group companies and subsidiaries;
Governmental agencies, regulatory or judicial authorities;
Authorised business partners, service providers or vendors.
When we disclose or share your collected personal data with any third parties, we will conduct necessary and appropriate supervision of the third parties to ensure safe processing of disclosed or shared personal data, by, for instance, entering into an agreement regarding the processing of personal data with the third parties.
6. Do we transfer your collected personal data overseas?
We will only transfer your collected personal data to a country that, in the view of the Thai Personal Data Protection Commission, has adequate data protection or privacy laws. Where such data security standards are deemed inadequate, we will provide appropriate safeguards to protect your interest or
the transfer will take place if one of the exceptions defined by the PDPA is met. The exceptions are where:
the transfer is necessary for compliance with the law;
you have explicitly consented to the proposed transfer after having been informed of the possible risks of such transfer due to the absence of adequate security standards or safeguards;
the transfer is necessary for the performance of a contract with you or the implementation of pre-contractual measures taken at your request;
the transfer is necessary for the conclusion or performance of a contract in your interest between us and another natural or legal person;
the transfer is necessary to protect your vital interests or those of other persons, and the data subject is incapable of giving consent; or
the transfer is necessary for important reasons of public interest.
7. When do we inform you about your personal data?
Before or at the time of collecting your personal data, we will always inform you of our purposes of processing your personal data. Only in some circumstances, it is not necessary for us to inform you of our processing purposes, such as when:
you are already aware of such new purposes or details of processing of your personal data;
we believe that notice of such new purposes or the details of our processing is impossible or will obstruct the use or disclosure of your personal data, where we have taken suitable measures to protect your rights, freedoms and interests;
it is urgent to use or disclose your collected personal data as required by law and we have implemented suitable measures to protect your interests; or
we are aware of or acquire your personal data from our duty, occupation or profession, and we have maintained such new purposes or certain details with confidentiality as required by law.
8. What are your rights under the PDPA?
Under the PDPA, you have the following rights in respect of your personal data:
Right to access
You have a right to access and obtain a copy of personal data that we hold about you, or you may ask us to disclose the sources of where we obtained your collected personal data that you have not given consent.
We will respond to your request as soon as reasonably possible but not exceeding thirty (30) days after receiving your request.
Right to data portability
You have a right to request us to transfer your collected personal data to other persons/organisations, or request to see your collected personal data that we have transferred to other persons/organisations, unless it is impossible due to technical circumstances.
Right to object to the processing of your collected personal data
You have a right to object to the processing of your collected personal data, unless there are circumstances that do not allow you to make the objection. This may include when we have compelling legitimate grounds or when the processing of your collected personal data is carried out to comply, exercise or defend legal claims or for our public interest.
Right to erasure
You have a right to request us to delete, destroy or anonymise your collected personal data in the following circumstances where:
Your collected personal data is no longer necessary for the purpose for which it was collected, used or disclosed;
You have withdrawn your consent to which the collection, use or disclosure is based on and we do not have legal grounds to collect, use or disclose your collected personal data;
You have objected to the collection, use or disclosure of your collected personal data and we do not have legal grounds to reject your request; and/or
Your personal data has been unlawfully collected, used or disclosed under the PDPA.
Right to restrict the processing of your collected personal data
You have a right to request us to restrict the processing of your collected personal data in the circumstances when:
It is under the pending examination process of checking whether your collected personal data is accurate, up-to-date, complete and not misleading;
It is your collected personal data that should be deleted or destroyed as it does not comply with the laws, but you request to restrict it instead;
Your collected personal data is no longer necessary to be retained for the purpose for which it was collected, used or disclosed, but you still have the necessity to request the retention for the purposes of the establishment, compliance, exercise of legal claims or the defence of legal claims; and/or
We are pending verification in order to reject the objection request to the collection, use or disclosure of your collected personal data.
Right to rectification
You have a right to rectify inaccurate personal data in order to make it accurate, up-to-date, complete and not misleading. If we reject your request, we will record such rejection with reasons.
Right to lodge a complaint
You have a right to make a complaint in the case of where we, our data processors including our employees or contractors do not comply with the PDPA or other notifications or announcements under the PDPA.
Right to withdraw consent
You may withdraw your consent at any time, unless we have a lawful basis to deny your request. We would like to also inform you that your consent withdrawal may affect our relationships with you or the products and/or the services that will be provided to you by us. This is because, for instance, the personal data, if remaining after consent withdrawal, may be insufficient for us to render complete services that you need, or we may need time to request additional information from you.
If you change your mind about how you would like us to have or process your collected personal data and would like to withdraw your consent, you can tell us anytime by email at firstname.lastname@example.org.
Upon our receipt of a request to exercise your rights, we may, in certain cases, request additional information in order to confirm your identity and your rights as part of our security measures.
9. How long do we keep your collected personal data for?
We will only retain your collected personal data for as long as it is necessary for the specific purposes for which the personal data was collected. This means that the retention periods will vary according to the type of your collected personal data and the purpose or reason that we collect the personal data. If we do need to keep your collected personal data for a longer period to comply with the legal obligation, or if some existing claims or complaints will reasonably require us to keep your personal data or for regulatory or technical reasons, we will continue to protect that collected personal data.
We have procedures in place regarding our retention periods, which are kept under constant review, taking into account the purposes for processing your collected personal data and the lawful basis for doing so.
We may need to retain images and video footages from CCTV surveillance systems installed for security and safety of persons and properties within our premises for 60 days.
We will delete, destroy, permanently anonymise or otherwise dispose of all collected personal data at the end of the retention period, or when we must comply with your request for erasure of your collected personal data.
If you have any questions, please contact us at the provided details in the “How to contact us” section.
10. What measures do we use to secure your collected personal data?
We adopt security measures to keep your collected personal data safe and secure as well as to prevent loss or damage and illegal or unauthorised collection, access, use, modification, correction, disclosure or otherwise processing of your collected personal data. Our security measures which are applied to all types of data processing regardless of whether the collected personal data is processed electronically or in paper form, include encryption and other forms of security.
We require our employees and third parties who carry out work on our behalf to comply with the PDPA and the appropriate privacy standards including obligations to protect any leakage of personal data and to apply appropriate security measures for the processing of personal data.
We consistently maintain our security procedures and measures and if an improvement proves to be needed, we will promptly correct or update our security procedures and measures taking into account the appropriate physical, technical and organisational security procedures and measures to ensure a level of security of your collected personal data appropriate to the respective risk and the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing.
12. How to contact us?
If you have any comments, suggestions, questions or want to make a complaint or exercise your rights regarding your personal data, please contact us at 076 362300 ext. 1705, or by email at email@example.com , or visit our website at www.lagunaresorts.com.