Privacy Policy

The Company is aware of the importance of the collection and confidentiality of User Personal Data. However, in order to operate the business and provide services to User, it is necessary for the Company to use, collect, store, and disclose User Personal Data. Therefore, the Company has a duty to comply with the PDPA as Data Controller and Data Processor (in some cases). The Company hereby confirms that:

  • the Company shall duly and lawfully use, collect, store, and disclose User Personal Data within the scope of law;
  • the Company supports the protection of User Personal Data;
  • the Company has a security and storage system to protect and safeguard the confidentiality of Personal Data in accordance with applicable legal standards; and
  • the Company shall create a system that takes User’s privacy into consideration when using, collecting, storing, and disclosing any information.

Consequently, the Company has prepared this privacy policy to explain how the Company will treat User Personal Data, such as the use, collection, storage, disclosure, and protection of Personal Data, including User’s rights. For your own benefit, the Company suggests that User thoroughly read and comprehend the following privacy policy:

1. Definition

Unless specified otherwise herein, the following words shall have the meanings provided below:

  1. “PDPA” means the Personal Data Protection Act of 2019 (B.E. 2562) or any amendment thereafter, including any royal decrees, ministerial regulations, notifications, orders, and other laws related to Personal Data protection;
  2. “Service” means a purchase, sale, hire, service, or any other action provided by the Company to User;
  3. “Personal Data” means any data relating to a person, which can identify such person directly or indirectly, including all identifiable information, such as name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, mental, social, economic, or cultural identity of that person;
  4. “Company” means Benchachinda Holding Co., Ltd., Subsidiaries, and other companies which are controlled and managed by shareholder of Benchachinda Holding Co., Ltd.;
  5. “Subsidiaries” means a Benchachinda group company as listed on the Company’s website, i.e. https://benchachinda.co.th/th/#group, or any other company in which the Company and/or a Benchachinda group company holds 50 percent or more of its issued shares (“First-Tier Subsidiary”), including any other company in which the aggregated shareholding of the First-Tier Subsidiary and/or subsidiaries in any subsequent tiers amounts to 50 percent or more of its total issued shares;
  6. “Data Controller” means a person or juristic person who has the power and duties to make decisions regarding the collection, use, or disclosure of Personal Data;
  7. “Data Processor” means a person or juristic person who acts in respect of the collection, use, or disclosure of Personal Data as per an order or on behalf of Data Controller. In this regard, the said person or juristic person shall not be deemed as Data Controller; and
  8. “User” means a person or juristic person who receives Service in any form from the Company, including its agents, staff, employees, executives, or representatives.

2. Data management policy

In order to operate the business, it is necessary for the Company to use, collect, store, and disclose User Personal Data. The Company, therefore, has a duty to comply with the PDPA as Data Controller and Data Processor (in some cases). In this regard, the Company represents and warrants that:

  1. the Company shall use, collect, store, and disclose User Personal Data within the scope of law;
  2. the Company has a security and storage system to protect and safeguard User Personal Data in accordance with applicable legal standards; and
  3. the Company shall take User’s privacy into consideration when using, collecting, storing, and disclosing any Personal Data.

3. Scope of privacy policy

To protect User Personal Data and privacy, this privacy policy shall apply to all use, collection, storage, or disclosure of User Personal Data arising from all transactions and Services between User and the Company.

4. Personal Data collection and processing principles
The Company shall collect and process Personal Data under six principles as follows:

5. Legal basis for the use, collection, storage, and disclosure of Personal Data
The Company shall not use, collect, store, and disclose User Personal Data without User’s consent, unless it is for compliance with applicable law, or the performance of a contract, or the Company is permitted by law or legitimate right to proceed with the said use, collection, storage, and disclosure of Personal Data. The Company applies the following legal basis for the aforesaid use, collection, storage, and disclosure of Personal Data:

6. Legal basis for the use, collection, storage, and disclosure of sensitive Personal Data
The Company shall not use, collect, store, and disclose User’s sensitive Personal Data, such as, data in respect of racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal record, health information, disabilities, labor union information, heredity information, biological information, without User’s consent, unless the Company has a legal basis to support its operations as specified in the PDPA, for example:

7. Limitation of Personal Data collection

The Company shall use, collect, store, or disclose Personal Data under lawful and fair purposes, scopes, and means. The Company shall limit its collection of Personal Data to the extent necessary for the provision of the Service. The Company may collect Personal Data from any physical or electronic means, in whatever form, according to the purposes of the Company or for the benefit of the Company’s business operation only.

User acknowledges and renders consent to the Company’s use, collection, storage, or disclosure of User Personal Data in accordance with the purposes specified by the Company via physical, electronic, or any other means designated by the Company. In addition, in the event that the processing of sensitive Personal Data (such as, data in respect of racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal record, health information, disabilities, labor union information, heredity information, biological information or any other information which affects the data subject in the same manner) is necessary for the provision of the Service to User, User has also consented to the Company’s use, collection, storage, or disclosure of such sensitive Personal Data.

The Company may use, collect, store, or disclose User Personal Data without requesting consent from User during the collection of Personal Data in the following events:

  1. to achieve purposes in the making of historical documents or annals for public interest, or relating to the study, research, or statistics for which the appropriate protection standard is established;
  2. to protect vital interests, life, and health of persons;
  3. necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  4. necessary for the performance of a task carried out in public interest;
  5. necessary for the purposes of the legitimate interests pursued by the Company or by a person or juristic person that is not the Company;
  6. to comply with a legal obligation to which the data controller is subject, such as the PDPA, the Electronic Transaction Act of 2001 (B.E. 2544), the Telecommunications Business Act of 2001 (B.E. 2544), the Anti-Money Laundering Act of 1999 (B.E. 2542), the Civil and Commercial Code, the Penal Code, the Civil Procedure Code, the Penal Procedure Code, etc.;
  7. necessary to protect vital interests, life, and health of User;
  8. for the benefit of the investigation by investigators or court trials; or
  9. for the interest of User where User is incapable of giving consent at the relevant time.

8. Purposes of the use, collection, storage, or disclosure of Personal Data

The Company collects, stores, and uses User Personal Data to provide the Service to User, including providing other services in which User is interested, or to create a database, or to provide privileges based on User’s preferences, or to perform data analysis in order to offer goods or services of the Company and/or its distributors, agents, or other related persons, and/or for any other purposes not prohibited by law, and/or to comply with any laws or regulations applicable to the Company, whether currently in effect or to be enforced in the future, and/or for any purposes beneficial to the Company’s business operation.

User renders consent for the Company’s sending, transferring, and/or disclosing of Personal Data to Subsidiaries, business alliances, Data Processor assigned by the Company, and/or any other person/company who has a legal or business relationship with the Company, including consenting to the Company sending, transferring, and/or disclosing User Personal Data to other persons/companies, both domestically and internationally.

9. Restriction of use and disclosure of Personal Data

The Company shall only use and disclose User Personal Data with the consent of User according to the purposes of data collection and storage of the Company and purposes specified by the Company. In this regard, the Company shall supervise its employees, officers, or operating staff to prevent them from using and/or disclosing User Personal Data in any way other than for the purposes of its collection, or from disclosing it to any third party, except:

  1. to achieve purposes in the making of historical documents or annals for public interest, or relating to the study, research, or statistics for which the appropriate protection standard is established;
  2. to protect vital interests, life, and health of persons;
  3. necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  4. necessary for the performance of a task carried out in public interest;
  5. necessary for the purposes of the legitimate interests pursued by the Company or by a person or juristic person that is not the Company;
  6. to comply with a legal obligation to which the data controller is subject, such as the PDPA, the Electronic Transaction Act of 2001 (B.E. 2544), the Telecommunications Business Act of 2001 (B.E. 2544), the Anti-Money Laundering Act of 1999 (B.E. 2542), the Civil and Commercial Code, the Penal Code, the Civil Procedure Code, the Penal Procedure Code, etc.;
  7. necessary to protect vital interests, life, and health of User;
  8. for the benefit of the investigation by investigators or court trials; and
  9. for the interest of User where User is incapable of giving consent at the relevant time.

The Company may use third-party service providers to collect, store, use, process, or disclose Personal Data. The said service providers must have security measures which prohibit the collection, use, processing, or disclosure of Personal Data other than as specified by the Company.

In addition, the Company may use an automated decision-making process to process User Personal Data through a computer system in some cases. User may request more details with respect to this matter by contacting the Data Protection Officer.

10. Recipient of User Personal Data

The Company is aware of the importance of ensuring sufficient protection of Personal Data. In this regard, the Company tries to restrict access to Personal Data only to those who are required to access such data for the performance of their obligations in accordance with User’s given consent or for the performance of a contract by the Company.

The executives, employees, and staff of the Company, including third parties who have a contractual obligation to provide services to the Company involving Personal Data processing and other contracting parties who act on behalf of the Company, will receive and process Personal Data of User. The Company shall disclose and share information with such service providers only as necessary for the provision of the Service to User and to protect the Company’s interests. The Company shall protect User Personal Data from unauthorized access or disclosure. For more details regarding the types of service providers to which User Personal Data will be disclosed by the Company, please contact the Data Protection Officer.

User renders consent for the sending, transferring, and/or disclosing of Personal Data to Subsidiaries, business alliances, Data Processor assigned by the Company, and/or any other person/company who has a legal or business relationship with the Company, including consenting to the Company sending, transferring, and/or disclosing User Personal Data to other persons/companies, both domestically and internationally, for the purpose of the Company’s business operations, or for compliance with policy or notification as the Company may stipulate on a case-by-case basis, or for protection of the legitimate interests and legitimate rights of the Company.

11. Transfer of Personal Data to a third country

The Company may transfer User Personal Data to a third country for the purpose of the Company’s business operations as necessary. User agrees and renders consent for the Company’s transfer of User Personal Data to a person or entity in a third country or under the jurisdiction of other countries, regardless of whether the Personal Data protection law of such country may or may not reach the protection standard of Thailand’s Personal Data protection law. In any event, the Company shall apply appropriate measures to protect the security of User Personal Data at the same level of protection as Thailand’s Personal Data protection law.

12. Data retention

The Company shall only retain User Personal Data for as long as necessary or as regulated by law for the purposes specified by the Company. For more information regarding the Company’s Personal Data retention period, please contact the Data Protection Officer.

13. User’s rights under the PDPA
As a data subject under the PDPA, User is entitled to the following legal rights:

In the event that User refuses to give consent for the Company’s processing of User Personal Data or requests the Company to erase User Personal Data, the Company may be unable to provide the Service to User effectively. Therefore, User may not be able to obtain the Services from the Company.

The Company reserves the right to reject User’s request in the event that it is permitted by law, or there is an order of competent government authorities or the court, or User’s request is contrary to the law or may impact or cause damage to the Company.

If there is a request to erase User Personal Data from the system, the Company shall use its best efforts to erase User Personal Data from the system. However, User agrees and acknowledges that the Company may retain records or make copies of such data on the Company’s server or back-up system to back up data in case of errors, defects, or malfunctions of the Company’s system, including retaining them as evidence or for the performance of a legal obligation.

User’s exercise of rights shall be subject to the rules, notifications, and regulations prescribed by the Company, which shall be in line with the criteria of the PDPA, including the Company’s privacy policy and other criteria specified by the Company. User can exercise the above data subject’s rights by sending a written request to the Data Protection Officer as detailed in clause 16 of this privacy policy.

14. Consent withdrawal

User is entitled to withdraw consent for the Company’s collection, use, processing, or disclosure of User Personal Data by notifying the Data Protection Officer in writing.

The said consent withdrawal is subject to the conditions, rules, notifications, or regulations provided in the PDPA, as well as the Company’s privacy policy and other criteria specified by the Company.

15. Notification of breach of Personal Data

In the event of any violation of Personal Data, please notify the Data Protection Officer as detailed in clause 16 of this privacy policy within 24 hours from the occurrence of such event in order to protect Personal Data and to prevent and remedy the said violation for User.

16. Data Protection Officer

For the exercise of rights specified in clause 13, or report of Personal Data breach, or any inquiries regarding the collection, use, or disclosure of Personal Data of the Company, please contact the Data Protection Officer as per the details below:

Data Protection Officer
Mr. Tanakhon Kasemsin
Address: 499 Kamphaeng Phet 6 Road, Ladyao Sub-district, Chatuchak District, Bangkok 10900
Tel: 02-016-5500
Email: DPO@benchachinda.co.th

17. Data security

The Company has policies and programs on information technology security protection that meet international standards to protect the confidentiality and security of User Personal Data and to prevent loss or unauthorized destruction, access, or disclosure of User Personal Data, which must be strictly complied with by the Company’s employees. The Company also educates and raises awareness of the importance of Personal Data and the responsibility for the security of such information. However, the Company makes no representations or warranties that the implementation of the said policy will be free of any defects or errors. The Company, therefore, reserves the right to discharge all liabilities for any damage or loss occurring to User.

18. Update of the Personal Data management policy

For the greatest benefit and efficiency in providing services to User, the Company may need to update or amend this Personal Data management policy without notifying User in advance. Therefore, the Company asks User to check this Personal Data management policy regularly.

19. Privacy policy update

For the benefit and efficiency in providing the Service to User, the Company reserves the right to update or revise this privacy policy without notifying User in advance. Consequently, the Company requests User to review this privacy policy regularly.