CUSTOMER PRIVACY POLICY
VGI PUBLIC COMPANY LIMITED
Updated as of 8 November 2021
VGI Public Company Limited. (the “Company”, “we”, “us”, or “our”) recognizes the importance of the protection
of personal data. We follow security measures when collecting, using, and/ or disclosing your Personal Data (as defined below) in order to provide you with the best experience and customer service.
In operating our business, we may have to collect, use, and/or disclose the Personal Data of our past, current, and potential customers, including any other individuals who we receive Personal Data from (e.g. visitors, press, corporate social responsibility (CSR) related persons, shareholders, and securities holders) (“you” or “your”) for certain purposes in relation to the business operation of the Company and the Companies under BTS Group ( BTS Group means the companies listed in this link https://www.vgi.co.th/Companies-under-BTS-Group-EN.pdf )
This privacy policy (“Privacy Policy”) applies to our business operation via websites, telephone, email, call center, activity
or press release registration, post, online social media, online communication channels and other channels or places where we receive your Personal Data.
From time to time, we may revise and/or update this Privacy Policy. We will notify any substantial revisions and/or updates by posting the date our Privacy Policy was last revised and/or updated at the top of the Privacy Policy. We encourage you to carefully read this Privacy Policy and regularly check the Privacy Policy to learn the changes and/or updates we might take in accordance with the terms of this Privacy Policy.
1. WHAT PERSONAL DATA WE COLLECT
For the purposes of this Privacy Policy, “Personal Data” means any directly or indirectly identified or identifiable information as listed below.
We may collect your Personal Data directly or indirectly from other sources, such as the Companies under BTS Group, other third parties (e.g. reference persons, brokers, investors, analysts, employers), public domain (e.g. online social media), and third-party website or the relevant government agencies. The specific type of Personal Data which we collect will depend on the context of your relationship with us or the Companies under BTS Group, and the services or products you wish to receive from us or the Companies under BTS Group. The followings are example of Personal Data which we may collect:
1) Personal information , such as title, name, surname, gender, age, occupation, date of birth, identifiabl information issued by the government sector (e.g. national identification card, passport, house registration, work permit), signature, and/or photograph;
2) Contact information, such as postal address, house registration address, national identification card address, workplace address, phone number, facsimile number, email address, LINE user account, Facebook account, and other information related to online social media;
3) Financial information, such as bank account information;
4) Transaction information, such as information in the documents related to such transaction (e.g. contract, land deed, receipt);
5) Technical information, such as Internet Protocol (IP) address, web beacon, log, device model and type, hardware-based identifiers such as universal device identifier (UDID), media access control information, software-based identifier such as identifier for advertisers for iOS operation system (IDFA), or identifier for advertisers for Andriod operation system (AAID), connection information, access information, single sign-on (SSO) information, login log, access time, time spent on our webpage, cookies, login data, search history, browsing detail, browser type and version, time zone setting and location, plug-in browser types and versions, operating system and platform, and other technology on devices used to access the platform;
6) Information related to relationship management, such as opening of customer account, management, operation, payment, dispute resolution, processing and reporting on behalf of the customer, such Personal Data may also include communication records with us;
7) CCTV details, please see our “CCTV Privacy Policy” for more details on how we collect, use and/or disclose Personal Data
If you provide Personal Data of any third party (such as emergency contact or other party) to us, e.g. their name, family name, address, relationship and contact information, you represent and warrant that you have the authority to do so
by (i) informing such other person about this Privacy Policy; and (ii) obtaining consents (where required by laws or necessary) to permit the Company to use the Personal Data in accordance with this Privacy Policy.
We do not intentionally collect your sensitive data (“Sensitive Data”) such as the Sensitive Data as appeared in the government issued documents (e.g. religion information on the national identification card). However, in case that we do, we will only collect, use, and/or disclose Sensitive Data on the basis of your explicit consent or where permitted by law.
We only collect the Personal Data of children, quasi-incompetent person and incompetent person where their parent or guardian has given their consent. We do not knowingly collect Personal Data from persons under the age of 20 without their parental consent when it is required, or from quasi-incompetent person and incompetent person without their legal guardian’s consent. In the event that we learn that we have unintentionally collected Personal Data from anyone under the age of 20 without parental consent when it is required or from quasi-incompetent person and incompetent person without their legal guardians, we will delete it immediately or collect, use and/or disclose if we can rely on other legal basis apart from consent or where permitted by law.
2. WHY WE COLLECT, USE AND/OR DISCLOSE PERSONAL DATA
We may collect, use and/or disclose Personal Data for the following purposes:
2.1 THE PURPOSE OF WHICH WE RELY ON CONSENT:
We rely on consent for the collection, use, and/or disclosure of your Personal Data to provide you with certain marketing communications in which we cannot rely on other legal bases: such as to provide you with marketing communications, information, special offers, promotional materials, tele-marketing, privilege, advertisement, newsletter, and any marketing and communications via online and offline channels about products and services provided by the Company, Companies under BTS Group, our affiliates, subsidiaries, and appropriate business partners.
Where the Company relies on consent as our legal basis for the collection, use and/or disclsoure of Personal Data,
you have the right to withdraw consent by contacting the Company (at the address set out in Section 9 below).
The withdrawal of consent will not affect the collection, use and/or disclosure of Personal Data and/or Sensitive Data that was previously consented before the withdrawal. If you do not give consent to the Company or subsequently withdraw your consent, the Company may not be able to provide our services to you.
2.2 THE PURPOSE THAT WE MAY RELY ON OTHER LEGAL BASES FOR COLLECTION, USE, AND/OR DISCLOSURE OF PERSONAL DATA
We may also rely on (1) contractual basis, for our initiation or fulfilment of a contract with you; (2) legal obligation,
for the fulfilment of our legal obligations; (3) legitimate interest, for the purpose of our legitimate interests and the legitimate interests of third parties. We will balance the legitimate interest pursued by us and your interest, fundamental rights and freedoms in relation to the protection of your Personal Data; (4) for preventing or suppressing a danger
to a person’s life, body or health; and/or (5) public interest, for the performance of a task carried out in the public interest or for the exercising of the state authorities (6) for establishment and raising of potential legal claims or other legal bases permitted under applicable laws relating to personal data protection (as the case may be). Depending
on the context of the relationship with us, we may collect, use and/ or disclose Personal Data for the following purposes:
1) To operate our business: such as to offer products and services, to support and arrange other activities relating
to such products or services, to facilitate (e.g. social function arrangement or observational study in the country or abroad), to provide souvenirs and privileges, to request necessary details, to use as evidence, to manage the accounting, and to proceed financial transaction;
2) To register and verify: such as to register, record, and examine the information, authenticate, and verify;
3) To contact and communicate: such as, to use for any contact and news/information delivery, to inform and invite
to activities, to arrange activities (e.g. CSR activities, press release, events, and exhibitions);
4) To provide marketing communications: such as, to provide marketing communications, information, special offers, promotional materials, tele-marketing, privilege, advertisement, newsletter, and any marketing and communications via online and offline channels about products and services provided by the Company, Companies under BTS Group, our affiliates, subsidiaries, and appropriate business partners;
5) To manage relationship: such as, to consider the complaints in relation to the products and services obtained
from us and the Companies under BTS Group, to resolve the issues in the complaints and improve the services,
and to coordinate with the relavant agencies in solving problems and improving the services;
6) To select and provide products or services which might be of an individual’s interest and tailored to individual’s needs: such as, to allow the Company, Companies under BTS Group, our affiliates, subsidiaries,
and business partners to use the result from data cleansing and matching, data profiling and data analytics
to recommend products and services that might be of an individual’s interest; to identify individual’s preferences,
and customize the experience; and to develop website content and platforms to meet individual’s interests in the future;
7) To improve business operation, products and services: such as, to analyse, evaluate, and prepare a report for
the Company and the Companies under BTS Group, to oversee operation, coordinate, monitor, examine, and control the operation within the group companies in order to comply with the policies, rules, and standards, to evaluate
the reliability and completeness of internal operation, to lay out the plans and strategies in relation to the public relations operation and organizational policies, and to improve the business operation or advance other lines
of businesses;
8) To ensure the function of our websites, mobile applications, and platforms: such as, to administer, operate, track, monitor and manage our websites and platforms to facilitate and ensure that they function properly, efficiently and securely; to facilitate and enhance users experience on our websites, and platforms; and to improve layout and content of our websites and platforms;
9) To manage IT-related matter: such as, for IT management, management of communication system, IT security system and to control access to data and system and to conduct IT security audit; internal business management
for internal compliance requirements, policies and procedures; and to revise and update our database;
10) To comply with legal obligations and orders from the government agencies: such as, where the Company
or the Companies under BTS Group has a reasonable ground to believe that they shall comply with the laws and/or orders or provide cooperation to such cases, to follow the legal proceedings or government authorities’ orders which include government authorities outside Thailand and/or cooperate with court, regulators, government authority
and law enforcement bodies. We may have to disclose Personal Data to comply with the said legal provisions, proceedings or government orders. This includes internal investigation proceedings or crime/fraud prevention
and/or establishment of legal claims;
11) To protect our interests: such as, to protect the security and integrity of our business and the businesses of the Companies under BTS Group or other revevant entities; to exercise our rights and protect the interests of the Company and the Companies under BTS Group or other relevant entities where it is necessary and lawful to do so, for example
to detect, prevent and proceed with matters in relation to any corruptions, intellectual property infringement claims
or violations of law; to manage and prevent loss of our assets; to detect and prevent misconduct within the premises
of the Company or the Companies under BTS Group, to secure the compliance of the terms and conditions
of the Company, Companies under BTS Group, or other relevant entities, to detect and prevent internal misconduct,
to monitor incidents, to prevent and report criminal offences and to protect the security and confidence in the businesses of the Company and Companies under BTS Group;
12) Business transfer or merger: in case of sale, transfer, merger, organizational restructuring, or other event of the same nature, the Company may transfer your Personal Data to one or many other third party(ies) as part of such transaction;
13) To manage risks: such as, to perform risk management, performance monitoring and risk assessments; and/or
14) To provide security: such as, to prevent or suppress a danger to a person’s life, body, health, or asset, or for disease/epidemic control.
In case the Personal Data we collect from you is needed to meet our legal or contractual obligations or enter into an agreement with you, if we do not receive the Personal Data when requested, we may not be able to achieve the abovementioned purposes.
3. TO WHOM WE MAY DISCLOSE OR TRANSFER YOUR PERSONAL DATA
We may disclose or transfer your Personal Data to the following third parties who collect, use, and/or disclose Personal Data in accordance with the purposes under this Privacy Policy. These third parties may be located inside or outside Thailand. You can visit their privacy policy to learn more details on how they collect, use and/or disclose Personal Data since you could also be subject to their privacy policies.
3.1 Companies under BTS Group
As the Company is part of the Companies under BTS Group which all collaborate and partially share customer services and/or systems, e.g. service system and website-related systems, we may need to transfer your Personal Data to,
or otherwise allow such Personal Data to be accessible by the Companies under BTS Group, for the purposes set out above. In this regard, the Companies under BTS Group, our affiliates and subsidiaries could also rely on the consent obtained by us to use your Personal Data.
In addition, the Company collaborates with BSS Holdings Company Limited (“BSSH”), which is one of the Companies under BTS Group, to develop the operation of media and digital marketing businesses in order to allow us to provide better services to you, including complying with the applicable laws in relation to Personal Data protection. Please visit the privacy policy of BSSH as well as the privacy policies of other Companies under BTS Group to learn the details
on how they collect, use, and/or disclose your Personal Data.
3.2 Our service providers
We may engage other companies, agents or contractors to perform services on our behalf or to accommodate the provision of services. We may disclose Personal Data to the third-party service providers, including, but not limited to,
(1) infrastructure, software, internet and website developers and IT service providers; (2) event organizers; (3) data storage and/or document destruction service providers; and/or (4) travel agencies/ travel companies.
In the course of providing such services, the service providers may have access to your Personal Data. However, we will only provide our service providers with the Personal Data that is necessary for them to provide the services, and we will ask them not to use your Personal Data for any other purposes. We will take steps to ensure that all the service providers we work with will keep your Personal Data secure.
3.3 Our business partners
We may transfer your Personal Data to our business partners to operate our business and provide services including, but not limited to, project owners, manufaturers or service providers for CSR projects, banks, financial institutes, securities companies, insurance companies, provided that the receiving business partner shall agree to treat Personal Data in
a manner consistent with this Privacy Policy.
3.4 Third parties permitted by law
In certain circumstances, we may be required to disclose or share your Personal Data to third parties in order to comply with a legal or regulatory obligation. This includes any law enforcement agency, court, regulator, government authority, embassy, consulate, or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety; or to detect, prevent, or otherwise address fraud, security or safety issues.
3.5 Professional advisors
We may have to disclose Personal Data to our expert advisors including, but not limited to,
(1) independent advisors, project advisors, financial advisors; (2) legal advisors who assist us in our business operations and provide litigation services such as defending or initiating legal actions; and/or (3) auditors who provide accounting services or conduct financial audit for the Company.
3.6 Other third parties
We may be required to disclose Personal Data based on the legal bases in accordance with the purposes as specified in this Privacy Policy to other third parties, such as the public, complainants or other third parties that we receive a request to access our CCTV records etc.
3.7 Third parties connected with business transfer
We may disclose or transfer your Personal Data to our business partners, investors, major shareholders, assignees or transferees in the event of any reorganization, restructuring, amalgamation, merger, acquisition, business transfer, in whole or in part, sale, purchase, joint venture, assignment, or any similar event involving transfer or other disposition of all or any portion of our business, assets or stock. If any of the above events occurs, the receiving party will comply with this Privacy Policy to respect your Personal Data.
4. CROSS-BORDERTRANSFERS OF PERSONAL DATA
We may disclose or transfer Personal Data to third parties or servers located overseas, which the destination countries may or may not have the same data protection standards as Thailand’s. We take steps and measures to ensure that Personal Data is securely transferred, the receiving parties have in place suitable data protection standard and the transfer is lawfully permitted under the applicable laws.
5. HOW LONG DO WE KEEP PERSONAL DATA
We retain Personal Data for as long as is reasonably necessary to fulfil purposes for which we obtained them and to comply with the relevant legal and regulatory obligations. However, we may have to retain Personal Data for a longer duration, as required by the applicable laws.
6. COOKIES AND HOW THEY ARE USED
If you visit our websites, cookies will gather or track certain information in relation to your use of our websites which
will be used to analyze trends, administer our websites, track users’ movements around the websites, or to remember users’ settings. Some of the cookies are necessary because without them, the site would not be able to function properly. Other cookies will help us to improve your experience on our websites and adjust the content to suit your needs which would make your browsing more convenient as the cookies remember the users (in a secure manner)
as well as your language preferences.
Usually, most internet browsers allow you to control whether or not to accept cookies. If you
reject cookies, it might affect your use of the websites and your ability to use some or all of
the features or areas of our websites may be limited.
Please find more details about the cookies we use for our VGI website at VGI Cookies
Policy link.
7. DATA SECURITY
As a way to protect personal privacy of Personal Data, we maintain appropriate security measures, which includes administrative, technical and physical safeguards in relation to access control, to protect the confidentiality, integrity, and availability of Personal Data against any accidental or unlawful or unauthorized loss, alteration, correction, use, disclosure or access, in compliance with the applicable laws.
In particular, we have implemented access control measures which are secured and suitable for our collection, use, and/or disclosure of Personal Data. We restrict access to Personal Data as well as storage and processing equipment by imposing access rights or permission, user, access management to limit access to Personal Data to only authorized persons, and implement user responsibilities to prevent unauthorized access, disclosure, perception, unlawful duplication of Personal Data or theft of device used to store and process Personal Data. This also includes measures that enables the
re-examination of unauthorized access, alteration, erasure, or transfer of Personal Data which is suitable for the method and means of collecting, using and/or disclosing of Personal Data.
8. RIGHTS AS A DATA SUBJECT
Subject to applicable laws and exceptions thereof, a data subject may have the following rights to:
1) Access: Data subjects may have the right to access or request a copy of the Personal Data we are collecting, using and/or disclosing. For privacy and security, we may require proof of the data subject’s identity before providing the requested Personal Data;
2) Rectification: Data subjects may have the right to have incomplete, inaccurate, misleading, or or not up to date Personal Data that we collect, use and/or disclose rectified;
3) Data Portability: Data subjects may have the right to obtain Personal Data we hold about that data subject,
in a structured, electronic format, and to transmit such data to another data controller, where this is (a) Personal Data which you have provided to us, and (b) if we are collecting, using and/or disclosing that data on the basis of data subject’s consent or to perform a contract with the data subject;
4) Objection: Data subjects may have the right to object to certain collection, use and/or disclosure of Personal Data;
5) Restriction: Data subjects may have the right to restrict our use of Personal Data where the data subject believes such Personal Data to be inaccurate, that our collection, use and/or disclosure is unlawful, or that we no longer need such Personal Data for a particular purpose;
6) Withdraw Consent: For the purposes the data subjects have consented to our collection, use and/or disclosure of Personal Data, data subjects may have the right to withdraw consent at any time
7) Deletion: Data subjects may have the right to request that we delete, destroy or anonymize Personal Data that we collect, use, and/or disclose, except we are not obligated to do so if we need to retain such Personal Data in order to comply with a legal obligation or to establish, exercise or defend legal claims; and
8) Lodge a complaint: Data subjects may have the right to lodge a complaint to the competent authority where the data subject believe our collection, use and/or disclosure of Personal Data is unlawful or non-compliance with applicable laws in relation to data protection.
9. OUR CONTACT DETAIL
If you wish to contact us to exercise the rights relating to your Personal Data or if there is any queries about your Personal Data under this Privacy Policy, please contact our Data Protection Officer (DPO) at:
VGI Public Company Limited
21 TST Tower, 9th Floor, Vibhavadi Rangsit Rd.,
Chom Phon, Chatuchak, Bangkok 10900
Thailand
Email: dpo@vgi.co.th Tel: 02 273 8884 Ext. 147