(Privacy Policy)
Prolife Plus Public Company Limited (the “Company”) is committed to implementing personal data protection measures in accordance with the Personal Data Protection Act B.E. 2562 (2019) and all applicable laws. This Privacy Policy has been established to ensure that the Company’s operations comply with legal requirements and international standards for personal data protection. It also outlines the principles for safeguarding the rights of data subjects and the management procedures to address any infringement of such rights in an efficient and appropriate manner.หมาะสม
1. Scope of Application
This Privacy Policy, in compliance with the Personal Data Protection Act B.E. 2562 (2019) and other relevant legislation, governs the processing of all personal data carried out by the Company. It extends to any individuals who gain access to personal data in connection with the Company's operations. All such persons are required to comply with this Privacy Policy and the applicable legal framework as defined under contractual terms and conditions, including products and services under the Company’s management such as websites, applications, documents, or other forms of services (collectively referred to as the “Services”).
This Policy applies to the following data subjects:
- Individual customers;
- Officers, staff, or employees of the Company;
- Business partners and service providers who are natural persons;
- Directors, authorized persons, representatives, agents, shareholders, employees, or other individuals holding a similar status in legal entities that have a relationship with the Company;
- Users of the Company’s products or services;
- Visitors to or users of the Company’s websites, systems, applications, devices, or other communication channels under the Company’s control;
- Other individuals whose personal data is collected by the Company, such as job applicants, employees’ family members, guarantors, etc. Items (1) through (7) are hereinafter collectively referred to as the “Data Subjects.”
In addition to this Policy, the Company may issue specific Privacy Notices (each a “Notice”) relating to certain products, services, or personal data processing activities that are subject to particular contractual terms or conditions. These Notices are intended to inform Data Subjects of the personal data being processed, the purposes of such processing, the retention periods, and the rights to which they are entitled under applicable law. In the event of any inconsistency between such a Notice and this Policy, the provisions set forth in the Notice shall prevail.
With respect to personal data collected prior to the effective date of the Personal Data Protection Act B.E. 2562 (2019), the Company may continue to collect and use such data for the original purposes for which it was obtained. However, any disclosure or processing activities other than collection and use shall be conducted in accordance with the Personal Data Protection Act B.E. 2562 (2019) and relevant laws.
2. Definitions
For the purposes of this Personal Data Protection Policy, the following terms shall have the meanings set forth below:
“Personal Data Protection Policy” refers to this policy established by the Company to inform Data Subjects of the Company’s personal data processing activities and relevant details, as required under the Personal Data Protection Act B.E. 2562 (2019) and applicable laws.
“Personal Data” means any information relating to an individual that enables the identification of such individual, whether directly or indirectly, but excluding information of deceased persons.
“Sensitive Personal Data” means any Personal Data pertaining to race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disabilities, labor union information, genetic data, biometric data, or any other information of a similar nature as may be prescribed by the Personal Data Protection Committee.
“Processing” means the collection, use, or disclosure of Personal Data.
“Data Subject” refers to a natural person who is the subject of the Personal Data.
“Data Controller” means a person or juristic person who has the authority and responsibility to make decisions regarding the collection, use, or disclosure of Personal Data. This definition shall include any reference under applicable data protection laws that has the same or similar meaning to a data controller.
“Data Processor” means a person or juristic person who processes the collection, use, or disclosure of Personal Data on behalf of or under the instructions of the Data Controller. This term shall include any reference under applicable data protection laws that has the same or similar meaning to a data processor. For clarity, such a person or entity is not considered a Data Controller.
“Cookies” means small computer files that temporarily store necessary Personal Data on the Data Subject’s computer in order to facilitate and enhance communication during access to the Company’s website. The use of Cookies is effective only during a user’s session on the website.
3. Collection of Personal Data
The Company may collect Personal Data, including but not limited to, personally identifiable information, data relating to private life or personal interests, financial information, and Sensitive Personal Data. The sources and principles governing the collection of such Personal Data are outlined as follows:
3.1 Sources of Personal Data The Company may obtain Personal Data through the following four primary channels:
3.1.1 Direct Collection from the Data Subject The Company may collect Personal Data directly from the Data Subject through various means, including but not limited to the completion of application forms (either in paper format or online), responses to surveys, job applications, execution of contracts or documents, or communications made through designated channels with the Company.
3.1.2 Collection through the Use of the Company’s Website, Software, or Applications The Company may collect Personal Data arising from the Data Subject’s use of the Company’s websites, software, or applications in accordance with applicable service agreements. This includes the tracking of usage behavior via cookies or software installed on the Data Subject’s device to improve services and user experience.
3.1.3 Collection from Social Media Platforms or External Account Providers The Company may obtain Personal Data from social media service providers or external account providers when the Data Subject has granted consent to disclose such data in order to connect their external accounts to the Company’s services. The scope of Personal Data disclosed to the Company shall be subject to the Data Subject’s privacy settings and the privacy policy of the respective external service provider.
3.1.4 Collection from Third-Party or Indirect Sources The Company may collect Personal Data from sources other than the Data Subject directly, provided that such collection is in compliance with applicable laws or where the Data Subject has provided prior consent for such disclosure to the Company. These sources may include, without limitation, publicly available websites, inquiries to third parties, disclosures from affiliates, business partners, or third parties for the purposes specified in this Policy.
In such cases, the Company shall notify the Data Subject of the collection without undue delay, and in any case, within thirty (30) days from the date of collection. The Company shall also seek the Data Subject’s consent to collect the said Personal Data unless exempted from the requirement to obtain consent or provide notice in accordance with applicable laws.
The Company may collect the following categories of Personal Data, including but not limited to:
| Category | Description and Examples |
|---|---|
| Identifiable Personal Information | Title, full name, national identification number or passport number, nationality, household registration information, driver's license details, signature, social security number, or other government-issued documents that may directly or indirectly identify an individual. |
| Personal Attributes | Date of birth, gender, height, weight, age, marital status, military status, photographs, spoken language, behavioral traits, preferences, bankruptcy status, incapacity or quasi-incapacity status, etc. |
| Contact Information | Home phone number, mobile number, fax number, email address, mailing address, social media usernames or application account IDs (e.g., Line, Facebook, Apple, Google, Microsoft), location of residence, etc. |
| Employment and Educational Information | Employment and education details, including employment type, occupation, rank, job title, responsibilities, expertise, work permit status, reference contacts, emergency contacts, taxpayer identification number, employment history, salary details, employment start and end dates, performance evaluations, benefits and entitlements, company-assigned equipment, work achievements, bank account number, academic institution, educational qualifications, academic results, graduation date, workplace access data, and working hour logs. |
| Social Relationship Information | Information relating to the individual’s social connections, such as political status, holding of political positions, or information on any beneficial interests in businesses that engage with the Company. |
| Service Usage Information | Details regarding the use of the Company’s products or services, including user account name, password, PIN, OTP, computer traffic data, geolocation, images, videos, voice recordings, behavioral data, search history, cookies or similar technologies, device ID, device type, connection details, browser data, preferred language, and operating system. |
| Financial and Transactional Information | Financial details, financial status, or financial history, such as bank account numbers, transaction records, loan repayment history, income tax documents, income statements, utility payment records, and information regarding owned assets. |
| Vehicle Information | Vehicle-related information and registration details, such as vehicle registration number, engine number, vehicle registration data, and GPS tracking information. |
| Sensitive Personal Data | Sensitive personal data as defined by law, including but not limited to race, religion, disability, political opinions, criminal records, biometric data (e.g., facial image data), and health-related information. |
| Other Personal Data | Such as personal data used for marketing analytics, closed-circuit television (CCTV) footage, audio recordings, and communication data via telephone or electronic devices. |
3.2Principles for the Collection of Personal Data
3.2.1 Legal Basis for the Collection of Personal Data The Company determines the appropriate legal basis for the collection of personal data in accordance with the nature of the services provided, contractual obligations, and applicable legal requirements. The primary legal bases upon which the Company relies for the processing of personal data include, but are not limited to, the following:
| Legal Basis | Description |
|---|---|
| Performance of a Contract | To enable the Company to enter into and perform its obligations under contracts with data subjects, such as loan agreements, service agreements, employment contracts, or contracts for hire of work. |
| Compliance with Legal Obligations | To allow the Company to comply with applicable laws and regulations, such as tax laws, labor protection laws, insurance laws, and to act in accordance with court orders. |
| Legitimate Interests | For purposes that are necessary for the legitimate interests of the Company or third parties, provided such interests do not override the fundamental rights of the data subjects and are reasonably expected by the data subjects. Examples include identity verification, facilitating service access, offering related products or services, improving services and products, fraud prevention, maintaining Company security, optimizing internal operations and systems, internal governance within affiliated or group companies, risk management, regulatory compliance, auditing, and organizational administration. |
| Vital Interests | To protect or prevent threats to the life, physical integrity, or health of the data subject or another person. For example, contacting emergency references if the data subject is unconscious, or preventing and monitoring outbreaks of communicable diseases. |
| Consent of the Data Subject | For the collection, use, or disclosure of personal data that requires consent, where the Company has informed the data subject of the specific purposes prior to or at the time of obtaining consent. Examples include marketing and promotional activities by affiliated or group companies and business partners, targeted advertising, or the collection of sensitive personal data not exempted by law. |
Additionally, the Company may consider relying on other legal bases beyond those specified above in connection with its services or business operations, provided such reliance is in accordance with the applicable legal framework.
3.2.2 The Company shall collect only the personal data that is necessary for the performance of its operations. The purposes for processing personal data may vary depending on the specific context or case, for example:
| Objective | Details |
|---|---|
| For the execution of the data subject's request before entering into a contract and for fulfilling the contract between the company and the data subject | Using personal data as necessary for service use or entering into a contract with the company, such as: - Accessing products or services under the PROLIFE PLUS trademark/service mark - Accessing the All living Website services |
| To verify identity or check an individual | Verifying the identity of the data subject before providing services or entering into a contract in the manner determined by the company, or verifying identity during transactions, including verifying the signature of the data subject. |
| To respond to inquiries and assist customers | Assisting customers with services, such as providing information on customer data updates, bill payments, debt history, or submitting requests or complaints. |
| To provide information about products, services, or marketing promotions | Offering or promoting products or services, special offers, benefits, and promotions by the company to customers, including offering products or services by affiliates, subsidiaries, or business partners via communication channels received from the customer. |
| To develop and improve products and services | Researching, analyzing, and developing the company's products or services, including those of its affiliates and subsidiaries, to better meet customer needs. |
| For data analytics | Analyzing data for various lawful purposes, such as product and service development, risk management within the organization, and fraud prevention. |
| To monitor and improve IT systems | Monitoring and improving the organization's IT systems to comply with international standards and relevant regulations, such as ensuring system security, auditing IT systems, and performing penetration tests. |
| To monitor and prevent legal violations | Conducting audits and actions to prevent violations of relevant laws, including security breaches affecting the company and the data subject. |
| To comply with applicable laws | Complying with laws related to the company's business operations, such as data retention for tax withholding, auditing customer facts, or complying with debt collection laws and consumer protection laws. |
| To provide information to government agencies as required by law or upon request | Providing and explaining information to law enforcement agencies or government officials as required by law or relevant government organizations that may be involved in business operations. |
| For internal management purposes | Managing internal operations, such as ensuring compliance with corporate governance principles, ethical standards of business conduct, risk management, fraud prevention, and anti-bribery measures. |
| For human resources management purposes | Managing human resources within the company and its subsidiaries, including recruitment, criminal background checks, payroll, employee benefits, performance evaluations, health and safety compliance, and compliance with labor laws. |
| For business transactions purposes | Engaging in company transactions related to business operations, such as buying and selling assets, procurement, securing financing for business operations domestically and internationally, converting assets into securities, issuing debt instruments, or transferring business operations. |
| For establishing legal rights and litigation purposes | Resolving disputes and engaging in judicial processes, including filing lawsuits and complying with court orders, judgments, or arbitration rulings. |
3.2.3 The Company will collect personal data only as necessary for the lawful purposes that have been communicated to the data subject prior to or at the time of collecting the personal data. The Company will explicitly obtain consent from the data subject before or at the time of collecting personal data, unless the law allows the Company to collect personal data without the need for consent.
3.2.4 In cases where the data subject is required to provide personal data to comply with the law or a contract, or if it is necessary for entering into a contract, or for any other purposes, if the data subject fails to provide such data, it may result in the suspension or temporary cessation of transactions or activities related to the data subject until the Company receives the personal data. This is because the Company cannot process the data, or the law prohibits the continuation of such transactions or activities.
3.2.5 For processing based on the consent of the data subject, if the data subject does not provide consent, the Company will not process any personal data that requires consent. The refusal to provide consent by the data subject will not affect the execution of the contract or the fulfillment of the contract between the data subject and the Company, nor will it adversely affect the data subject, except where it is legally necessary to obtain consent for processing. Furthermore, the data subject may withdraw their consent at any time, and such withdrawal can be done as easily as providing consent. However, the withdrawal of consent will not affect the legality of any processing carried out prior to the withdrawal.
3.2.6 For the collection of sensitive personal data, if it does not fall under any legal exception, the Company will explicitly obtain consent from the data subject before or at the time of collecting such sensitive personal data. This will be done according to the Company's established procedures, ensuring compliance with applicable laws. If the data subject refuses to provide consent, it may result in the inability to access certain services that cannot be processed under any other legal basis, except explicit consent.
3.2.7 Personal data of minors, persons with no legal capacity, and persons with limited legal capacity: In cases where the Company becomes aware that the personal data requiring consent for collection belongs to a minor, person with no legal capacity, or person with limited legal capacity, the Company will not collect such personal data until consent is obtained from a legally authorized guardian or representative of the minor, or a custodian or legal guardian as applicable, in accordance with the conditions set forth by law.
In cases where the Company was unaware that the data subject was a minor, a person with no legal capacity, or a person with limited legal capacity, and later discovers that it has collected the personal data of such a person without the required consent from a legally authorized guardian or representative, the Company will promptly delete or destroy that personal data unless there is another lawful reason for processing such data, other than consent for the collection, use, or disclosure of the data.
4. Use and Disclosure of Personal Data
4.1 Basic Principles The use and disclosure of personal data by the Company are for the purposes and in accordance with the principles outlined in Section 3.2, which govern the collection of personal data. The Company may disclose personal data to external parties only to the extent necessary, based on the consent of the data subject, unless such disclosure is permitted under the legal framework. Personal data may be disclosed to external individuals, organizations, or government agencies as follows:
- Service providers related to transactions and financial matters, such as banks
- Cloud service providers
- Data processors
- Providers of technology services and developers of IT systems and programs
- Professional consultants
- External and internal agencies that conduct data management audits to prevent fraud
- Government agencies, law enforcement authorities, and regulatory bodies with legal authority
- Other organizations for legal purposes, such as agencies complying with legal orders, auditing agencies, or legal proceedings/litigation
- Other individuals as necessary for the Company to conduct its business and provide services to you, including activities necessary to fulfill the purposes of personal data collection and processing as specified in the Privacy Policy
4.2 Cookies The Company collects and uses cookies, along with other similar technologies, on websites under the Company's management or on the devices of the data subject. These technologies are used for security purposes related to the Company’s services and to provide users with a more convenient and improved experience. The information collected is utilized to enhance the Company’s website and tailor it to your needs. You can manage or delete cookies by adjusting the settings in your web browser.
5. Retention Period of Personal Data
The Company will retain your personal data only for as long as necessary to fulfill the purposes of each service, in accordance with the duration of the contract or legal relationship in force between you and the Company, unless required for compliance with applicable laws and regulations, internal operational procedures, or legal claims or requests from regulatory authorities. The data will be retained for a period deemed appropriate and necessary based on the type of personal data involved.
The Company will delete or destroy personal data or anonymize it, making it impossible to identify the data subject, according to the Company’s data destruction standards, once the retention period expires or if the Company no longer has the right or lawful basis to process your personal data.
6. Transfer or Transmission of Personal Data Abroad
The Company may need to transfer your personal data to its group companies or affiliates with whom the Company has legal agreements or relationships, including cloud platforms located abroad. This transfer will be for your benefit or to support the overall business operations. In such cases, the transferred data will be protected according to the applicable data protection standards.
7. Rights of the Data Subject
The data subject has the right to exercise their rights under the provisions of applicable laws and the policies currently in force or as amended in the future. The data subject may contact the Company’s personnel or exercise their rights directly through the channels designated by the Company. The Company will require proof to verify the identity of the data subject.
The Company may charge a fee in cases where the request is found to be unfounded, repetitive, or excessive. The Company may refuse requests that are dishonest, unreasonable, or impractical, or may refuse requests based on other criteria set by applicable laws.
The data subject has the right to file a complaint with the Personal Data Protection Committee under the provisions of the applicable laws.
7.1 Right to Withdraw Consent
When the data subject has consented to the Company for a specific purpose, they have the right to withdraw such consent at any time, unless restrictions apply under the law or the consent is related to a contract that benefits the data subject. The withdrawal of consent may impact the data subject’s benefits, so it is advised to consult or inquire about the potential consequences before exercising this right. If the withdrawal of consent prevents the Company from delivering certain products or services to the data subject, the Company will notify the data subject of the impact. However, the withdrawal of consent does not affect the lawful collection, use, or disclosure of personal data that occurred prior to the withdrawal.
7.2 Right to Access and Request Copies
The data subject has the right to request access to and copies of their personal data, such as copies of invoices or receipts, according to the procedures and criteria defined by the Company. The Company may refuse requests according to the law, a court order, or if the request would negatively impact the rights and freedoms of others.
7.3 Right to Data Portability
The data subject has the right to request their personal data in a format that is commonly used and readable by automated tools or devices. They also have the right to request that the Company transfer or transmit this data to another entity, or request copies of personal data already transmitted to another entity, unless the Company is unable to do so due to technical or legal reasons.
7.4 Right to Object to the Processing of Personal Data
The data subject has the right to object to the collection, use, and disclosure of their personal data. However, if the objection is based on processing that is necessary for the Company’s legitimate interests or for public tasks, the Company may continue processing if it demonstrates a lawful basis that overrides the objection or is necessary for the establishment, exercise, or defense of legal claims. The Company may refuse requests based on legal grounds or court orders, or if the request could harm the rights and freedoms of others.
7.5 Right to Restrict the Processing of Personal Data
The data subject has the right to request the temporary restriction of the processing of their personal data while the Company is reviewing a request for rectification, objection, or other legal grounds for the temporary suspension of data processing as required by law.
7.6 Right to Erasure
The data subject has the right to request the deletion or destruction of their personal data, or to anonymize it so that it can no longer identify the individual, unless the Company is required by law to retain the data for contractual or legal reasons.
7.7 Right to Rectification
The data subject has the right to request the correction or update of any inaccurate or incomplete personal data to ensure it is current, subject to the provisions of applicable laws.
7.8 Right to Lodge a Complaint
The data subject has the right to file a complaint regarding personal data. They can contact the Company through the designated channels to have their concerns addressed or clarified before escalating the matter to the relevant regulatory authority under the Personal Data Protection Act.
The Company may refuse the exercise of the rights mentioned above according to its established criteria, provided such refusal does not violate the law.
The data subject may exercise these rights by submitting a request to the Company through the designated contact channels. The Company will process the request within 30 (thirty) days from the receipt of the request. If the Company rejects the request, it will provide reasons for the rejection.
The data subject has the right to file a complaint with the Personal Data Protection Committee or the appropriate authorities if the Company, its data processors, employees, or contractors violate the Personal Data Protection Act of 2019 or any other related laws.
8. Security of Personal Data
The Company has implemented appropriate security measures to protect personal data against loss, access, use, alteration, modification, or unauthorized disclosure, in accordance with the Company’s information security policies and applicable laws.
If the Company engages external entities to collect, use, or disclose personal data, it will ensure that these entities maintain confidentiality and security of the data and prevent its use for purposes beyond the scope of the agreement or in violation of the law.
9. Links to External Websites or Services
The Company’s services may contain links to third-party websites or services, which may have privacy policies that differ from the Company’s. Therefore, the data subject should review the privacy policy of any third-party websites or services before accessing them. The Company has no control over, and is not responsible for, the privacy practices, content, policies, or actions of any third-party websites or services.
10. Third-Party Service Providers or Subprocessors
The Company may engage third parties (data processors) to process personal data on its behalf. These third parties may provide various services such as hosting, outsourcing, cloud computing, IT services, or internal business management support (e.g., debt collection, customer service, payroll management, surveys, data analysis). The Company will establish agreements defining the rights and responsibilities between the Company and the third-party service providers, ensuring that personal data is processed only for the purposes specified in the agreements and under the Company’s instructions. If the data processor engages a subprocesser to process personal data on behalf of the Company, the Company will ensure that a written agreement exists between the processor and subprocesser, containing terms at least as stringent as those between the Company and the data processor.
11. Review and Revision of Policy
The Company will review and update this policy at least once a year or when significant changes occur that affect the policy. In case of any changes, the updated privacy policy will be posted on the Company’s website. ัทฯ
12. Contact Channels for Personal Data
Details of the Personal Data Controller
Name:
Prolife Plus Public Company Limited
Contact Address:
109/8, 109/9 Sakangam Road, Samdam Subdistrict, Bangkhuntien District, Bangkok 10150, Thailand
Contact Channels:
Phone: 02-451-6923 ext. 308
Website: www.prolifeplus.co.th
Line@: @prolifeplus
Facebook: Prolife Plus - Complete Advertising Media Production
Details of the Personal Data Processing Supervision Team
Contact Address:
109/8, 109/9 Sakangam Road, Samdam Subdistrict, Bangkhuntien District, Bangkok 10150, Thailand
Contact Channels:
Phone: 02-451-6923 ext. 308
E-mail: [email protected]
This notice is issued for acknowledgment and compliance by all concerned.
Announced on: 18th April 2023
(Ms. Benyada Rungroj)
Managing Director