QVEDO Privacy Policy

GENERAL PROVISIONS

1. Purpose and basis of the Privacy Policy

1.1. This Policy of the Limited Liability Company QUEEDO (THAILAND) CO., LTD. (TIN: 0105566074684) (Privacy Policy) regarding the processing of personal data (hereinafter referred to as the Policy) has been developed in pursuance of the requirements of The Kingdom of Thailand's Personal Data Protection Act in order to ensure the protection of the rights and freedoms of a person and citizen in the processing of his personal data, including the protection of the rights to privacy, personal and family secrets.

1.2. The Policy applies to all personal data processed by QUEEDO (THAILAND) CO., LTD. (hereinafter referred to as the Operator, Organization).

1.3. The Policy defines the basic rights and obligations of the Operator and personal data subjects, the purposes of personal data processing, the legal grounds for processing personal data, the categories of personal data being processed, the categories of personal data subjects, the procedure and conditions for processing personal data, as well as measures to ensure the security of personal data when they are processing applied by the Organization.

1.4. The Policy applies to relations in the field of personal data processing that arose with the Operator both before and after the approval of the Policy.

1.5. The policy, as well as changes to it, are approved by the Director General of the Organization or a person acting in his capacity.

1.6. In pursuance of the requirements the Personal Data Protection Act the Policy is published in the public domain on the Internet information and telecommunications network on the Operator's website.

1.7. Control over the fulfillment of the requirements of the Policy is carried out by authorized persons responsible for organizing the processing of personal data by the Operator.

1.8. Responsibility for violation of the requirements of the legislation of the Kingdom of Thailand and the regulations of the Operator in the field of processing and protection of personal data is determined in accordance with the legislation of the Kingdom of Thailand.

1.9. Basic terms and definitions

Personal data is any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data).

Personal data operator (Operator) - QUEEDO (THAILAND) CO., LTD. (TIN: 0105566074684), which organizes and (or) carries out the processing of personal data in the Company (hereinafter referred to as the Company), and also determines the purposes of processing personal data, composition of personal data to be processed, actions (operations) performed with personal data.

User of the Operator's service (hereinafter referred to as the User) is an individual who has access to the service via the Internet and uses the Operator's service on the basis of the Public Offer of the Service

Processing of personal data - any action (operation) or a set of actions (operations) performed with or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons.

Provision of personal data - actions aimed at disclosing personal data to a specific person or a certain circle of persons.

Blocking of personal data is a temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data).

Destruction of personal data means actions that make it impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed.

Depersonalization of personal data - actions, as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information.

Personal data information system is a set of personal data contained in databases and information technologies and technical means that ensure their processing.

1.10. Basic rights and obligations of the Operator

1.10.1. The operator has the right:

1.10.1.1. independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Law on Personal Data and the regulatory legal acts adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws;

1.10.1.2. entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person. A person who processes personal data on behalf of the Operator is obliged to comply with the principles and rules for the processing of personal data provided for by the Law on Personal Data;

1.10.1.3. in the event that the subject of personal data withdraws consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the subject of personal data if there are grounds specified in the Law on Personal Data.

1.10.2. The operator is obliged:

1.10.2.1. organize the processing of personal data in accordance with the requirements of the Law on Personal Data;

1.10.2.2. respond to requests and requests from personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;

1.10.2.3. report to the authorized body for the protection of the rights of subjects of personal data at the request of this body the necessary information within 30 (thirty) calendar days from the date of receipt of such a request.

1.11. Basic rights of the subject of personal data

1.11.1. The subject of personal data has the right:

1.11.1.1. receive information regarding the processing of his personal data, except as otherwise provided by federal laws. The information is provided to the subject of personal data by the Operator in an accessible form, and it should not contain personal data related to other subjects of personal data, unless there are legal grounds for disclosing such personal data. The list of information and the procedure for obtaining it is established by the Personal Data Protection Act;

1.11.1.2. require the Operator to clarify his personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take legal measures to protect their rights;

1.11.1.3. put forward the condition of prior consent when processing personal data in order to promote goods, works and services on the market.

2. Purposes of collecting personal data

2.1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes. It is not allowed to process personal data that is incompatible with the purposes of collecting personal data.

2.2. Only personal data that meet the purposes of their processing are subject to processing.

2.3. The processing of personal data by the Operator is carried out for the following purposes:

2.3.1. ensuring compliance with the Constitution of the Kingdom of Thailand, federal laws and other regulatory legal acts of the Kingdom of Thailand;

2.3.2. Conclusion of an agreement (offer) and support of the concluded agreement (offer);

2.3.3. provision by the Operator of the services specified in the offer;

2.3.4. collection of statistical information;

2.3.5. implementation of user verification;

2.3.6. technical support and administration;

2.3.7. organization of analytics of actions of the functionality of the Operator's Service;

2.3.8. carrying out activities in accordance with the Charter of the Organization;

2.3.9. exercising the rights and fulfilling the obligations of the parties to labor relations;

2.3.10. implementation of civil law relations;

2.3.11. organization of individual (personalized) registration of employees in the system of mandatory pension insurance;

2.3.12. attraction and selection of candidates for work with the Operator;

2.3.13. filling in and submitting to the executive authorities and other authorized organizations the required reporting forms;

2.3.14. accounting;

2.3.15. Establishing feedback with the User, including sending notifications, requests regarding the use of the functionality of the Service by the User;

2.3.16. Providing the User with his consent, service updates, special offers, pricing information, newsletters and other information on behalf of the Operator;

2.3.17. Implementation of advertising activities with the consent of the User;

2.3.18. Use by the User of the functionality of the Service.

2.4. The processing of personal data of employees may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.

3. Legal grounds for the processing of personal data

3.1. The legal basis for the processing of personal data is a set of regulatory legal acts, in accordance with which and in accordance with which the Operator processes personal data in accordance with the requirements of the Constitution of the Kingdom of Thailand, the Civil Code of the Kingdom of Thailand, Labor Code of the Kingdom of Thailand, Tax Code of the Kingdom of Thailand, Personal Data Protection Law, as well as other regulatory legal acts of the Kingdom of Thailand governing relations related to the activities of the Operator.

3.2. The legal basis for the processing of personal data is also the Charter of the Operator in the current version, contracts concluded between the Operator and subjects of personal data, the consent of subjects of personal data to the processing of their personal data.

4. Scope and categories of processed personal data, categories of personal data subjects

4.1. The content and scope of the processed personal data must comply with the stated purposes of processing, provided for in section 2 of the Policy. The processed personal data should not be excessive in relation to the stated purposes of their processing.

4.2. The Operator may process personal data of the following categories of personal data subjects.

4.2.1. Candidates for employment with the Operator:

4.2.1.1. Full Name;

4.2.1.2. floor;

4.2.1.3. citizenship;

4.2.1.4. Date and place of birth;

4.2.1.5. contact phone number;

4.2.1.6. E-mail address;

4.2.1.7. photographic image;

4.2.1.8. information about education, work experience, qualifications;

4.2.1.9. other personal data reported by candidates in resumes and cover letters.

4.2.2. Employees and former employees of the Operator:

4.2.2.1. Full Name;

4.2.2.2. floor;

4.2.2.3. citizenship;

4.2.2.4. Date and place of birth;

4.2.2.5. passport data (number, series of the passport, by whom and when issued, code of the department that issued the passport);

4.2.2.6. data of the document replacing the passport (name of the document, number, series of the document, by whom and when issued, code of the unit that issued the document);

4.2.2.7. address of residence (registration);

4.2.2.8. address of the place of actual residence;

4.2.2.9. contact phone number;

4.2.2.10. E-mail address;

4.2.2.11. photographic image;

4.2.2.12. information about education, including the following information: level of education, name of the educational institution, year of graduation, diploma number, specialty / field of study, qualification;

4.2.2.13. individual taxpayer number (TIN);

4.2.2.14. insurance number of an individual personal account;

4.2.2.15. information about marital status and family composition;

4.2.2.16. information about labor activity, including the place of work, insurance (work) experience, position held, transfers to another position;

4.2.2.17. military registration information;

4.2.2.18. bank account details;

4.2.2.19. information about wages and other payments;

4.2.2.20. information about awards and promotions;

4.2.2.21. other personal data provided by employees in accordance with the requirements of the legislation of the Kingdom of Thailand.

4.2.3. Family members of the Operator's employees:

4.2.3.1. Full Name;

4.2.3.2. relation degree;

4.2.3.3. Date of Birth;

4.2.3.4. address of residence (registration);

4.2.3.5. other personal data provided by employees in accordance with the requirements of the legislation of the Kingdom of Thailand.

4.2.4. Clients and counterparties of the Operator (individuals and/or individual entrepreneurs):

4.2.4.1. Full Name;

4.2.4.2. Date and place of birth;

4.2.4.3. passport data (number, series of the passport, by whom and when issued, code of the department that issued the passport);

4.2.4.4. address of residence (registration);

4.2.4.5. address of the place of actual residence;

4.2.4.6. contact phone number;

4.2.4.7. E-mail address;

4.2.4.8. individual taxpayer number (TIN);

4.2.4.9. insurance number of an individual personal account;

4.2.4.10. bank account details;

4.2.4.11. other personal data provided by clients and counterparties (individuals and/or individual entrepreneurs) necessary for the conclusion and execution of contracts.

4.2.5. Representatives/employees of the Operator's clients and counterparties (individuals):

4.2.5.1. Full Name;

4.2.5.2. passport data (number, series of the passport, by whom and when issued, code of the department that issued the passport);

4.2.5.3. data of the document replacing the passport (name of the document, number, series of the document, by whom and when issued, code of the unit that issued the document);

4.2.5.4. address of residence (registration);

4.2.5.5. address of the place of actual residence;

4.2.5.6. contact phone number;

4.2.5.7. E-mail address;

4.2.5.8. job title;

4.2.5.9. other personal data provided by representatives/employees of clients and contractors necessary for the conclusion and execution of contracts.

4.2.6. Individuals who have purchased or intend to purchase the Operator's services, third-party services through the Operator or who do not have contractual relations with the Operator, provided that their personal data is included in the automated systems of the Organization and is processed in accordance with the legislation on personal data:

4.2.6.1. Full Name;

4.2.6.2. E-mail address;

4.2.6.3. contact phone number;

4.2.6.4. Date and place of birth;

4.2.6.5. bank card details;

4.2.6.6. level of physical activity;

4.2.6.7. floor;

4.2.6.8. data for integration with social networks Google https://plus.google.com and Facebook https://facebook.com/ (login/username, email address);

4.2.6.9. data for integration with the State Services portal;

4.2.6.10. information about actions performed on the Operator's platforms, as well as information about the devices used (such as geolocation, IP addresses, type of operating system, browser type, Cookies).

4.3. The Operator does not process biometric and special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, except as provided by the legislation of the Kingdom of Thailand.

5. Procedure and conditions for processing personal data

5.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Kingdom of Thailand.

5.2. The operator collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (distributes, provides, accesses), depersonalizes, blocks, deletes and destroys personal data.

5.3. The processing of personal data by the Operator is carried out in the following ways:

5.3.1. manual processing of personal data;

5.3.2. automated processing of personal data with or without transmission of the received information via information and telecommunication networks.

5.4. The processing of personal data is carried out with the consent of the subjects of personal data to the processing of their personal data, as well as without it in cases provided for by the legislation of the Kingdom of Thailand, namely:

5.4.1. the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;

5.4.2. the processing of personal data is necessary to achieve the goals stipulated by an international treaty of the Kingdom of Thailand or the law, to exercise and fulfill the functions, powers and duties assigned to the operator by the legislation of the Kingdom of Thailand;

5.4.3. the processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings, proceedings in arbitration courts;

5.4.4. the processing of personal data is necessary for the execution of a judicial act, an act of another body or official subject to execution in accordance with the legislation of the Kingdom of Thailand on enforcement proceedings;

5.4.5. the processing of personal data is necessary for the exercise of the powers of federal executive bodies, bodies of state extra-budgetary funds, executive bodies of state power of the constituent entities of the Kingdom of Thailand, local authorities and the functions of organizations involved in the provision of state and municipal services, respectively, provided for by Federal Law No. 210-FZ "On the organization of the provision of state and municipal services", including the registration of a personal data subject on a single portal of state and municipal services and (or) regional portals of state and municipal services;

5.4.6. the processing of personal data is necessary for the performance of an agreement to which the personal data subject is a party or beneficiary or guarantor, as well as to conclude an agreement on the initiative of the personal data subject or an agreement under which the personal data subject will be the beneficiary or guarantor;

5.4.7. the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;

5.4.8. the processing of personal data is necessary for the exercise of the rights and legitimate interests of the operator or third parties, including in cases provided for by the Personal Data Protection Law, or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the subject of personal data;

5.4.9. the processing of personal data is necessary for the professional activities of a journalist and (or) the legitimate activities of the mass media or scientific, literary or other creative activities, provided that the rights and legitimate interests of the subject of personal data are not violated;

5.4.10. the processing of personal data is carried out for statistical or other research purposes, with the exception of the purposes specified in Personal Data Protection Law, subject to mandatory depersonalization of personal data;

5.4.11. the processing of personal data obtained as a result of depersonalization of personal data is carried out in order to increase the efficiency of state or municipal government, as well as for other purposes provided for by Federal Law No. necessary conditions for the development and implementation of artificial intelligence technologies in the subject of the Kingdom of Thailand;

5.4.12. processing of personal data subject to publication or mandatory disclosure in accordance with federal law.

5.5. Employees of the Operator whose duties include the processing of personal data are allowed to process personal data.

5.6. The processing of personal data is carried out by:

5.6.1. obtaining personal data in oral and written form directly from the subjects of personal data;

5.6.2. obtaining personal data from publicly available sources;

5.6.3. entering personal data into the journals, registers and information systems of the Operator;

5.6.4. use of other methods of processing personal data.

5.7. It is not allowed to disclose to third parties and disseminate personal data without the consent of the subject of personal data, unless otherwise provided by the Law on Personal Data. Consent to the processing of personal data authorized by the subject of personal data for distribution is issued separately from other consents of the subject of personal data to the processing of his personal data.

5.8. The transfer of personal data to the bodies of inquiry and investigation, the Federal Tax Service, the Pension Fund of the Kingdom of Thailand, the Social Insurance Fund and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Kingdom of Thailand.

5.9. When processing personal data, the operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data.

Ensuring the security of personal data is achieved by the Operator through:

5.9.1. determination of threats to the security of personal data during their processing;

5.9.2. adoption of local regulations and other documents regulating relations in the field of processing and protection of personal data;

5.9.3. appointment of persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;

5.9.4. creating the necessary conditions for working with personal data;

5.9.5. organization of accounting of documents containing personal data;

5.9.6. organization of work with information systems in which personal data is processed;

5.9.7. storage of personal data under conditions that ensure their safety and exclude unauthorized access to them;

5.9.8. organizing training for the Operator's employees who process personal data.

5.10. The operator stores personal data in a form that allows to determine the subject of personal data, no longer than required by the purposes of processing personal data, if the period for storing personal data is not established by the Personal Data Protection Law, the contract.

5.11. When collecting personal data, including through the Internet information and telecommunications network, the Operator ensures recording, systematization, accumulation, storage, clarification (updating, changing), retrieval of personal data of citizens of the Kingdom of Thailand using databases located on the territory of the Kingdom of Thailand, for except for the cases specified in the Personal Data Protection Law.

6. Procedure for updating, correcting, deleting and destroying personal data

6.1. Confirmation of the fact of personal data processing by the Operator, legal grounds and purposes of personal data processing, as well as other information specified in Personal Data Protection Law, are provided by the Operator to the subject of personal data or his representative when applying or upon receiving a request from the subject of personal data or his representative.

The information provided does not include personal data relating to other personal data subjects, unless there are legal grounds for disclosing such personal data.

The request must contain:

6.1.1. number of the main document proving the identity of the subject of personal data or his representative, information on the date of issue of the said document and the authority that issued it;

6.1.2. information confirming the participation of the subject of personal data in relations with the Operator (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information), or information otherwise confirming the fact of processing personal data by the Operator;

6.1.3. signature of the personal data subject or his representative.

The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Kingdom of Thailand.

If in the appeal (request) of the personal data subject, in accordance with the requirements of the Personal Data Law, all the necessary information is not reflected or the personal data subject does not have the right to access the requested information, then a reasoned refusal is sent to him.

The right of the subject of personal data to access his personal data may be limited in accordance with Personal Data Protection Law, including if the access of the subject of personal data to his personal data violates the rights and legitimate interests of third parties.

6.2. In the event that inaccurate personal data is detected when the subject of personal data or his representative contacts, or at their request or at the request of the authorized body for the protection of the rights of subjects of personal data, the Operator blocks personal data relating to this subject of personal data from the moment of such request or receipt of the specified request for the period of verification, if the blocking of personal data does not violate the rights and legitimate interests of the subject of personal data or third parties.

If the fact of inaccuracy of personal data is confirmed, the Operator, on the basis of information provided by the subject of personal data or his representative or the authorized body for the protection of the rights of subjects of personal data, or other necessary documents, clarifies personal data within 7 (seven) working days from the date of submission of such information and removes the blocking of personal data.

6.3. In the event that unlawful processing of personal data is detected when a personal data subject or his representative or an authorized body for the protection of the rights of personal data subjects is contacted (requested), the Operator shall block the unlawfully processed personal data relating to this personal data subject from the moment of such an appeal or receipt of a request.

6.4. Upon reaching the goals of processing personal data, as well as in the event that the subject of personal data withdraws consent to their processing, personal data shall be destroyed if:

6.4.1. otherwise not provided by the contract, the party to which, the beneficiary or the guarantor of which is the subject of personal data, another agreement between the operator and the subject;

6.4.2. The operator is not entitled to process without the consent of the subject of personal data on the grounds provided for by the Law on Personal Data or other federal laws.

7. Policy change

7.1. The Operator has the right to make changes to this Policy. When changes are made, the heading of the Policy indicates the date of the last revision of the revision. The new version of the Policy comes into force from the moment it is posted on the Operator's website, unless otherwise provided by the new version of the Policy.

7.2. The current version is stored at the location of the Operator's executive body at the address: 139 Sethiwan Tower, Pan Road, Silom, Bang Rak, Bangkok, 10500, electronic version of the Policy - on the Operator's website at https://qvedo.com/en/privacy-policy