With awareness of the importance of personal data protection, Veranda Resort Public Company Limited and its subsidiaries (collectively referred to as the “Company”) hereby formulate the Personal Data Protection Policy (the “Policy”) in order to establish the purposes of the collection, the use, and the disclosure of personal data, the protection of personal data, the period of retention, as well as the rights of data subjects, so that the data subjects are aware of the personal data protection policy of the Company.
“Personal data” means any information that can be used to identify a natural person (“data subject”), whether directly or indirectly, but shall not include, in particular, any information regarding deceased persons.
“Sensitive data” means any information that is intrinsically personal to an individual, that is sensitive, and that may give rise to discrimination, for example race, political opinions, beliefs, religion, philosophy, information on health or disability, or any similar data which may affect the data subject.
“Data controller” means a person or a juristic person who has the power and duty to make decisions regarding the collection, use, or disclosure of personal data.
“Data processor” means a person or a juristic person who is engaged in the collection, use, or disclosure of personal data under the instruction of a data controller. The person or juristic person who is engaged in the above-mentioned activities is not considered a data controller.
The Company shall collect personal data in accordance with the purposes, scope, and procedures that are lawful. The personal data shall be collected only to the extent that it is necessary for the operations under the purposes of the Company. In this regard, the Company shall ensure that the data subjects are informed and shall obtain the consent of the data subject by electronic means or any other procedure specified by the Company. In the case that the Company collects sensitive data of a data subject, the Company shall obtain the express consent of the data subject before collecting the sensitive data, with the exception of the collection of personal data and sensitive data that falls under an exemption under the Personal Data Protection Act B.E. 2562 (2019) or as prescribed by law.
The Company shall collect or use personal data of data subjects for the purposes specified in this Policy and shall not use the personal data for any other purposes, unless consent has been granted by the data subject or as required by law as follows:
The Company shall not disclose any personal data of a data subject to any person without the consent of the data subject, and shall disclose personal data in accordance with the purposes of which the Company has informed the data subject. Notwithstanding the foregoing, in the interest of the operations of the Company and the provision of services to the data subject, the Company may be required to disclose the personal data of the data subject to its subsidiaries, the internal auditor, the auditor, or other person or juristic person as prescribed by law.
The Company shall establish measures for safeguarding the security of personal data that comply with the applicable laws, regulations, criteria, and guidelines on personal data protection for the employees of the Company and all concerned parties. In addition, the Company shall encourage the employees to acquire knowledge and be aware of their duties and responsibilities in the collection, the retention, the use, the updating, and the disclosure of personal data. The Company shall adopt appropriate security measures to prevent any unauthorized access or breach of personal data, or any adjustment or destruction of personal data. In this regard, the employees of the Company shall comply with the Policy as specified by the Company in order for the Company to be able to properly and efficiently comply with the Policy and the law on personal data protection.
The Company may outsource the management of personal data to its third-party service providers, which includes a data processor. The Company shall appoint only a service provider who has confirmed that it has the capability to properly manage personal data, and the Company shall disclose personal data to the service provider in accordance with the scope of work and the provision of services, and shall enter into an agreement with the service provider in writing or by similar means to ensure that the service provider shall properly manage personal data.
The Company shall retain personal data for a period that is necessary in the interest of the operations or provision of services to the data subjects, or the period required by the relevant law.
The data subjects of personal data shall have the following rights:
The data subject can request the Company to exercise the rights stated above by submitting a request for exercising the rights to the Company in writing or via electronic mail in the form specified by the Company to the “Contact Channel” set out below. The Company shall consider the request and inform the data subject of the results of consideration within 30 days from receipt of the request. Notwithstanding the foregoing, the Company may decline the right of the data subject if it is required by law.
The Company may amend or revise this Policy from time to time as it deems necessary in order to ensure that the Policy is in compliance with the law. Any amendment or revision to the Policy will be published on the Company’s website or any other channel that it deems appropriate.