Personal Data Protection Policy of U-Tapao International Aviation Co., Ltd. and Affiliates
Last updated in January 2023
U-Tapao International Aviation Co., Ltd. and affiliates (the "Company") respect the privacy of customers, service users, the Company's stakeholders, and any person who has provided the Company with personal data. The Company recognises the importance of protecting personal data and its integrity and/or cross-border transfer of your personal data. To ensure that the personal data it receives is used for the intended purposes and in accordance with the law, the Company has prepared this Personal Data Protection Policy (the "Personal Data Protection Policy") to inform the data subject of the purposes and details of personal data collection, use, and disclosure, and/or cross-border transfer of your personal data, as well as your legal rights.
In addition to this Personal Data Protection Policy, the Company may prepare a Privacy Notice for the Company's services or activities to inform the data subject who is our service user and participant, of the personal data being processed, the objectives and legitimate purposes of the processing, the retention period, and the data subject's specific rights. If the terms of the Privacy Notice conflict materially with those provided under this Personal Data Protection Policy, the terms of the specific Privacy Notice for the services or activities will govern.
This Personal Data Protection Policy applies to the Company's business operations on websites, via telephone or email, by mail or social network, as well as any other channels or locations where your personal data is collected.
The Company may amend this Personal Data Protection Policy from time to time. The most updated version of the Personal Data Protection Policy will be published for your information. The Company encourages you to carefully review this Personal Data Protection Policy and to regularly review the updated Personal Data Protection Policy.
The purpose of this Personal Data Protection Policy is to clarify the Company's personal data collection, use, and disclosure practices, as well as how to implement, promote, and enforce these practices.
Personal data collection, use, or disclosure always requires the data subject's consent, unless the Company may collect, use, or disclose the data without consent in accordance with the law.
The Company may comply with the laws or act within the exceptions under the laws that expressly permit it to act on or take any steps regarding the personal data. However, this Personal Data Protection Policy applies to the extent that it is not provided or exempted by law.
The Company may update or modify this Personal Data Protection Policy without notifying you in advance. However, the Company will notify you when the update is significant.
This Personal Data Protection Policy applies to the Company's customers and service users, as well as the data subject whose personal data is collected, and anyone whose personal data is received by the Company as a result of a transaction by the data subject.
The Company may be unable to provide the whole or part of the required services to the data subject if the Company needs to collect the necessary personal data to enter into or perform a contract, to provide services, to survey and carry out an activity, or to carry out its statutory duties, and the data subject refuses to provide the personal data or objects to the processing of the personal data in accordance with the objectives of the contract or the activity.
Channels for collecting personal data
The Company collects or obtains various categories of personal data from the sources listed below.
Personal data that the data subject has provided directly to the Company via channels such as during a transaction, while applying for a service or product, or participating in an activity such as a job application, registration of activity participation, entering into and executing a contract or document, completing a questionnaire, or when the data subject communicates with the Company at the Company's office or using other channels under the Company's control.
Personal data that the Company collects from the data subject’s use of the website, products, services, or participation in other activities under the contract or in a mission, such as monitoring of website, product, or service use or participation in the Company’s activities using cookies or software on the data subject’s personal devices.
Personal data that the Company receives or gains access to from other sources, such as those maintained by government agencies, business partners and their service providers, data service providers, individuals or legal entities conducting transactions with the Company, public sources (such as the Government Gazette), anyone with the lawful authorisation or rights, and any other persons or agencies with whom the Company has a legal relationship.
Categories of personal data that the Company collects, uses, or discloses
The Company may collect or obtain the following personal data based on the nature of its relationship or legal relationship with the data subject and other factors affecting the collection of personal data. The Company may either directly or indirectly collect personal data from other sources such as the Company’s service providers (i.e., questionnaire service providers, independent advisers, project advisers, financial advisers, legal advisers, or accounting advisers), the Company’s third-party business partners, other third parties (such as reference persons, employers, investors), public sources of data (i.e., social networks), and third parties’ websites or relevant government agencies.
Data subject’s identification data such as photograph, title, middle name, family name, alias, gender, date of birth, age, marital status, family status, number of family members and children, relationship data such as with an emergency contact person, nationality, country of residence, car registration number, signature, information in a government document (such as a copy of national identity card, passport, visa, alien’s certificate, work permit, government official/ state enterprise identity card, copy of house registration, birth certificate, certificate of name change, certificate of marriage and divorce, death certificate, certificate of driving licence or other similar identification documents).
Contact information such as address details in important documents, current residence, and country of residence based on nationality, workplace, telephone number, mobile phone number, facsimile number, email address, name or account name used in electronic channel of communication or social networks (such as LINE ID) or evidence of residence in Thailand (for foreigners).
Information in documents used in carrying out transactions such as a company’s certificate of incorporation, a list of shareholders, a Power of Attorney, a commercial registration document, or a bank account number.
Sensitive personal data means personal data that may be collected by the Company for its operation or services based on specific legal requirements, such as religion data on a copy of a national identification card or nationality data on a copy of a passport in some countries, biometric data such as facial images, fingerprints, e-signature (the key behavioural feature of which is analysed using an identity verification and authentication technology), criminal records, and medical records. The Company does not intend to collect sensitive personal data. However, when the Company needs to collect the sensitive personal data the Company may only occasionally collect, use, or disclose this sensitive personal data based on the data subject's explicit consent or when required to do so by law.
The Company may collect personal data of a minor, a quasi-incompetent person, and an incompetent person when their parents, curators, or guardians have given their consent. The Company does not intend to collect personal data from an individual under the age of 20 without their parental consent as is required by the law, or from quasi-incompetent persons and incompetent persons without their legal curator’s or guardian's consent (as the case may be). If the Company learns that it has collected personal data from anyone under the age of 20 without parental consent when it is required, or from quasi-incompetent persons and incompetent persons without their curator’s or guardians’ consent, the Company will delete it immediately or collect, use, disclose and/or transfer only if the Company can rely on other legal bases apart from consent.
A person providing the Company with a third party’s personal data must notify the third-party data subject of the requirements under this Personal Data Protection Policy and, if required, seek the third-party data subject’s consent, or must establish other legal bases to ensure that the Company may collect, use, or disclose the third-party personal data. Third-party data subject under this clause is, for example, a third party that is a juristic person’s personnel or who is related to the person giving the Company the data such as shareholders, directors, authorised persons, family members, reference, partners, guarantor, mortgagor, person giving the security, beneficiary, administrator, emergency contact person, or other persons under the relevant transaction documents.
Purposes for collecting, using, or disclosing personal data
The Company collects, uses, or discloses a data subject's personal information for various purposes, depending on the activity types, services, as well as the legal relationship or relationship between the data subject and the Company or its personnel, and in accordance with each specific context as described below.
Consent-based purposes: The Company may rely on the data subject's consent to collect, use, or disclose the data subject's personal data for certain types of communication, for which the Company may not rely on the legal bases, such as marketing activities, surveys, organising activities, providing information, making a special offer or privileges, advertising, issuing a newsletter, and other online and offline communications about the Company and its business partners.
When the legal basis for the Company to collect, use, or disclose personal data is consent from the data subject, the data subject may at any time withdraw consent by contacting the Company. The consent withdrawal does not affect the legality of collecting, using, or disclosing personal data obtained with the data subject's prior consent. However, if the data subject refuses to give consent or later withdraws the given consent, the Company may not engage in transactions or activities with or provide services to the data subject.
Other legal bases than consent to collect, use, or disclose personal data: The Company may rely on the following bases in collecting, using, or disclosing personal data: (1) entering into or performing a contract with the data subject, (2) complying with a legal obligation, (3) protecting the Company’s and third party’s legitimate interests proportionate to the protection of benefits and fundamental rights and freedoms of the data subject about personal data protection, (4) protecting or suspending life, physical, or health harm, (5) protecting public interest or exercising official authority, or (6) establishing or exercising or defending legal rights in relation to future laws or such other legal bases under the personal data protection law (as the case may be), depending on the relationship with the Company. The Company may collect, use, or disclose the personal data for purposes such as:
human resources management in accordance with the human resources management procedure under relevant laws and the executive’s policy, as well as allocation of welfare benefits to employees’ family;
use of CCTV to control access to the Company's office building;
prevention or suspension of life, physical, or health harm;
compliance with an order given by a lawful authority or legal compliance;
actions performed in relation to a contract entered into by the data subject, such as the processing of application forms, communication, and the delivery of documents or packages;
opinion survey and participation in the Company’s activities;
communication such as when the Company communicates with you and sends you information for public relations purposes or invites you to attend activities such as CSR activities, press releases, fairs, and exhibitions;
customer relations management such as when the Company considers and responds to complaints about its products and services and improves its services, as well as coordinates with relevant agencies in solving problems and improving services;
improvement to business, product, and service, such as when the Company analyses, evaluates, and prepares internal reports for internal compliance, coordination, monitoring, and control to comply with policies, rules, regulations, and standards, as well as to verify credibility and validity of internal operations and to develop plan and strategy for public relations and organisation policies and for business development or expansion to other businesses;
use on websites, applications, and platforms such as maintenance, operations, monitoring, observation, and administration of websites, applications, and platforms to ensure that their functions will be smooth, efficient, and safe, and that their use will be convenient, as well as to improve work plan and contents of websites, applications, and platforms;
prevention of harm to life, body, health, or property, such as to contain contagious disease or epidemic. The Company may need to collect personal data to comply with the law or contracts or to enter into a contract with you. If the Company does not receive the requested personal data from you, the Company may be unable to carry out the above purposes;
other purposes to be consistent with the regulatory requirements of or negotiations with the Company’s regulatory authority as may be appropriate. This may include disclosure of data subject’s personal data to a third party, an agency that processes legal actions and a law enforcement agency, the conduct of cases or investigation by these entities wherever or whenever the action is required.
Who may the Company share personal data with?
The Company may disclose the data subject’s personal data to a third party with the data subject’s consent or the legal requirements that allow the disclosure. The individual or organisation that receives the personal data will collect, use, or disclose it in accordance with the scope of the consent or the scope applicable under this Personal Data Protection Policy. In some cases, the data subject may also be subject to the recipient’s personal data protection policy. The personal data recipient may be located in Thailand or abroad.
In some instances, the Company may need to disclose the personal data to comply with the order of a person with lawful authority or right or to comply with the laws. The recipients of personal data may include a law enforcement agency, the Company's supervisory regulator, a government agency, an association, an agency, or other parties whose disclosure is required to fulfil legal or contractual obligations or to protect the Company's or a third party's rights. This may also involve taking appropriate legal action.
For the purposes of the Company's business operations, the Company may disclose the data subject's personal data to its auditor, external auditor, legal counsel, tax counsel, or other advisers or specialists.
In some instances, U-Tapao International Aviation Co., Ltd. may be required to work with its affiliates in providing services to customers and may use some systems jointly with its affiliates. These systems are, for example, service provision systems or website-related systems. Therefore, personal data transfer within the affiliates may be necessary or the affiliates may be permitted to access personal data for the objectives described under this Personal Data Protection Policy. These affiliates may also rely on the consent obtained by U-Tapao International Aviation Co., Ltd.
Cross-border transfer of personal data
The Company may disclose or transfer personal data to a third party or an overseas server that may or may not have an equivalent level of protection for personal data. The Company will take steps and precautions to ensure that the transfer of personal data is secure, that the recipient implements appropriate personal data protection measures, and that the transfer is lawful or to the extent the transfer is permitted by law only.
How long does the Company retain personal data?
The Company will retain personal data for as long as is necessary to achieve the purposes for which the data was collected, as well as to comply with applicable legal requirements and rules and regulations. However, the Company may be required by law to retain personal data for a longer duration.
What safeguards does the Company have in place to protect personal data?
In accordance with applicable laws, the Company will implement technical, administrative, and physical safeguards to protect and maintain the confidentiality, availability, and integrity of the data subject's personal data and to prevent unauthorised or unlawful access, collection, modification, alteration, use, or disclosure. The Company will implement appropriate measures to prevent breaches of personal data and will implement personal data protection policies, regulations, and requirements. Also, subcontractors, agents, and advisers must comply with the Company's measures to maintain the confidentiality of personal data.
What rights does the data subject have regarding the personal data?
A data subject may exercise rights subject to the laws and the Personal Data Protection Policy now in force or as amended in the future, as well as other requirements that the Company may establish. A data subject under the age of 20 or with limited legal capacity may exercise their rights through their parents or legal guardian. The rights of the data subject are described in detail below.
Right to withdraw consent: If the data subject has consented to the Company's collection, use, or disclosure of personal data (whether before or after the effective date of the personal data protection law), the data subject may withdraw consent at any time while the personal data is maintained by the Company, unless the data subject's right is restricted by law or a contract that benefits the data subject. The withdrawal of the data subject’s consent does not affect the collection, use, or disclosure of personal data before the withdrawal. However, the Company may be unable to perform its contractual obligations or provide services to the data subject if the data subject withdraws consent. The consent withdrawal may result in the transaction or other activity being suspended or terminated. Due to the consent withdrawal, the data subject may not receive useful information or advice. Before withdrawing consent, the data subject should consider and inquire about the consequences of the withdrawal.
Right of access: The data subject may request access to the personal data under the Company’s control. The data subject may also request a copy to be made of the personal data by the Company, and to require the Company to disclose how it has obtained the data subject’s personal data.
Right to data portability: The data subject may receive the personal data if the Company has prepared the data in a structured, commonly used, and machine-readable format that permits automated use or disclosure of the data. The data subject may also require the Company to transmit or transfer the personal data in such format to another controller when it is automatically possible. The data subject may request the personal data transmitted directly from one controller to another unless it is not technically feasible.
Right to object: The data subject may object to the collection, use, or disclosure of personal data at any time if the personal data is collected, used, or disclosed for the necessary operations in the legitimate interests of the Company or other individual or juristic person or in the public interests. Where the data subject objects to the processing of personal data, the Company may continue to collect, use, or disclose the personal data if the Company can demonstrate compelling legitimate grounds for the processing, which override the data subject’s rights or for the establishment, exercise or defence of legal claims, as the case may be.
Right to erasure or destruction of personal data: The data subject may request the erasure, destruction, or anonymisation of personal data if the data subject believes that the personal data has been collected, used, or disclosed unlawfully, or if the personal data are no longer necessary in relation to the purposes for which they were to be retained, or if the data subject has exercised his or her right to withdraw consent or object to the processing of the personal data as described above.
Right to request suspension of use: The data subject may request to suspend the use of the personal data temporarily while the Company is investigating the data subject’s request to exercise the rights to rectification or to objections or in other situations where the personal data is no longer necessary and must be erased or destroyed in accordance with the applicable laws, but the data subject instead requires the suspension of use.
Right to rectification: The data subject may request to rectify inaccurate, incomplete, and misleading personal data relating to the data subject.
Right to complain: The data subject may complain to the lawful authority under applicable laws if the data subject considers that the collection, use, or disclosure of the personal data violates or fails to comply with the relevant laws.
The data subject’s exercise of the rights listed above may be restricted under relevant laws. Under certain circumstances, the Company may refuse to comply with or may be unable to comply with the request to exercise the rights such as when it is required to comply with the law or the court’s order, or when the Company is compelled by the public interests, or the exercise of rights may violate the rights or freedoms of others. If the Company refuses to comply with the data subject's request, it must provide the data subject with an explanation for the refusal.
Channels for the exercise of rights
For questions, suggestions, or concerns about the collection, use, or disclosure of your personal data or about this Personal Data Protection Policy, or for the exercise of your rights under the personal data protection law, please contact us at:
U-Tapao International Aviation Co., Ltd.
99 Moo 14, Vibhavadi-Rangsit Road, Chomphon Subdistrict,
Chatuchak District, Bangkok 10900
Telephone: +66(0)2 079 7432
This Personal Data Protection Policy is effective on 1st January 2023.