Personal Data Protection Policy (Privacy Policy)
Quality Houses Public Company Limited
07 October B.E. 2564
Introduction
Quality Houses Public Company Limited (“The Company”) recognizes the importance of privacy and personal data protection and complies with the Thailand Personal Data Protection Act B.E. 2562 (“Thai PDPA”). The Company has created this personal data protection policy (“Policy”) to strengthen and support its personal data protection activities, especially for the benefit of all customers. Furthermore, The Company has defined the scope of the Policy so that it does not conflict with the principles of the relevant personal data protection laws and regulations. Any personal data processing activity has either been consented to by you or is carried out under a legally permissible basis.
If you have any questions or concerns regarding this Policy, including its scope of enforcement, please contact The Company’s Data Protection Officer (DPO) for more information.
Objective of the Policy
This Policy is created to protect the personal data of customers, employees, and business partners that The Company has collected, stored, used, or disclosed, in accordance with Thai PDPA. This Policy addresses the responsibilities that The Company and its employees have towards customers, as well as the customers’ rights as data subjects.
Definition
Term | Definition
--- | ---
Personal Data | Data of a natural person which can be used, either directly or indirectly, to identify an individual. Personal data:
Data Controller | Quality Houses Public Company Limited
Data Processor | A natural or juristic person, excluding The Company’s employees, who collects, uses, or discloses personal data on the instructions of or on behalf of The Company
Data Subject | A natural person to whom the personal data relates
Data Protection Officer | Personnel performing duties relating to the protection of personal data
Person | A natural person, excluding the deceased
Employee | An employee of Quality Houses Public Company Limited
Business Partner | A seller of goods, a service provider of The Company, or a land seller
Scope of the Policy
This Policy applies to the collection, use, and disclosure of personal data throughout all of The Company’s processing activities as data controller. This Policy is also enforced on the data processors to which The Company has disclosed personal data for the purpose of processing it.
Policy Updates and Revisions
This Policy will be reviewed and updated by The Company at least every twelve (12) months. The Data Protection Officer may from time to time issue additional guidelines regarding this Policy, which will be reviewed by the Data Protection Officer; related policies and guidelines shall be created to comply with Thai PDPA.
Governance Structure
The Company’s governance structure for its policies and guidelines ensures compliance with the requirements of Thai PDPA, as follows:
- Appointment of Personal Data Protection Committee
  - The Personal Data Protection Committee leads The Company’s personal data protection program and helps coordinate and provide advice to resolve problems related to personal data protection throughout all departments of The Company, as requested.
- Appointment of Data Protection Officer
  - The Company is considering the appointment of appropriate personnel to the Data Protection Officer position.
- Duties, Roles, and Responsibilities of the Data Protection Officer
  - The duties, roles, and responsibilities of the Data Protection Officer are as listed below:
  - Advisory Duties
    - Inform and advise the data controller or data processor, as well as related employees, regarding their personal data protection duties.
    - Provide advice regarding Data Protection Impact Assessments (DPIA).
    - Coordinate and provide advice on personal data protection initiatives in The Company, such as conducting training and creating related forms or documents.
    - The Data Protection Officer may participate in, and make recommendations on, assessing the effectiveness of security measures when there are changes in technology.
  - Reviewing, Monitoring, and Investigating Compliance Duties
    - Monitor the compliance of The Company and relevant personnel in relation to personal data protection, including through audits, awareness-raising activities, and training of staff involved in processing operations.
  - Coordination and Cooperation Duties
    - The Data Protection Officer acts as the contact person and coordinator supporting regulators on issues relating to personal data processing activities.
    - Answer questions and receive complaints or requests where there are questions or concerns related to compliance, and take any action related to The Company’s personal data.
    - Act on data subject requests when a request to exercise the data subjects’ rights is submitted.
    - Protect the data subjects’ rights, such as by responding to or reviewing requests to exercise those rights or to file a complaint.
  - Confidentiality of Personal Data
    - Ensure the confidentiality of personal data under the control of the Data Protection Officer during the performance of the position’s duties.
Processing of Personal Data
Purpose Limitation/ Data Minimization
The Company may collect, use, or disclose personal data that is related to the purposes which have been clearly stated, and shall not process it for other purposes which are not related to the original objectives. Such objectives must be appropriate to the circumstances in which the personal data is collected, used, or disclosed by The Company. Furthermore, the data subject shall be notified of the objectives through the Privacy Notice on The Company’s website. The Privacy Notice shall state all of The Company’s purposes in relation to the collection, use, or disclosure of personal data. The data subject’s additional consent is required for any purpose other than those stated in the Privacy Notice.
The Company shall collect only the personal data necessary for the stated objectives and for the purpose of contacting data subjects. Nonetheless, The Company will not process any sensitive personal data.
Notification
The Company will notify the data subject of the objectives of collecting, using, or disclosing personal data prior to or during the collection, use, or disclosure of such personal data, except where the exceptions set forth in this Policy apply.
Nonetheless, in the Privacy Notice, The Company shall notify the data subjects of the details listed below:
- The Company’s legal compliance with Thai PDPA
- Objectives of personal data collection, usage, or disclosure
- Data subjects’ rights
The Privacy Notice may be sent to the data subjects or announced on The Company’s official website. The data subjects shall be notified of the objectives for which the personal data is collected, used, or disclosed by The Company. The Company does not have to request consent for the processing of personal data that was collected prior to 1st June 2021, if the processing of that personal data is only for the purpose of compliance with the terms and conditions of sale of goods and/or services of The Company. However, if The Company wishes to process that personal data for a different purpose, the explicit consent of the data subject is required. Otherwise, the processing activities shall be in accordance with the lawful basis specified in Thai PDPA or related laws, rules, and regulations. The Data Protection Officer is responsible for reviewing the effectiveness, content, and notification method of the Privacy Notice at least every 12 months.
Consent
The Company will not collect, use, or disclose personal data for certain processing activities, such as direct marketing activities, if the data subject has not consented to them, unless The Company is permitted to do so under Thai PDPA or relevant laws. In the event that The Company receives personal data from a third party, the personal data can be processed if the third party obtained explicit consent from the data subjects (for example, the data subject was informed that The Company would be the recipient of the personal data). If the third party did not obtain explicit consent, The Company shall notify and request consent from the data subjects within 30 days after The Company received the personal data from the third party.
Lawful consent cannot be acquired via the following means:
- Consent is set as a condition of receiving products or services
- Providing false information, or consent acquired through misleading practices
Format of Consent
The request for consent will be in a clear, written form, such as a check box for the data subject to tick or sign themselves. The format of the consent request must be clear and specific, so that the data subject is able to choose explicitly which purposes to consent to. Consent can be requested through channels such as email, SMS, or the website. For direct and personalized marketing purposes, The Company requires the explicit consent of the data subject for the collection, use, and disclosure of personal data.
Record of Consent
Recorded consent must be clear, unambiguous, and saved in writing. The Company’s system shall be able to record the obtaining of consent from the data subject, as well as the withdrawal of consent when the data subject requests to exercise their rights.
Data Subject Rights
Right to withdraw
Data subjects have the right to withdraw, at any time, the consent on which the collection, use, or disclosure of their personal data is based. As a result, The Company shall stop the processing of such data as soon as possible. If The Company has no other lawful basis that allows further processing of the personal data, the personal data shall be deleted.
Right to object to the collection, use, or disclosure
The data subject has the right to object to the processing of his or her data at any time when the following conditions are met:
- In the event that the personal data was collected by The Company without consent, only in the following cases:
  - For the performance of public tasks or duties that regulators have granted to The Company.
  - Where it is necessary for the legitimate interests of The Company or of another person, unless such interests are outweighed by the fundamental rights of the data subject.
- In the event that The Company processes personal data for purposes related to direct marketing, The Company cannot refuse the request to object to the processing of personal data and must cease such processing activities.
- In the event that the processing of personal data is for scientific, historical, or statistical research purposes, The Company may reject a request if the processing is necessary to carry out public tasks.
In the event that the data subject has objected to the processing of the personal data and The Company has no ground for rejection as listed above, The Company shall assume that no exception applies and can no longer collect, use, or disclose that data. Thus, where there is no exception allowing it to refuse the request to exercise the right to object to processing, The Company shall delete or destroy the personal data, or clearly segregate the related data from other data, immediately when the data subject has submitted a request of objection.
Right to deletion
The data subjects have the right to request deletion of their personal data. The Company has to delete the personal data if one of the following conditions is met:
- The personal data is no longer necessary for the objective of the collection or processing of personal data.
- Data subjects withdraw their consent for the personal data processing and The Company has no legal authority to process it any further.
- Data subjects object to the processing activities related to direct marketing.
- Data subjects object to the processing activities (other than the objection to processing for direct marketing purposes) and The Company has no legitimate interest as a lawful ground.
- The processing activity is unlawful.
If any of the events listed above occurs, The Company must delete, destroy, or de-identify the data without delay. If The Company has disclosed the personal data to the public, The Company shall notify other data controllers of the data subject’s request to exercise the right of erasure, so that those data controllers can delete that personal data as well.
Nonetheless, The Company can refuse the request if it can be proven that such processing activities are necessary, as follows:
- The Company can state the higher lawful ground.
- The personal data is necessary to establish legal claims, compliance, or to exercise or raise the defense of legal claims.
- It is for the purpose of exercising freedom of expression.
- To achieve objectives relating to the preparation of historical documents or archives for the public interest, or in connection with research studies or statistics with appropriate safeguards to protect the rights and freedoms of the data subject.
- The processing activities are necessary for carrying out public tasks or performing duties that regulators have granted to The Company.
Right to Restriction of Processing
The data subject has the right to restrict the processing of personal data if the following conditions are met:
- When the data subject restricts the processing activities and the reason provided is more important than The Company’s legitimate interest.
- The processing activity is no longer necessary; however, the storage of the personal data remains necessary for the purpose of legal claims.
- The processing activity is unlawful, but the data subject wishes to restrict the processing activities instead of personal data deletion or erasure.
Right to portability
The data subject has the right to request his or her personal data from The Company, including the right to request The Company to directly send or transfer the personal data to other data controllers.
Right to access
The data subject has the right to receive confirmation from the data controller as to whether, and how, their personal data is being processed. The data subject also has the right to submit a request to access the data and receive a copy of their own personal data in the possession of the data controller, as listed below:
- Confirmation that the data controller processes the personal data.
- A copy of personal data related to the data subject
- Purposes of the personal data processing, including the legal basis for the processing of their personal data, which individuals have the right to know.
- Category of personal data
- The category of person or entity to whom the personal data may be disclosed, especially recipients of personal data in foreign countries or international organizations. The data subject has the right to be informed of the data security measures, showing whether they are sufficient and appropriate.
- The length of time the personal data is stored or the criterion in determining retention period.
- Existence of the data subject’s rights, namely the right to correct their personal data, the right to request erasure, and the right to restrict or object to the processing of personal data.
- The right to lodge a complaint with a supervisory authority.
- Sources of Personal Data (In the event that The Company receives it from another source).
- Details of automated decision-making and profiling, including the rationale of the logic and the expected results of such processing.
Right to correction
The data subject has the right to request that the data controller correct their personal data so that it is accurate and current, as listed below:
- In the event that the personal data is incomplete, that is, the data controller holds correct data but it is incomplete and thus insufficient to be processed for the intended purpose.
- In the event that the personal data is incorrect.
In both scenarios, The Company shall immediately take action, as well as providing details of the correction (supplementary statements) as evidence of such incomplete or inaccurate personal data, as requested by the data subject.
Nonetheless, during the remedial action, the data controller shall temporarily suspend the processing activities in order to verify the correction of the data before processing it again, so as to prevent the effects of processing inaccurate data.
In addition, the data controller shall notify those to whom such personal data has been disclosed of the correction of that personal data.
Lawful Basis
The Company can collect, use, or disclose personal data when the processing activities are based on a legal basis. Personal data will be disclosed to individuals or entities outside The Company under the legal bases permitted by law, as listed below:
- Contractual basis
- Legal basis
- Legitimate interest basis
Processing on the legitimate interest basis is processing for which The Company has business or commercial reasons that make it necessary to collect, use, or disclose personal data, as listed below:
- The processing activity is for internal management, including the disclosure of personal data within the same group of companies to raise the standard of operation. The disclosure of such data will be in accordance with the Personal Data Protection Policy.
- It is for security reasons and to prevent illegal activities, which may include photography and CCTV surveillance within the project area or office building.
- It is necessary to maintain relationships with customers, such as handling complaints and offering benefits without marketing objectives.
In conclusion, The Company will not collect, use, or disclose personal data without the consent of the data subject unless there is another legal basis that supports and allows it.
The table below shows an example of processing activities and the legal bases used.
Purpose | Legal Basis
--- | ---
Provision of Products and Services | 
Customer Support | 
Marketing Activities | 
Sharing Data Subjects' Personal Data to Third Parties for Their Marketing | 
Business Improvement | 
Fulfillment of Our Legal Obligations | 
Security and Risk Management | 
Accuracy
The Company must have adequate measures to ensure that personal data collected, used, or disclosed on behalf of The Company is accurate and complete. If the personal data is likely to be used in decision-making involving the data subject, whether by The Company or by another organization, The Company shall first consider the following:
- Characteristics of personal data and the importance of it to the data subject
- Purposes of personal data collection, usage, or disclosure
- Credibility of personal data
- Currency of the personal data
- Possible consequences if personal data is inaccurate or incomplete
To review the accuracy and completeness of personal data, The Company must have the following measures or guidelines:
- Accurately record the personal data being collected (either from direct or indirect collection)
- Collect all relevant parts of personal data for completeness
- Consider and verify that the personal data being collected, used, or disclosed is accurate and complete
- Consider the measures necessary to keep personal data that was collected, used, or disclosed up to date.
Storage and Retention
The Company will cease storing documents containing personal data, whether in paper or electronic format, immediately if one of the following scenarios applies:
- Quality Houses’ business relationship with the data subject ends and the purpose of the personal data processing has been accomplished
- Retention of such personal data is no longer necessary for legal or business purposes
The Company has a record of personal data storage and erasure methods and has set a clear retention period. The retention period is subject to relevant laws and regulations, or it is retained as necessary for legal or business purposes.
The end of retention period can take the form of:
- Documents disposal
- Anonymization of personally identifiable information
All employees of The Company have the duty and responsibility to check for orderliness and to use appropriate methods to dispose of documents containing personal data. Employees can find more information in the Retention and Deletion policy.
Confidentiality and Integrity
Security Measures of Personal Data
The Company has appropriate security measures, including organizational and technological measures, to prevent message spoofing and unauthorized collection, use, access, or alteration of personal data. The Company has established procedures for dealing with personal data breach incidents and shall notify data subjects in accordance with the legal requirements.
Complaint Management Handling
Complaints or allegations of a personal data breach can be submitted via DPO@qh.co.th.
All complaints must be forwarded to the Data Protection Officer to investigate and advise on corrective action or an appropriate response. Complaints that the Data Protection Officer receives from any channel must be investigated and referred to the relevant departments. All complaints must be resolved within a reasonable time unless the Data Protection Officer is obliged to extend the period.
For complaints notified via the Data Protection Officer’s email that do not involve a personal data breach incident, the Data Protection Officer must keep records of all complaints or personal data breach incidents and report them to the Personal Data Protection Committee.
If the Data Protection Officer determines that there is a personal data breach incident that may affect reputation or finances, the Data Protection Officer shall report the incident to the Personal Data Protection Committee, which will assess and decide on the process for reporting to the regulator or proceeding to notify the data subjects.
Personal Data Breach Notification
The Company must announce a personal data breach incident without delay and no later than 72 hours after being notified of it, unless the personal data breach incident does not risk affecting the rights and freedoms of natural persons.
If the personal data breach incident is likely to result in a risk to, or affect, the rights and liberties of natural persons, The Company must report the personal data breach incident and the remedial plan to the related data subjects without delay. The notification method must be in accordance with the standards and methods announced by the Personal Data Protection Committee.