Privacy Policy

The Company is aware of the importance of the collection and keeping the confidentiality of User Personal Data. However, in order to operate the business and provide services to User, it is necessary for the Company to use, collect, store, and disclose User Personal Data. Therefore, the Company, has duty to comply with the PDPA as Data Controller and Data Processor (in some cases). The Company hereby confirms that:

  • the Company shall duly and lawfully use, collect, store, and disclose User Personal Data within the scope of law;
  • the Company supports the protection of User Personal Data;
  • the Company has security and storage system to protect and safeguard the confidentiality of Personal Data in accordance with applicable legal standard; and
  • the Company shall create a system that take User’s privacy into consideration when using, collecting, storing, and disclosing any information.

Consequently, the Company has prepared this privacy policy to explain how the Company will treat User Personal Data, such as, use, collection, storage, disclosure, and protection of Personal Data, including User’s rights. For your own benefits, the Company suggests that User thoroughly read and comprehend the following privacy policy as follows:

1. Definition

Unless specified otherwise herein, the following words shall have the meaning as provided herebelow:

  1. PDPA” means the Personal Data Protection Act of 2019 (B.E. 2562) or any amendment thereafter, including any royal decrees, ministerial regulations, notifications, orders, and other laws related to Personal Data protection;
  2. Service” means a purchase, sale, hire, service, or any other action provided by the Company to User;
  3. Personal Data” means any data relating to a person, which can identify such person directly or indirectly, including all identifiable information, such as, name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, mental, social, economic, or cultural identity of that person;
  4. Company” means Cloudsec Asia Co., Ltd. Subsidiaries, and other companies which controlled and managed by shareholder of Cloudsec Asia Co., Ltd.
  5. Data Controller” means a person or juristic person who has power and duties to make decisions regarding the collection, use or disclosure of Personal Data;
  6. Data Processor” means a person or juristic person who acts in respect of the collection, use, or disclosure of Personal Data as per an order or on behalf of Data Controller. In this regard, the said person or juristic person shall not be deemed as Data Controller; and
  7. User” means a person or juristic person who receives Service in any form from the Company, including its agents, staffs, employees, executives, or representatives. 

2. Data management policy

In order to operate the business, it is necessary for the Company to use, collect, store, and disclose User Personal Data. The Company, therefore, has duty to comply with the PDPA as Data Controller and Data Processor (in some cases). In this regard, the Company represents and warrants that:

  1. the Company shall use, collect, store, and disclose User Personal Data within the scope of law;
  2. the Company has security and storage system to protect and safeguard User Personal Data in accordance with applicable legal standard; and
  3. the Company shall take User’s privacy into consideration when using, collecting, storing, and disclosing any Personal Data.

3. Scope of privacy policy

To protect User Personal Data and privacy, this privacy policy shall apply to all use, collection, storage, or disclosure of User Personal Data from all transaction and Services between User and the Company.

4. Personal Data collection and processing principles

The Company shall collect and process Personal Data under six principles as follows:


Personal Data protection principles

Context for the Companys operation

Lawfulness, Fairness and Transparency

The Company shall use, collect, store, disclose, and process User Personal Data in accordance with the consent given by User, or as specified in the terms and conditions of the agreement between the Company and User. The said data will be stored in paper and electronic form according to its nature and purpose as consented or contractually agreed. The use, collection, storage, and disclosure of Personal Data will be for the purposes of using, collecting, storing, and disclosing Personal Data as stipulated by law and the purposes which the Company has notified User when collecting such information.

Purpose Limitation

The Company shall only use, collect, store, and disclose Personal Data for the purposes for which it was collected, or according to the legal authority or obligation, or the specified scope of work.

Data Minimization

The Company shall limit the use, collection, storage, and disclosure of Personal Data to the extent necessary as per the specified purposes, unless stated by law to additionally operate, use, collect, store, and disclose the data to protect the legitimate interest of the Company.

Accuracy

The Company shall verify and keep Personal Data accurate and up-to-date, including correcting any inaccuracy without delay.

Storage Limitation

The Company shall limit the storage period of Personal Data to the extent necessary or as required by law for the purposes specified by the Company, unless stipulated by law to extend the storage or to protect the legitimate interest of the Company.

Integrity and Confidentiality

The Company shall use appropriate security measures suitable for data collected by the Company to protect against unauthorized access, loss, or destruction by third party, or unlawful use.

5. Legal basis for the use, collection, storage, and disclosure of Personal Data

The Company shall not use, collect, store, and disclose User Personal Data without User’s consent, unless it is for compliance with applicable law, or the performance of a contract, or the Company is permitted by law or legitimate right to proceed with the said use, collection, storage, and disclosure of Personal Data. The Company applies the following legal basis for the aforesaid use, collection, storage, and disclosure of Personal Data:

Legal basis

Example of the Companys use, collection, storage, and disclosure of Personal Data

Necessary for performance of a contract

The use, collection, storage, and disclosure of User Personal Data for performance of a contract, or any terms or conditions stipulated in a contract, or the Company’s guidelines for performance of a contract.

Necessary for performance of the Company’s task carried out in public interest as a Data Controller in the exercise of official authority vested in the Company as a Data Controller

The disclosure of Personal Data to competent government authorities according to the court order or lawful orders of government authorities.

Necessary for the purposes of legitimate interests pursued by the Company and Subsidiaries as a Data Controller, except where such interests are overridden by the fundamental rights of the data subject which require protection of Personal Data

    • The collection of User Personal Data via the Company’s closed-circuit television (CCTV) system and processing of such data for security purposes, including for the development of the security system of the Company.

The recording of image or Personal Data from regular use of the Company’s services, or to protect the security of the confidentiality of the Company.

6. Legal basis for the use, collection, storage, and disclosure of sensitive Personal Data

The Company shall not use, collect, store, and disclose User’s sensitive Personal Data, such as, data in respect of racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal record, health information, disabilities, labor union information, heredity information, biological information, without User’s consent, unless the Company has a legal basis to support its operations as specified in the PDPA, for example:

Legal basis

Example of the Companys use, collection, storage, and disclosure of sensitive Personal Data

To protect the vital interests, life, and health of the data subject where the data subject is for whatever reason incapable of giving consent

The disclosure of User Personal Data, such as, health information, blood group, or religious beliefs, to medical staff or hospital to protect the vital interests, life, and health of User in the event that User has an accident and User is unconscious and unable to give consent.

It is the data which are manifestly made public by the data subject

The disclosure of User’s name, surname, and photo, which disseminated by the Company through website with User’s consent.

Necessary to comply with legal obligation to achieve the objectives relating to preventive or occupational medicine, assessment of working performance of employee

The disclosure of User Personal Data, such as, name, surname, gender, health information, blood group, or religious beliefs, to officer or public health authorities in the event of an outbreak of contagious disease in the vicinity of or related to the Company.

Necessary to comply with legal obligation to achieve the objectives relating to public interest, or scientific, historic, or statistics study, or other public interest

The use of Personal Data to analyze, research, or develop scientific services for common interest, such as, data processing by artificial intelligence (AI), etc.

7. Limitation of Personal Data collection

The Company shall use, collect, store, or disclose Personal Data under lawful and fair purposes, scopes, and means. The Company shall limit its collection of Personal Data to the extent necessary for the provision of the Service. The Company may collect Personal Data from any physical or electronic means, in whatever form, according to the purposes of the Company or for the benefit of the Company’s business operation only.

User acknowledges and renders consent to the Company’s use, collection, storage, or disclosure of User Personal Data in accordance with the purposes specified by the Company via physical, electronic, or any other means designated by the Company. In addition, in the event that the processing of sensitive Personal Data (such as, data in respect of racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal record, health information, disabilities, labor union information, heredity information, biological information or any other information which affects the data subject in the same manner) is necessary for the provision of the Service to User, User has also consented to the Company’s use, collection, storage, or disclosure of such sensitive Personal Data.

The Company may use, collect, store, or disclose User Personal Data without requesting consent from User during the collection of Personal Data in the following events:

  1. to achieve purposes in the making of history documents or annals for public interest, or relating to the study, research or statistics for which the appropriate protection standard is established;
  2. to protect vital interests, life, and health of persons;
  3. necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  4. necessary for the performance of a task carried out in public interest;
  5. necessary for the purposes of the legitimate interests pursued by the Company or by a person or juristic person that is not the Company;
  6. to comply with legal obligation to which the data controller is subject, such as, the PDPA, the Electronic Transaction Act of 2001 (B.E. 2544), the Telecommunications Business Act of 2001 (B.E. 2544), the Anti-Money Laundering Act of 1999 (B.E. 2542), the Civil and Commercial Code, the Penal Code, the Civil Procedure Code, the Penal Procedure Code, and etc.;
  7. necessary to protect vital interests, life, and health of User;
  8. for the benefit of the investigation by investigators or court trials; or
  9. for the interest of User where User is incapable of giving consent at the relevant time.

8. Purposes of the use, collection, storage, or disclosure of Personal Data

The Company collects, stores, and uses User Personal Data to provide the Service to User, including providing other services which User is interested in, or to create database, or to provide privilege based on User’s preferences, or to perform data analysis in order to offer goods or services of the Company and/or distributor, agent, or other related person thereof, and/or any other purposes not prohibited by law, and/or to comply with any laws or regulations applicable to the Company, whether currently in effect or may be enforced in the future, and/or for any purposes beneficial to the Company’s business operation.

User renders consent for the Company’s sending, transferring, and/or disclosing of Personal Data to Subsidiaries, business alliance, Data Processor assigned by the Company, and/or any other person/company who has legal or business relationship with the Company, including consenting the Company to send, transfer and/or disclose User Personal Data to other person/company, both domestically and internationally.

9. Restriction of use and disclosure of Personal Data

The Company shall only use and disclose User Personal Data with the consent of User according to the purposes of data collection and storage of the Company and purposes specified by the Company. In this regard, the Company shall supervise its employees, officers, or operating staffs from using and/or disclosing User Personal Data in any way other than the purposes of its collection or disclosure to any third party, except:

  1. to achieve purposes in the making of history documents or annals for public interest, or relating to the study, research or statistics for which the appropriate protection standard is established;
  2. to protect vital interests, life, and health of persons;
  3. necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  4. necessary for the performance of a task carried out in public interest;
  5. necessary for the purposes of the legitimate interests pursued by the Company or by a person or juristic person that is not the Company;
  6. to comply with a legal obligation to which the data controller is subject, such as, the PDPA, the Electronic Transaction Act of 2001 (B.E. 2544), the Telecommunications Business Act of 2001 (B.E. 2544), the Anti-Money Laundering Act of 1999 (B.E. 2542), the Civil and Commercial Code, the Penal Code, the Civil Procedure Code, the Penal Procedure Code, and etc.;
  7. necessary to protect vital interests, life, and health of User;
  8. for the benefit of the investigation by investigators or court trials; and
  9. for the interest of User where User is incapable of giving consent at the relevant time.

The Company may use third party service providers to collect, store, use, process, or disclose Personal Data. The said service provider must have security measures which prohibit the collection, use, processing, or disclosure of Personal Data other than those specified by the Company.

In addition, the Company may use automated decision-making process to process User Personal Data through a computer system in some cases. User may inquire more details with respect to this matter by contacting the Data Protection Officer.

10. Recipient of User Personal Data

The Company is aware of the importance of ensuring sufficient protection of Personal Data. In this regard, the Company tries to restrict the access of Personal Data only to those who are required to access such data for the performance of their obligations in accordance with User’s given consent or for the performance of a contract by the Company.

The executives, employees, and staffs of the Company, including third party who have contractual obligation to provide services to the Company involving Personal Data processing service and other contracting parties who act on behalf of the Company, will receive and process Personal Data of User. The Company shall only disclose and share information to such service providers only as necessary for the provision of the Service to User and to protect the Company’s interests. The Company shall protect User Personal Data from unauthorized access or disclosure. For more details regarding type of service providers to which User Personal Data will be disclosed to by the Company, please contact the Data Protection Officer.

User renders consent for the sending, transferring and/or disclosing of Personal Data to Subsidiaries, business alliance, Data Processor assigned by the Company, and/or any other person/company who has legal or business relationship with the Company, including consenting the Company to send, transfer and/or disclose User Personal Data to other person/company, both domestically and internationally, for the purpose of the Company’s business operations, or for compliance with policy or notification as the Company may stipulate on a case by case basis, or for protection of legitimate interests and legitimate rights of the Company.

11. Transfer of Personal Data to third country

The Company may transfer User Personal Data to third country for the purpose of the Company’s business operations as necessary. User agrees and renders consent for the Company’s transfer of User Personal Data to person or entity in third country or under the jurisdiction of other countries, regardless of whether Personal Data protection law of such country may or may not reach the protection standard of Thailand’s Personal Data protection law. In any event, the Company shall comply with appropriate measure to protect the security of User Personal Data at the same level of protection as Thailand’s Personal Data protection law.

12. Data retention

The Company shall only retain User Personal Data for as long as necessary or as regulated by law for the purposes specified by the Company. For more information regarding the Company’s Personal Data retention period, please contact the Data Protection Officer.

13. User’s right under the PDPA

As a data subject under the PDPA, User is entitled to the following legal rights:

Right

Details

Right to access

User has the right to examine as to how the Company processes User Personal Data retained by the Company, including the right to access to and request a copy of the said Personal Data from the Company.

Right to rectification

The Company shall use its best efforts to ensure that User Personal Data retained by the Company is accurate, complete, and up-to-date. However, if User finds that any of User Personal Data in the Company’s possession is inaccurate, User can request the Company to correct such inaccuracy and the Company will verify and correct such information, accordingly.

Right to erasure

User has the right to request the Company to erase or destroy, or cause User Personal Data in the Company’s possession to be unidentifiable, unless such request is contrary to the law or may impact or cause damage to the Company. Upon receiving User’s request, the Company shall verify the request and proceed with the deletion, destroy, or making unidentifiable data without delay, subject to the criteria and measures specified by law.

Right to restrict processing

User has the right to request the Company to stop using User Personal Data, unless such request is contrary to the law or may impact or cause damage to the Company.

Right to data portability

User has the right to request for User Personal Data in electronic form in the event that the Company makes such Personal Data available in a structured, commonly used and automated machine-readable format which can use or disclose the said Personal Data by automatic method, as well as requesting the Company to transmit or transfer such Personal Data in the said format to third party, unless such request is contrary to the law or may impact or cause damage to the Company.

Right to object

User has the right to object the use, collection, storage, or disclosure of User Personal Data in the event that User finds any use, collection, storage, or disclosure of Personal Data for other purposes, unless such objection is contrary to the law or may impact or cause damage to the Company.

Right to object automated decision-making

User has the right to object or suspend the Company from processing User Personal Data though automated decision-making process or Artificial Intelligence (AI).

In the event that User refuses to give consent for the Company’s processing of User Personal Data or requests the Company to erase User Personal Data, the Company may be unable to provide service to User, effectively. Therefore, User may not be able to obtain the Services from the Company.

The Company reserves the right to reject User’s request in the event that it is permitted by law, or there is an order of competent government authorities or the court, or User’s request is contrary to the law or may impact or cause damage to the Company.

If there is a request to erase User Personal Data from the system, the Company shall use its best efforts to erase User Personal Data from the system. However, User agrees and acknowledges that the Company may retain records or make copies of such data in the Company’s server or back-up system to back up data in case of errors, defects, or malfunctions to the Company’s system, including retaining them as evidences or for the performance of legal obligation.

User’s exercise of rights shall be subject to the rules, notifications, and regulations prescribed by the Company, which shall be in line with the criteria of the PDPA, including the Company’s privacy policy and other criteria specified by the Company. User can exercise the above data subject’s right by sending written request to the Data Protection Officer as detailed in clause 16 of this privacy policy.

14. Consent withdrawal

User is entitled to withdraw consent for the Company’s collection, use, processing, or disclosure of User Personal Data by notifying the Data Protection Officer in writing.

The said consent withdrawal is subject to the conditions, rules, notifications, or regulations provided in the PDPA, as well as the Company’s privacy policy and other criteria specified by the Company.

15. Notification of breach of Personal Data

In the event of any violation of Personal Data, please notify the Data Protection Officer as detailed in clause 16 of this privacy policy within 24 hours from the occurrence of such event in order to protect Personal Data and to prevent and remedy the said violation for User.

16. Data Protection Officer

For the exercise of rights specified in clause 13, or report of Personal Data breach, or any inquiries regarding the collection, use, or disclosure of Personal Data of the Company, please contact us : info@cloudsecasia.com

17. Data security

The Company has policies and programs on information technology security protection that meet international standards to protect the confidentiality and security of User Personal Data and to prevent loss or unauthorized destruction, access, or disclosure of User Personal Data, that must be strictly complied by the Company’s employees. The Company also educates and raises awareness of the importance of Personal Data and the responsibility for the security of such information. However, the Company makes no representations or warranties that the implementation of the said policy will be free of any defects or errors. The Company, therefore, reserves the right to discharge all liabilities for any damage or loss occurred to User.

18. Privacy policy update

For the benefit and efficiency in providing the Service to User, the Company reserves the right to update or revise this privacy policy without notifying User in advance. Consequently, the Company requests User to review this privacy policy, regularly.

19. Additional information

For more information regarding this privacy policy or any operation related to User Personal Data, please contact the Data Protection Officer as detailed in clause 16 of this privacy policy.