1. Introduction
Vnohow (Thailand) Co., Ltd. “Vnohow” has created this privacy statement in order to demonstrate our firm commitment to privacy. We take the protection of your personal data very seriously and always processes your personal data in accordance with the statutory data protection regulations. This privacy notice is designed to provide you with an overview of how we process your data and of your rights in this connection. Your relationship to our organization mainly determines which data in particular are processed or used by us. For this reason, some parts of this privacy notice may not apply to you.
2. Data Controller and Data Protection Officer
Responsibility for the processing of your personal data lies with:
Vnohow (Thailand) Co., Ltd.
90/31 Sathorn Thani Building 1,
12FL., North Sathorn Road,
Silom, Bangrak, Bangkok
10500 Thailand
Tel.: + 662-634-3287-89
Fax: + 662-634-3299
Email: vnohow@vnohow.com
You can reach our data protection officer at:
Data Protection Administration officer
Vnohow (Thailand) Co., Ltd.
90/31 Sathorn Thani Building 1,
12FL., North Sathorn Road,
Silom, Bangrak, Bangkok
10500 Thailand
Tel.: + 662-634-3287-89
Fax: + 662-634-3299
Email: vnohow@vnohow.com
3. How we collect your personal data
We process personal data that we receive from you when you contact us or use our website, in particular when you show interest in our training, testing, consulting and related services.
We also process personal data that we legally acquire from public domain sources or that are legally transmitted to us by other organizations or third parties (e.g. client, client organization, business partners, network providers, building owners, previous tenants, facility managers, commercial credit agencies, marketing agencies, event organizers, etc.).
Relevant personal data include:
Personal identification and contact details (e.g. title, name, address, email address, telephone number);
Payment data (e.g. account details);
Data arising from the fulfillment of our contractual obligations, e.g. training attendee records, exam tester records, providing consulting services, recruiting contract staff, delivering training services;
Data about your online behavior and preferences (e.g. IP addresses, identifying features of mobile end devices, data about access to our websites and apps, geolocation data);
Data for communication with you (e.g. by letter, email, social media);
Advertising and sales data (e.g. information on consents you have granted or objections you have lodged).
In some cases, we also process legitimation data (e.g. ID data), registration, relocation, residence data and audiovisual data (e.g. material from closed circuit television).
4. Purpose and legal basis of data processing
We process personal data in line with the Personal Data Protection Act (PDPA – Thailand local law).
Within the context of PDPA, Vnohow’s lawful bases for processing personal data include:
Performance of a contract between parties
The performance of a legal obligation
The protection of vital interests (e.g. in a health emergency)
The exercise of our legitimate interests (described below).
1) In order to fulfill contractual obligations
Processing is performed to fulfill our contract with you and to perform pre-contractual measures, instigated on your initiative. For example:
Producing project proposals;
Communicating with you and your colleagues during consulting projects;
Evaluating your applications for certificated training programs;
Dispatching invoices;
Assessing your suitability for associate placements and employment;
Enrolling and rewarding you as an associate or employee.
Please refer to the relevant contractual documents, staff handbooks, business manuals and Terms and Conditions of Business for further details of the data processing purposes.
2) Within the context of weighing up interests
Processing is performed to protect our legitimate interests or those of third parties unless overridden by your interests which require protection of personal data. For example:
The need to build and maintain permanent and productive relationships with clients, suppliers, partners, employees and all other stakeholders;
Managing our risks, maintaining accurate records and operating our business efficiently;
Data processing and analysis to ensure a personalized appeal and tailored offerings;
Data processing and analysis for the purpose of improving and developing intelligent and innovative services and products;
Data processing and analysis for creating automated evaluations e.g. as the basis for price adjustments;
Assertion of legal claims and defense in case of legal disputes;
Ensuring IT security and IT operations;
Video surveillance to exercise the right of who shall be allowed or denied access to premises and for collecting evidence in case of criminal activities;
Processing of incoming requests from interested parties and non-customers.
3) On the basis of your consent
Provided you have consented to us processing your personal data for specific purposes, processing is legal on this basis. Consent may be revoked at any time. This also applies to the revocation of declarations of consent that were granted to us before the PDPA came into effect, thus before 27 May 2020. Revocation of consent is only effective for the future and does not affect the legality of data processing up to the date of the revocation.
4) On the basis of legal requirements
Processing may be performed in order to fulfill legal obligations. For example:
Communicating with national or regional governments in relation to company registrations or taxation;
Securing or archiving data for specified purposes and periods;
Health and safety reporting;
Communicating with embassies, consulates or visa issuing authorities;
Managing the employee lifecycle.
The relationship between our main operational processes and our lawful bases for processing personal data are as follows:
Project management
Purpose: Coordinating the delivery of services to clients using project methodologies
Legal bases: contract; legitimate interest
Business development
Purpose: Informing prospective clients about the services offered; issuing proposals; building sustainable client relationships
Legal bases: contract; legitimate interest
Contact management
Purpose: Maintenance of contact details, facilitating communications between employees, associates and all other stakeholders
Legal bases: contract; legal obligation; legitimate interest
Resourcing services
Purpose: Coordinating the recruitment, registration and remuneration of associates
Legal bases: contract; legal obligation; legitimate interest
Travel management
Purpose: Organizing business travel for Vnohow staff and associates
Legal bases: contract; vital interest; legal obligation; legitimate interest
Office administration
Purpose: Performing all activities associated with administrative support for the Vnohow businesses
Legal bases: contract; legitimate interest
Company legal administration
Purpose: Administering the legal requirements for registering companies within Vnohow
Legal bases: legal obligation; legitimate interest
External auditing
Purpose: Periodic visits from certified auditors with access to all data
Legal basis: legitimate interest
Corporate archiving
Purpose: Secure storage of business records for extended periods in offsite locations
Legal bases: contract; legal obligation; legitimate interest
Training, Testing and education services
Purpose: Managing all information pertaining to the enrolment and performance of clients and staff on training and education programs
Legal bases: contract; legitimate interest
Financial management
Purpose: Payments to suppliers of goods and services to Vnohow; billing clients for work completed
Legal bases: contract; legal obligation; legitimate interest
Accident reporting
Purpose: Administering the reporting of workplace incidents and injuries
Legal bases: vital interest; legal obligation; legitimate interest
IT change management
Purpose: Undertaking technical and administrative changes to IT systems in response to personnel changes
Legal bases: contract; legitimate interest
Employee HR management
Purpose: Management and administration of the employee lifecycle
Legal bases: contract; legal obligation; legitimate interest.
5. Recipients of personal data
Within our organization, departments with access to your data are those which require them to fulfill their respective duties in the organization and to fulfill our contractual and legal obligations.
Service providers deployed by us and partners may also receive data. They may include:
Business partners
Post and printing service providers
IT service providers
Telecommunication service providers
Payroll processors
Sales partners
Web service providers
Credit agencies
Collection agencies
Legal advisors
Auditors
Insurance providers
Pension providers
Banks
Suppliers of references.
In certain circumstances, personal data may also be forwarded to public departments (e.g. tax authorities, job centres), judicial and law enforcement authorities (e.g. police, district attorney’s offices, courts), attorneys, notaries and chartered accountants.
6. Transmission to third countries or international organizations
We transmit personal data to organizations outside Thailand while we engage in legitimate business activities. These organizations include:
International offices of clients and partner organisations
Operational hubs of global postal and courier organisations
Travel agents and suppliers
Government visa and immigration services.
Transmission of your personal data to EU, the USA or Canada, should this occur, is performed in line with the relevant data protection regulations, guaranteed by EU-GDPR and Commission Implementing Decisions (EU) 2016/1250 of 12 July 2016 and 2001/4539 respectively.
7. Period of retention
We always delete your personal data when the purpose of processing expires; all mutual claims are fulfilled and no further legal retention obligations or legal basis for justifying retention exist. The retention periods laid down by the latter are generally 15 years. Insofar as it is necessary, for instance to secure evidence, customer data are stored up to the expiry of the statutory period of limitation.
As an aim to further operate as international business worldwide, Vnohow adopts a standard minimum retention period for data of 15 years, except where a shorter period has either been mandated in law, or where this is specified in contractual terms agreed between us and a third party.
All personal data is subject to periodic (typically annual) reviews. It will then be maintained or erased in accordance with our obligations and legitimate interests.
8. Your data protection rights
In line with the statutory provisions, you hold the following data protection rights:
the right to access to information about data stored by Vnohow
the right to correction,
the right to erasure,
the right to restriction of processing,
the right to data portability,
and the right to object.
In addition, you hold the right to lodge a complaint with the responsible supervisory authority.
9. Obligation to provide data
As part of our business relationship (which may include employment or partnership), you must provide the personal data required to commence, perform and terminate the relationship and to fulfill the contractual obligations it entails or those data that we are required by law to collect. Without these data we will generally be unable to enter into a contract with you and to perform it. For example:
Contract staff or associates may be obliged to provide information required by tax authorities or for security clearance;
Information may be required in order to take commercial flights and/or cross borders;
Health and safety authorities require data about affected persons in accident and incident reports.
Furthermore, in both our contract forms and on our websites, it is clearly indicated when the entry of details is optional or mandatory.
10. Automated decisions in individual cases
We do not use automated decision-making for establishing and performing business relationships.
However, in some cases we may choose to use profiling so that we can provide you with information on specific products. This means that we process your data to assess certain personal aspects, thereby enabling tailored communications.
11. Right to object
Right to object in individual cases:
You are entitled to object to processing of your personal data at any time, for reasons resulting from your particular personal situation, if processing is conducted on the legal basis. This also applies to profiling based on this provision.
If you lodge an objection we will stop processing your personal data, with the exception of cases in which we can prove compelling justified grounds for the necessity of processing that override your interests, rights and freedoms, or processing serves the assertion, exercising or defense of legal claims.
Right to object against processing of data for the purpose of direct advertising:
In individual cases, it may be that we process your personal data for direct advertising purposes. You are entitled to object to processing of your personal data for the purpose of said advertising. This also applies to profiling in relation to said direct advertising.
Recipient of the objection:
You can send your objection to us informally with the subject “Objection”, stating your name, address and date of birth. Contact our Data Protection Representative at the address given in Section 1 above.
12. Collection of personal data during visits to our website
(1) If the website is used purely for information purposes, i.e. if you do not register or transfer information to us in any other way, we shall only gather personal data that your browser transfers to our server. If you wish to view our website, we will collect the following data, which are technically necessary for us to display our website to you and to guarantee stability and security.
IP address
Date and time of request
Time zone difference to Greenwich Mean Time (GMT)
Content of request (specific page)
Access status / HTTP status code
Volume of data transferred each time
Website from which the request comes
Browser
Operating system and its interface
Language and version of browser software.
(2) In addition to the data stated above, cookies will also be stored on your computer when you use our website. Cookies are small text files which are stored on your hard disk and assigned to the browser used. They allow certain information to flow to the place that set the cookie (in this case by us). Cookies are not able to execute programs or to infect your computer with viruses. They are used to make the internet offering as a whole more user-friendly and effective.
(3) Use of cookies
(a) This website uses two types of cookies, whose scope and operating principle are explained below.
(b) Transient cookies: these are automatically deleted when you close your browser. These include, in particular, session cookies. They save a so-called session ID which allow various requests from your browser to be assigned to the common session. This enables your computer to be recognized when you return to our website. Session cookies are deleted when you log out or close the browser.
(c) Persistent cookies: these are automatically deleted after a period, which can differ according to the cookie concerned. You can delete cookies at any time in the security settings of your browser.
(d) You can configure your browser settings in line with your wishes, for example by rejecting third party cookies or all cookies. Please be aware that you may not be able to use all functions of this website.
(4) Use of Google Analytics
(a) This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files stored on your computer that make it possible to analyze how you use the website. The information generated by the cookie about how you use this website is usually transmitted and stored on a Google server in the USA. In the event of IP anonymization being activated on this website, your IP address will first be shortened by Google within any member state of the European Union or any other signatory state of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website to analyze how you use the website, to compile reports about website activities and to provide other services to the website operator associated with how the website and the internet are used.
(b) Google will not merge the IP address transmitted by your browser and registered by Google Analytics with any other data.
(c) You can prevent cookies from being stored by making a corresponding setting in your browser software. Please be aware that if you do this, you may not be able to use all functions of this website to their full extent. In addition, you can also prevent the data generated by the cookie relating to how you use the website (including your IP address) being registered and processed by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
(d) This website uses Google Analytics with the extension “_anonymizeIp()”. This processes IP addresses in a shortened form, ruling out the possibility of personal reference. In the event that there is a personal reference in the data collected, this will be ruled out immediately and the personal data deleted forthwith.
(e) We use Google Analytics to analyze how our website is used, enabling us to improve it regularly. The statistics gained allow us to improve our offering and make it more interesting for you as a user. If in exceptional cases personal data are transmitted to the USA, Google is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. Legal basis for the use of Google Analytics is Article 6, Paragraph 1, Sentence 1, lit. f of the EU GDPR.
(f) Information from the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Terms of service: http://www.google.com/analytics/terms/us.html, Privacy overview: http://support.google.com/analytics/answer/6004245?hl=en, and the privacy policy: http://policies.google.com/privacy?hl=en&gl=en.
(5) Use of social media plug-ins
Addresses of the respective plug-in providers and URLs with their privacy policies:
(a) Google Inc., 1600 Amphitheater Parkway, Mountain View, California 94043, USA; https://policies.google.com/technologies/partner-sites?hl=en. Google is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
(b) Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/en/privacy. Twitter is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
(c) LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
(d) Facebook, Inc. Privacy Operations, 1601 Willow Road, Menlo Park, CA 94025, USA; https://www.facebook.com/policy.php. Facebook is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
(e) LINE Corporation, 23th Floor JR Shinjuku Miraina Tower, 4-1-6 Shinjuku, Shinjuku-ku, Tokyo, 160-0022, Japan; http://terms.line.me/line_rules/?lang=en.
(6) Integration of YouTube videos
(a) Our online offering includes integrated YouTube videos which are stored on http://www.YouTube.com and which can be played directly from our website. (This is all included in “advance data protection mode”, i.e. no data about you as a user are transmitted to YouTube if you don’t play the videos. Only when you play the videos will the data stated in Paragraph 2 be transmitted. We have no influence over this data transmission.)
(b) When you visit the website, YouTube receives information that you have called up the corresponding page of our website. In addition, the data stated in Article 3 of this privacy policy will also be transmitted. This is done regardless of whether you have a YouTube user account which you are logged on to or whether you do not have a user account. If you are logged on to Google, your data will be assigned directly to your account. If you do not wish your data to be assigned to your YouTube profile, you must log off before you activate the button. YouTube will store your data as a usage profile and will use this for the purposes of advertising, market research and/or requirement-orientated design of its website. Such analysis is also performed with users who are not logged on, in particular to provide requirement-orientated advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of such user profiles. To exercise this right, please contact YouTube.
(c) Further information about the purpose and extent of data collection and how they are processed by YouTube can be found in the privacy policy. There, you will also find further information about your rights and settings options to protect your privacy: https://policies.google.com/privacy?hl=en&gl=en. Google will also process your personal data in the USA and is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
(7) Integration of Google Maps
(a) We use the offering of Google Maps on this website. This allows us to display interactive maps directly on the website, enabling you to conveniently use the map function.
(b) When you visit the website, Google receives information that you have called up the corresponding page of our website. In addition, the data stated in Article 3 of this privacy policy will also be transmitted. This is done regardless of whether you have a Google user account which you are logged on to or whether you do not have a user account. If you are logged on to Google, your data will be assigned directly to your account. If you do not wish your data to be assigned to your Google profile, you must log off before you activate the button. Google will store your data as a usage profile and will use this for the purposes of advertising, market research and/or requirement-orientated design of its website. Such analysis is also performed with users who are not logged on, in particular to provide requirement-orientated advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of such user profiles. To exercise this right, please contact Google.
(c) Further information about the purpose and extent of data collection and how they are processed by the plug-in provider can be found in the privacy policy of the provider. There you will also find further information about your relevant rights and settings options to protect your privacy: https://policies.google.com/privacy?hl=en&gl=en. Google will also process your personal data in the USA and is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
Further functions and offers of our website
(1) Besides the purely informational use of our website, we also offer various services that you can use if you are interested. For this, you will as a rule have to enter further personal data which we shall use to provide the service concerned and for which the above data processing principles apply.
(2) In part, we make use of external service providers to process your data. These have been carefully chosen and contracted by us, are bound by our instructions and are regularly checked.
(3) Moreover, we may share your personal data with third parties if services are offered by us together with our partners. Further information will be given when you submit your personal data or below in the description of the offer.
(4) In the event that our service providers or partners have their head office in a state outside Thailand, we will inform you about the consequences of this situation in the description of the service.