Privacy Notice (For External Use)
Bangkok R.I.A. Lab Co., Ltd., and affiliated companies (collectively referred to as the “Company”) are aware of the importance of Personal Data (defined below) protection of the Company’s customers and trading and business partners (collectively referred to as “you” or “Data Subject”). The collection, use and/or disclosure (collectively referred to as “Processing” or “Data Processing”) of Personal Data shall act in accordance with the Personal Data Protection Act BE 2562 as the Personal Data protectionis a social responsibility so as to build trust and strong business relations between the Company and its customers and trading and business partners. The Company hereby announces this Privacy Notice in order to inform you of your rights and legal duties, as well as terms and conditions concerning the collection, use, or disclosure of your Personal Data.
Personal Data
The term “Personal Data” means any information relating to a person which enables the identification of such person, whether directly or indirectly, but not including the information of deceased persons in particular.
The term “Sensitive Personal Data” means any information relating to a particular person which is sensitive and presents significant risks to the Person’s fundamental rights and freedoms, which includes data regarding racial or ethnic origin, political opinions, cults, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disabilities, trade union information, genetic data and biometric data
Collection of Personal Data
The Company shall collect Personal Data within the purpose, scope, and lawful and fair methods as is necessary which is defined in the scope of the Company’s objectives. The Personal Data that the Company collects shall include:
1. Personal Data, including but not limited to given name, family name, Hospital Number, Lab Number, date of birth, and signature;
2. Contact information, including but not limited to home address, phone number, social media account, and email address;
3. Government documents, including but not limited to copy of national identification card, identification number, copy of passport, copy of civil registration from the Government registration database, and copy of travel document;
4. Financial information, including but not limited to bank account information, credit card number, transaction information, payment method, and other payment details;
5. information obtained by the Company or automated methods from other devices, including but not limited to username, password, MAC address, IP Address, photo, cookies, log, voice, photos or video from CCTV, audio file, and video.
In this regard, the Company shall request consent from Data Subject before such collecting, except for where:
1. it is necessary for the performance of a contract where the collection, use, or disclosure of Personal Data is required to provide service or for performance of a contract between Data Subject and the Company;
2. it is to prevent or suppress a danger to a Person’s life, body or health;
3. it is necessary for compliance with the law;
4. it is necessary for legitimate interests of the Company so as to fulfill its operational objectives in which suitable measures to safeguard Data Subject’s rights and freedoms are put in place, including but not limited to fraud prevention, network security and safeguards for the Data Subject’s rights and freedoms;
5. it is for the achievement of the purpose relating to the preparation of the historical documents or the archives for public interest, or for other purposes relating to research or statistics, in which suitable measures to safeguard Data Subject’s rights and freedoms are put in place; and
6. it is necessary for the performance of a task carried out in the public interest, or it is necessary for the exercising of official authority.
Sensitive Personal Data
The Company may be required to collect Sensitive Personal Data from Data Subject, including but not limited to medical data. By doing so, the Company shall request for explicit consent from Data Subject upon each collecting, using and/or disclosing of such Sensitive Personal Data accordingly, except for where:
1. it is to prevent or suppress a danger to a person’s life, body or health;
2. it is carried out in the course of legitimate activities with appropriate safeguards by the foundations, associations or any other not-for-profit bodies with a political, religious, philosophical, or trade union purposes for their members, former members of the bodies, or persons having regular contact with such foundations, associations or not-for-profit bodies in connection with their purposes, without disclosing the Personal Data outside of such foundations, associations or not-for-profit bodies;
3. it is information that is disclosed to the public with the explicit consent of Data Subject;
4. it is necessary for the establishment, compliance, exercise or defense of legal claims; and
5. it is necessary for compliance with the law so as to achieve the purposes with respect to:
5.1. preventive medicine or occupational medicine, the assessment of working capacity of Employee, medical diagnosis, the provision of health or social care, medical treatment, the management of health or social care systems and services
5.2. public interest in public health, such as protecting against cross-border dangerous contagious disease or epidemics which may be contagious or pestilent;
5.3. employment protection, social security, national health security, social health welfare of the entitled person by law;
5.4. the scientific, historical, or statistic research purposes, or other public interests; and
5.5. the substantial public interest.
Source of Personal Data
1. Personal Data can be directly obtained from Data Subject through any activities, including but not limited to membership sign-up, newsletter sign-up, and marketing activities;
2. Data can be obtained from automated system, including but not limited to recordings from CCTV; and
3. Personal Data can be obtained from other sources, including but not limited to public data and partners of the Company.
Personal Data of minors, incompetent or quasi – incompetent persons
The Company will process the personal data of Incapacitated Person only where it is permitted by data protection law. The Company will arrange to obtain the consent from parent, curator or guardian who is the legal representative of such Incapacitated Person (as the case may be). This does not apply in a case of obtaining consent for processing of personal data of Minor over 10 years old which is strictly personal, suitable to his condition in life and actually required for reasonable needs which such minor can provide consent to The Company directly. If Company discovers that the collection, use and/or disclosure of Personal Data of minors, the incompetent or quasi – incompetent persons is undertaken without (i) consent from the guardian, the appointed guardian, the appointed curator or minors who may give consent by itself pursuant to law (as the case may be) and (ii) any lawful basis, The Company shall delete or destroy such Personal Data.
Purposes of Processing Personal Data
The Company may use Personal Data for the following purposes or for other purposes notified at the time of collecting Personal Data or for which you have given consent after the Company has collected such Personal Data. Reasons for collecting, using or disclosing are provided below:
1. it is to enter into a contract or for the performance of a contract between the Company and Data Subject or third party for Data Subject’s interests;
2. it is to respond to Data Subject’s enquiry and assist Data Subject;
3. it is to improve the quality of goods, products and services of the Company so as to satisfy Data Subject’s need;
4. it is to inform and recommend Data Subject about goods, products and services or to publish marketing and promotional materials or other benefits to contact details given by Data Subject upon the consent of Data Subject;
5. it is to survey feedbacks, analyse, research, and gather statistical data for marketing purposes or in order to develop and improve the Company’s corporate operations upon the consent of Data Subject;
6. it is for the Company’s internal corporate operations and business practices required for the Company’s legitimate interests;
7. it is to inspect, supervise and secure the safety in the Company’s sites;
8. it is for the Company’s corporate operations, including but not limited to tax withholding;
9. it is required to give or disclose Personal Data to it is required by law to authorized official organisations, including but not limited to the Royal Thai Police Headquarters, the AntiMoney Laundering Office, the Revenue Department and courts;
10. it is to carry out any accounting and financial activities; including but not limited to auditing, debt notification and collection, tax operations and transactions as prescribed by law;
11. It is for the Company’s legitimate interests, including but not limited to recordings obtained from CCTV;
12. It is for compliance with law, investigation process, relevant regulations and the Company’s legal duties; and
13. it is for other purposes upon the explicit consent from Data Subject.
Transferring and Disclosing of Personal Data
The Company shall not disclose and transfer Personal Data to third party unless explicit consent is given, or except for where:
1. the Company is subject to disclosing or sharing Personal Data with partners, service provider or third party if necessary, in order to fulfill and achieve the purposes contemplated in this Privacy Notice; by doing so, the Company shall create a Data Processing Agreement in accordance with the law;
2. the Company may disclose or share Personal Data to the Company’s affiliates; in this regard, the Processing of Personal Data shall merely be in keeping with the purposes contemplated in this Privacy Notice; and
3. it is required to disclose Personal Data by law or legal procedures or to disclose Personal Data to officers, authorities or authorized organizations in order to comply with lawful order or request.
International Transfers of Personal Data
The Company may send or transfer Personal Data to a foreign country. In this regard, the Company shall ascertain that the destination country or international organization that receives such Personal Data shall have adequate data protection standards and measures.
Personal Data Protection
The Company has provided and adopted Personal Data storage system equipped with appropriate mechanism and technical features by encrypting the transferring of Personal Data via internet network, as well as safeguard measures in accordance with the law concerning the protection of Personal Data and relevant relegations. The Company also restricts its employees, contractors and representatives from accessing to the use, disclosure, destroying or unauthorized access of Personal Data.
Retention Period of Personal Data
The Company shall retain and use Personal Data as long as necessary for the purposes of Processing Personal Data contemplated in this Privacy Notice or as prescribed by law, except for where it is necessary to retain such Personal Data for other reasons, including but not limited to acting in accordance with the law, to fulfilling the Company’s legal duties and obligations or to inspecting in case where any disputes arise. Under such circumstances, the Company may retain Personal Data longer than the abovementioned period.
Changes to Privacy Notice
The Company may amend this Privacy Notice or parts of it and will inform you of the respective amendments as well as the recent date of such amending on www.brianet.com The Company suggests you regularly check this Privacy Notice. By using products or service on the Company’s website after the amending of this Privacy Notice, you are deemed to acknowledge such amending
Data Subject Rights
Data Subject may exercise Data Subject rights with respect to the law and as contemplated in this Privacy Notice, details as specified below:
1. Right to access and obtain copy of Data Subject’s Personal Data;
2. Right to have inaccurate Personal Data rectified, or completed if it is incomplete;
3. Right to Data Portability in case where the Company has made such Personal Data publicly accessible in the format readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated methods;
4. Right to erase, destroy or anonymize Personal Data, should such Personal Data be no longer necessary or unless there are certain circumstances where the Company has legal grounds to reject Data Subject’s request;
5. Right to restrict the use of Personal Data under circumstances where Personal Data is subject to erasure or is no longer necessary;
6. Right to withdraw consent given by Data Subject; and 7. Right to object the Processing of Personal Data at any time.
Should you have any questions or wish to rectify or erase your Personal Data or to exercise the aforementioned rights or contact the Company regarding Personal Data issues or the Company’s Personal Data protection practices, please contact the Company
Contact Details
Data Protection officer
Address : No. 6, Sonthiwattana 3, Ladprao 110, Plubpla Sub-district, Wang Thonglang District, Bangkok, 10310
Tel: +66(2) 1066-999
Fax: +66(2) 530-4619
E-mail: dpo@brianet.com