
Personal Data Protection Policy for Clients

This Personal Data Protection Policy for Clients (“Policy”) explains how Tilleke & Gibbins International Ltd. and our Affiliates and Partner Firms (collectively “Tilleke”, “we”, “us” or “our”) collect, use, disclose, transfer, and otherwise process (“process” or “processing”) your Personal Data in the course of our business, in accordance with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).

We advise you to read this Policy in its entirety.

1. When does this Policy apply to you?

This Policy applies to you if you are: (a) an individual client (“Individual Client(s)”); or (b) a person who is associated with a corporate client (“Corporate Client(s)”) such as the authorized director(s), authorized representative(s), and/or contact person(s) (“Associated Person(s)”). Throughout this Policy, Individual Client(s) and/or Corporate Client(s) may be referred to individually or collectively as the “Client(s)”. This Policy also applies even if you have not engaged Tilleke for our services, but you contact us for any purpose, such as for inquiries, or you attend a seminar which is hosted/provided by us, or you subscribe to our communications (“Prospective Client(s)”).

2. What types of Personal Data does Tilleke collect and process from you?

  1. For our Individual Clients and Associated Persons, we collect various types of data from you that can be used to identify you as an individual, whether directly or indirectly (“Personal Data”), including your full name, date of birth, home address, personal email address, contact number(s), place of work, job title, business email address, data contained in your identification document (e.g. identification card, passport, or work permit), signature, and any other types of Personal Data you may provide to us during the course of our communication. There is also a possibility that we may collect your Personal Data that are considered as sensitive personal data pursuant to Section 26 of the PDPA, such as health-related data, race, ethics, sexual behavior, religious belief, political opinion, or criminal offense (“Sensitive Personal Data”) which you may voluntarily provide to us or which may be required for the provision of our legal services;
  2. For Prospective Clients, the Personal Data that we collect will normally depend on how you contact us and the purpose of such contact, which may include your full name, personal or business email address, mobile phone number, and your place of work;
  3. When you visit our office, we will collect details pertaining to your full name, place of work, contact number(s), and car license plate number, as well as images or motions captured and recorded by video cameras that are installed in our premises;
  4. In the event that you contact us via any social media platform, including, without limitation, Facebook and LinkedIn, we may collect Personal Data that you have provided to us via such platforms. In this case, Tilleke is not responsible for the privacy or information security practices of such platforms. Therefore, you should carefully review the applicable privacy and information security policies and notices, for any of the websites/platforms that you use;
  5. Tilleke does not aim or have any intention to collect Personal Data that is not necessary for, or not relevant to, our business operations, or our purposes relating to the processing of Personal Data. If you are required to provide us with a copy of a Thai national identification card, Tilleke encourages you to blind, or cross out, data pertaining to your religious belief and/or blood type (if any), before delivering such document to us. If the copy of your identification card that has been delivered to Tilleke still contains such data, Tilleke will blind or cross it out from the document ourselves. The blinding or crossing-out of such data on the copy of your Thai national identification card will be conducted merely for the purpose of refraining from the collection of any unnecessary or irrelevant Personal Data, and without any criminal intent; and
  6. In certain circumstances, we may collect the Personal Data and/or Sensitive Personal Data of your family member(s) such as your spouse and children (“Family Member(s)”), which may include Personal Data of minors, who are under 20 years of age, when it is necessary for us to provide our legal services, including, without limitation, services related to family matters, immigration, and work permits.

3. Why does Tilleke collect and process your Personal Data?

Tilleke collects your Personal Data for different purposes, relying on various lawful bases, as set out below:

  1. Consent:
    1. In the case of Prospective Clients, we may process your Personal Data in order to provide you with legal updates, articles, newsletters, or any materials in relation to your business and our services, including invitations to seminars, training, or any events, which we believe may be of interest to you. In this regard, you are entitled to opt-out, or withdraw your consent, at any time by using the ‘unsubscribe’ function as provided in the email which is sent to you.
    2. A Prospective Client may withdraw his/her consent at any time, subject to the conditions under the applicable laws. Withdrawal of consent will not affect any processing of the Personal Data for which consent was lawfully provided prior to such withdrawal.
  2. Contractual Necessity (Only applicable to Individual Clients):
    1. Tilleke collects and processes your Personal Data to proceed with your request to engage our firm for legal services, including providing our legal services and performing our rights and duties under the engagement agreement between you and Tilleke. This would include the processing of your Personal Data for payment, tax, and financial matters pursuant to our contract or engagement.
    2. Where the processing of Personal Data relies on contractual necessity as a legal basis, failure to provide required or necessary Personal Data may result in Tilleke being unable to proceed with your request to engage or enter into an agreement with Tilleke for legal services, or Tilleke may not be able to perform our rights and duties under the engagement agreement with you or provide you with legal services, either in part or in whole.
  3. Legal Obligation:
    1. Tilleke collects and processes your Personal Data to comply with applicable laws or regulations and to comply with any order of the court, competent authorities, and/or government agencies.
    2. Where the processing of Personal Data relies on legal obligation as a legal basis, failure to provide required or necessary Personal Data may result in Tilleke being unable to proceed or undertake any act relating to the provision of our legal services, either in part or in whole. Further, it may cause Tilleke and/or the Client to be in violation of applicable law or regulation, or an order of the court, competent authority, and/or government agency.
  4. Legitimate Interest:
    1. Tilleke collects and processes your Personal Data for identification and verification purposes, including performing a conflict-of-interest review, prior to providing our services or entering into an agreement with the Client.
    2. Tilleke collects and processes your Personal Data to contact and communicate with Individual Clients, Associated Persons, and Prospective Clients—for example, to respond to your inquiries or concerns. This also includes the collection and maintenance of your business card which you may have provided to us for communication purposes.
    3. Tilleke collects and processes your Personal Data to provide legal updates, articles, newsletters, or any materials in relation to your business and our services, including invitations to seminars, trainings, or any events that we believe may be of interest to you. We rely on our legitimate interest, whereby you are an Individual Client or an Associated Person of our Corporate Client who has engaged us.
    4. Tilleke collects and processes your Personal Data to maintain records of our Individual Clients, Associated Persons, and Prospective Clients who have attended seminars, trainings, or any events that are organized by us or between us and our business partners, as well as to collect and retain your feedback as to such seminars, trainings, or events for us to plan and improve our future seminars, trainings, or events.
    5. Tilleke collects and processes your Personal Data to protect our rights, property, personnel, safety, business operations, and customers, for instance, in the case of recording your images and motions via our installed video cameras when you enter our premises, and to maintain records of your entrance registration.
    6. Tilleke collects and processes your Personal Data to manage our information technology systems, and to ensure the adequacy of the security relating to such systems.
    7. Tilleke collects and processes your Personal Data to detect, prevent, investigate, and prosecute fraudulent and other criminal activity.
    8. Tilleke collects and processes your Personal Data to monitor and analyze our services for the purpose of risk assessment and control, and statistical and trend analysis, for compliance with the respective policies, system administration, operation, testing and support, and to operate control and management information systems.
    9. Tilleke collects and processes your Personal Data for any other activities which are necessary for us to carry out our business.
  5. Legal Claims:
    1. Tilleke collects and processes your Personal Data for the establishment, compliance, exercising, or defense of Tilleke’s legal claims.
    2. Tilleke collects and processes your Personal Data for the processing of your Sensitive Personal Data in order for us to provide our legal services which include, without limitation, legal advice, litigation proceedings, etc.

4. Where does Tilleke collect your Personal Data?

    1. Individual Clients
      1. Directly from you: We normally collect your Personal Data directly from you when you contact, communicate, or correspond with us either via email or through direct interaction. For example, we may collect your Personal Data when you register to attend a seminar, training, or for any event that is hosted/provided by us or jointly between us and our business partners, or when you contact us for legal or other business inquiries.
      2. Referring persons: We may collect your Personal Data from other persons, such as our partner firms, business partners, relevant associations, or our existing Clients, which are permitted to contact us, or to introduce or refer you to us.
      3. Public sources: We may collect your Personal Data that is available on public sources, such as websites that are operated by authorities (e.g. the Department of Business Development), or via websites which are provided by private operators.
    2. Associated Persons
      1. Directly from you: We may collect your Personal Data directly from you when you contact, communicate, or correspond with us either via email or through direct interaction. For example, we may collect your Personal Data when you register to attend a seminar, training, or for any event that is hosted/provided by us or jointly between us and our business partners, or when you contact us for legal or other business inquiries.
      2. Corporate Client: We may collect your Personal Data from other personnel within your organization which is our Corporate Client in order to contact and communicate with you and to provide our services and to maintain our relationship with you.
      3. Public sources: We may collect your Personal Data which is available on public sources, such as websites that are operated by authorities (e.g. the Department of Business Development), or via websites which are provided by private operators.
    3. Family Members

We generally collect your Personal Data from the Individual Clients or Associated Persons, as the case may be.

5. To whom does Tilleke disclose your Personal Data?

Depending on the service we are providing to you, we may disclose your Personal Data to the following parties:

  1. To our Affiliates and Partner Firms which are located both within and outside Thailand for the purposes of managing your relationship with us, providing you with our services, performing our contractual obligations, and for other purposes as identified in this Policy. In this regard, please see ‘Where does Tilleke transfer your Personal Data?’ for more information;
  2. To third-party vendors, suppliers, and outsourced companies, in order to support the services we provide to our Client;
  3. To our business partners and the relevant associations in which Tilleke is a member, including, but not limited to, partner firms, Lex Mundi, and Multilaw—for example, when you would like us to assist in providing a referral to a law firm in another jurisdiction to provide you with legal services;
  4. To any competent regulators, prosecuting, courts or other tribunals in any jurisdiction, Ministry of Commerce, the Revenue Department, Immigration Department, Labor Departments, Food and Drug Administration, courts, arbitrators, and any other governmental agencies we deal with on your behalf;
  5. To third parties in connection with a change of ownership in Tilleke, or any of its assets or properties; and
  6. To any other persons or entities to whom Tilleke is required to make disclosure by applicable law.

6. Where does Tilleke transfer your Personal Data?

  1. We regularly transfer your Personal Data to our Affiliates and Partner Firms, and in certain circumstances, to third parties (e.g. service providers), which are located outside Thailand, and which may have different data protection standards to those prescribed by the data protection authority in Thailand. Notwithstanding that, we ensure that we will protect your Personal Data by implementing adequate personal data protection standards for the transfer of your Personal Data outside Thailand. We will also ensure that any entity to whom your Personal Data will be disclosed will implement adequate personal data protection standards, and where your Personal Data will be transferred within our Affiliates and Partner Firms, we will use the relevant data transfer mechanisms in accordance with the requirements of the PDPA.
  2. The majority of the transfers of your Personal Data are undertaken for the purpose of the provision of our services and the management of our business. In addition, your Personal Data is primarily transferred to our Affiliates and Partner Firms, which are located in Cambodia, Indonesia, Laos, Myanmar, and Vietnam.
  3. In all cases, we will transfer your Personal Data only where it is permitted and in compliance with the PDPA.

7. For how long does Tilleke retain your Personal Data?

We retain your Personal Data for as long as is required in order to fulfil our contractual obligations, or for the performance of our services to our Client, and for 10 years after the cessation of the contractual relationship between us and the Client, or the last performance of our services or communication, whichever is later, unless otherwise agreed with you in writing, or required or permitted by applicable law.

Where we process your Personal Data in connection with a legal obligation, your Personal Data will be retained for the duration of the prescribed legal retention period, as stipulated under the applicable law.

Where we process your Personal Data solely with your consent, your Personal Data will be deleted, destroyed, or de-identified, subject to the requirements and conditions prescribed by the applicable law.

8. What are your rights in relation to your Personal Data?

You are entitled to:

  1. Request to have access to and obtain a copy of your Personal Data, and to request the disclosure of the source of the Personal Data, in the event that your Personal Data was collected without your consent;
  2. Receive your Personal Data in a commonly used and machine-readable format (if any), and to have your Personal Data in said format transmitted to another Data Controller;
  3. Request that your Personal Data be deleted, destroyed, or de-identified;
  4. Object to the collection, use, and disclosure of your Personal Data;
  5. Request that the processing of your Personal Data be suspended;
  6. Request that your Personal Data be corrected, updated, or completed;
  7. Withdraw your consent at any time, provided that there is no other legal ground for Tilleke to continue with the processing of your Personal Data; and
  8. Lodge complaints to the Office of Personal Data Protection Commission and any other competent authorities.

Your request may be refused, and the exercise of your rights is subject to the conditions and limitations prescribed by law.

9. Changes to this Policy

Tilleke may amend, change, or update this Policy from time to time, whereby Tilleke will notify you about such changes via your selected communication channel or any other communication channels as Tilleke deems appropriate. In the event that the amendment, change, or update will affect the purposes for which your Personal Data has originally been collected, Tilleke will notify you about such changes and obtain your consent (if applicable), prior to such changes becoming effective.

10. How can you contact us?

If you have any inquiries in relation to your Personal Data, or you would like to exercise any of your rights, you may contact us at:

Tilleke & Gibbins International Ltd.

Supalai Grand Tower, 26th Floor
1011 Rama 3 Road, Chongnonsi, Yannawa
Bangkok 10120, Thailand

T: +66 2056 5555

F: +66 2056 5678

Email: [email protected]

Or you may contact our Data Protection Officer at:

Papitchya Supinananda

T: +66 2056 5555

F: +66 2056 5678

Email: [email protected]

This Policy is effective from June 1, 2022, onward.