This Personal Data Protection Policy for Contract Parties (“Policy”) explains how Tilleke & Gibbins International Ltd. and our Affiliates and Partner Firms (collectively “Tilleke”, “we”, “us” or “our”) collect, use, disclose, transfer, and otherwise process (“process” or “processing”) your Personal Data in the course of our business, in accordance with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).

We advise you to read this Policy in its entirety.

1. When does this Policy apply to you?
This Policy applies to you if you are (a) an individual who is our outsource service provider, supplier, vendor, business partner, contractor, or subcontractor (collectively called a “Individual Contract Party(ies)”); or (b) an individual who is associated with our corporate outsource service provider, supplier, vendor, business partner, contractor, or subcontractor (“Corporate Contract Party(ies)”), e.g. authorized person(s)/director(s), authorized representative(s), and/or contact person(s) (collectively called “Associated Person(s)”. Throughout this Policy, Individual Contract Party(ies) and/or Corporate Contract Party(ies) may be referred to individually or collectively as the “Contract Party(ies)”.

2. What types of Personal Data does Tilleke collect and process from you?

(a) General Personal Data: Tilleke collects various types of your Personal Data that can be used to identify you, either directly or indirectly (“Personal Data”), including the following:

a. Personal Data may include your name, surname, national identification number, passport number, tax identification number, company, title, job description, and contact details, such as your email address, telephone number, business address, and bank account number and details as well as images and motions captured by video cameras that are installed at our premises.

b. Any other categories of Personal Data that may be provided or included within any emails and other communications between you and Tilleke.

c. Personal Data that we learn or obtain about you from our dealings with you.

d. Personal Data that we obtain from any government-issued documents that you provide to us, including your passport, house registration, tax-related documents, and national identification card.

e. Personal Data that we learn about you from economic or trade sanctions lists.

(b) Tilleke does not aim or have any intention to collect Personal Data that is not necessary for, or not relevant to, our business operations, or our purposes relating to the processing of Personal Data, and especially Personal Data which are considered as sensitive personal data pursuant to Section 26 of the PDPA (“Sensitive Personal Data”).

If you are required to provide us with a copy of a Thai national identification card, Tilleke encourages you to blind, or cross out, the Sensitive Personal Data on your identification card (i.e. religion and/or blood type related data), before delivering such document to us. If the copy of your Thai national identification card that has been delivered to Tilleke still contains such data, Tilleke will blind or cross it out from the documents ourselves. The blinding or crossing-out of such data on the copy of your Thai national identification card will be conducted merely for the purpose of refraining from the collection of any unnecessary or irrelevant Personal Data, and without any criminal intent.

(c) Where a Corporate Contract Party provides Tilleke with the Personal Data of its Associated Person, the Corporate Contract Party warrants that it has duly informed such Associated Person about the information in relation to the processing of the Personal Data as specified in this Policy and obtained proper and informed consent from such Associated Person (if required), or that the collection and disclosure of the Personal Data of such Associated Person can rely on any other legal basis which enables Tilleke to process such Personal Data for the purposes specified in this Policy.

3. Why does Tilleke collect and process your Personal Data?
Tilleke collects your Personal Data for different purposes, relying on various lawful bases, as set out below:

(a) Contractual Necessity (Only applicable to Individual Contract Parties):
a. Tilleke collects and processes your Personal Data in order to enter into and take any necessary steps to enter into a contract with you as per your request.

b. Tilleke collects and processes your Personal Data for the purposes of performing Tilleke’s obligations and duties under such contract which include, without limitation, to make necessary payments for your products and/or services.

c. Where the processing of Personal Data relies on contractual necessity as a legal basis, failure to provide required or necessary Personal Data may result in Tilleke being unable to perform its obligations under the contract with you, or to proceed with any of your requests in relation to the contract, either in part or in whole. In other words, Tilleke may not be able to obtain your products or services, or may not be able to arrange for payments for your products or services.

(b) Legal Obligation:
a. Tilleke processes the Personal Data of Individual Contract Parties and Associated Persons in order to comply with applicable law or regulation, and to comply with orders of the court, competent authorities, and/or government agencies. In particular, for Individual Contract Parties, Tilleke may need to process your Personal Data for accounting and tax filing purposes.

b. Where the processing of Personal Data relies on legal obligation as a legal basis, failure to provide required or necessary Personal Data may result in Tilleke being unable to perform its obligations or duties under applicable laws or regulations, either in part or in whole, or it may cause Tilleke and/or you to be in violation of applicable law or regulation, or an order of a court, competent authority, and/or government agency.

(c) Legitimate Interest:
a. In the event that the contract will be or is entered into by and between a Corporate Contract Party and Tilleke, Tilleke processes Personal Data of Associated Persons in order to make necessary determination and undertake necessary steps to enter into the contract as well as to perform Tilleke’s obligations under the contract.

b. Tilleke processes Personal Data of Individual Contract Parties and Associated Persons in order to manage and administer our business, and to manage our relationships with our Contract Parties.

c. Tilleke processes Personal Data of Individual Contract Parties and Associated Persons to undertake risk management activities in connection with the operation of the business of Tilleke and the relevant contracts with the Contract Parties.

d. Tilleke processes Personal Data of Individual Contract Parties and Associated Persons to detect, prevent, investigate, and prosecute fraud and/or the criminal activity.

e. Tilleke collects Personal Data of Individual Contract Parties and Associated Persons while visiting Tilleke’s premises, including your images and motions captured by video cameras that are installed at our premises in order to protect property, personnel, rights, and interests of Tilleke.

f. Tilleke processes Personal Data of Individual Contract Parties and Associated Persons in order to grant access to our premises and systems.

g. Tilleke processes Personal Data of Individual Contract Parties and Associated Persons to manage our information technology and to ensure the security of our systems.

h. Tilleke collects Personal Data of Individual Contract Parties and Associated Persons in order to conduct compliance activities, such as assessing and managing risk in accordance with our internal policies such as in relation to fraud, anti-money laundering, anti-bribery, etc. If you are unwilling to provide your Personal Data in these circumstances, then we may be unable to receive (or continue receiving) the relevant products or services from the Contract Party or other persons/entities with which you are associated.

(d) Legal Claims: Tilleke processes Personal Data of Individual Contract Parties and Associated Persons when it is necessary for the establishment, compliance, exercising, or defense of legal claims by Tilleke.

4. Where does Tilleke collect your Personal Data?

(a) Individual Contract Parties
a. Directly from you: We normally collect your Personal Data directly from you before, during, and after the contract term between you and Tilleke.

b. Third Parties: We may collect your Personal Data from online public sources, court orders, court judgments, orders of the competent authorities, and any other governmental agencies.

(b) Associated Persons
a. Directly from you: We normally collect your Personal Data directly from you before, during, and after the contract term between the Corporate Contract Party with whom you are associated and Tilleke.

b. Third Parties: We may also collect your Personal Data from online public sources, your colleagues or employers, court orders, court judgments, orders of the competent authorities, and any other governmental agencies.

5. To whom does Tilleke disclose your Personal Data?

(a) Tilleke discloses Personal Data of the Individual Contract Party and the Associated Person to our Affiliates and Partner Firms, both within and outside Thailand, for purposes relating to the acquisition of products and/or services from the Contract Party.

(b) Tilleke may disclose Personal Data of the Individual Contract Party and the Associated Person if Tilleke is compelled or required to do so under applicable law or in response to an order of a court, competent authority, or, government agency, both in Thailand and overseas, including, without limitation, the Revenue Department.

(c) Tilleke discloses Personal Data of the Contract Party and the Associated Person to any person or entity who provides services to Tilleke such as information technology service providers, auditors, accounting firms, etc.

6. Where does Tilleke transfer your Personal Data?

(a) We regularly transfer your Personal Data to our Affiliates and Partner Firms, and in certain circumstances, to third parties (e.g. service providers), which are located outside Thailand, and which may have different data protection standards to those prescribed by the data protection authority in Thailand. Notwithstanding that, we ensure that we will protect your Personal Data by implementing adequate personal data protection standards for the transfer of your Personal Data outside Thailand. We will also ensure that any entity to whom your Personal Data will be disclosed will implement adequate personal data protection standards, and where your Personal Data will be transferred within our Affiliates and Partner Firms, we will use the relevant data transfer mechanisms (e.g., binding corporate rules or other mechanisms as the applicable data protection laws may require or otherwise permit). In addition, your Personal Data is primarily transferred to our Affiliates and Partner Firms located in Cambodia, Indonesia, Laos, Myanmar, and Vietnam.

(b) In all cases, we will transfer your Personal Data only where it is permitted and in compliance with the PDPA.

7. For how long does Tilleke retain your Personal Data?

We retain your Personal Data for as long as is required in order to fulfil our contractual obligations, or for the performance of our services to our Contract Party, and for 10 years after the cessation of the contractual relationship between us and the Contract Party, or the last performance of our services or communication, whichever is later, unless otherwise agreed with you in writing, or required or permitted by applicable law.

Where we process your Personal Data in connection with a legal obligation, your Personal Data will be retained for the duration of the prescribed legal retention period, as stipulated under the applicable law.

8. What are your rights in relation to your Personal Data?
You are entitled to:

(a) Request to have access to and obtain a copy of your Personal Data, and to request the disclosure of the source of the Personal Data, in the event that your Personal Data was collected without your consent;

(b) Receive your Personal Data in a commonly used and machine-readable format (if any), and to have your Personal Data in said format transmitted to another Data Controller;

(c) Request that your Personal Data be deleted, destroyed, or de-identified;

(d) Object to the collection, use, and disclosure of your Personal Data;

(e) Request that the processing of your Personal Data be suspended;

(f) Request that your Personal Data be corrected, updated, or completed;

(g) Withdraw your consent at any time, provided that there is no other legal ground for Tilleke to continue with the processing of your Personal Data; and

(h) Lodge complaints to the Office of Personal Data Protection Commission and any other competent authorities

Your request may be refused, and the exercise of your rights is subject to the conditions and limitations prescribed by law.

9. Changes to this Policy
Tilleke may amend, change, or update this Policy from time to time, whereby Tilleke will notify you about such changes via your selected communication channel or any other communication channels as Tilleke deems appropriate. In the event that the amendment, change, or update will affect the purposes for which your Personal Data has originally been collected, Tilleke will notify you about such changes and obtain your consent (if applicable), prior to such changes becoming effective.

10. How can you contact us?
If you have any inquiries in relation to your Personal Data, or you would like to exercise any of your rights, you may contact us at:

Tilleke & Gibbins International Ltd.

Supalai Grand Tower, 26th Floor
1011 Rama 3 Road, Chongnonsi, Yannawa
Bangkok 10120, Thailand
T: +66 2056 5555
F: +66 2056 5678
Email: [email protected]

Or you may contact our Data Protection Officer at:

Papitchya Supinananda
T: +66 2056 5555
F: +66 2056 5678
Email: [email protected]

This Policy is effective from June 1, 2022, onward.