1. Introduction

      TTK Logistics (Thailand) Co., Ltd. is a company engaged in the business of packaging, warehousing, transporting, loading and unloading goods. In accordance with our Code of Conduct and Ethics, the Company respects the privacy rights of the data subjects of personal data that the Company collects, uses, processes, stores, discloses and/or transfers for business activities.

2. Purpose of this Privacy Policy

      This Privacy Policy is intended to provide you with information on how it is processed (including collection, use, storage, disclosure and transfer) (hereinafter referred to as “Processing”) by TTK Logistics (Thailand) Co., Ltd. (hereinafter referred to as “the Company”, “we”, “us” or “our” in this Privacy Policy) to the personal data relating to an identified or identifiable natural person in Thailand; and let such natural person be “Personal Data Subject” and let such personal data be “Personal Data”) as a Personal Data Controller (or a personal data processor, if appropriate).

      In accordance with our Global Code of Conduct and Ethics, we will respect the privacy rights of individuals and comply with the Personal Data Protection Act B.E. 2562 (2019).

3. The Processed Personal Data

      Personal data means any information relating to the subject of personal data that directly or indirectly identifies such person, such as first name, last name, address, date of birth, telephone numbers, photographs, biometric data, including customer or supplier information; employee information, information of directors, shareholders, contractors, etc., but does not include the information in the event that the personal data subject cannot be identified or can no longer be identified (Anonymous Information).

We may process the personal data as follows:

• “Personal Details and Identification” (such as first name, middle name, last name, username or similar identifiers, marital status, position, date of birth, gender, residence, family status, house registration address, vehicle information, visa, work permit, ID card, passport, taxpayer card and other identification cards issued by the government)
• “Contact Information” (such as billing address, delivery address, email address, phone number)
• “Payment Information” (such as bank account details and debit or credit card)
• “Marketing and Communications Data” (such as the personal data subject's privileges in marketing from us or third parties and the personal data subject's privileges in communications)
• “Personal History” (such as education history, transcripts, educational certificates, skills, qualifications, work history and any other information that may be necessary to determine the suitability for the role and function of the Personal Data Subject)
• “Safety Information” (such as recording of photographs and/or audio via closed-circuit television (CCTV), photographs, videotapes, video recordings, voice recordings of conversations)
• “Technical Information” (such as IP address, cookies, device location accessed while using this website)
• “Sensitive Personal Data” (such as health information/medical records, health check results, biometric information, disability, race, religion, blood type, vaccination record, criminal record)

      Personal data may be converted to statistical or aggregate data in such a way that the personal data subject will not be personally identifiable or identifiable from such personal data and may be used for the purposes of analysis and research.

4. How is personal data collected?

We collect the personal data in the following ways.:

• Direct Collection :
  • We collect personal data directly from the personal data subject, including when the personal data subject fills out the required forms, electronic forms and/or by contacting us by post, e-mail, or otherwise when the personal data subject:
    • Requests the information about our products or services.
    • Gives us your business card.
    • Places an order or make a request for our products or services.
    • Comments or contacts us; or
      • In case of application for jobs and additional interviews appointment.
• Indirect Collection :
  • We may also collect the personal data regarding the personal data subject from third parties, such as organizations to which the personal data subject is affiliated and/or public sources to the extent permitted by the PDPA and other applicable laws.

5. How do we process the personal data?

5.1 In accordance with lawful processing of personal data

      We will process the personal data when the law and/or related regulations (especially PDPA) only allow us to do so.

      When we process the personal data, we rely on one or more of the following legal bases for legal processing:

• “Consent from Personal Data Subject” (processing of personal data in the event that personal data subject has given consent to such processing for one or more specific purposes)
• “Contract Performance” (processing of personal data where it is necessary for the performance of a contract to which the personal data subject is a party or for various operations at the request of the personal data subject before entering into such contracts)
• “Legal Compliance” (processing of personal data where it is necessary for the performance of our legal obligations to which the Company is subject)
• “Life-critical Benefits” (in the case of preventing or suppressing harm to a person's life, body or health)
• “Legitimate Interest” (processing of personal data where it is our legitimate interest to operate and manage our business in order to provide you with the most suitable services and/or products)

      Prior to the processing of personal data in accordance with this lawful basis, we will assess the potential impact (both positive and negative) to the personal data subject and to the rights of the personal data subject and to make a comparison between the aforementioned impact on the personal data subject and the legitimate interests of the Company. We will not process the personal data on the basis of this legitimate interest if the adverse effect on the data subject and the rights of the data subject exceeds the Company's legitimate interest.

5.2 Purposes for processing the personal data

      We have set out a typical description of (1) the purpose for processing the personal data, (2) the type of personal data, and (3) the legal bases for the lawful processing of personal data in the table below.

      (We may process the personal data for more than one legal base depending on the specific purpose of processing the personal data. In addition to the purposes listed in the table below, please note that we may also process the personal data for the purposes of complying with our legal obligations for the sake of righteousness or for the important benefits as permitted by law.)

Purpose for Processing the Personal Data	Type of Personal Data	Legal Bases for the Lawful Processing
1.  to register customers, material supplier, or a new service provider	(a) personal details and identification (b) contact information	(a) obtaining consent from the personal data subject (b) performance of the contract (c) legitimate interests (for management)
2. to procure (or purchase) goods or provide (or receive) services appropriately, including: (a) making (or receiving) an order; (b) delivery (or receiving delivery) (c) payment (or receipt) of fees (d) debt and credit management; and (e) giving (or receiving) services under the enforcement of a foreign business license.	(a) personal details and identification (b) contact information (c) payment information	(a) obtaining consent from the personal data subject (b) performance of the contract (c) legitimate interests            (for properly fulfillment of our business obligations)
3. to contact and communicate on marketing communications, perform data analysis, and improve the company's business	(a) personal details and identification (b) contact information (c) information for marketing and communications	(a) obtaining consent from the personal data subject (b) performance of the contract (c) legitimate interests       (for development of Company's business through the effective communication)
4. to manage the contact details which include: (a) providing advices on changes in information related to the Company (b) requesting participation in a market survey	(a) personal details and identification (b) contact information	(a) obtaining consent from the personal data subject (b) performance of the contract (c) compliance with the law (d) legitimate interests       (for updating the customer contact details and for product and/or service inspection)
5. to manage and protect our business and this website (which includes troubleshooting data analysis, testing, system maintenance, support, reporting and data hosting).	(a) personal details and identification (b) contact information (c) technical data	(a) obtaining consent from the personal data subject (b) legitimate interests      (for management and services of IT, network security and fraud prevention) (c) compliance with the law
6. to manage the company's human resources to make appropriate decisions about recruiting and human resource management. (This includes payroll management, compliance with employment contracts and labor laws and conducting a training)	(a) personal details and identification (b) contact information (c) payment information (d) personal history	(a) obtaining consent from the personal data subject (b) performance of the contract (c) legitimate interests      (for recruitment of suitable persons that meet the specified job characteristics and for proper human resource management) (d) compliance with the law (e) life-critical benefits
7. to carry out security measures by controlling access to the building to ensure the safety of our employees and visitors and to record and preserve photographic, image and/or audio recordings via closed-circuit television (CCTV), photographs, videotapes, visual recordings and audio recordings of conversations	(a) personal details and identification (b) contact information (c) safety information	(a) performance of the contract (b) compliance with the law (c) legitimate interests (for the safety of our staff and visitors)
8. to investigate or deal with claims or disputes related to the business of the Company or to comply with the requirements of applicable laws, regulations or operating licenses	(a) personal details and identification (b) contact information (c) payment information (d) personal history (e) safety Information	(a) performance of the contract (b) compliance with the law (c) legitimate interests (for investigation and response to the claims and disputes related to the Company's business)
9. to carry out an assessment of our internal controls and monitoring (e.g. by means of external and internal audits) of: (a) efficiency and effectiveness in business operations (b) reliability of financial reporting (c) compliance with applicable laws and regulations related to business activities; and (d) protection of assets	(a) personal details and identification (b) contact information (c) payment information (d) personal history	(a) obtaining consent from the personal data subject (b) compliance with the law (c) legitimate interests (for fraud prevention and protection of both physical and intangible corporate resources)

5.3 Change of Purpose, etc.

      We will process the personal data only for the stated purposes for which we have collected it unless we consider it appropriate that we need to process the personal data for other purposes and such purposes are consistent with the original stated purposes.

      If we need to process the personal data for a purpose that is clearly not related to the purpose for which it was originally stated, we will notify the personal data subject of the new purpose and obtain the consent of the personal data subject first in cases where the consent of the personal data subject is required in accordance with applicable law.

      We may process the personal data without the knowledge or consent of the personal data subject if it is necessary to do so or it is permitted to do so by applicable laws and/or regulations.

6. Disclosure of Personal Data

      We may disclose the personal data to the following third parties subject to the availability of security measures for the protection of personal data and compliance with applicable laws and regulations of such third parties:

• “Internal Third Party”
• “External Third Party”
• “Third parties whom we may choose to sell and transfer our business (or vice versa) or with whom we may merge.”

      When we request a third party to process the personal data on our behalf, we will not allow them to use the personal data for their own purposes. We will allow them to process the personal data only within the scope of our directives and applicable laws and regulations.

      Our new business owner (Business Transferee) will be able to process the relevant personal data to the same extent as permitted by this policy and in accordance with data protection laws.

For the purpose of interpretation in this section:

      “Internal Third Party” includes our parent company, subsidiaries and affiliates of the Company in which the Company holds a majority of shares or interests in Thailand and/or other countries.

      “External Third Party” includes the following third parties:

• (a) Our service providers, service providers of internal third party in Thailand and/or any other relevant country. (acting as their designated personal data processor or joint data controller, etc.);
• (b) Our professional advisors, professional advisors of internal third party in Thailand and/or any other relevant country. (acting as a lawyer, accountant, auditor, financier, insurer and consultant, etc.); and
• (c) The controller and/or the personal data/data/privacy protection authority in Thailand and/or any other relevant country which has the authority to require the reporting of processing activities, etc., in certain circumstances under applicable law.

7. Transfer of Personal Data Abroad

      Disclosures of the personal data described in section 6 (Disclosure of Personal Data) mentioned above may include the overseas transfers of personal data.

      We transfer the personal data from Thailand to foreign countries only if one of the following applies;

• (a) The transfer of personal data from Thailand to a foreign country provided that the destination country or international organization receiving such personal data has adequate data protection standards and the transfer is carried out in accordance with the rules for personal data protection according to the stipulation of the Personal Data Protection Committee; or
• (b) The transfer of personal data from Thailand to foreign countries is;
  • (1) for compliance with the law.
  • (2) with the consent of the personal data subject.
  • (3) for the performance of a contract to which the personal data subject is a party or for a pre-contracting request of the personal data subject.
  • (4) for the performance of contracts between the Company and other parties for the benefit of the personal data subject.
  • (5) for prevention or suppression of danger to the life, body or health of the data subject; or
  • (6) necessary for carrying out various activities related to the public interest in a significant way.

8. Data Security

      We have determined the reasonable security measures to prevent any unauthorized or unlawful loss, access, use, alteration, or disclosure of personal data and will ensure that the security measures are complied with the minimum standards that the Personal Data Protection Committee has stated and announced in accordance with the Personal Data Protection Act.

      We restrict the access to personal data to employees, agents, contractors and other individuals and third parties mentioned in section 6 (Disclosure of Personal Data) mentioned above only as necessary. They are permitted to process the personal data only within the scope of our instructions and will be subject to confidentiality obligations.

      If we find that there is a personal data breach that poses a risk to the rights and freedoms of the personal data subject, the Company will report to the Office of the Personal Data Protection Committee without undue delay and if possible, no later than 72 hours when it is found.

      If the infringement could result in a high risk to the rights and freedoms of the individual, we will notify the personal data subject concerning the breach and will provide the information about the breach and remedial action without undue delay.

9. Retention Period of Personal Data

      We will retain the personal data only to the extent reasonably necessary to fulfill the purpose for which personal data was collected.

      We may retain the personal data for a longer period in the event of a lawsuit by the personal data subject or if we have a reason to believe that there will be a legal action against the personal data subject. We may retain the personal data even after the purpose of collecting the personal data has been achieved where necessary because the Company has a legitimate interest in doing so or is in compliance with applicable laws, including the Computer-Related Crime Act B.E. 2550 (2017).

      In order to determine the appropriate retention period of the personal data, we will consider the amount, nature and sensitivity of personal data, risk of damage that may arise from unauthorized use or disclosure of personal data, purpose of processing the personal data, opportunity to achieve such objectives by other means and any applicable legal, tax, accounting or other requirements.

10. Legal Rights of Personal Data Subject

10.1 Legal Rights

      In relation to the personal data of the personal data subject, the personal data subject may request to the Company using the contact details pursuant to section 12 of this Privacy Policy to exercise the rights of the personal data subject as follows:

• (a) Right to access and obtain a copy: (This right enables the relevant personal data subject to request an access to and obtain a copy of the personal data subject of the personal data we hold and check the status of the processing. Such personal data is legally valid. This also includes the right to request the disclosure of the acquisition of the personal data obtained without the consent of the personal data subject).
• (b) Right to request data transfer: (The right that the relevant personal data subject is able to obtain the personal data in a readable or commonly used form by means of automated tools or devices; including to request that personal data sent or transferred to another personal data controller or to a personal data subject unless technically unable to do so).
• (c) Right to object: (The right to the relevant personal data subject to be able to object to the personal data subject's processing of personal data in the event that the Company:
  • 1) Processes the personal data on the basis of legitimate interests or public interest unless the Company is able to show the legitimate grounds that are reasonable or has carried out the processing of the personal data for the establishment, compliance or exercising legal claims or fighting legal claims;
  • 2) Processes the personal data for direct marketing purposes; or
  • 3) Processes the personal data for scientific, historic or statistics research purposes, unless it is necessary for the conduct of public interest activities by the Company.
• (d) Right to the erasure of personal data: (The right that the relevant personal data subject is able to ask us to delete, destroy or not disclose the relevant personal data if there is no legitimate reason for us to continue processing it. This includes when the personal data is no longer needed in connection with the purpose for which personal data was collected or when the personal data subject withdraws his/her consent on which the processing is based and there are no other legal grounds. However, please note that we may not be able to comply with the personal data subject's request to delete the personal data subject's personal data at any time for legal reasons as required and permitted by the PDPA and other relevant regulations.)
• (e) Right to the suspension of use : (The right that the relevant personal data subject is able to ask us to suspend the processing of personal data of the personal data subject in the following situations.:
  • (1) If the company is in the process of verifying the accuracy of personal data as requested by you;
  • (2) In the case of personal data to be deleted or deleted pursuant to Clause 10.1(d), but you request to limit its use instead.;
  • (3) The Company no longer requires the personal data. However, the personal data subject is required to request that it be retained for the benefit of legal claims or to defend against legal claims.; or
  • (4) The Company is currently investigating in accordance with Clause 10.1(a) or is in the process of investigating regarding 10.1(c) to reject your objection request.
• (f) Right to rectification: (The right that the relevant personal data subject is able to request the rectification of your personal data if the personal data is inaccurate and not current or incomplete or may cause misunderstandings);
• (g) Right to withdraw a consent by the personal data subject to the processing of personal data: (This right does not affect the legality of any processing that had been carried out prior to such revocation. If the data subject revokes his/her consent, we may not be able to provide him/her with certain products or services. We will notify him/her if this is the case at the time of revocation by such personal data subject.)
• (h) Right to lodge a complaint: (The right to allow the relevant personal data subject to file a complaint with the Office of the Personal Data Protection Committee.)

      When we receive a request to exercise the rights of the above personal data subject. We will process the request without undue delay if the request is made in accordance with the PDPA and other related regulations and we have no legitimate reason to reject such requests as permitted by law.

      The personal data subject has the right to lodge a complaint with the relevant supervisory authority responsible for competent data protection issues. If you have concerns about your personal data, you will inform us first before contacting such regulators.

10.2 Expenses, etc.

      In principle, the personal data subject does not incur any costs in exercising any of the aforementioned rights. However, we may ask the personal data subject to bear reasonable costs if it becomes apparent that the personal data subject's request is unfounded, redundant, or excessive. We may choose to refuse to respond to the personal data subject’s requests in such circumstances in accordance with the PDPA and other applicable laws and regulations.

10.3 Providing Additional Information

      When we receive a request to exercise the rights of the personal data subject, we may need to obtain specific information from the personal data subject to assist us in verifying the identity of the personal data subject and maintaining the rights of the personal data subject. This is a security measure to ensure that the personal data is not disclosed to anyone, who does not have the right to receive that personal data.

      We may contact the personal data subject to obtain the additional information about the personal data subject's specific request in order to expedite our response.

10.4 Revision of this policy

      This Policy may be revised from time to time. You can find the latest issue on our website.

11. Third Party’s Link

      This website may include the links to the third-party websites. Clicking on those links or enabling those connections may allow the third parties to collect or share your personal data. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the privacy policy of every website you visit.

12. Contacting the Personal Data Controller

      If you have questions about this privacy policy, please contact us or our Data Protection Officer (DPO) at the following contact information:

12.1 Personal Data Controller:

• TTK Logistics (Thailand) Co., Ltd.
• Contact 700/187, 700/189 Moo.1, Bankhoa, Panthong, Chonburi, Thailand 20160
• Tel 038-468020-7 ext. 504

12.2 Personal Data Protection Officer

• Tel: 038-468020-7 ext. 504
• email: [email protected]