Turtle 23 Co., Ltd.
Turtle 23 Co., Ltd. (the “Company”, “we”, “us”, or “our”) recognizes the importance of the protection of personal data. We follow security measures when collecting, using, and/ or disclosing Personal Data (as defined below).
This privacy policy (“Privacy Policy”) was made to inform you that, in the Company’s restaurant business, the Company may be required to collect, use and/or disclose Personal Data relating to you, who is a customer who uses the products and services of the Company and the BTS Group Companies (“BTS Group Companies”), in spite of being past customer, current customer and potential customer in the future, including any natural person from whom the Company may receive Personal Data.
This Privacy Policy applies to our business operation at the restaurants, via websites, telephone, email, call center, activity or press release registration, post, online social media, online communication channels and other channels or places where we receive your Personal Data.
From time to time, we may change and/or update this Privacy Policy. We will notify you in addition if any significant update has been made. We will specify the date of our Privacy Policy’s latest update at the top of the Privacy Policy. We encourage you to carefully read this Privacy Policy and regularly check the Privacy Policy to review any changes we might take in accordance with the terms of this Privacy Policy.
1. WHAT PERSONAL DATA WE COLLECT
For the purposes of this Privacy Policy, “Personal Data” means any directly or indirectly identified or identifiable information as listed below.
We may collect your Personal Data directly or indirectly from other sources, such as the BTS Group Companies, the Company’s service providers (e.g., survey service providers, independent advisors, project advisors, financial advisors, legal advisors or accounting advisors), the Company’s business partners who are third parties, other third parties (e.g. reference persons, complainants), public domain (e.g. online social media), and third-party website or the relevant government agencies. The specific type of Personal Data which we collect will depend on the context of your relationship with us or the BTS Group Companies and the services or products you wish to receive from us or the BTS Group Companies. The followings are examples of Personal Data which we may collect:
- Personal information, such as title, name-surname, nickname, age, date of birth, educational backgrounds, identifiable information on documents issued by government agencies (e.g., national identification card, passport, house registration, work permit, driving license), information on name card, photograph, information from CCTV and signature;
- Contact information, such as postal address, house registration address, national identification card address, workplace address, phone number, facsimile number, email address, LINE user account or Facebook account, and other information related to online social media;
- Financial information, such as credit card, debit card or bank account information, credit card number, debit card number, payment type, card type, bank account details, payment information and history;
- Technical information, such as Internet Protocol (IP) address, web beacon, log, device model and type, hardware-based identifiers such as universal device identifier (UDID), media access control information, software-based identifier such as identifier for advertisers for iOS operation system (IDFA), or identifier for advertisers for Android operation system (AAID), connection information, access information, single sign-on (SSO) information, login log, access time, time spent on our webpage, cookies, login data, search history, browsing detail, browser type and version, time zone setting and location, plug-in browser types and versions, operating system and platform, and other technology on devices used to access the platform;
- CCTV details, please see details on how we collect, use and/or disclose Personal Data in the “CCTV Privacy Policy” at https://turtle23.com/t23_cctv_pdpa_policy/ ;
- Sensitive data, such as sensitive data as shown in the identified document (e.g., religion) and health information (for the control of communicable diseases or epidemics).
If you provide Personal Data of any third party (such as emergency contact person or disputant) to us, e.g., their name-surname, address, relationship and contact information, you represent and warrant that you have the authority to do so by (1) informing such other person about this Privacy Policy; and (2) obtaining consents (where required by law or necessary) to permit the Company to use the Personal Data in accordance with this Privacy Policy.
We do not intentionally collect sensitive data (“Sensitive Data”). However, in case that we do, we will only collect, use, and/or disclose Sensitive Data on the basis of your explicit consent or where permitted by law.
We only collect the Personal Data of children, quasi-incompetent person and incompetent person where their parent or guardian has given their consent. We do not knowingly collect Personal Data from persons under the age of 20 without their parental consent when it is required, or from quasi-incompetent person and incompetent person without their legal guardian’s consent (as the case may be). In the event that we learn that we have unintentionally collected Personal Data from anyone under the age of 20 without parental consent when it is required or from quasi-incompetent person and incompetent person without their legal guardians, we will delete it immediately or collect, use and/or disclose if we can rely on other legal basis apart from consent or where permitted by law.
2. THE PURPOSE FOR COLLECTION, USE, AND/OR DISCLOSURE OF PERSONAL DATA
We collect, use and/or disclose Personal Data for the following purposes:
1. THE PURPOSES OF WHICH WE RELY ON CONSENT: We rely on your consent for the collection, use, and/or disclosure of Personal Data and/or Sensitive Data for the following purposes:
- Personal Data for the purposes of marketing and communications which we cannot rely on other legal bases: To provide marketing communications, re-marketing, advertisement, privilege, sales, special offers, notification, newsletter, update report, announcement, promotional activity, news and information relating to our products or services, including products and services of BTS Group Companies and our business alliances, to you;
- Sensitive Data as shown in the identified document (e.g., religion information on the national identification card) for authentication and verification.
Where we rely on consent for the collection, use and/or disclosure of Personal Data, you have the right to withdraw your consent by contacting email: it@turtle23.com or telephone: 02-180-8950. The withdrawal of consent will not affect the collection, use and/or disclosure of Personal Data and Sensitive Data that was previously consented before the withdrawal. However, if you do not give consent for Sensitive Data, do not provide us your Sensitive Data, or withdraw your consent later, we may not be able to provide our services to you.
2. THE PURPOSE THAT WE MAY RELY ON OTHER LEGAL BASES FOR COLLECTION, USE, AND/OR DISCLOSURE OF PERSONAL DATA
We may also rely on (1) contractual basis, for our initiation or fulfilment of a contract with you; (2) legal obligation, for the fulfilment of our legal obligations; (3) legitimate interest, for the purpose of our legitimate interests and the legitimate interests of third parties. We will balance the legitimate interest pursued by us and your interest, fundamental rights and freedoms in relation to the protection of your Personal Data; (4) for preventing or suppressing a danger to a person’s life, body or health; and/or (5) public interest, for the performance of a task carried out in the public interest or for the exercising of the state authorities (6) for establishment and raising of potential legal claims or other legal bases permitted under applicable laws relating to personal data protection (as the case may be). Depending on the context of the relationship with us, we may collect, use and/ or disclose Personal Data for the following purposes:
- To procure products and services: such as to process your request before entering into a contract, to enter into a contract and manage the contract between the Company and you, to facilitate, to reserve a table, for preparation and delivery of the food you ordered;
- To conduct questionnaires: such as to conduct satisfaction survey, to develop and improve the service or marketing and facilitation;
- To receive complaints and resolve problems: such as to consider complaints related to the Company’s services to resolve the complaints and improve the services and to coordinate with relevant departments in solving problems and improving the services;
- To communicate and provide services: such as to use in any communication related to products and services (e.g., in the case of confirmation of food items and food delivery), to send information about products and services and news to you, to publicize and invite to participate in various activities, to provide benefits, to request necessary details, to use as a reference, to carry out financial and payment-related transactions and to issue receipts;
- To register and verify: such as to register, record, and examine the information, authenticate, and verify;
- To improve business operation, products and services: such as, to analyze, evaluate, and prepare an internal report for the Company and the BTS Group Companies to oversee operation, coordinate, monitor, examine, and control the operation within the group companies in order to comply with the policies, rules, and standards, and to evaluate the reliability and completeness of internal operation, to lay out the plans and strategies in relation to the public relations operation and organizational policies, and to improve the business operation or advance other lines of businesses;
- To ensure the function of our websites, mobile applications, and platforms: such as, to administer, operate, track, monitor and manage our websites, applications and platforms to facilitate and ensure that they function properly, efficiently and securely; to facilitate and enhance users experience on our websites, applications and platforms; to improve layout and content of our websites, applications and platforms;
- To manage IT-related matter: such as, for IT management, management of communication system, IT security system and to control access to data and system and to conduct IT security audit; internal business management for internal compliance requirements, policies and procedures; and to revise and update our database;
- To comply with legal obligations and orders from the government agencies: such as, where the Company or the BTS Group Companies has a reasonable ground to believe that they shall comply with the laws and/or orders or provide cooperation to such cases, to follow the legal proceedings or government authorities’ orders which include government authorities outside Thailand and/or cooperate with court, regulators, government authority and law enforcement bodies. We may have to disclose Personal Data to comply with the said legal provisions, proceedings or government orders. This includes internal investigation proceedings or crime/fraud prevention and/or establishment of legal claims;
- To protect our interests: such as, to protect the security and integrity of our business operation and the businesses of the BTS Group Companies or other relevant entities; to exercise our rights and protect the interests of the Company and the BTS Group Companies or other relevant entities where it is necessary and lawful to do so, for example to detect, prevent and proceed with matters in relation to any corruptions or misconducts, intellectual property infringement claims or violations of law; to manage and prevent loss of our assets; to detect and prevent misconduct within the premises of the Company or the BTS Group Companies to secure the compliance of the terms and conditions of the Company, BTS Group Companies or other relevant entities, to monitor incidents, to prevent and report criminal offences and to protect the security and confidence in the businesses of the Company and BTS Group Companies;
- Business transfer or merger: in case of sale, transfer, merger, organizational restructuring, or other event of the same nature, the Company may transfer your Personal Data to one or many other third party(ies) as part of such transaction; and/or
- To manage risks: such as, to perform performance monitoring, risk assessments and risk management; and/or
- To provide security: such as, to prevent or suppress a danger to a person’s life, body, health, or property, e.g. for the control of communicable diseases or epidemics, catching theft, taking action in an emergency, to coordinate and cover insurance and injury.
In case the Personal Data we collect from you is needed to meet our legal or contractual obligations or enter into an agreement with you, if we do not receive the Personal Data when requested, we may not be able to achieve the abovementioned purposes.
3. TO WHOM WE DISCLOSE YOUR PERSONAL DATA
We may disclose or transfer your Personal Data to the following third parties who collect, use, and/or disclose Personal Data in accordance with the purposes under this Privacy Policy. These third parties may be located inside or outside Thailand. You can read their privacy policy to learn more on how they collect, use and/or disclose Personal Data since you will be subject to their privacy policies.
- BTS Group Companies
As the Company is part of the BTS Group Companies, all may collaborate and partially share customer services and systems, e.g. service system and website-related systems, we may need to transfer your Personal Data to, or otherwise allow such Personal Data to be accessible by the BTS Group Companies for the purposes set out above. In this regard, the BTS Group Companies could also rely on the consent obtained by us to use your Personal Data. Please see the list of BTS Group Companies and their scope of business activities at https://www.btsgroup.co.th/storage/download/privacy-policy/list-of-companies-under-bts-group-en.pdf - Our service providers
We may engage other companies, agents or contractors to perform services on our behalf or to accommodate the provision of services. We may disclose Personal Data to the third-party service providers, including, but not limited to, (1) infrastructure, software, internet and website developers and IT service providers; (2) data storage and cloud service providers; (3) data storage and/or document destruction service providers; (4) marketing agencies, advertising agencies, design agencies, creative agencies and communications agencies; (5) research service providers; (6) data analytics service providers; (7) booking system providers; and/or (8) food ordering and payment system providers.
In the course of providing such services, the service providers may have access to Personal Data. However, we will provide the Personal Data only that is necessary for them to perform the services, and we ask them not to use your Personal Data for any other purposes. We will ensure that all service providers we work with will keep your Personal Data secure. - Our business partners
We may transfer Personal Data to our business partners to conduct business and provide services, including but not limited to, third-party hotel booking sites, banks, financial institutions, securities companies, insurance companies, hospitals, insofar as business partners receiving Personal Data agree to treat Personal Data in a manner consistent with this Privacy Policy. - Third parties permitted by law
In certain circumstances, we may be required to disclose or share your Personal Data to third parties in order to comply with a legal or regulatory obligation. This includes any law enforcement agency, court, embassy, consulate, regulator, or other government authorities, or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety; or to detect, prevent, or otherwise address fraud, security or safety issues. - Expert advisors
We may have to disclose Personal Data to our expert advisors including, but not limited to,
(1) independent advisors, project advisors, financial advisors;
(2) legal advisors who assist us in our business operations and provide litigation services such as defending or initiating legal actions; and/or
(3) auditors who provide accounting services or conduct financial audit for the Company. - Other third parties
We may be required to disclose Personal Data based on the legal bases in accordance with the purposes as specified in this Privacy Policy to other third parties, such as the public, complainants or other third parties that we receive a request to access our CCTV records etc. (as the case may be). - Third parties connected with business transfer
We may disclose or transfer your Personal Data to our business partners, investors, major shareholders, assignees or transferees in the event of any rehabilitation, amalgamation, business transfer in whole or in part, purchase or sale, establishing joint venture, assignment, or any similar event involving transfer or other disposition of all or any portion of our business, assets or stock. In case that such event happens, the receiving party will comply with this Privacy Policy to respect your Personal Data.
4. CROSS-BORDER TRANSFERS OF PERSONAL DATA
We may disclose or transfer Personal Data to third parties or servers located overseas, which the destination countries may or may not have the same data protection standards as Thailand’s. We take steps and measures to ensure that Personal Data is securely transferred, the receiving parties have in place suitable data protection standard and the transfer is legal or lawfully permitted under the applicable laws.
5. HOW LONG DO WE KEEP PERSONAL DATA
We retain Personal Data for as long as is reasonably and appropriately necessary to fulfil purposes for which we obtained them and to comply with the relevant legal and regulatory obligations. However, we may have to retain Personal Data for a longer duration, as required by the applicable laws.
6. COOKIES AND HOW THEY ARE USED
Cookies is a technology that tracks certain information which will be used to analyze trends, administer our websites, track users’ movements around the websites, or to remember users’ settings. Some of the cookies are necessary because without them, the site would not be able to function properly. While some type of cookies will help users browse websites more convenient as such type of cookies will remember the users (in a secure manner) as well as language preferences of the service provider.
Cookies will gather or track specified information relating to your website usage and your computer. When you visit websites, the cookies will remember the users (in a secure manner) as well as your language preferences which will enable us to improve your website usage experience, modify the content to your preferences and make your website browsing more convenient.
Usually, most internet browsers allow you to control whether or not to accept cookies. If you reject cookies, it might affect your use of the websites and your ability to use some or all of the features or areas of our websites may be limited. Please see our “Cookie Policy” for more details at [https://turtle23.com/cookie-policy/].
7. DATA SECURITY
As a mean to protects personal privacy of your Personal Data, we maintain appropriate security measures, which includes administrative, technical and physical safeguards in relation to access control, to protect the confidentiality, integrity, and availability of Personal Data against any accidental or unlawful or unauthorized loss, alteration, correction, use, disclosure or access, in compliance with the applicable laws.
In particular, we have implemented access control measures which are secured and suitable for our collection, use, and disclosure of Personal Data. We restrict access to Personal Data as well as storage and processing equipment by imposing access rights or permission, user, access management to limit access to Personal Data to only authorized persons, and implement user responsibilities to prevent unauthorized access, disclosure, perception, unlawful duplication of Personal Data or theft of device used to store and process Personal Data. This also includes measures that enables the re-examination of unauthorized access, alteration, erasure, or transfer of Personal Data which is suitable for the method and means of collecting, using and/or disclosing of Personal Data.
8. RIGHTS AS A DATA SUBJECT
Subject to applicable laws and exceptions thereof, a data subject may have the following rights to:
- Access: Data subjects may have the right to access or request a copy of the Personal Data we are collecting, using and/or disclosing. For privacy and security, we may require proof of the data subject’s identity before providing the requested Personal Data;
- Rectification: Data subjects may have the right to have incomplete, inaccurate, misleading or not up to date Personal Data that we collect, use and/or disclose rectified;
- Data Portability: Data subjects may have the right to obtain Personal Data relating to them in a structured, electronic format, and to transmit such data to another data controller, where this is (a) Personal Data which you have provided to us, or (b) if we are collecting, using and/or disclosing that data on the basis of data subject’s consent or to perform a contract with the data subject;
- Objection: Data subjects may have the right to object to certain collection, use and/or disclosure of Personal Data;
- Restriction: Data subjects may have the right to restrict our use of Personal Data where the data subject believes such Personal Data to be inaccurate, that our collection, use and/or disclosure is unlawful, or that we no longer need such Personal Data for a particular purpose;
- Withdraw Consent: For the purposes the data subjects have consented to our collection, use and/or disclosure of Personal Data, data subjects may have the right to withdraw consent at any time;
- Deletion: Data subjects may have the right to request that we delete, destroy or anonymize Personal Data that we collect, use, and/or disclose, except we are not obligated to do so if we need to retain such Personal Data in order to comply with a legal obligation or to establish, exercise or defend legal claims; and
- Lodge a complaint: Data subjects may have the right to lodge a complaint to the competent authority where the data subject believe our collection, use and/or disclosure of Personal Data is non-compliance with applicable data protection laws.
9. OUR CONTACT DETAILS
If you wish to contact us to exercise the rights relating to Personal Data or if there is any queries about your Personal Data under this Privacy Policy, please contact our Data Protection Officer (DPO) at:
- Turtle 23 Co., Ltd. (Branch 00001)
No. 18, The Unicorn Building, 20th Floor, Room No. 2001 – 2006, Phaya Thai Road,
Thung Phaya Thai Subdistrict, Ratchathewi District,Bangkok 10400
Email: it@turtle23.com Telephone: 02-180-8950 - Data Protection Officer (DPO)
Turtle 23 Co., Ltd. (Branch 00001)
No. 18, The Unicorn Building, 20th Floor, Room No. 2001 – 2006, Phaya Thai Road,
Thung Phaya Thai Subdistrict, Ratchathewi District,Bangkok 10400
Email: it@turtle23.com Telephone: 02-180-8950