Turtle 23 Co., Ltd.
Turtle 23 Co., Ltd. (the “Company”, “we”, “us”, or “our”) recognizes the importance of the protection of personal data. We follow security procedures when collecting, using, and/ or disclosing your Personal Data (as defined below).
The Company collects, uses and/or discloses your Personal Data because we currently have business relationship with you or may have business relationship with you in the future, or because you work for, represent, or proceed on behalf of our business partners, e.g., companies which supplies or provide services for the Company, or which we have business communication with which may involve you.
1. WHAT PERSONAL DATA WE COLLECT
We may directly or indirectly collect your Personal Data from other sources. For example, we may directly collect your Personal Data (such as, when you do business with the Company or sign a contract or fill out a form when you interact with the Company, including having interactions through the Company’s online platform, through the Company’s website or mobile application, communication via email, telephone, questionnaires, business cards, postage, during meetings and events, scheduling meetings with you or from a source in the system, central drive system/central database of the Company or transport software and/or electronic files).
In addition, we may indirectly collect your Personal Data, e.g., from business partner or service provider you work for, act on its behalf, or represent, the BTS Group Companies (as defined in “TO WHOM WE MAY DISCLOSE PERSONAL DATA” section below), public sources (e.g., social media and websites of third parties or relevant government agencies), other third parties (e.g. other business partners of the Company, reference persons and complainants). The specific types of Personal Data collected will depend on the relationship which you have with the Company or the BTS Group Companies. The followings are example of Personal Data that may be collected:
- Personal details, such as name – surname, title, age, gender, photo, video, CCTV record, geographic location, date of birth, nationality, marital status, financial status, educational and professional information (e.g. position, division, division code, occupation, information contained in job application, company that you worked for or past employer, certification of employment, salary confirmation letter, professional license, work permit, visa, training information, income and salary, first date of work), identifiable information on government-issued document (e.g., national identification card number, passport number, taxpayer identification number, driving license number, house registration number), vehicle-related information (e.g., vehicle identification number or vehicle registration number), signature (including electronic signature), business partner’s identification number (including type of business partner, type of business, area of business), business partner’s information (e.g., evaluation score of business partner/service provider, merchant identification number, business partner registration date), bank account and payment information (e.g., bank account name, bank, bank account type and number, beneficiary account name, payment date, payment method, payment currency and payment account, domestic and cross-border transfer details), credit card details (e.g., credit card number, cardholder name, expiration date), including information relating to pricing strategy, discount rate, sales volume, disbursement items, disbursement amount, details relating to lands that you own (e.g., land rights certificate number), number of shares, securities holder registration number, number of securities and dividend amount);
- Contact details, such as phone number, mobile phone number, facsimile number, address, place of business address, email address, postal code, social media account information (e.g., LINE ID, Facebook account and available time) and other similar information;
- Information relating to the interactions between the Company and the business partner, such as information that you have given to the Company (as appeared in agreement, form or survey), transactional information between you and the Company (e.g., lease agreement or purchase and sale agreement, contractor agreement, consultancy agreement, tendering or bidding document), information relating to purchase and sale transaction with related person/third party, product type, budget type, disbursement budget, expense details, traveling expense, date of purchasing product/service, amount of products/services purchased, number of disbursement items, budget, headquarter number, document number, project name, registered company, creditors, branch, area and payment terms, computer data (e.g., IP address or cookies), vendor and service provider status inspection result, including information from the terms of reference or scope of tendering/bidding/procurement, report of interests, incident report, litigation information, details of quotation in procurement project, annual vendor/service provider evaluation report, CCTV record and construction details for each project;
- Information of your related person, such as identified information of your spouse or children, information about employee working for company relating to you;
- Sensitive data, such as health data, Sensitive Data from national identification card (e.g., nationality and religion) or Sensitive Data which can be used in litigation.
We do not intentionally collect your sensitive data (“Sensitive Data”). However, in case that we do, we will only collect, use, and/or disclose Sensitive Data on the basis of your explicit consent or where permitted by law.
We only collect the Personal Data of children, quasi-incompetent person and incompetent person where their parent or guardian has given their consent. We do not knowingly collect Personal Data from any person under the age of 20 without their parental consent when it is required, or from quasi-incompetent person and incompetent person without their legal guardian’s consent. In the event that we learn that we have unintentionally collected Personal Data from anyone under the age of 20 without parental consent when it is required or from quasi-incompetent person and incompetent person without their legal guardians’ consent, we will immediately delete such Personal Data or only collect, use and/or disclose if we can rely on other legal basis apart from consent or where permitted by law.
2. WHY WE COLLECT, USE AND/OR DISCLOSE PERSONAL DATA
We collect, use and/or disclose Personal Data for the following purposes:
2.1 THE PURPOSES OF WHICH WE RELY ON CONSENT
We rely on consent for the collection, use, and/or disclosure of Personal Data and/or Sensitive Data for the following purposes:
- Health data: for food preparation and facilitation.
2.2 The purpose THAT WE may rely on legal BASEs in processing your Personal Data
We may also rely on (1) contractual basis, for our initiation or fulfilment of a contract with you; (2) legal obligation, for the fulfilment of our legal obligations; (3) legitimate interest, for the purpose of our legitimate interests and the legitimate interests of third parties. We will balance the legitimate interest pursued by us and any relevant third party with your interest and fundamental rights and freedoms in relation to the protection of your Personal Data; (4) vital interest, for preventing or suppressing a danger to a person’s life, body or health; or other legal grounds permitted under applicable data protection law (as the case may be). Depending on the context of the interactions with us, we may collect, use and/ or disclose Personal Data for the following purposes:
- For business purposes, such as to proceed business transactions with business partners and fulfil our duties and/or requests from business partners, to contact business partners regarding products, services and projects of the Company or the business partners (e.g., to respond to questions or requests);
- For selection of business partners, such as to verify you and status of business partners, to check status of business or perform other background checks and screen you and business partners, to assess your and business partners’ suitability and qualifications, to assess your and business partners’ risks (including the verification of public information from law enforcement agencies and/or the Company’s blacklist record), to prepare quotations or bidding offer, to enter into agreements, prepare purchase orders or purchase requests with you or business partners and to evaluate your and business partners’ management;
- For relationship management, such as to keep your Personal Data up-to-date, to maintain the accuracy of Personal Data, to keep agreements, relating documents, agreement’s reference documents and evidence of the work of business partners which may mention you, to plan, operate and manage (contractual) relationships and rights with business partners
(e.g., to appoint, withdraw or authorize business partners to engage in transaction and order products or services, process payment, to conduct activities relating to accountancy, audit, invoice issuance, management of product and service delivery), to manage your requests or complaints, to improve, support, monitor, and record;
- For business communications, such as communication with business partners about products, services and projects of the Company or business partners (e.g., communication via document, response to questions, requests or operational progress report);
- For marketing purposes,such as to inform you about news and public information which may be useful, including activities, new product and service offers, product and service price negotiation and survey, as well as for to evaluate and consider providing financial aid
(e.g., financial loan) to you or business partners;
- For internal management and communication within the organization,such as to publish internal activities and to comply with business codes of conduct, including but not limited to, procurement, disbursement, internal management, training, inspection, report, document delivery and management, data processing, risk control or management, trend and statistical analysis and planning, and other similar or relating activities;
- For business analysis and improvement,such as to research, analyse data, estimate, survey and evaluate and report on our products and services and your or business partners’ performance, including to develop and improve our marketing strategy, and our products and services;
- For registration and authentication,such as for your registration, verification, identification and authentication;
- For IT systems and IT support systems,such as to support IT and IT support departments,
to administrate system access in which the Company has granted the right to access to you,
to delete unused accounts, implement business control measures to continue business, and for the Company to identify and solve problems in the IT systems, and to safeguard the security of our systems, to develop, implement, operate and manage the IT systems;
- For business partner information management,such as to compile list of business partners, record data in the system and update the list and directory of business partners (which includes your Personal Data), as well as to store and manage agreements and relating documents which may contain your name;
- For system monitoring and security,such as to control access, monitor systems, equipment and internet, and safeguard IT security;
- For dispute management, such as to resolve dispute, enforce the Company’s agreements, establish, exercise, or raising legal claims, including to grant authorization;
- For investigation, complaint and/or crime and fraud prevention;
- For compliance with internal policy and relating/applicable laws, rules, regulations, guidelines (such as to apply for business licences as required by law) and to coordinate or communicate with government agencies, courts or relevant agencies (such as the Revenue Department, the Royal Thai Police Headquarter and the State Audit Office) including to investigate, complain and/or prevent crime and fraud;
- For danger prevention towards life, body or health of a person, such as to control contagious disease or epidemic;
- For organizing corporate social and environmental responsibility
Where the Personal Data we collect from you is needed to meet our legal, regulatory, or contractual obligations or enter into an agreement with you, if you do not provide your Personal Data when requested, we may not be able to achieve the aforementioned purposes.
3. TO WHOM WE MAY DISCLOSE YOUR PERSONAL DATA
3.1 BTS Group Companies
3.2 The Company’s service providers
The Company may use other companies, agents or contractors to perform services on our behalf or to assist us in our business with you. The Company may share Personal Data to third parties, including but not limited to (1) infrastructure, software and website developers and IT service providers;
(2) marketing, advertisement, design, creative advertising and communication service providers;
(3) hospitals; (4) data storage and cloud service providers; (5) banks and financial institutions;
(6) insurance companies, sub-insurance companies, insurance brokers, insurance agents, lost adjustors and risk surveyors; (7) logistics and transportation service providers; (8) payment and payment system service providers; (9) voting and vote counting service providers; (10) analysts; (11) travel service agencies; (12) garages and auto parts stores; (13) booking system service providers; (14) outsource internal operation service providers; (15) printing houses; and (16) surveying service providers.
In the course of providing such services, the service providers may have access to your Personal Data. However, the Company will only provide the Company’s service providers with the Personal Data that is necessary for them to perform the services, and we will ask them not to use your Personal Data for any other purposes. The Company will ensure that all the service providers we work with will keep your Personal Data secure.
3.3 Our business partners