Vana Nava Personnel’s Privacy Policy

(Vana Nava Privacy Policy)

[Latest updated: 31 March

Abstract

Vana Nava Co., Ltd. (referred to as “Vana Nava”, “we”, “us” and “our”) processes personal data of employees, directors and employees’ family members (referred to as “Personnel”, “you” and “your”) with reasonable measures to act in compliance with Thailand’s Personal Data Protection Act B.E. 2562 (“PDPA”). You may find the full version of our Personnel’s Privacy Policy (“Privacy Policy”) through the attached QR code; the summary of the Privacy Policy is shown below.

| Topic | Overview |
| --- | --- |
| What data do we process? | We process collected personal data including, but not limited to, identity data, address/contact data, profile data, employment data, financial data, supporting documents, transaction data, IT data, biometric data, family data, property data and health data. |
| How do we use those data? | We process personal data according to our purposes and scope, and with the legal bases as explained in our Privacy Policy. |
| Who do we transfer information to? | In some circumstances, we may be required to disclose and/or transfer your personal data to third-party organisations, which are clarified in our vendors/partners list. |
| What are your rights as a data subject? | As a data subject, you are entitled to the data subject rights which include, but are not limited to, right of access, right to rectification and right to erasure. |
| Revision of the policy | Any revision made will be notified to all related parties under this Privacy Policy. |

Privacy Policy

1. Purposes and Scope of the Privacy Policy

2. Personal Data We Collect

3. How We Collect Your Personal Data

4. How We Process Your Personal Data

5. Usage of Personal Data with Third-Party Organisations

6. Transferring of Personal Data to Foreign Countries

7. Security Measures for Personal Data Protection

8. Time Period of Personal Data Storage

9. Personnel’s Personal Data Rights

10. Policy Revision

1. Purposes and Scope of the Privacy Policy

This Privacy Policy applies to all of our Personnel. In this regard, we mainly act as the data controller under the PDPA. Therefore, we are committed to collecting and processing Personnel’s personal data in accordance with our purposes and scope as specified in this Privacy Policy.

Data Controller Contact Information
Vana Nava Co., Ltd.
129/99 Soi Moobaan Nongkae, Nongkae, Hua Hin, Prachuapkhirikhan 77110 Thailand
Tel.: 032-909-606
Email: info@vananava.com

Data Protection Officer (DPO) Contact Information
Tel.: 032-909-606
Email: hr@vananava.com

This Privacy Policy covers data subjects who are our employees, directors (Internal) and employees’ family members.

As used in this Privacy Policy, the following terms shall have the meanings set forth below:

“process” means anything done with Personnel’s personal data, including collection, storage, use, disclosure and deletion of personal data.

“legal bases” means justifiable reasons to process personal data in accordance with Article 24 and Article 26 of the PDPA.

This Privacy Policy may be revised at any given time as notified to Personnel through appropriate channels.

2. Personal Data We Collect

We collect the following categories of Personnel’s personal data:

  • identity data including, but not limited to, full name, signature and portrait photo;
  • address/contact data including, but not limited to, address, phone number, email and line ID;
  • profile data including, but not limited to, date of birth, gender, weight and height;
  • employment data including, but not limited to, applied position, department and company name;
  • financial data including, but not limited to, credit card number, account number and salary;
  • supporting documents including, but not limited to, copy of ID card, copy of house registration, company affidavit and copy of passport;
  • property data including, car registration;
  • transaction data including, but not limited to, service date and number of users;
  • family data including, but not limited to, family member’s occupation and emergency contact person;
  • IT data including MAC address.

In addition, we may process the following types of sensitive personal data:

  • health data including, but not limited to, blood type, health examination results and drug allergy information;
  • biometric data including, but not limited to, fingerprint and facial recognition.

3. How We Collect Your Personal Data

In general, we will directly collect Personnel’s personal data through processes or channels including, but not limited to:

  • When directly received from Personnel via email, Line, phone, and working applications such as Factorium;
  • When directly received on website, shared drives and intranet;
  • When directly taking photos of Personnel;
  • When directly received from Personnel by paper form and electronic file;

However, we may collect additional personal data through third-party organisations, which include:

  • When received from our affiliates including, but not limited to, Proud Head Office;
  • When received from eyewitnesses;
  • When received from contracted companies including, but not limited to, contract hospitals.

4. How We Process Your Personal Data

We process Personnel’s personal data to carry out tasks per our scope and purposes of providing groups of activities.

| Group of Activities | Group of PIIs | Legal Bases |
| --- | --- | --- |
| Arranging personnel’s work schedule [ROP ID: VN-HK03, VN-EN10] | Identity data, Employment data | Contract |
| Collecting personnel’s profile record [ROP ID: VN-LD08, VN-LD15, VN-HR07, VN-HR08, VN-HR09, VN-HR10, VN-HR18, VN-HR31, VN-HR32, VN-HR33, VN-HR40] | Identity data, Address/contact data, Employment data, Biometric data, Health data, Supporting documents, Profile data, Family data | Contract, Legal Obligation, Consent |
| Conducting Internal reports [ROP ID: VN-EN09, VN-OPR01, VN-OPR02, VN-OPR03, VN-HR21, VN-HR43] | Identity data, Address/contact data, Employment data, Profile data, Health data, Supporting documents | Contract, Legitimate interest, Consent, Vital interest |
| Drafting or approving documents/contract [ROP ID: VN-EXE08, VN-LD17, VN-LD19, VN-FIN08] | Identity data, Address/contact data, Supporting documents, Employment data, Financial data, Transactional data | Contract |
| Holding meeting and Seminar [ROP ID: VN-EXE04, VN-EXE05, VN-EXE06, VN-EXE07] | Identity data, Address/contact data, Financial data | Legitimate interest, Contract |
| Providing personnel welfare [ROP ID: VN-HR12, VN-HR15, VN-HR17, VN-HR23, VN-HR24, VN-HR37, VN-HR39, VN-HR44, VN-EXE01, VN-EXE02, VN-EXE03] | Identity data, Address/contact data, Supporting documents, Employment data, Property data, Profile data, Employment data, Transactional data, Financial data | Contract, Legitimate interest, Legal Obligation |
| Providing Personnel Training [ROP ID: VN-LD01, VN-LD02, VN-LD04, VN-LD07, VN-LD16] | Identity data, Employment data | Contract, Legitimate interest |
| Managing personnel payment [ROP ID: VN-HR11, VN-HR34, VN-HR38] | Identity data, Address/contact data, Employment data | Contract |
| Conducting test and maintenance for internal system [ROP ID: VN-EN01, VN-IT02, VN-IT12] | Identity data, Employment data | Contract, Legitimate interest |
| Tax operation [ROP ID: VN-FIN02, VN-HR13, VN-HR35] | Identity data, Address/contact data, Financial data | Legal Obligation |
| Conducting Internal Auditing [ROP ID: VN-LD23] | Identity data, Employment data | Contract, Legal Obligation |
| Proceeding according to Labor Protection Law [ROP ID: VN-HR14, VN-HR36] | Profile data, Identity data, Financial data | Legal Obligation |
| Monitoring the operations of vendors [ROP ID: VN-EN04, VN-EN05, VN-EN06] | Identity data, Employment data | Legitimate interest, Contract |
| Providing Personnel Medical Examination [ROP ID: VN-HR05, VN-HR16, VN-HR29] | Identity data, Address/contact data, Employment data, Health data, Profile data | Legitimate interest, Consent |
| Contacting and contracting with vendors [ROP ID: VN-HK02, VN-HK04, VN-EN03, VN-SA02, VN-FIN07] | Supporting documents, Identity data, Address/contact data, Employment data, Financial data | Contract |
| Recruiting and Employment Contract Process [ROP ID: VN-HR06, VN-HR30, VN-HR01] | Supporting documents, Identity data, Address/contact data, Employment data, Profile data | Contract |
| Personnel Evaluation and Assessment [ROP ID: VN-EN07, VN-EN08, VN-HR19, VN-HR20, VN-HR22, VN-HR41, VN-HR42] | Supporting documents, Identity data, Employment data | Contract |
| Staff Cooperation and Services [ROP ID: VN-AD04] | Identity data, Address/contact data, Employment data | Contract |
| Security Operation [ROP ID: VN-IT06, VN-IT16] | Identity data | Legitimate interest |
| Room Reservation Services [ROP ID: VN-SA15] | Identity data, Address/contact data, Employment data | Contract |
| Providing IT Supporting [ROP ID: VN-IT01, VN-IT03, VN-IT04, VN-IT09, VN-IT10, VN-IT11, VN-IT13, VN-IT14, VN-IT19] | Identity data, Address/contact data, Employment data, IT data | Contract, Legitimate interest |
| Providing laundry service [ROP ID: VN-HK01] | Identity data, Employment data | Contract |
| Providing food service [ROP ID: VN-FB04] | Identity data | Contract |
| Legal documentation and business license [ROP ID: VN-LD09, VN-LD10, VN-LD11, VN-LD12, VN-LD13, VN-LD14, VN-LD18, VN-LD22] | Identity data, Employment data, Supporting documents, Address/contact data, Profile data | Legal Obligation |

We will process Personnel’s personal data according to the stated purposes and scope. If Personnel’s personal data is to be processed for other purposes and we are unlikely to be able to rely on other legal bases, we will ask for new consent to process Personnel’s personal data for such uses.

5. Usage of Personal Data with Third-Party Organisations

We may be required to disclose and/or transfer Personnel’s personal data to third-party organisations, in order for such organisations to process personal data in accordance with agreements with us and/or legal obligations. These organisations may include:

  • our affiliates including, but not limited to, Andamanda Phuket, True Arena and Proud Group-Head Office;
  • government authorities including, but not limited to, the excise department, department of labor protection and welfare, department of energy, Hua Hin municipality and department of skill development;
  • business vendors including, but not limited to, med medical Co., Ltd.;
  • external auditors including, but not limited to, UICC Certification Services Co. Ltd.;
  • airline companies including, but not limited to, Thai Smile, Air Asia, BKK Airways and Qatar Airways;
  • insurance companies including, but not limited to, Dhipaya Insurance Public Co., Ltd.;
  • educational institutions including, but not limited to, Rajabhat University;
  • financial institutions including, but not limited to, Siam Commercial Bank of Thailand;
  • service providers including, but not limited to, visa agency;
  • hospitals including, but not limited to, Bangkok Hospital, Hua Hin Hospital, San Paolo Hospital.

However, where personal data are disclosed and/or transferred to third-party organisations, we will ensure that the minimum amount of personal data is disclosed and/or transferred, and may consider anonymisation and pseudonymisation techniques for greater security. Further, the third-party organisations who will process Personnel’s personal data for us will be required to have in place an appropriate privacy policy. We do not permit these third-party organisations to use Personnel’s personal data in a way that diverges from the agreed scope and purposes.

6. Transferring of Personal Data to Foreign Countries

According to the scope and purposes specified in this Privacy Policy, we are currently not required to transfer personal data to a foreign country.

However, we will only disclose or transfer Personnel’s personal data if any of the following requirements has been met:

  • the receiving foreign country has adequate personal data protection standards as certified by the Personal Data Committee;
  • the receiving organisation has in place a comprehensive privacy policy which has been certified by the Personal Data Committee;
  • the receiving organisation is obligated to follow a substantial privacy policy with sufficient remedial measure in accordance with the procedures identified by the Personal Data Committee including, but not limited to, standard contractual clauses and code of conduct;
  • a pre-requisite to the exercise of legal rights;
  • consent has been obtained from Personnel who is well-aware of the inadequate personal data protection standards of the receiving countries or international organisations;
  • a requirement for the execution of an agreement to which Personnel is a party of, or the fulfillment of a request Personnel made prior to entering into the agreement;
  • a necessary task to carry out under a contractual obligation between us and other persons or entities for the benefits of Personnel;
  • to ensure the safety or limit further damage to an individual’s health who cannot give consent at the current time; and
  • a necessary task for the good of the public.

7. Security Measures for Personal Data Protection

We have implemented certain security measures to ensure the security of Personnel’s personal data. In this connection, third-party organisations are required to carry out the processing of personal data in accordance with our security policy, and to ensure the security of Personnel’s personal data (More details are available at “Information Security Policy”).

8. Time Period of Personal Data Storage

We will store Personnel’s personal data for an appropriate period according to our scope and purposes, including other important matters such as legal requirements, accounting and auditing purposes. (More details are available from Vana Nava’s Data Protection Officer.)

9. Personnel’s Personal Data Rights

Your personal data rights include:

  • right to revoke consent – for the case where we have obtained your consent in order to process your personal data;
  • right of access – you have the right to request a copy of all your personal data and assess if we are processing your personal data in accordance with relevant laws;
  • right to data portability – for the case where we have in place an automated platform allowing you to access your personal data automatically:
    • you have the right to ask for your personal data to be transferred automatically to other organisations, and
    • you have the right to request your personal data in the format that has been transferred from us to other organisations, except for the case where there is a technological limitation;
  • right to erasure – you have the right to request data deletion or anonymisation in the following cases:
    • where the required processing terms have expired,
    • where consent has been withheld, and we cannot rely on other legal bases to process your personal data, and
    • where data processing activity is not in accordance with relevant laws;
  • right to restrict processing – you have the right to restrict any data processing activity in the following cases:
    • during a pending examination process,
    • for cases related to personal data which shall initially be deleted and/or destroyed, but was followed by an additional request of processing restriction instead, and
    • for cases where the data processing terms have passed, but you have requested processing restriction due to legal reasons; and
  • right to rectification – you have the right to edit your personal data so that it is correct and up to date. If any mistake is detected, we might not edit this ourselves.

In the cases where we may not be able to carry out and support exercise of your rights, including, but not limited to, the cases where a legal process is taking place, you will continue to have the right to retract your consent by emailing all related parties. We will therefore be required to terminate all processes as soon as possible. However, the retraction only applies to the data processing carried out thereafter.

Any data processing activity carried out before the retraction will not be reversed.

Please be informed that we do record all requests to ensure all issues are resolved. For any queries regarding your personal data protection and rights, more details are available at: TDPG3.0-C5-20201224-1.pdf (chula.ac.th)

If you intend to exercise your personal data protection rights, or to file a complaint against your personal data processing, please contact our DPO (contact details have been provided above). We will process this request in a secure and timely manner. Also, in case we fail to preserve your rights under the PDPA, you can file a complaint with the Office of the Personal Data Protection Commission (“PDPC”).

10. Policy Revision

This Privacy Policy applies to all of our Personnel, and was last updated on [•]. We reserve the right to review and edit this Privacy Policy as we see fit. Any revision made will be notified to all related parties under this Privacy Policy.