Privacy statement of PERI Ltd


Privacy Policy
PERI Formwork & Scaffolding (Thailand), Ltd.

 

1. Introduction

PERI Formwork & Scaffolding (Thailand), Ltd., with its headquarters located in Germany (hereinafter referred to as the "Company" or "Organization"), acknowledges the importance of personal and other information related to you (collectively referred to as "Information"). This policy ensures that you can trust the Company to handle the collection, use, or disclosure of your information transparently and responsibly, in accordance with the Personal Data Protection Act B.E. 2562 (2019) ("Personal Data Protection Law") and other relevant laws. This Privacy Policy ("Policy") has been created to clarify the details of the collection, use, or disclosure (collectively referred to as "Processing") of personal data carried out by the Company, including its officers and relevant persons acting on behalf of the Company. The content is as follows:

 

2. Scope of Policy Enforcement

This Policy applies to the personal data of individuals who are currently or may in the future be associated with the Company. Such data is processed by the Company, its employees, contracted workers, business units, or other entities operated by the Company, as well as contractors or external parties processing personal data on behalf of the Company ("Personal Data Processors"). The scope includes products and services such as websites, systems, applications, documents, or other services managed by the Company (collectively referred to as "Services").

Individuals associated with the Company, as outlined in the preceding paragraph, include:

  1. Individual customers.
  2. Officers, employees, or workers.
  3. Partners and service providers who are individuals.
  4. Directors, authorized representatives, agents, shareholders, employees, or others with similar relationships to legal entities associated with the Company.
  5. Users of the Company's products or services.
  6. Visitors to or users of the website www.peri.co.th, including systems, applications, devices, or other communication channels managed by the Company.
  7. Other individuals whose personal data is collected by the Company, such as job applicants, family members of staff, guarantors, and beneficiaries of insurance policies.

 

Clauses 1) to 6) are collectively referred to as "you."

 

In addition to this Policy, the Company may issue Privacy Notices ("Notices") for specific products or services to inform personal data owners who use the Company's services about: personal data being processed, purposes and lawful reasons for processing, retention periods of personal data, and specific rights of personal data owners concerning those products or services.

In the event of any significant conflict between the provisions of a Privacy Notice and this Policy, the terms in the Privacy Notice for the specific service will prevail.

 

3. Definitions

  • Company: Refers to PERI Formwork & Scaffolding (Thailand), Ltd.
  • Personal Data: Information relating to a natural person that can identify that person, whether directly or indirectly. This excludes data specifically related to deceased persons.
  • Sensitive Personal Data: Refers to personal data as defined under Section 26 of the Personal Data Protection Act B.E. 2562, including information on race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health information, disabilities, union memberships, genetic data, biometric data, or other similar information that impacts the personal data owner, as specified by the Personal Data Protection Committee.
  • Processing of Personal Data: Any action performed on personal data, such as collecting, recording, copying, organizing, storing, updating, altering, using, retrieving, disclosing, transferring, publishing, transmitting, combining, erasing, or destroying the data.
  • Personal Data Owner: A natural person who owns the personal data collected, used, or disclosed by the Company.
  • Personal Data Controller: A person or legal entity authorized to make decisions regarding the collection, use, or disclosure of personal data.
  • Personal Data Processor: A person or legal entity that processes personal data on behalf of or according to the instructions of the Personal Data Controller. This excludes individuals or entities acting as the Personal Data Controller.

 

4. Sources of Personal Data Collected by the Company

The Company collects or obtains various types of personal data from the following sources:

  1. The Company collects personal data directly from the data owner through various service channels, such as during application processes, registrations, job applications, contract signing, document submission, surveys, or the use of products, services, or other service channels managed by the Company. This also includes when the data owner communicates with the Company at its office or through other contact channels managed by the Company.
  2. The Company collects data from the data owner's use of the website, products, or services under contractual or operational obligations. Examples include tracking user behavior on the Company’s website, products, or services via cookies or software installed on the data owner's devices.
  3. The Company collects personal data from sources other than the data owner. Such sources must have lawful authority, legitimate reasons, or prior consent from the data owner to disclose the information to the Company. Examples include Integration of digital services from government agencies to provide seamless public services to the data owner, receiving personal data from other government agencies where the Company is tasked with facilitating centralized data exchange centers to support governmental digital services for the public, Necessary exchanges of personal data with contracting entities to fulfill contractual obligations.

If you provide the Company with personal data of third parties, you are responsible for informing them of the details outlined in this Policy or the relevant product/service notice. You must also obtain their consent, where required, to disclose their personal data to the Company.

In cases where the data owner refuses to provide the necessary personal data required for the Company's services, the Company may be unable to fully or partially provide such services to the data owner.

 

5. Legal Basis for Collecting Personal Data

The Company determines the legal basis for collecting your personal data based on the appropriateness and context of the services provided. The legal bases for data collection by the Company include the following:

Legal Basis for Collecting Personal data /Details

Compliance with Legal Obligations

To enable the Company to comply with laws governing its operations, such as:

- Collecting computer traffic data in accordance with the Computer Crime Act, B.E. 2560 (2017).

- Compliance with the Official Information Act, B.E. 2540 (1997).

- Adherence to the Public Organization Act, B.E. 2542 (1999).

- Compliance with tax laws

and court orders, among others.

Necessity for Legitimate Interests

To serve the legitimate interests of the Company or other parties, where these interests are significant and do not override the fundamental rights of the data owner such as ensuring the security of Company buildings and premises, and processing personal data for internal operations of the Company.

Necessity to Prevent or Mitigate Harm to the life, body or health of individuals

To prevent or mitigate harm to the life, body, or health of individuals. For instance, this may such as providing applications for epidemic monitoring in line with government policies.

Compliance of a contract

To fulfill contractual obligations or carry out necessary actions related to contracts in which the data owner is a party such as employment contracts, service agreements, memoranda of understanding or other contractual agreements.

Your consent

To collect, use, or disclose personal data in cases where the Company requires the data owner's consent as the Company will inform the data owner of the purposes of collection, use, or disclosure before obtaining consent such as collecting sensitive personal data for purposes not covered by the exceptions under Sections 24 or 26 of the Personal Data Protection Act, B.E. 2562 (2019) or offering, marketing you the products and services of business partners or affiliates.

If the Company needs to collect personal data to fulfill a contract, comply with legal obligations, or for other necessary actions, refusal to provide such data or objection to processing may result in the Company being unable to fully or partially provide the requested services.

 

6. Types of Personal Data Collected by the Company

The Company may collect or obtain the following types of data, which may include personal data, depending on the services used or the context of the relationship between the data owner and the Company, as well as other considerations influencing data collection.

The categories of personal data specified below serve as a general framework for the Company’s data collection. Only data related to the products or services you use or are associated with will apply.

Catergories of Personal Data/ Details and Examples

Personal Identification Data

Data identifying your name or information from official documents that specify your identity, such as: title, first name, last name, middle name, nickname, signature, national ID number, nationality, driver’s license number, passport number, household registration information.

Business registration number, professional license number (specific to each profession), social security number, social insurance number.

Copies of national ID cards and household registration documents.

Personal Characteristics Data

Information detailing your characteristics, such as date of birth, gender, height, weight, age, marital status, military service status., photographs, spoken languages, behavioral information, preferences., information regarding bankruptcy, legal incapacity, or quasi-incapacity.

Contact Information

Data used to contact you such as home phone number, mobile phone number, fax number, email address, postal address, online social media usernames (e.g., Line ID, MS Teams), residential location maps.

Employment and Educational Data

Employment and educational history details, such as type of employment, profession, rank, position, responsibilities, expertise, work permit status, references, taxpayer identification number, employment history, salary information, start and end dates of employment, evaluation results, benefits and entitlements, company property, academic institutions, educational qualifications, academic results, graduation dates.

Insurance Policy Data

Details of employee insurance policies, such as insurer, policyholder, beneficiary, policy number, type of policy, coverage amount, and claims-related information.

Social Relationship Data

Information regarding your social relationships, such as political affiliations, political positions held, or board memberships., relationships with Company employees, status as a contractor with the Company, stakeholder information related to dealings with the Company.

Company Service Usage Data

Details regarding the Company’s products or services, such as user account names, passwords, PIN codes, Single Sign-On (SSO ID), and OTP codes, computer traffic data, location information, photographs, videos, audio recordings, and usage behavior, fata related to websites under the Company’s management, such as www.peri.co.th, and applications used by the Company, such as SAP, B Plus, CRM, browsing history, cookies or similar technologies, device numbers (Device ID), device types, connection details, browser information, preferred language, and operating system details.

Sensitive Personal Data

Sensitive personal data, such as racial or ethnic origin, religious beliefs, disability information, political opinions, criminal records, biometric data (e.g., facial image templates), and health information.

 

7. Cookies

The Company collects and uses cookies and similar technologies on websites under its management, such as www.peri.co.th, or on your devices depending on the services you use. However, to ensure service security and provide users with convenience and an enhanced experience when using the Company’s services, this data is also used to improve the Company’s website to better meet user needs. You can manage or delete cookies yourself by adjusting the settings in your web browser.

 

8. Personal Data of Minors, Incompetent Persons, and Quasi-Incompetent Persons

If the Company becomes aware that the personal data requiring consent belongs to a minor, an incompetent person, or a quasi-incompetent person, the Company will not collect such data until obtaining consent from the legal guardian, custodian, or curator, as applicable, in compliance with legal requirements.

In cases where the Company unknowingly collects the personal data of a minor, incompetent person, or quasi-incompetent person without the required consent from their legal guardian, custodian, or curator, the Company will promptly delete or destroy the data unless there is a lawful basis other than consent to retain, use, or disclose such data.

 

9. Purposes for Collecting Personal Data

The Company collects your personal data for various purposes, depending on the type of products, services, or activities you engage in, as well as the nature of your relationship with the Company or other contextual considerations. The purposes outlined below serve as a general framework for the Company’s use of personal data. Only the purposes directly related to the products or services you use or are associated with will apply to your data.

  1. To enter into or fulfill a contract between the Company and the data owner, or to fulfill obligations under a contract between the Company and a third party for the benefit of the data owner.
  2. To conduct accounting and financial activities, such as auditing, invoicing, debt collection, managing benefits, handling taxes, and maintaining legally required transaction records.
  3. To monitor, manage, and facilitate the use of services to align with your needs.
  4. To store and update your information, including documents referencing you.
  5. To prepare and maintain records of personal data processing as required by law.
  6. To survey feedback, analyze data, conduct research, and create statistical reports for marketing purposes, as well as to improve and resolve issues related to the Company’s services.
  7. To improve and enhance the quality of the Company’s products, services, and offerings.
  8. To evaluate and manage potential risks effectively.
  9. To facilitate internal operations, such as recruitment, selection of directors or key personnel, and qualification assessments.
  10. To prevent, detect, avoid, and investigate fraud, security breaches, prohibited actions, or illegal activities that may harm both the Company and the personal data owner.
  11. To authenticate, verify, and review information when you apply for services, contact the Company, or exercise legal rights. This includes spam prevention and addressing unauthorized or illegal actions.
  12. To send notifications, confirm transactions, communicate, and provide updates or news to you.
  13. To prepare and deliver relevant and necessary documents or information.
  14. To analyze how personal data-owners access and use the Company’s services, both collectively and individually, for research and analytical purposes.
  15. To fulfill the Company's obligations to regulatory authorities, tax agencies, law enforcement, or other legal requirements.
  16. To take actions necessary for the legitimate interests of the Company, other individuals, or entities related to the Company’s operations.
  17. To prevent or mitigate harm to life, body, or health, including monitoring public health risks (e.g., pandemic surveillance) for legitimate purposes, such as recording complaint calls via call centers or video recordings via CCTV.
  18. To comply with laws, regulations, enforceable orders, legal proceedings, court orders, and the exercise of legal rights related to your data.

 

10. Categories of Company Recipients of Your Personal Data

The Company may disclose your personal data to the following categories of individuals or entities as necessary for the purposes outlined in clause 9 as above mentioned. Disclosure applies only to recipients related to the products or services you use or are associated with.

Categories of Data Recipients/Details

Contractual Partners related to Company Employee Benefits

External parties engaged by the Company to manage employee benefits, such as insurance companies, hospitals, payroll providers, banks, and telecommunications providers.

Business Partners

The Company may disclose your data to collaborators for service-related purposes, such as marketing agencies, advertising media, financial institutions, platform providers, and telecommunications service providers.

Service Providers

The Company may delegate certain operations or receive support from third-party service providers, including data storage (cloud storage or physical document warehouses), developers of systems, software, applications, or websites; delivery and courier services, payment processing service providers, digital and communication services, internet providers, phone operators, social media platforms, and digital ID providers, risk management consultants or external advisors, logistics and transportation service providers and so on.

Other Categories of Data Recipients

The Company may disclose your personal data to other types of recipients such as contacts of the Company, family Members, Non-Profit Organizations, Foundations, or Religious Institutions such as temples, hospitals, educational institutions, or other entities. Furthermore, this disclosure aims to facilitate the Company’s services, such as training, award distribution, charity participation, and donations.

 

11. Transfer or Transmission of Personal Data Abroad

In certain cases, the Company may need to transfer or transmit your personal data to foreign countries to fulfill the service purposes, such as hosting personal data on cloud servers located abroad, e.g., in Germany which is the parent company’s country to utilize technology systems hosted outside Thailand. Furthermore, the specific transfers depend on the service or activity related to you.

By the way, at the time of drafting this policy, the Personal Data Protection Committee has not issued a list of foreign countries with adequate personal data protection standards. Therefore, when transferring data abroad, the Company will ensure sufficient protection measures are in place according to international standards or follow the legal requirements for such transfers such as:

  1. To comply with legal prescribed by the Company or transfer personal data to abroad.
  2. To inform you and obtain your consent if the destination country lacks adequate data protection standards, as per the official list issued by the Personal Data Protection Committee.
  3. To transfer data necessary for the performance of a contract to which you are a party or to fulfill your pre-contractual requests.
  4. To fulfill the Company’s contractual obligations with another individual or entity for your benefit.
  5. To protect or prevent harm to life, body, or health when you cannot provide consent.
  6. It is necessary actions to serve an important public interest.

 

12. Retention Period of Personal Data

The Company will retain your personal data only as long as necessary to fulfill the purposes for which it was collected, as outlined in this policy, announcements, or applicable legal requirements.

For job applicants who are not selected, personal data will be retained for one year as evidence that the application was fairly considered and to assess suitability for future job opportunities. For employees, personal data will be retained in accordance with labor protection laws, primarily for verification purposes in case of disputes, for a period not exceeding 10 years after the end of employment with the Company.

Upon the expiration of the retention period and when personal data is no longer necessary for the stated purposes, the Company will delete, destroy, or anonymize it. The methods and standards for data deletion will comply with regulations issued by the Personal Data Protection Committee, applicable laws, or recognized international standards. However, in the event of disputes, exercising rights, or legal proceedings related to personal data, the Company reserves the right to retain such data until the dispute is conclusively resolved or a final judgment has been issued.

 

13. Services Provided by Third Parties or Sub-Processors

The Company may assign or outsource third parties (personal data processors) to process personal data on its behalf. These third parties may provide services in various forms, such as Hosting services, Outsourcing arrangements, Cloud computing services, or Provider, or Other types of contracted work.

When engaging a third party as a personal data processor, the Company will establish agreements that clearly define the rights and responsibilities of both the Company as the data controller and the third party as the data processor including defining details related to categories of personal data that the company assigned to be processed covering the purposes and scope of the data processing, and other relevant contractual terms. The data processor is required to process personal data strictly within the agreed scope and instructions from the Company and is prohibited from processing the data for any other purposes.

If the data processor assigned to the sub-processor (sub-processor) to process personal data on its behalf or on behalf of the sub-processor, the Company will regulate the data processor enters into a written agreement with the sub-processor in the same or higher standards as those between the Company and the data processor.

 

14. Personal Data Security

The Company has measures in place to protect personal data by restricting access to personal data only to specific personnel or individuals with authority, duties, or assignments that require the use of such data in accordance with the purposes communicated to the data subjects. These individuals must strictly adhere to the Company's data protection measures and are obligated to maintain the confidentiality of personal data obtained through their assigned duties. The Company ensures the security of personal data through organizational and technical measures that meet international standards and comply with regulations issued by the Personal Data Protection Committee.

Additionally, when the Company transfers, discloses, or shares personal data with third parties, whether for services under its mission, contractual obligations, or other forms of agreements, the Company will establish appropriate personal data security and confidentiality measures in compliance with applicable laws. This ensures that the personal data collected by the Company remains consistently secure.

 

15. Connection to External Websites or Services

The Company’s services may include links to third-party websites or services. Such websites or services may have privacy policies with content differing from this policy. The Company recommends that you review the privacy policies of those websites or services in detail before using them. Furthermore, the Company is not associated with or in control of the personal data protection measures of such websites or services and cannot be held responsible for their content, policies, damages, or actions arising from the use of third-party websites or services.

16. Personal Data Protection Officer

The Company has appointed a Personal Data Protection Officer to monitor, supervise, and provide advice on the collection, use, or disclosure of personal data. This officer also coordinates and cooperates with the Office of the Personal Data Protection Committee to ensure compliance with the Personal Data Protection Act B.E. 2562 (2019).

 

17. Your Rights Under the Personal Data Protection Act B.E. 2562 (2019)

The Personal Data Protection Act B.E. 2562 (2019) establishes several rights for data subjects. These rights take effect when the relevant legal provisions are enforced. The details of these rights include:

  1. Right to be Informed: The data controller must notify you of the details of data collection, its intended use, or disclosure before or during the collection process. You have the right to know what data is being collected, the retention period, storage location, and how to contact the data controller.
  2. Right to Access Personal Data: You have the right to access, receive a copy of, and request the disclosure of the source of your personal data collected by the Company without your consent, except in cases where the Company has the legal right to deny your request under applicable laws or court orders or exercising your rights may adversely impact the rights and freedoms of others or cause damage to others.
  3. Right to Receive, Transfer, or Share Personal Data: You have the right to request your personal data from the Company in a format that is readable or usable through commonly used tools or devices that operate automatically and can be used or disclosed through automatic means. You may also request that the Company send or transfer your data in such a format to another data controller. The exercise of this right will be subject to the conditions as prescribed by law.
  4. Right to Object to the Processing of Personal Data: You have the right to object to the collection, use, or disclosure of your personal data, except where the Company has valid legal grounds to deny your request (for example, the Company can demonstrate that the collection, use, or disclosure of your personal data is justified by legal reasons, for establishing legal claims, or for the compliance with legal obligations, or for the public interest of the Company).
  5. Right to Delete or Destroy Personal Data: You have the right to request that the Company delete or destroy your personal data or anonymize your personal data so that it can no longer be identified as belonging to you. The exercise of this right will be subject to the conditions as prescribed by law.
  6. Right to Suspend the Use of Personal Data: You have the right to request the suspension of the use of your personal data under the following circumstances:
    1. When the Company is in the process of verifying a request from the data subject to correct the personal data to ensure it is accurate, complete, and up to date.
    2. When the personal data has been collected, used, or disclosed unlawfully.
    3. When the personal data is no longer necessary for the purposes for which it was collected, but the data subject wishes the Company to retain it for legal purposes.
    4. When the Company is in the process of proving the legal grounds for the collection of your personal data or verifying the necessity of the data collection, use, or disclosure for the public interest due to the data subject exercising their right to object to the collection, use, or disclosure of personal data.
  7. Right to Correct Personal Data to Ensure Accuracy, Completeness, and Up-to-date Information: If you find that your personal data is incorrect, incomplete, or outdated, you have the right to request that the data be corrected to ensure accuracy, completeness, and to prevent any misunderstanding.
  8. Right to File a Complaint: You have the right to file a complaint with the officers and the committee under the Personal Data Protection Act (PDPA) if the data controller, processor, or their employees or contractors violate or fail to comply with the law.

 

18. Consequences for Non-Compliance with Personal Data Protection Policy

Failure to comply with the policy may result in disciplinary action according to the company's regulations (for employees or staff of the company) or the terms of the personal data processing agreement (for data processors). Depending on the case and your relationship with the company, you may also face penalties as specified by the Personal Data Protection Act B.E. 2562 (2019), as well as subordinate laws, rules, regulations, and orders related to it.

 

19. Complaints to the Regulatory Authority

If you believe that the company has not complied with the Personal Data Protection Act, you have the right to file a complaint with the Personal Data Protection Committee or any other regulatory authority appointed by the Committee or according to the law. Before filing a complaint, the company requests that you contact us so that we can have the opportunity to review the facts, clarify the issues, and address your concerns at the earliest possible time.

 

20. Amendment of Personal Data Protection Policy

The company may consider reviewing, amending, or changing this policy as deemed appropriate and will notify you through our website www.peri.co.th, with the effective date of each amended version indicated. However, the company recommends that you regularly check the website or other specific channels related to company activities to stay informed about the latest version of the policy, especially before disclosing personal data to the company.

By continuing to use the company's products or services after the new policy takes effect, you are deemed to have acknowledged and agreed to the terms of the new policy. If you do not agree with the details in this policy, please stop using the service and contact the company to clarify the facts.

 

21. Inquiries or Exercising Rights

If you have any questions, suggestions, or concerns regarding the collection, use, or disclosure of personal data by the company or about this policy, or if you wish to exercise your rights under the Personal Data Protection Act, you can contact us at:

 

  1. Data Controller
  • Personal Data Protection Officer: Human Resources Manager
  • Contact Address: 33/4, The Ninth Tower Grand Rama 9 Tower B, 27th Floor, Unit TNB01 Rama 9 Road, Huaykwang, Bangkok 10310 Thailand
  • Contact Channels: Tel. 02-168-1320#1301, 092-801-6884
  • Email: Wasinee.Chusananalin@perithailand.com
  • Website: www.peri.co.th

 

  1. Data Protection Officer (DPO)
  • Data Protection Officer: Human Resources Manager
  • Contact Address: 33/4, The Ninth Tower Grand Rama 9 Tower B, 27th Floor, Unit TNB01 Rama 9 Road, Huaykwang, Bangkok 10310 Thailand
  • Contact Channels: Tel. 02-168-1320#1301, 092-801-6884

 

This Personal Data Protection Policy was approved by the company’s board of directors No. 002 on 1 August 2023, and is effective from 1 August 2023, until further changes.

                      

Mr. Thomas James Prince

Director of PERI Formwork & Scaffolding (Thailand), Ltd.