Privacy Policy
AEON TOPVALU (Thailand) Co., Ltd., subsidiary, associated company, and representative of the company, herein after called the “company”, is determined to protect the privacy of the customer, service provider, business partner, and business alliance to collect, use, and disclose the personal data (collectively called “data processing”) to comply with Personal Data Protection Act, B.E. 2562 and the relevant laws. Therefore, the company has developed this Privacy Policy to inform and describe about details related to personal data processing as well as the rights according to the law of the data subject. The details are as follows:
In this regard, this policy is to apply with service providing, product, and incorporation in various aspects of the company, including those conducted through online channel, electronic media, such as e-mail address, website of the company, etc. and to apply with all individuals who are customer, service provider, business partner, business alliance, website user and visitor, representative of corporate, director, agent, employee, officer, trustee of customer, service provider, business partner, and business alliance of the company, as well as any other relevant people. The company may consider to amend this policy from time to time as necessary or as seen appropriate.
1. Definition
1.1 “Personal data” refers to data about individual that can identify such person directly or indirectly, such as name, surname, address, identification number, photograph, telephone number, etc. but not included the data of the decease.
1.2 “Sensitive personal data” refers to personal data related to race, ethnicity, political belief, cult belief, religion or philosophy, sexual behavior, criminal records, health information, disability, trade union information, genetic data, biometric data, such as facial images, iris scans, or fingerprints, data that is the genuinely private matter of individuals which is sensitive and vulnerable to unfair discrimination, and any other data which affects the data subject in the same way.
1.3 “Data subject” refers to customer, service provider, business partner, business alliance, website user and visitor, representative of corporate, director, agent, employee, officer, trustee of customer, service provider, business partner, and business alliance of the company, who is individual that personal data can identify the identity of such person directly or indirectly (herein after referred to as “you” or “the data subject”).
1.4 “Personal data protection committee” refers to the committee appointed to have the authority and power to supervise, issue rules, measures, or any other practices related to personal data protection according to Personal Data Protection Act, B.E. 2562
2. Personal data processing
The company will process your personal data by using lawful method and limited to only necessity according to the objectives of the company operation and for the objective as specified in this policy. The types of personal data that the company will process, includes:
1) Personal data, such as name, surname, gender, marital status, age, date of birth, identification number, passport number, signature, copy of ID card, copy of driver's license, photograph, copy of house registration, etc.
2) Contact information, such as address, telephone number, e-mail address, workplace, etc.
3) Transaction information such as bank account information, copy of bank book, taxpayer identification number, debit card number, credit card number, etc.
4) Technical information, such as the name and password of the website/application user, Internet Protocol Address (IP Address), Service Set Identifier (SSID), any other device identifiers, usage history, search history, cookies, etc.
5) Demographic data and interest, such as interest in goods and services, gender, age, marital status, occupation, income, other demographic data, social media, satisfaction with goods and services, etc., subject to the consent of the data subject.
6) Sensitive personal data such as race, ethnicity, political belief, cult belief, religion or philosophy, sexual behavior, criminal records, health information, disability, trade union information, genetic data, biometric data, etc., subject to the consent of the data subject or where necessary and in accordance with applicable law.
7) For personal data of minors, the company may process personal data of minors in accordance with civil and commercial law or with the prior consent of the parent or legal guardian.
8) For personal data of other people, in case you gave personal data of other person to the company, you must inform such person about the personal data processing of such person by the company before giving the data to the company and you must obtain prior consent from such person unless, the consent is not required by law and in any cases, you must inform such person to acknowledge and understand about this policy as well.
3. Source of personal data
The company receives your personal data from the following sources:
1. The company receives data from the data subject directly as you have given to the company for purchasing products, using services, contacting, visiting/using website of the company and conduct any activities related to the operation of the company, such as entering into contract, conducting procurement, etc. in any measures both in writing or verbally or by online channel through electronic media.
2. The company receives data from other sources, such as your employer or the company you work for or represent, any other third party to whom you have given consent to disclosure personal data to the company, government agencies, partners, alliances, service providers, subsidiary, associated company of the company.
4. Objective of personal data processing
4.1 The company needs to process your personal data for the following objectives and the company can process your data for such objectives as necessary without obtaining your consent. In this regard, if you reject to give such data to the company or do not allow the company to process your personal data for such purpose due to any reason, it may affect the service providing, communication, facilitation and any other operation between you and the company.
1) It is necessary to run the business and comply with obligation according to the contract between the company and the data subject who are the contract parties or to comply with the request of the data subject before entering into the contract, such as entering into the contract, procurement, financial transaction, coordination to run the business of the company, etc.
2) To prevent or suspend danger to life, body or health of a person.
3) It is necessary to perform duties in the operation of mission for public interest or to perform duties in the exercise of state powers assigned to the company.
4) It is necessary for the legal benefits of the company or individual or other corporate, except when such benefits are less important than fundamental right in personal data of the data subject.
5) To comply with legal obligations, such as the Computer Crime Act, Civil and Commercial Code or the Criminal Code, Tax Law, money laundering prevention, prevention and combating corruption, including lawful orders of relevant officials, etc.
6) For the benefit of study, research, statistical preparation, or for the public benefit.
4.2 The company may process your personal data for the objectives other than those mentioned above. The company will inform you about such objective and must explicitly obtain consent from the data subject prior to or during the collection and/or use and/or disclosure of the personal data. In this connection, the company will not take any actions that differ from the above mentioned objective of personal data processing that has been notified to the data subject and has obtained consent from the data subject, except as specified by law.
5. Personal data disclosure
The company will not disclose or pass your personal data to external party, except when explicitly obtain consent from you or in the following case:
1) To achieve the objectives as informed above, the company may be necessary to disclose or share information as necessary to the subsidiary and the associated company of the company, business partner, service provider, or external parties. In this regard, the company will proceed to ensure that such persons will keep the personal data confidential and have appropriate measure to protect the information and not to use the data for any other objectives outside the scope set by the company.
2) Law or legal procedure enforced the company to disclose the data or reveal to the official, government officer, or the authorized organization to comply with lawful order or request.
6. Sending or transfer of personal data to foreign country
The company may send, transfer, and share your personal data with the subsidiary, associated company, and service provider of the company in foreign country. In this regard, the company will proceed to ensure that the destination country or company have the standard and policy of personal data protection that is adequate as specified by law.
7. Security measure for personal data
The company has set the safety and security measure for personal data according to the law concerning personal data protection and the relevant law to prevent the personal data that has been gathered from loss by accident or being accessible, disclosed, or changed, without authorization or unlawfully. In this regard, the access to personal data will be limited. The company will give permission to only those who have necessity to access such personal data to perform their obligations, for both data in the form of document or electronic data.
8. Personal data retention period
The company will collect personal data only for as long as it is necessary for processing for the purposes as mentioned above, or any other period as prescribed by law, unless there is a need to keep the personal data for any other reason. For example, the company will keep your personal data for a period of 10 years in order to comply with the law, or for the purpose of proving a potential dispute within the age limit as required by law, etc.
9. Right of the data subject
The data subject has the rights according to personal data protection law and can request to use the rights as specified by law as follows:
9.1 Right to withdraw consent at any time to the processing of the data that the data subject has previously provided to the company. If you withdraw your consent, the company may provide you with limited services or unable to provide service.
9.2 Right to request to access and obtain copy of personal data collected and maintained by the company.
9.3 Right to transfer your personal data from the company to another company in the event that the company has made the personal data in a format that can be read or commonly used by using tool or device that works automatically and can be used or disclosed the personal data in an automated method.
9.4 Right to object the data processing. The data subject has the right to object to its collection, use or disclosure at any time.
9.5 Right to request for deletion or destruction or to make personal data unidentifiable in various cases, such as when the data is no longer needed or when the data subject revokes its consent.
9.6 Right to request for suspension of the use of personal data in various cases, such as in the case of personal data that must be deleted or when such data is no longer necessary, etc.
9.7 Right to request to amend personal data to be accurate, complete and up-to-date.
9.8 Right to file complain to personal data protection committee if you believe that the processing of your personal data violates or fails to comply with the relevant laws.
The data subject can request to exercise the above rights by submitting a request to exercise the right to the company in writing or via electronic mail in the form prescribed by the company (the Data Subject Rights Request Form) through the “Contact channel of the company” as set forth below, whereby the company will consider and notify the data subject's request for consideration within 30 days from the date of receipt of the request. The exercise of such right must be in accordance with applicable law and the company may reject your request in some cases.
10. Amendment of the Privacy Policy
The company will review this policy on a regular basis to ensure compliance with legal requirements. This policy may be revised from time to time as it deems appropriate, in the sole discretion of the company. If there is a change in the Privacy Policy, the company will clearly notify the data subject of such change via the website of the company before starting to make changes.
This Privacy Policy was announced and effective from 9 May 2022.
11. Contact channel of the company
General Administration Department (GA)
AEON TOPVALU (THAILAND) CO., LTD.
140/48 ITF TOWER II, 21st Floor, Silom Road,
Suriyawong, Bangrak, Bangkok 10500
Tel. 02-231 6190 to 192
Email: atvth-info@email.aeon.biz
Data Protection Officer (DPO)
AEON TOPVALU (THAILAND) CO., LTD.
140/48 ITF TOWER II, 21st Floor, Silom Road,
Suriyawong, Bangrak, Bangkok 10500
Tel. 02-231 6190 to 192
Email: atvth-dpo@email.aeon.biz