Business Partner Privacy Notice 

Last Update 27 May 2020

CRC Thai Watsadu Limited (the “Company”, “we”, “us”, or “our”) takes protection of personal data as an important matter in our businesses. This Business Partner Privacy Notice (“Privacy Notice”) describes how we collect, use and disclose personal data of employees, personnel, authorized persons, directors, shareholders and other contact persons of our business partners (e.g. suppliers, vendors) (“Business Partner”, “you” or “your”) in connection with our business relationship, and tells you about data protection rights and how we use such personal data.

Your Personal Data is collected, used and disclosed by us because we have an existing or potential business relationship with you or the Business Partner you work for, act for or represent. For example, our Business Partner provides products or services to us, works together with us to provide products or services to our customers, or otherwise communicates with us in relation to any business.

For the purpose of this Privacy Notice, “Personal Data” means “any information relating to an identified or identifiable natural person”.

We reserve the right to modify this Privacy Notice from time to time, so please review it frequently to see when this Privacy Notice was last revised. Any changes to this Privacy Notice will become effective when we post the revised Privacy Notice on our website or application. We will provide additional notice of significant updates. In case any modification deprives you of your rights regarding sensitive data in relation to this Privacy Policy, the Company will first obtain your consent, except as otherwise required by law.

1. What Personal Data we collect

We may collect or obtain the following types of information, which may include your Personal Data, directly or indirectly from various sources, e.g., you may provide us such Personal Data directly by signing a contract with us or filling in a form, or through our affiliates, subsidiaries, other companies or other business partners; or from publicly available sources where you allow such Personal Data to be shared publicly. The specific type of data collected will depend on the context of your interactions with us and within Central Group's data ecosystem.

1)     Personal details: such as first name, last name, title, age, date of birth, gender, nationality, photos, education, qualification, insurance details, house registration, work-related information (e.g., job title, company you work for), information on government-issued cards (e.g., national identification number, passport number), signatures, your license or permit and other identifiers.

2)     Contact details: such as telephone numbers, fax number, LINE ID, address, country, e-mail, contact person and other similar information including your involved employees.

3)     Vehicle related data: such as driver's license, information on license plate, information on vehicle registration, including any other vehicle details.

4)     Financial details: such as bank account, bank passbook, bank statement, bank guarantee and other financial details.

5)     Credit: Information regarding the risk profile for the business partner, including credit rating and solvency, and information in accordance with the declaration of suitability including contract data on other correspondence (e.g. written communication with you).

6)     Other information collected, used or disclosed in connection with the relationship between us and the Business Partner, such as information you give us in contracts, forms or surveys.

If you provide Personal Data of any third party to us, e.g. their name and telephone number for emergency contact, please provide this Privacy Notice for their acknowledgement and/or obtaining consents where applicable.

2.  Why we collect, use or disclose your Personal Data

Depending on the nature of our relationship with you, we collect, use or disclose your Personal Data for the following purposes, on the legal basis of legitimate interests; entering into or performance of contract; legal compliance; public interest; consent; or any other basis as permitted by applicable laws, as the case may be:

·       Business communication: such as proceeding with transactions, communicating with the Business Partners about products, services and projects of ours or of Business Partners, e.g., by responding to inquiries or requests, informing you of updates and events and managing related aspects of our relationship;

·       Business Partner selection: such as verifying your identity and Business Partner status, conducting due diligence or any other form of background checks or risk identification on you and the Business Partner (including screening against publicly available government law enforcement agency and/or official sanctions lists), evaluating suitability and qualifications of you and the Business Partner, issuance of request for quotation and bidding, execution of contract with you or the Business Partner;

·       Business Partner data management: such as maintaining and updating lists/directories of Business Partners (including your Personal Data), keeping contracts and associated documents in which you may be referred to;

·       Relationship management: such as planning, performing, and managing the (contractual) relationship with the Business Partners, e.g., by performing transactions and orders of products or services, providing trainings, processing and handling payments, performing accounting, auditing, billing, guarantee and collection activities, arranging shipments and deliveries, providing support services and keeping tracks and records;

·       Business analysis and improvement: such as conducting research, data analytics, assessments, surveys and reports on our products, services and your or the Business Partner's performance, development and improvement of marketing strategies and products and services;

·       IT systems and support: such as providing IT and helpdesk support, creating, maintaining and managing your access to any systems to which we have granted you access, removing inactive accounts, implementing business controls to enable our business to operate, and to enable us to identify and resolve issues in our IT systems, and to keep our systems secure, performing IT systems development, implementation, operation and maintenance;

·       Security and system monitoring: such as authentication and access controls and logs where applicable, monitoring of system, devices and internet, ensuring IT security, preventing and solving crimes, as well as risk management and fraud prevention;

·       Dispute handling: such as solving disputes, enforcing our contracts, establishing, exercising or defending legal claims;

·       Any investigation, complaints and/or crime or fraud prevention;

·       Compliance with internal policies and applicable laws, regulations, directives and regulatory guidelines or in relation to any anticipated disputes for the purposes of obtaining advice from our professional advisors;

·       Liaising and interacting with and responding to government authorities or courts or tribunals;

·       Marketing purposes such as informing you of news and publications which may be of interest, events, offering new services, conducting surveys;

·       Complying with reasonable business requirements including but not limited to internal management, training, service quality, auditing, reporting, submissions or filings, data processing, control or risk management, statistical, trend analysis and planning or other related or similar activities;

·       Business administration including but not limited to our general organizational management and business record keeping, correspondence in relation to our relationship with you or administration and troubleshooting.

Where we need to collect your Personal Data as required by law, or for entering into or performing the contract we have with you and you fail to provide that data when requested, we may not be able to fulfill the relevant purposes as listed above.

Where consent is required for certain activities of collection, use or disclosure of your Personal Data, we will request and obtain your consent for such activities separately. 

3.  To whom we may disclose or transfer your Personal Data

We may disclose or transfer your Personal Data to the following third parties who collect, use and disclose Personal Data in accordance with the purpose under this Privacy Notice. These third parties may be located in Thailand and areas outside Thailand. You can visit their privacy notice to learn more details on how they collect, use and disclose your Personal Data as you could also be subject to their privacy notices.

3.1. Central Group

As CRC Thai Watsadu Limited is part of Central Group's data ecosystem, in which all companies collaborate and partially share business partner services and systems including website-related services and systems, we may need to transfer your Personal Data to, or otherwise allow access to such Personal Data by, other companies within Central Group for the purposes set out in this Privacy Notice. Please see the list of companies and scope of activities within Central Group's data ecosystem for further details [here].

3.2. Our service providers

We may use other companies, agents or contractors to perform services on behalf of or to assist with the business relationship with you. We may share your Personal Data with, including but not limited to: (1) infrastructure, software, and website developer and IT service providers; (2) payment service providers; (3) research agencies; (4) analytics service providers; (5) survey agencies and/or loss adjusters; (6) auditors or financial advisories; (7) marketing, advertising media, and communications agencies; (8) payment, payment system, authentication service providers and agents; (9) outsourced administrative service providers; (10) data storage and cloud service providers.

In the course of managing our business relationship, the service providers may have access to your Personal Data. However, we will only provide our service providers with the information that is necessary for them to perform the services, and we ask them not to use your information for any other purposes.

3.3. Our business partners

We may transfer your Personal Data to our business partners to conduct business and services. Any Personal Data shared in this way will be governed by the third party’s privacy notice and not this Privacy Notice.  

3.4. Third parties required by law

In certain circumstances, we may be required to disclose or share your Personal Data in order to comply with a legal or regulatory obligation. This includes any law enforcement agency, court, regulator, government authority or other third party where we believe it is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety, or to detect, prevent, or otherwise address fraud, security, or safety issues.

3.5. Professional advisors

This includes lawyers, technicians and auditors who assist in running our business and defending or bringing any legal claims.

4.  International transfers of your Personal Data

We may disclose or transfer your Personal Data to third parties or servers located overseas, where the destination countries may or may not have an equivalent level of Personal Data protection standards. We take steps and measures to ensure that your Personal Data is securely transferred and that the receiving parties have in place an appropriate level of protection standards or other derogations as allowed by laws. We will request your consent where consent to cross-border transfer is required by law.

5.  How long do we keep your Personal Data

We retain your Personal Data for as long as is reasonably necessary to fulfil the purpose for which we obtained it, and to comply with our legal and regulatory obligations. However, we may have to retain your Personal Data for a longer duration, as required by applicable law.

6.  Your rights as a data subject

Subject to applicable laws and exceptions thereof, you may have the following rights to:

1)     Access: You may have the right to access or request a copy of the Personal Data we are collecting, using and disclosing about you. For your own privacy and security, we may require you to prove your identity before providing the requested information to you.

2)     Rectification: You may have the right to have incomplete, inaccurate, misleading, or not up-to-date Personal Data that we collect, use and disclose about you rectified.

3)  Data Portability: You may have the right to obtain Personal Data we hold about you, in a structured, electronic format, and to send or transfer such data to another data controller, where this is (a) Personal Data which you have provided to us, and (b) if we are collecting, using and disclosing such data on the basis of your consent or to perform a contract with you. 

4)     Objection: You may have the right to object to certain collection, use and disclosure of your Personal Data such as objecting to direct marketing.

5)     Restriction: You may have the right to restrict the use of your Personal Data in certain circumstances.

6)   Withdraw Consent: For the purposes you have consented to our collecting, using and disclosing of your Personal Data, you have the right to withdraw your consent at any time. Such withdrawal of the consent does not affect the lawfulness of the processing done prior to withdrawal. In the case where consent is withdrawn, we will only further process said Personal Data IF AND ONLY IF there are other valid legal grounds for the processing.

7)     Deletion: You may have the right to request that we delete or de-identify Personal Data that we collect, use and disclose about you, except we are not obligated to do so if we need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims.

8)   Lodge a complaint: You may have the right to lodge a complaint to the competent authority where you believe our collection, use and disclosure of your Personal Data is unlawful or noncompliant with applicable data protection law.

7.  Contact Us

If you wish to contact us to exercise the rights relating to your Personal Data or if you have any queries about your Personal Data under this Privacy Notice, please contact us or our Data Protection Officer at:

1)     CRC Thai Watsadu Limited

·       CRC Thai Watsadu Limited

·       88/88 Moo 13 Bangkaew, Bangphli, Samut Prakan 10540

·       Email: [email protected]

2)     Data Protection Officer

·       Data Protection Officer

·       Data Protection Office, Central Group

·       22 Soi Somkid Ploenchit Road, Lumpini, Pathumwan, Bangkok, 10330 Thailand

·       email: [email protected]