Privacy Policy

Privacy Policy

Oxfam Thailand is committed to protect personal data that makes it possible to directly or indirectly identify a specific person, and other information that requires special precautions when collecting or processing. Data Controller may use the Registrant’s information to invite Registrant to participate in Oxfam’s events or activities. This privacy policy, hereinafter referred to as the “Policy”, first effective on October 23, 2020, with the following details;

1. Definition

Within this policy;

             “Website” means the website named “dearconsumers.com” the website address is www.dearconsumers.com/petition

             “Data Controller” means the service provider/s or the website’s owner, which according to this policy it is Oxfam Thailand.

             “Data Processor” means a third-party that processes data for the benefit of or on behalf of the Data Controller.

             “Data” means anything that conveys a meaning to the facts, information, or anything else whether the interpretation can be done by itself or other means. It can be created in the form of documents, reports, books, diagrams, maps, drawings, photographs, films, recording of video or sound, recording by computer, electronic recording or any other way.

             “Personal Data” means any data relevant to any specific individual that can identify such person whether directly or indirectly.

             “Sensitive Personal Data” means personal data of the registrant relating to nationality, race, ethnicity, political opinion, religion, creed, philosophy, sexual behavior, criminal history record, health information, disability, genetics, biometrics, union information, or any other data that the Personal Data Protection Committee has announced under the Personal Data Protection Act as sensitive personal data.

             “Registrant” means you, guest, registered individual, member of the website who owned the personal data according to this Policy.

2. Registrant’s consent

By registering to the website, the registrant agrees and gives consent to collecting and using of personal data, as follows;

(a)  The objective of collecting and using of personal data, the registrant acknowledges, agrees, and give consent to the Data Controller in collecting and using the personal data only for these following purposes; to support and file a petition to the 4 Supermarkets requesting the Supermarkets to change and amend in accordance to the registrant’s request. Data Controller may use the Registrant’s information to invite Registrant to participate in Oxfam’s events or activities.

(b)  The collected and registered personal data, the registrant acknowledges, agrees, and give consent to the Data Controller in collecting and using the personal data only for these purposes;

Name: Nirermol

Surname: Singhsachakul

Address: 15th Floor, Gypsum Metropolitan Tower, Sri Ayutthaya Rd., Ratchathewi District, Bangkok

Telephone number: 02-248-1003

E-mail:  nsinghsachakul@oxfam.org.uk

(c)  Duration of the data collection, the registrant acknowledges, agrees, and give consent to the Data Controller in collecting and using the personal data in the period of 15 (fifteen) months starting from the date of the consent to collect and use of the personal data in accordance with this Policy.

3. Data link between registrant of the website and third-party service provider.

The registrant acknowledges, agrees, and give consent that the Data Collector may link registrant’s data with the third-party service provider. Every time that the data will be linked or shared with third-party service provider, the Data Controller will notify the registrant of which data will be linked or shared with the third-party service provider. In this connection, when the registrant expresses of the consent in linking or sharing which is not limited only pressing for consent, linking, sharing or any act clearly shown that the registrant has consented to linking or sharing of data to third-party service provider.

4. The registrant’s consent withdrawal.

The registrant acknowledges that the registrant may withdraw any consent that the registrant gave to the Data Controller in accordance with this policy at any time. The withdrawal must be done in writing and send to the E-mail: nsinghsachakul@oxfam.org.uk

5. The registrant’s right.

Any website registrations and any consents in accordance with this policy, the registrant acknowledges of their right as the owner of the personal data according to Personal Data Protection Act including but not limited to the right of the registrant, as follows;

(a) The registrant may withdraw any given consent in accordance with this policy at any time in writing to the Data Controller as stated in this policy.

(b) The registrant has the right to access and request a copy of their personal data or data relating to them that the Data Controller has collected in accordance with this policy.

(c) The registrant has the right to the disclosure from the Data Controller in the acquisition of their personal data or data relating to them, which were not given consent by them if any.

(d) The registrant may make objection to the collection, use or disclosure of their personal data or data relating to them in the following cases;

(1) The Data Controller collects, uses or discloses the registrant’s personal data as necessary for the lawful benefit the Data Controller or of another person, which the registrant may prove that they had better rights than the Data Controller.

(2) The Data Controller collects, uses or discloses the registrant’s personal data in order to comply with the laws of the Data Controller. The registrant may prove that they have better rights than the Data Controller.

(3) The Data Controller collects, uses or discloses the registrant’s personal data for the purpose of direct marketing.

(4) The Data Controller collects, uses or discloses the registrant’s personal data for the purpose of education, scientific research, historical or statistic, where such research studies are not necessary for the benefit of public interest.

(e) The registrant may allow the Data Controller to delete, destroy or make the data anonymous in the following cases;

(1) when the personal data is no longer necessary in keeping under the purposes of correction, use or personal disclosure.

(2) when the registrant, who owned the personal data has withdrawn the consent for the collection, use, or disclosure of that personal data and the Data Controller has no longer the authority to withdraw the consent for collection, use, or disclosure according to the law.

(3) when the registrant lawfully objected the collection, use or disclosure of the data.

(4) when personal data was unlawfully collected, used, disclosed or against the laws, rules and regulations of Personal Data Protection.

(f) The registrant may request the Data Controller to suspend the use of the personal data while the data still retain in the following cases;

(1) The Data Controller is currently being investigated by an investigator under the law on the Personal Data Protection as complained by the registrant.

(2) The personal data was unlawfully collected, used or disclosed and against the laws, rules and regulations of Personal Data Protection.

(3) In the event that the registrant requires the Data Controller to keep the personal data for the benefit of the registrant’s claims, namely the establishment of legal claims of the registrant, compliance with or exercising legal claims, or defence on legal claims. The registrant may require the Data Controller suspend the use of the data instead of deleting, destroying or making the data anonymous.

(4) The Data Controller is in process of investigation or verification to deny the objection on collecting, using or disclosing of the registrant’s personal data in accordance with the law on the Personal Data Protection lawfully objected by the registrant.

(g) If the registrant finds that the personal data is inaccurate, outdated, uncleared, the registrant has the right to request the Data Controller to amend the personal data to be corrected, updated and cleared for avoiding any misunderstanding.

(h) The registrant may submit a complaint to the Data Protection Appeal Committee under the law of Personal Data Protection in case there is any breach or non-compliance with the laws, rules and regulations of the Data Controller’s personal data protection.

6. Security

In collecting and using personal data in accordance with this policy, the Data Controller will arrange appropriate security measures to prevent the loss, access, use, alteration or disclosure that is not in compliance with the law under the standard measures in technology and/or system.

Providing the Access Right to the relevant party in encryption data transfer and security: Firewalls and Internet Protocol Security (IPsec)

7. Correction and update of the personal data.

The Data Controller will arrange a system and validation measures, as follows;

(a) Proceed to correct, update and complete personal data and to be not misleading.

(b) Delete, destroy the personal data beyond collection period for which the registrant has consented to, and;

(c) Delete, destroy the personal data unrelated to the use of personal data consented by the registrant.

8. Collection, use and/or disclose personal data in accordance with the law of Personal Data Protection.

The registrant acknowledges and agrees that the Data Controller may collect, use and/or disclose the registrant’s data without prior consent from the registrant as necessary and only as long as it is for the objective and only in the following cases;

(a) To achieve objectives related to the preparation of historical documents or archives for the public interest or education, research or statistics in which appropriate security to protect the rights and freedoms of the registrant’s personal data have been provided.

(b) To prevent or suppress harm to life, physical or health of any person.

(c) It is necessary for the execution of a contract in which the registrant, owner of the personal data is a party to a contract, or in order to process with the request of the registrant prior to entering into a contract.

(d) It is necessary for Data Controller’s process that benefit the public interest or to exercise the authority of the state given to the Data Controller.

(e) It is necessary for the lawfully interest of the Data Controller or other person in which such benefits are more important than the basic rights in the registrant’s personal data.

(f) In compliance with the law of the Data Controller. In this regard, the Data Controller will record the collection, use or disclosure of the registrant’s personal data by focusing on the preceding paragraph.

9. Collection, use and/or disclose Sensitive Personal Data.

The registrant acknowledges and agrees that in addition to the collection, use and/or disclose personal data that the registrant gave consent to and clearly stated to collect, use, and/or disclose personal data in the preceding paragraph, the Data Controller may collect, use and/or disclose the registrant’s sensitive personal data without prior consent from the registrant as it deems necessary and within the purpose and only within the following cases;

(a) To prevent or suppress harm to life, physical or health of the owner of the registrant’s personal data who is unable to give consent for whatever reason.

(b) The data that is disclosed to the public with the explicit consent of the owner of the registrant’s personal data.

(c) It is necessary for the establishment, compliance, exercising or defence of the legal claims.

(d) It is necessary to comply with the law for the following objectives;

(1) Preventive medicine or occupational medicine, employee performance assessment, medical diagnosis, providing health or social services, medical treatment, health management or systems and services in social welfare.

(2) Public benefits in the public health, such as health protection from dangerous infectious disease or epidemics that maybe transmitted into the Kingdom or control standards or quality of drugs, medical supplies or medical equipment, in which specific measures to protect the registrant’s rights and freedoms, particularly the privacy of personal data according to their duties or professional ethics have been appropriately provided.

(3) Labor protection, social security, national health coverage, statutory health care benefits, car accident protection or social protection. In which, the collection of the registrant’s personal data is necessary to comply with the rights or obligations of the Data Controller or the registrant. In this regard, appropriate measures have been arranged to protect the basic rights and interests of the registrant.

(4) Scientific research, historical, or statistical research, or other public interest. In this regard, by collecting, using and/or disclosing only as necessary and taking appropriate measures to protect the basic rights and interests of the registrant as specified by Personal Data Protection Committee.

(5) Important public interest in which appropriate measures have been arranged to protect the basic rights and interests of the registrant.

However, the Data Controller will record the collection, use or disclosure of the registrant’s personal data focusing on the preceding paragraph.

10. The website’s registration of a person who is minor, under the guardianship, curatorship or custodian of the registrant.

The registrant warranted that the registrant is not incapacitated person or legal disability under the law and the registrant is capable of visit, register and become the member of website lawfully. 1

11. Sending or transferring of the personal data abroad.

The Data Controller may send or transfer the registrant’s personal data abroad in the following cases;

(a) The destination country or the international organization that receives personal data has sufficient standard on data protection as required by applicable personal data protection laws and regulations.

(b) Receiving the consent of the owner of the personal data, by which the registrant has been informed and acknowledged of the under-standard of the data protection of the destination country or the international organization that received the personal data.

(c) Proceeding in accordance with the law.

(d) It is necessary in complying with contract in which the registrant, owner of the personal data is a party to a contract, or in order to process with the request of the registrant prior to entering into a contract.

(e) It is in complying with contractual action between the Data Controller and another person for the benefit of the registrant and/or the owner of the personal data.

(f) To prevent or suppress harm to life, physical or health of the owner of the registrant’s personal data who is unable to give consent for whatever reason.

(g) It is necessary of the operation for the benefit of important public interest.

12. Notification in the breach of personal data.

In the event that the Data Controller becomes aware of the breach of personal data, regardless of the breach committed by any person. The Data Controller will do the following;

(a) In the event that there is a risk of impact on the rights or liberties of any person, the Data Controller will notify the Personal Data Protection Committee of the breach of the personal data without delay to the extent that it can be done within 15 (seventy-two) hours from the moment of acknowledge.

(b) In the event that there is a high risk of impact on the rights or liberties of any person, the Data Controller will notify the Personal Data Protection Committee and the registrant of the breach of the personal data and reparation without delay to the extent that it can be done within 72 (seventy-two) hours from the moment of acknowledge.

13. Complaints and reporting problems relating to personal data.

The registrant may make complaints and reporting any problem relating to the personal data, including but not limited to requesting the Data Controller to amend and update the data to be correct and current. Any objection to the data collection or suspend the use of the data at the following channels;

Name: Nirermol

Surname: Singhsachakul

Address: 15th Floor, Gypsum Metropolitan Tower, Si Ayutthaya Rd., Ratchathewi District, Bangkok

Telephone: 02-248-1003

E-mail: nsinghsachakul@oxfam.org.uk

14. Recording of the important information.

Unless the data protection law provides the Data Controller’s rights otherwise, the Data Controller will record the important information about the collection, use, or disclosure of data in writing or electronically for examination by the registrant, owner of the data or from a government agency. Including but not limited to the following;

(a) Personal data that is collected.

(b) Objectives for which each type of personal data is collected.

(c) Information about the Data Controller.

(d) Period of personal data retention.

(e) The rights and accesses to personal data including the conditions for the right to access the personal data and conditions for accessing that personal data.

(f) The collection, use or disclosure of personal data that is exempt from requesting the consent of the registrant.

(g) Any rejection of requests and objections.

(h) The details of security standards for protection of personal data.

15. Revision and amendment of policy.

The Data Controller may revise and amend the details of this policy at any time, whether in whole or in part. The Data Controller will notify the registrant when there is any change for the registrant to consider by electronic or any other means. If the registrant accepted, the revised policy shall be considered to be part of this policy.

16. Relationship of the parties.

Both parties understand and acknowledge that entering into this policy does not affect each party’s contractual and employee relationship as an employee under labor law or a partnership under the partnership and company law in any way.

17. Assignment.

Unless clearly provided in this policy otherwise, both parties agree not to transfer their rights, duties and/or liabilities under this policy to any person without prior written consent from the other party.

18. Dispute resolution.

If there is any dispute arising out of this policy, which both parties cannot reach an agreement, both parties agree to file the case of dispute to the court in Thailand.

I hereby give my consent to Oxfam Thailand in collecting and using the personal data only for these following purposes; to support and file a petition to the 4 Supermarkets requesting the Supermarkets to change and amend in accordance to the registrant’s request. Data Controller may use the Registrant’s information to invite Registrant to participate in Oxfam’s events or activities.

 

[1] In case the registrant is (a) a minor under 20 years old (b) an incompetent person who is under the guardianship of the registrant. or (c) a quasi-incompetent person who is under the curatorship of the registrant. The registrant warranted that the registrant obtains express consent to visit, register and become a member of website under this privacy policy. Otherwise the registrant shall not and will not allow the abovementioned persons with legal disabilities to visit, register or become a member of the website.

In case the legal representative, the guardian or the custodian allow the registrant to visit, register and become a member of website. It shall be deemed that the legal representative, the guardian or the custodian as the case may be exercised the right guardianship, curator or custodian of such person to agree with this privacy policy on behalf of such person.

.