Privacy Notice

(For Service Users/Customers/Business Partners)

Thai Vegetable Oil Public Company Limited recognizes the importance of personal data protection, as it is a part of corporate social responsibility and serves as a foundation for building trustworthy business relationships with customers and partners. The Company is committed to complying with the personal data protection laws and relevant regulations.

This Privacy Policy has been prepared to establish appropriate personal data management practices and security measures for protecting the personal data of customers that the Company collects, uses and discloses in accordance with personal data protection laws and other applicable regulations.

Executives and employees must process and safeguard personal data as confidential information and ensure that it is not lost, misused or accessed without authorization. Only authorized executives and employees may access personal data as necessary to meet legitimate business needs within the scope of their roles and responsibilities. Executives and employees are prohibited from using or accessing personal data beyond the Company's scope of work, disclosing data to unauthorized individuals inside or outside the Company, or processing personal data in ways that are inconsistent with this policy.

1. Definitions

The Company Refers to Thai Vegetable Oil Public Company Limited.

Service Users/Customers/Partners Refers to individuals or entities that own personal data and use the services of Thai Vegetable Oil Public Company Limited.

Authorized Approver Refers to an individual assigned by the Company with the authority to approve any actions within the scope of authority granted by the Company.

System Administrator Refers to a department or individual assigned by the system or personal data owner to be responsible for managing a specific system.

System Owner Refers to a business or departmental executive who is responsible for managing a specific system.

Executives and Employees Refers to executives, directors, officers, employees, temporary workers, and any individuals hired or contracted to work for Thai Vegetable Oil Public Company Limited.

Data Subject Refers to an individual who can be identified by their personal data, whether directly or indirectly, and is identified by the data, not the owner or creator of the data.

Minor Refers to a natural person under the age of 20, except for individuals under the age of 20 who are married in accordance with the law, which grants them full legal capacity.

Incompetent Person Refers to individuals who are disabled or mentally impaired, chronically negligent, habitual drunkards, or those with similar conditions that prevent them from managing their own affairs, as determined by a court decision, and are under the guardianship of a court-appointed protector.

Protector Refers to an individual appointed by the court to care for an incompetent person, as requested by the prosecutor.

Guardian Refers to an individual responsible for caring for an incompetent person, including managing their assets and acting on their behalf.

Personal Data Refers to information that can identify an individual, either directly or indirectly, but does not include specific data of deceased persons (as per Section 6 of the Personal Data Protection Act, B.E. 2562). This includes names, surnames, emails, images, fingerprints, identification numbers, location data, or cookies. Additionally, data that, when combined with other information, can identify an individual, such as address, gender, and age, is also considered personal data.

Sensitive Personal Data Refers to personal data related to race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health information, disabilities, union membership, genetic data, and biometric data.

Biometric Data Refers to personal data obtained from physical or behavioral characteristics used to uniquely identify an individual, such as facial recognition data, iris scans, or fingerprint data.

Public Data Refers to personal data that has been made public by the data subject, such as social media profiles. When using social media credentials (such as Facebook, Twitter, or Line) to connect to company services, public information like social media account IDs, interests, likes, and friends lists may be collected. Data subjects can control this through the privacy settings of the respective social media platform.

Data Controller Refers to the individual or entity with the authority and responsibility to make decisions regarding the collection, use, or disclosure of personal data.

Data Processor Refers to individuals or entities that process personal data on behalf of or as instructed by the data controller.

Data Processing Refers to any operations performed on personal data, whether automated or not, such as collection, recording, organization, storage, alteration, retrieval, use, disclosure, transmission, combination, restriction, deletion, or destruction.

Application Refers to a program or set of instructions that controls the operation of mobile devices and peripherals, ensuring they perform as instructed. Applications must have a user interface (UI) for interaction with users.

IP Address Refers to a numerical label assigned to each device (such as a computer or printer) participating in a computer network that uses Internet Protocol for communication.

Cookies Refers to small data files sent by the Company’s website to the computer or internet-connected device to store personal data, which is sent back to the originating website each time it is revisited.

Office Refers to the Office of the Personal Data Protection Commission.

2. Roles, Duties, and Responsibilities

2.1 The Board of Directors is responsible for overseeing the protection of personal data in accordance with laws and governmental regulations.

2.2 The Personal Data Management Task Force, as assigned by the Board of Directors, shall:

  • Supervise the management of personal data.
  • Establish guidelines for the formulation and review of policies, as well as the framework for personal data management operations.
  • Provide recommendations and scrutinize objectives, policies, plans, practices, processes, and documents related to personal data management.
  • Oversee and evaluate the performance of personal data management.
  • Invite relevant departments to provide explanations or insights beneficial to the operations.
  • Supervise compliance with the policy and have the authority to approve changes, amendments, or reviews of this policy.

2.3 Senior management is responsible for managing and controlling operations related to the collection, use, and disclosure of personal data to ensure compliance with laws and governmental regulations, as well as ensuring effective data security.

2.4 Employees must strictly comply with this policy, Company regulations, and orders, as well as related laws and governmental regulations.

3. General Provisions

3.1 The protection of personal data under this policy covers the personal data of individual customers.

3.2 The Company assigns the Data Protection Officer (DPO) to review this policy at least once a year or when significant changes occur affecting operations under this policy. Any changes will be announced via the Company’s website at https://www.tvothai.com.

3.3 The Company collects, uses, or discloses personal data only with the consent of the data subject, unless the Company makes the data anonymous or has a legal basis to support such actions, as follows:

  • When it is necessary to fulfill a contract.
  • To comply with the law.
  • When necessary for legitimate interests within reasonable expectations of the data subject.
  • When necessary for public interest missions.
  • To prevent or halt danger to life.
  • For the preparation of historical or archival records for public benefit.

3.4 The Company collects personal data only to the extent necessary for legitimate purposes and informs the data subject of the details as required by law.

3.5 The Company deletes, destroys, or anonymizes personal data when the retention period has expired, or the data is no longer necessary for the purpose for which it was collected, or as requested by the data subject, or when the data subject withdraws consent, unless there is a legal or regulatory requirement that obliges the Company to retain the data.

3.6 The Company ensures the security of personal data, considering the privacy of data subjects and maintaining confidentiality.

4. Consent from Data Subjects

4.1 Requests for consent to collect, use, or disclose personal data must be explicit and made in writing or through electronic means, unless such methods are impractical. Other methods must provide credible evidence that the data subject has given their consent.

4.2 The data subject must be clearly informed of the purpose for collecting, using, or disclosing their personal data in a clear and straightforward manner, without deception, ensuring the data subject's independence in giving consent.

4.3 If the data subject is a minor who has not reached legal age through marriage or does not have legal capacity, consent must be obtained from the guardian or legal representative.

4.4 If the data subject is an incompetent person, consent must be obtained from their legal guardian.

4.5 If the data subject is a quasi-incompetent person, consent must be obtained from their legal curator.

4.6 In cases where the data subject or their legal representative (as mentioned in 4.3, 4.4, or 4.5) wishes to withdraw their consent, it must be as easy to do as giving consent. If the withdrawal affects the data subject, they must be informed of the consequences.

4.7 The Company may collect, use, or disclose personal data only for the purposes previously notified to the data subject. Any deviation from the original purpose requires the data subject's prior consent.

5. Purpose of Personal Data Collection

5.1 Personal data collection must be for the purpose of utilizing the data in the Company’s operations, as required by law or governmental regulations.

5.2 When collecting personal data, the data subject must be informed beforehand or at the time of collection, including details such as:

  • The purpose of collection, use, or disclosure.
  • The necessity for the data subject to provide personal data to comply with legal obligations or contracts, and the potential consequences of failing to provide such data.
  • The types of personal data to be collected and the retention period.
  • The types of individuals or entities that may receive disclosed personal data, including a list of those individuals or entities (if applicable).
  • The data subject’s legal rights.
  • Information about the Company and its Data Protection Officer, contact details, and methods of communication.

5.3 Collected personal data must be accurate and complete based on the information provided by the data subject. If there are changes to the data, it must be updated to remain accurate and current.

5.4 The collection of sensitive personal data requires explicit consent from the data subject unless supported by legal grounds, which must be approved by the appropriate authority.

5.5 If personal data is collected from sources other than the data subject, the data subject must be informed within 30 days, and consent must be obtained unless legally justified, with approval from the appropriate authority.

5.6 Personal data collection must include a record of the purpose for collecting each type of personal data, information about the data controller, retention period, rights and access methods, and conditions regarding access rights. Other details as required by law must be recorded to enable data subjects or regulatory bodies to inspect them.

5.7 Personal data may be collected for the purpose of verifying or identifying customers participating in the Company’s activities.

5.8 Personal data may be collected for promotional and marketing activities related to the Company’s products and services, including advertising, promotional campaigns, and providing recommendations to best meet the needs of customers.

5.9 Personal data may be collected for educational purposes, research, statistics, and to develop and improve the Company’s products and services for the benefit of customers.

5.10 Personal data may be collected for communication and the preparation of public relations materials distributed through various communication channels.

6. Access and Use of Personal Data

6.1 Employees of the Company may access or use personal data only to the extent necessary for their duties and within the rights assigned by the Company. If an employee requires access to personal data beyond their assigned rights, they must obtain approval from the authorized personnel.

6.2 Employees must use personal data solely for the purposes for which the data was collected or in accordance with the consent given by the data subject, unless supported by lawful grounds.

6.3 System administrators and owners of the systems must only grant access to personal data to employees who are entitled or have been authorized by the relevant authority.

7. Methods of Data Collection

The Company collects personal data through the following processes:

7.1 Directly from the data subject: Before participating in the Company's activities or any other operations, the Company will inform the data subject of the reasons and necessity for collecting, using, or disclosing their personal data. This will be done prior to or at the time of data collection. The data subject will also be informed if their personal data may be disclosed to third parties as mentioned above. Once informed, if the data subject consents, they may do so via written channels or electronic systems provided by the Company. The Company ensures that the consent process is free, easily accessible, and understandable, meeting legal standards.

7.2 From affiliated companies

7.3 From third parties such as agents, vendors, or service providers involved in data collection, business partners, or collaborators.

7.4 From the Company's websites: Direct consumer interactions through websites operated by the Company, including those under the Company's domains/URLs and mini-sites on third-party social media platforms, such as Facebook.

7.5 From mobile websites/applications: Consumer interactions via mobile websites or applications operated by or for the Company, such as smartphone apps.

7.6 From emails and other electronic content: Interactions through electronic communications between you and the Company.

7.7 From offline registration forms: Registration through print or digital forms, similar methods collected via postal mail, product demonstrations at points of sale, contests, promotions, and various activities.

7.8 From advertising interactions: Engagements with Company advertisements (e.g., if you interact with one of the Company’s ads on a third-party website, the Company may receive data about such interaction).

7.9 From data generated during interactions: The Company may create personal data about you during your interactions with the Company (e.g., records of your purchases from the Company’s website).

7.10 From other sources: Third-party social networks (e.g., Facebook, Google), market research (if not conducted anonymously), third-party data aggregators, promotional partners, public sources, and data acquired when the Company purchases other businesses.

8. Disclosure and Receipt of Personal Data

8.1 Disclosure of personal data to individuals or organizations outside the Company requires the consent of the data subject and approval from the Personal Data Protection Steering Committee (PDPA Steering Committee), unless it is in compliance with legal or regulatory obligations.

The Company may disclose personal data to external parties and/or entities in the following circumstances:

  • 8.1.1 Authorized intermediaries such as delivery companies, data storage providers, and systems development and maintenance service providers, for Company operations.
  • 8.1.2 Business partners, affiliates, and/or external service providers: To provide services or offer benefits related to the Company's products or services, including data analysis, processing, IT services, and customer platform development, etc. Such entities must adhere to a confidentiality agreement and maintain recognized standards of personal data protection.
  • 8.1.3 Government bodies or other legal entities: To comply with laws, orders, or official requests.

8.2 The Company ensures that any received personal data from external individuals or organizations is legally valid and approved by the PDPA Steering Committee, unless required by law or regulation.

8.3 When the Company engages third-party processors, they must have appropriate and equivalent security measures in place, as defined by the Company. Agreements are required to ensure that the processors act in accordance with the Company's instructions and data protection regulations.

9. International Transfer of Personal Data

If the Company transfers personal data abroad, it will ensure that the recipient entity has an acceptable level of personal data protection and complies with applicable laws. The Company will:

9.1 Transfer or store personal data as necessary.

9.2 Use international-standard cloud processing services, ensuring data encryption or other non-identifiable methods.

10. Data Security and Confidentiality

The Company adheres to data security policies to prevent unauthorized access, leaks, modifications, or loss of personal data. This includes:

  • Following internationally accepted information security standards.
  • Limiting data access to authorized individuals.
  • Implementing both physical and electronic safeguards.

When engaging third parties, the Company ensures that they meet confidentiality and security standards for personal data protection.

11. Rights of Data Subjects

Data subjects have the following rights:

  • The right to know about the existence and nature of their personal data and the purposes for which it is used by the Company.
  • The right to access and request a copy of their personal data, subject to appropriate identity verification by the Company.
  • The right to request corrections or updates to ensure the data is accurate and up to date.

12. Data Retention Period and Storage Locations of Personal Data

The Company will retain personal data only for as long as necessary, considering the purpose and necessity of collecting and processing the data, including compliance with applicable legal requirements. Personal data may be kept for a certain period after the data subject ceases to interact with the Company, in accordance with relevant legal timeframes and statutes of limitations. The Company will store personal data in appropriate locations based on the type of data. In some cases, it may be necessary to retain personal data beyond the statutory period, such as when legal proceedings are ongoing.

The Company will retain all types of personal data collected from the data subject for the period mandated by law, such as accounting and tax laws, which may specify different retention periods. The Company may also retain personal data longer if required by law. Once the legal retention period has ended, the Company will delete or destroy the data or anonymize it, ensuring that it can no longer identify the individual, through secure methods that prioritize the interests of the data subject.

However, the Company may delete, destroy, or anonymize personal data before the legally required retention period if requested by the data subject. Such requests must be in writing and go through a verification process similar to when the data subject consents to the collection, use, and disclosure of personal data. This is to ensure that the deletion, destruction, or anonymization is accurate and applies to the correct person.

Additionally, for certain types of personal data, the Company may set specific deletion periods, such as one year from the date of collection or the last transaction with the Company. For example, data of job applicants who were not selected, website visitors, or former shareholders may be subject to specific deletion timelines. Even when personal data is anonymized, the Company may retain it for statistical analysis or to improve services, such as personnel development, credit services, new product development, or IT system improvements.

Once personal data is deleted, destroyed, or anonymized at the request of the data subject, the Company may no longer be able to provide certain services to the individual (excluding services provided prior to the deletion). Any costs incurred from processing the request may be charged to the data subject if deemed necessary by the Company.

Types of Personal Data Collected and Storage Methods

The type of personal data the Company collects depends on the individual’s interaction with the Company (online, offline, via phone, etc.). The Company will collect various types of data as explained below:

Contact Information: Data provided by the individual, enabling the Company to contact them, such as name, postal address, email address, social media details, or phone number.

Account Access Information: Data required for the individual to access specific accounts, such as user/email accounts, usernames, encrypted passwords, or security questions and answers.

User Preferences and Interests: Data describing user characteristics or behavior, such as birth date, age, gender, geographical location (e.g., postal code), product preferences, hobbies, and interests.

Computer/Mobile Device Information: Data regarding the systems or devices used to access the Company’s websites or applications, including IP address, operating system type, browser type and version, and mobile device details (if applicable).

Website Usage and Communications Data: Information about the individual’s interaction with the Company’s website or newsletters, such as clicked links, page views, content duration, and engagement statistics. This data is collected via automatic technologies like cookies and third-party tracking for analytics and advertising purposes.

Marketing Research and Consumer Opinions: Voluntarily disclosed information about experiences with the Company’s products and services.

User-Generated Content: Any content provided by individuals through third-party social networks or by uploading to the Company’s websites, such as images, videos, and personal or similar media. The Company may collect and publish such content in connection with activities like contests or promotions.

Third-Party Social Network Data: Information that individuals make public or allow the Company to access from third-party social networks (e.g., Facebook), such as basic account details, user profiles, and activities.

Payment and Financial Information: Data necessary to process orders, including debit or credit card details, or other payment methods. Payment providers will handle financial information in compliance with applicable laws and security standards (e.g., PCI DSS).

Customer Support Communications: Communications with customer service may be recorded or monitored for quality or training purposes, with prior notice as required by law.

Sensitive Personal Data: The Company will not collect or process sensitive personal data in the normal course of its business operations. When it is necessary to process the sensitive personal data of clients for any reason, the Company will obtain explicit prior consent from clients for the voluntary processing of such data (e.g., for marketing purposes). If the Company processes clients' sensitive personal data for any purpose, it will comply with the following legal bases: (i) crime detection and prevention (including fraud prevention); and (ii) compliance with relevant laws (e.g., adherence to the Company’s various reporting requirements).

13. Use of Personal Data for Marketing Purposes

In addition to the purposes stated above and in compliance with legal requirements, the Company will use personal data for marketing purposes, such as sending promotional materials via mail, email, or other methods, including conducting direct marketing activities. This is intended to enhance the benefits that personal data owners receive as clients of the Company by recommending related products and services.

Clients may choose to opt out of receiving marketing communications from the Company, except for communications related to the data owner and/or services that the Company provides to the client, such as receipts, etc.

14. Cookies

Cookies are small computer files (text files) that are installed or stored on your computer or electronic devices when you visit a website. Cookies remember your website usage information. In this notice, the Company also uses the term "cookies" to refer to similar technologies that serve the same purpose.

How the Company Uses Cookies

  • To study your website usage behavior to improve usability, speed, and efficiency.
  • To understand the patterns and history of your website usage, and the information or services you are interested in, for analysis purposes.
  • To enhance services, display content, advertise, or promote relevant activities and services based on your interests to increase your satisfaction.
  • To display advertisements on the Company's website or to manage the Company's advertisements on other websites. The Company’s website partners may use cookie technology to collect information about your activities on this and other websites to show you ads based on those activities and interests.

Types of Cookies the Company Uses

The Company uses the following types of cookies on its website:

Necessary Cookies

These cookies are essential for the operation of the website. They allow you to access information and use the Company's website securely, including managing networks and accessing all parts of the website.

Preferences Cookies

These cookies remember your preferences and selections when you return to the website, such as language, region, or font size, for a personalized experience.

Statistics Cookies

These cookies help the Company recognize and count website visitors, as well as track their browsing behavior to improve the website. They collect and report information on how you use the site, allowing the Company to better understand user interests and measure the effectiveness of its advertisements. The data collected cannot be directly used to identify individuals.

Marketing Cookies

These cookies are used for marketing purposes, such as promotions and analyzing your behavior to tailor the Company's products and services to your preferences.

Managing Cookies

Although most internet browsers are set to accept cookies automatically, most browsers also allow you to modify settings to block cookies or notify you when cookies are sent to your device.

In addition to the options above, you may refuse, accept, or remove cookies from websites at any time by adjusting your browser settings. Information on how to enable or disable cookies, or remove cookies, can be found on your browser provider’s website.

Please note that if you disable or remove cookies, some features of the website may not function as intended. For example, you may not be able to access certain parts of the website, or you may not receive personalized information when visiting the site.

If you use different devices to access the website (such as computers, smartphones, or tablets), you will need to adjust the settings for each browser on each device to align with your cookie preferences.

15. Links to External Websites

The Company's website may contain links to third-party websites, which may have different privacy policies than those of the Company. Personal data owners are advised to review the privacy policies of those websites to understand their data protection practices before disclosing personal information. The Company will not be responsible for the content, policies, damages, or actions of third-party websites.

16. Data Protection Officer

The Company has appointed a Data Protection Officer to oversee activities related to the collection, use, or disclosure of personal data to ensure compliance with the Personal Data Protection Act B.E. 2562 (2019) and the Company's policies, regulations, and directives. The officer will also coordinate and cooperate with the Office of the Personal Data Protection Committee.

17. Questions Regarding the Privacy Policy

If you have any questions or concerns regarding this privacy policy or the management of your data, please contact:

Name: Mr. Peeratchai Veerasoonthorn

Contact address: Thai Vegetable Oil Public Company Limited, 149 Ratchadapisek Road (Thapra-Taksin), Bukkhalow, Thonburi, Bangkok

Contact number: +66-2-477-9020 ext. 580

Email: dpo@tvothai.com

18. Contact Information

If you have any concerns about the Company's privacy policy, the data collected, or wish to exercise your rights under the Personal Data Protection Act, please contact:

Company name: Thai Vegetable Oil Public Company Limited

Address: 149 Ratchadapisek Road (Thaphra-Taksin), Bukkhalo, Thonburi, Bangkok

Website: https://www.tvothai.com

Customer Service (Call Center): +66-2-477-9020

Email: dpo@tvothai.com

19. Contacting the Appropriate Authority

If you wish to file a complaint or feel that the Company has not addressed your concerns satisfactorily, you may contact and/or file a complaint with the Office of the Personal Data Protection Committee at the following details:

Office of the Personal Data Protection Committee

Ministry of Digital Economy and Society

Email: pdpc@mdes.go.th

Telephone: +66-2-142-1033

Notice Date: May 26, 2023

(Mr. Pachai Chanpitaksa)
Chief Executive Officer
