EVOLUTION WELLNESS (THAILAND) COMPANY LIMITED (“the Company”) realizes the importance and obligation under the Personal Data Protection Act B.E. 2562, which focuses on respecting the privacy rights of the Clients. This includes a natural person who acts on behalf of a juristic person which is the Data Subject (hereinafter referred to as “Clients”). The Company is committed to protecting your Personal Data as pursuant to Personal Data Protection Law and other relevant laws. Therefore, the company has prepared this Privacy Notice to inform about the details relating to the collection, use and disclosure of Personal Data (collectively referred to as “Processing”) as well as the Data Subject’s right as described below.

This Privacy Notice applies to the Personal Data of the Clients including a natural person acting on behalf of a juristic person who is the Data Subject. This includes directors, consultants, executives, employees, representatives, and other related Company personnel.

“Client” is a person who is the target of the Company to sell its products or services including participants in marketing campaigns or activities, those who are interested in the Company's products or services through various channels and/or the users of the Company's services through social media and electronic media, as the case may be. This includes authorized persons who acts on behalf of the Clients such as a guardian of a minor, a guardian of an incompetent, a guardian of a quasi-incompetent, etc.

2.1. “Personal Data” refers to any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased person in particular. This Personal Data includes first name, last name, nickname, address, phone number, ID card number, passport number, social security card number, tax identification number, bank account number, credit card number, email address, IP Address, Cookie ID, Log File, etc.
 
Personal Data, however, does not include business contact information that does not identify an individual personally. These would include items such as company name and address, registration number, company telephone number, or a business email address such asinfo@company.co.th. Personal Data also does not include anonymous data or pseudonymous data, or that of deceased persons.
 
2.2. “Sensitive Data” is defined as Personal Data pertaining to racial or ethnic origin, genetic and biometric data, political views, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union association, or any other data which would affect the Data Subject in such manner defined by the Personal Data Protection Committee. The Company shall process such data with special care and attention. The Company will collect, use and/or disclose sensitive Personal Data only after having received your explicit consent, or in cases where it is required by law.
 
When there is no specific mention of “Personal Data” or “Sensitive Data”, it shall be collectively referred to as “Personal Data”.
 
In the cases that the Company obtained information your ID Card copies or accessed your information from the identification card through an electronic means for the purpose of authentication to establish legal obligation and/or any transactions with the Company. The collected data will also include religious data, which is Sensitive Data. The Company shall determine how to manage such Sensitive Data in accordance with applicable Company guidelines and as permitted by law.

The Company collected your Personal Data as necessary according to the purposes of using the data that the Company will inform in the next part.
 
(1). In this regard, the Company has classified the types of Personal Data collected by the company as shown below Type of Data- Personal Data Types of Data that the Company Collects, Uses and/or Discloses- Title, First name, Middle name, Last name, ID Card number / Passport number, Date of birth, Customer taste, Gender, Emergency contacts, Health information, Vaccination information, Occupation, AIA insurance status, Payment details, Photograph, Signature.
Type of Data- Sensitive Data Types of Data that the Company Collects, Uses and/or Discloses
1).  Physical Examination Records: Heart disease information: history and current condition, Chest pain or tightness condition, Prescription history of Heart disease, Blood pressure or Diuretics, Bone and joint issues, Balance and dizziness issues, other diseases that affect exercise, such as gout,
2).  Collecting data from Boditrax: pH Impedance, Fat-free mass, Muscle rate, Fat rate, Bone rate, BMR rate, Age, BMI rate, Weight, Height.
3).  Other health data Type of Data- Contact Information Types of Data that the Company Collects, Uses and/or Discloses– Current address, Phone number, Mobile phone number, E-mail address. Type of Data- Educational Information and work experience Types of Data that the Company Collects, Uses and/or Discloses– Occupation, Company Name. Type of Data- Financial Information Types of Data that the Company Collects, Uses and/or Discloses- Bank account number, Credit card number, Payment or debt settlement records, The Company's services and products usage, Purchase and sales history and balance, Payment and transaction history. Type of Data- Visual and audio information Types of Data that the Company Collects, Uses and/or Discloses- CCTV footage, Communication record via online or other channels. Type of Data- Usage information Types of Data that the Company Collects, Uses and/or Discloses- usage Information of the Company’s website or platform, Use of the Company's products and services, Cookies data, other data collected through the Company's platforms
(2). Sensitive Data refers to that is purely personal but sensitive and may cause risk of discrimination, such as racial, ethnic origin, political opinions, cult, religious of philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union data, genetic data, biometric data or any other data which affects the data subject in such manner as prescribed and announced by the Personal Data Protection Committee.
The Company has explicitly requested your consent prior the collection of such personal data unless there is a legal basis to collect such information without obtaining consent, details appear in the consent form.
(3) Personal Data of minor. The minimum requirement for determining the age of users of the Company is 15 years and above, which is a minor who is a person under 20 years of age. In this regard, the collection of personal data of the minor, the Company has requested consent from the holder of parental responsibility over the minor before taking any action regarding the collection, use and/or disclosure of personal data, details appear in the consent form from the holder of parental responsibility.
The minimum age requirement for Company users is 15 years old. Under these criteria, the user is minor who is a person under 20 years of age. Regarding the collection of Personal Data of a minor, the Company shall request consent from the responsible parent before taking any action. This action includes the collection, use and/or disclosure of Personal Data. Details are specified in the parental consent form
 

The company will collect your Personal Data and Sensitive Data through the following process.

4.1 Personal Data that you give directly to the Company.

Such as information used to subscription including attached documents, requests to change personal data or other information, service requests or requests regarding products or services, product, complaint information regarding product and/or service, information used to register and create an account or profile with the company in order to take the Company’s services both offline and online, communicate information with the company whether in written or electronic form, your information provided through surveys, suggestions, or comments from various channels including information collected at the head office or branch office, the customer service center or booth, etc.

4.2 Personal Data automatically collected by the Company.

When you access services through the Company's system or website via mobile phone, computer, laptop, etc. Your Personal Data may automatically collected with a technology called “cookies” or other technologies with the same or similar figures.

4.3 Personal Data collected from external sources or liable public information.

These sources include the Department of Provincial Administration, the Department of Business Development, as well as commercial resources, websites, applications, social media, data providers, agencies, or related entities, etc.

4.4 Personal Data collected through contact with the Company.

Personal Data is collected through your contact with the Company, employees, agents, business partners, associates, authorized representatives, or other entities related to the Company. This Personal Data may also be collected through channels including websites, applications, social media, phone, e-mail, meetings, interviews, short message (SMS), fax, or letters. Data may be collected in text form as well as pictures and audio.

4.5 Personal Data collected when engaging in Company activities.

Personal Data may be collected in connection with marketing activities, events or competitions organized approved, or authorized by or on behalf of the Company and/or its partners and associates.

When you agree and consent to provide the Company with personal data of third parties such as family members, etc., you have certified the accuracy of it. Additionally, any third parties must be fully informed of this Privacy Notice.

ses for Collecting, Using, and Disclosing Personal Data the Company will collect, use, or disclose your personal data according to the following basis.

5.1 Contractual Basis: for compliance with contractual obligations that you have entered into. These include service contracts, sale and purchase contracts, subscription contracts or other contracts. These also include the processing your requests or application form prior to entering into a contract

5.2 Legal Obligation: for compliance with obligations required by law. These include Tax Laws, Electronic Transaction Laws, Civil and Commercial Laws as well as Public Health Laws, etc.

5.3 Legitimate Interest: for the legitimate interest of the Company. However, these must not violate your fundamental rights or freedoms

5.4 Consent: the Company must request your consent as required by law or the company cannot apply any of the abovementioned basis to process Personal Data collected from you.

The company will collect, use or disclose your Personal Data for the following purposes:

    (1). The purposes that require consent Purpose
  • 1)    Check Health Condition Identity Verification.

    Description

    1.1 Health information to check health conditions before physical exercise and body measurement for processing, analysis

    1.2 Religious information for Identity verification

    Lawful basis – Consent

    2)    Analyze Website Usage

    Description

    Collection of unnecessary cookies for the website using to improve the functionality and quality of the web service and also to analyze data for marketing.

    Lawful basis – Consent

  • (2). The purposes require another lawful basis than consent. Purpose
  • 1)    Carry Out your Requests Prior to Entering Contracts or Comply with Contractual Obligations

    Description

    • For the sale of products and/or services or to comply with contracts, account management.
    • Membership application.
    • Deliver, conduct accounting or financial processes and after sales service and returned products.
    • Process requests / assist you to receive products and services.

    Lawful basis– Contractual Basis

    Purpose

    2)    Manage Advertising and Public Relations.

    Description

    • Advertising and public relations
    • Conduct marketing campaigns, data analysis, and product development
    • Contact Clients to give advice or offer products

    Lawful basis– Legitimate Interest

    Purpose

    3)    Manage Operations and After-Sales Customer Care.

    Description

    • Review and analyze personal data.
    • Develop prompt, high quality, convenient, online Company service.
    • To be able to access or transfer information in your account, member number or various personal codes that the company has provided to you through computer and/ or other electronic devices and the company can effectively monitor the access to your account, member number or various personal codes. In order to prevent unauthorized usage or access by another person or fraudulent use or wrongful use, and to improve Company services to be more efficient.

    Lawful basis– Legitimate Interest, Contractual Basis.

    Purpose

    4)    Information Technology Management

    Description

    • Provide information systems to collect and process data; connect with clients and representatives.
    • Provide information technology systems to process clients data through access of the Company's website, applications, and social media such as Facebook, Line, etc.

    Lawful basis– Legal obligation, Legitimate Interest, Contractual Basis.

    Purpose

    5)    Manage, develop, and take action as required in order to conduct business more efficiently

    Description

    • Management of products, and services (this includes websites and applications), Detection and prevention of fraud or other crimes, Clients and prospect relationship management, Maintenance and use of IT systems.
    • Measure the effectiveness of Company marketing policies and advertising.

    Lawful basis– Legal obligation, Legitimate Interest.

    Purpose

    6)    Investigations Complaints, Disputes, Litigation and Risk Management

    Description

    • Investigations Complaints, Disputes, Litigation and Risk Management.
    • Take any action in regard to inspection, investigation, or inquiries that may lead to prosecution, take measures to exercise contractual and legal rights, and manage settlement of disputes or conflicts that may arise between the Company and Clients relating to the Company's services.

    Lawful basis– Legal obligation, Legitimate Interest.

    Purpose

    7)    Security Management

    Description

    • CCTV footage to maintain security in and outside the building. This will proceed without violating your privacy rights.

    Lawful basis– Legitimate Interest.

To carry out the purposes stated in this Privacy Notice, your Personal Data may be disclosed or sent to various departments within the Company and/or to persons or external entities as detailed below.

Type of recipient- Internal Departments

Description

Your Personal Data may be disclosed or submitted to internal departments of the Company. The following people or teams will be allowed access as necessary and appropriate:

  • Sales staff or other relevant department officers according to their roles and responsibilities
  • Executive or supervisors responsible for management and decision-making
  • Supporting departments or teams such as Marketing, Corporate, Call Center, Club Operations, Fitness, Admin and Accounting, HR, Procurement, Leasing, Property, IT, etc.

Type of recipient- Government Agencies, Regulators, or other Departments as Required by Law.

Description

Your Personal Data may be disclosed or delivered to external organizations such as the Revenue Department, Social Security Office, Department of Labor Protection and Welfare, Legal Execution Department, Ministry of Commerce, Ministry of Labor or other departments according to relevant laws.

Type of recipient- External Organizations or Third Parties.

Description

The Company may disclose your Personal Data to external organizations or third parties who contact us to verify your transactions and to provide services or products according to your preferences.

7.1 In the event that the Company collects, uses or discloses personal data under your consent, you are entitled to have the right to withdraw your consent at any time. However, the withdrawal of consent shall not affect the collection, use or disclosure of Personal Data already given.

7.2 Under the Civil and Commercial Code, before giving consent, minors must provide their guardian’s details to the Company. This is to ensure that consent is agreed upon by the guardian as well.

 

You may withdraw consent for the Company to collect or disclose Personal Data either entirely or partially according to this privacy notice by notifying the Company.

 

However, if you decides to withdraw the consent given to the Company to collect, use or disclose your Personal Data for other purposes except marketing purpose, the Company may not be able to carry out certain processes or services and/or manage products or relationship or your existing account. That may affect you to lose the benefits in using the Company’s service as same as when you gave your consent for the collection, use or disclosure of personal data to the Company.

8.1 The Company may transmit or transfer Personal Data to both domestic and international third parties when necessary to perform its contractual obligations that you are a party, or to perform contractual obligations between the company and other persons or other entities for your benefits, or to perform any requests prior to entering a contract, or in order to prevent or deter any danger to your life, body or health or other persons, or to comply with applicable laws and to carry out responsibilities regarding public interest.

8.2 The Company may collect your Personal Data from computers, servers, cloud storage, or file sharing services provided by a third party. The Company may also use third-party applications such as software or platform services for processing your Personal Data. The Company shall not allow any unauthorized, independent, or non-related parties to access this Personal Data. The Company shall require such third parties who do have permission to access this Personal Data to have appropriate measures for data security.

8.3 In the event that it is necessary to transmit or transfer your Personal Data overseas, the Company shall comply with applicable personal data protection laws and implement appropriate measures to ensure that your Personal Data is duly protected and shall be able to exercise your rights related to your Personal Data as permitted by law. In addition, the Company shall require these overseas parties to take appropriate measures for data security. The Company shall also take necessary steps to prevent unauthorized use or disclosure of Personal Data.

9.1 The Company will retain your Personal Data for the required period in compliance with applicable laws, taking into account the necessity, purpose, use and processing for which it was collected.

9.2 The Company will collect, use, and disclose your Personal Data that was collected, even if the relationship with the Company has been terminated. This is allowed by law for the purpose of legitimate interest. The Company will do this in such a way as to make the data non-identifiable, either directly or indirectly. For example, “Anonymous Data” or “Pseudonymous Data” may be used.

9.3 The Company will erase or destroy Personal Data or convert it permanently into anonymous data or other means when the retention period has expired, or when the Personal Data is irrelevant or beyond the purpose necessary for which it has been collected. The Company will also erase or destroy Personal Data in order to comply with your request for such action.

The Company prioritizes the security of your Personal Data such as encryption, and restriction of access to Personal Data to ensure that our personnel and third parties acting on our behalf have complied with appropriate standards for Personal Data protection. This includes the duty to prevent data leakage and the Company will take appropriate security measures in relation to the processing of data.

The Company will keep your Personal Data discreetly in accordance with technical and organizational measures to secure proper processing and prevent Personal Data breaches. The Company has established policies, rules, and regulations for Personal Data Protection. These include measures to prevent third-party recipients of information from using or disclosing information beyond the intended purpose or unauthorized or wrongfully. The Company periodically updates its policies, rules, and regulations as necessary. In addition, the Company's executives, employees, contractors, agents, consultants, and recipients of data are obliged to maintain the confidentiality of Personal Data in accordance with the confidentiality measures set by the Company.

The Company regularly reviews and updates Personal Data security procedures and measures in order to maintain a high level of security for risk factors involved. Data security protection involves data collection and access, data usage, modification, amendments, or unauthorized disclosure of Personal Data. These measures ensure the confidentiality of Personal Data, integrity, accessibility, and flexibility in the processing of Personal Data. The Company will apply various measures to maintain proper security when processing all types of Personal Data both in electronic and document format.

11.1 You have the right to perform as follows:

1) Right to withdraw consent

You are entitled to withdraw the consent previously given to the Company to collect, use and disclose your Personal Data (whether such consent has been given prior to or after the Personal Data Protection Law was enacted). You may withdraw consent at any time when it is being held by the Company unless there is a rights restriction by law or valid contract.

However, be informed that withdrawing consent may affect in using of products and/or services such as you will be unable to receive benefits, new promotions or offers, unable to receive better products or services that suit to your preferences or unable to receive useful information, etc. It is therefore advised to inquire about the impact before taking this step.

2) Right to access of Personal Data

You are entitled to have access to your Personal Data and to request the Company to provide copies of these documents and also have the right to request to reveal how your Personal Data was obtained. However, the Company is entitled to reject such a request based on applicable laws or court orders, or if such a request will adversely affect the rights and freedoms of other individuals.

3) Right to Data portability

You are entitled to have the right to obtain your Personal Data which has been processed by the Company in a format that is readable or useable with an automated device and can be used or disclosed via automated means. You also have the right to request the Company to transfer your personal data in such format to another Data Controller if it can be processed via the automated means and to request Personal Data of said format which is directly sent or transferred by the Company to other data controllers unless it cannot be processed due to technical difficulties.

However, the above Personal Data must be Personal Data that you have given consent to the company for collecting, using and/or disclosing or Personal Data that the Company is required to collect, use and/ or disclose in order to use products or services according your wishes that you are a party to the contract with the company or to comply with your request prior the usage of the Company’s products or services or Personal Data as determined by competent authorities.

4) Right to object

You are entitled to lodge an objection to the collection, use or disclosure of your Personal Data at any time. However, if this collection, use, or disclosure is undertaken for the legitimate interests of the Company or other persons or entities under your reasonable expectation, or for public interest. If you have lodged an objection, the Company shall continue to collect, use and/or disclose this Personal Data. In this case, the Company must provide compelling and legitimate grounds for such collection, use and/or disclosure that are more important than your fundamental rights or to verify the right according to the law, to comply in accordance with applicable laws or for the litigations as the case may be.

In addition, you are entitled to lodge an objection to the collection, use and/or disclosure of your Personal Data if it was collected/used/disclosed for direct marketing purposes or for the purpose of scientific, historical or statistical studies and research.

5) Right to erasure

You are entitled to request the Company to delete or destroy your Personal Data or make it anonymous if you believe that it has been collected, used and/or disclosed illegitimately and is not in compliance with applicable laws or contend that it is no longer necessary for the Company to keep such data according to the objectives of this Privacy Notice or when you have withdrawn consent or lodged an objection. This would apply unless the Company is obliged to collect this Personal Data for the purpose of compliance with the law or establish a legal claim related to the retention of such data.

6) Right to restriction

You are entitled to request the Company to restrict or suspend the use of your Personal Data if the Company is conducting an investigation per your request. This also applies in cases where it is no longer necessary for the Company to keep this Personal Data and must delete or destroy your Personal Data in accordance with applicable laws but you request for the restriction instead.

7) Right to rectification

You are entitled to correct your Personal Data to keep it accurate, up-to-date, complete and not misleading.

8) Right to file a complaint

You are entitled to file a complaint to relevant authorities if you believe that the collection, use and disclosure of your Personal Data violates applicable laws.

If you have concerns or inquiries about the Company's policies related to your personal data, please contact the Company by using the contact details in Clause 14 of this Privacy Notice. If there is a reason to believe that the Company has violated data protection laws, you have the right to file a complaint with the proper legal authorities or authorities appointed by the Personal Data Protection Committee.

If the Data Subject submits a request to exercise the rights under the Personal Data Protection Law, the Company will proceed with such request within the period specified by law. In addition, the Company reserves the right to refuse or not act upon such request if it is not required by law.

11.2 The Company has all rights and sole discretion to accept and process your request or to reject it.

Exercising the rights under Clause 11.1 may be restricted by applicable laws, and, in certain cases, there may be compelling reasons for the Company to deny your request or that prevent the Company from complying with your request. These may include compliance with laws, court orders, for the purpose of public benefit or, potentially violate another person’s rights or freedoms. If a request is denied, the Company shall provide the reason(s) for such denial.

The Company's website may have links to social networks, platforms and other websites operated by third parties. The Company attempts to only link to websites that have high standards for personal data protection. However, the Company cannot be held responsible for the content or standards of personal data protection of third-party websites unless stated otherwise. Any personal data provided by you to third-party websites is therefore subject to that website’s data protection policies (if any). Therefore, the Company recommends you carefully read third-party privacy notices and personal data protection policies appearing on these websites.

The Company will review this Privacy Notice for Clients regularly to be in line with related procedures, laws, and regulations. The Company shall keep you informed of important changes, or revisions of this Privacy Notice. You are encouraged to periodically check for updates to this Privacy Notice.

If you have questions or need further clarification about the collection, use or disclosure, exercise your rights according to this Privacy Notice, please contact as below. Email: DataProtection.TH@evolutionwellness.co.thTel:02-118-6665

You hereby acknowledge and agree that this Privacy Notice is governed and applied in accordance with Thai laws and that Thai courts have jurisdiction over any disputes that may arise.

Announced on 30 May B.E. 2565(2022)