EVOLUTION WELLNESS (THAILAND) COMPANY LIMITED (the “Company”) realizes the importance and obligation under the Personal Data Protection Act B.E. 2562, which focuses on respecting the privacy rights of the current business partners, approved vendors, business alliances including suppliers (hereinafter referred to as “Partner”). The Company is committed to protecting your Personal Data as pursuant to Personal Data Protection Law and other relevant laws. Therefore, the company has prepared this Privacy Notice to inform about the details relating to the collection, use and disclosure of Personal Data (collectively referred to as “Processing”) as well as the Data Subject’s right as described below.

This Privacy Notice applies to the Personal Data of current business partners, approved vendors, business alliances and suppliers. These include both natural person and persons who act on behalf of a juristic person. These Data Subject include directors, consultants, executives, employees, representatives, and other individuals associated with the Company.

          “Partner” is defined as a natural person or a juristic person having business transactions with the Company. These have been approved to enter into a purchase/hire/lease contract with the Company. These include current business partners, approved vendors, business alliances and suppliers who provide products and services to the company.

2.1 “Personal Data” refers to any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased person in particular. This Personal Data includes first name, last name, nickname, address, phone number, identification card number, passport number, social security card number, driver license number, tax identification number, bank account number, credit card number, email address, license plate number, land title deed, IP Address, Cookie ID and Log File, etc.

Personal Data, however, does not include business contact information that does not identify an individual personally. These would include items such as company name and address, registration number, company telephone number, or a business email address such as info@company.co.th.  Personal Data also does not include anonymous data or pseudonymous data, or that of deceased persons.

2.2 “Sensitive Data” is defined as Personal Data pertaining to racial or ethnic origin, genetic and biometric data, political views, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union association, or any other data which would affect the Data Subject in such manner defined by the Personal Data Protection Committee. The Company shall process such data with special care and attention. The Company will collect, use and/or disclose sensitive Personal Data only after having received your explicit consent, or in cases where it is required by law.

When there is no specific mention of “Personal Data” or “Sensitive Data”, it shall be collectively referred to as “Personal Data”. 

In the cases that the Company obtained information your ID Card copies or accessed your information from the identification card through an electronic means for the purpose of authentication to establish legal obligation and/or any transactions with the Company. The collected data will also include religious data, which is Sensitive Data.  The Company shall determine how to manage such Sensitive Data in accordance with applicable Company guidelines and as permitted by law.

The Company collected your Personal Data as necessary according to the purposes of using the data that the Company will inform in the next part. In this regard, the Company has classified the types of Personal Data collected by the company as shown below

Type of data: Basic Personal Data

Description: Such as title, first name, last name, gender, photos, date of birth, age, nationality, identification number, current address, and house registration address.

The company will collect your Personal Data and Sensitive Data through the following process

4.1 Personal Data that you give directly to the Company

Such as the information that appears in the procurement process for the third party services or rent area, signing any services contract/ lease contract, sale and purchase contract or other business contracts, filling in forms, completing surveys, registering, or procedure for submitting a petition or a request to exercise the rights, the information used to register and create an account or profile with the company in order to take the Company’s services both offline and online.

4.2 Personal Data that the Company automatically collects.

When you access services through the Company's system or website via mobile phone, computer, laptop, etc.  Your Personal Data may automatically collected with a technology called “cookies” or other technologies with the same or similar figures.

4.3 Personal Data collected from external sources or liable public information

These sources include the Department of Provincial Administration, Department of Business Development, commercial resources, websites, applications, Social Media Resources, Data Providers, entities or companies or associations or confederations that are related to entering into a legal contract and/or the operations of business partner, etc.

4.4 Personal Data collected through contact with the Company

Personal Data is collected through your contact with the Company, employees, agents, business partners, associates, authorized representatives, or other entities related to the Company.  This Personal Data may also be collected through channels including websites, applications, social media, phone, e-mail, meetings, interviews, short message (SMS), fax, or letters. Data may be collected in text form as well as pictures and audio.

The Company will collect, use, or disclose your personal data according to the following basis.

 5.1 Contractual Basis, for compliance with the contractual obligation, such as hire contract or any other contract or to process a request or application form prior to entering into a contract, as the case may be.

The Purpose for Collecting, Using and Disclosing Personal Data of Partner

The company collects, uses or discloses your Personal Data for the following purposes:

Purpose: 1. For consideration and signing of a commercial contract.

Description: Consideration and signing of commercial contracts and the necessity of performing the contract, Engaging in various transactions related to the Company's business, Compliance with employment contracts, service contracts, confidentiality contracts Memorandum of Understanding (MOU) , other commercial contracts and related agreements or cooperation between the company and the contracting party, Preparation of information before entering the procurement process, such as making a procurement request. Preparation of details, conditions, requirements for procurement (TOR), etc.

Lawful basis: Performance of the contract

Purpose: 2. To consider the qualifications of the approved vendor list.

Description: Consideration of the qualifications of the registrant and register as the approved vendor list according to the requirements of each department or register as the approved vendor list through the company's online system.

Lawful basis: Performance of the contract.

To carry out the purposes stated in this Privacy Notice, your Personal Data may be disclosed or sent to various departments within the Company and/or to persons or external entities as detailed below.

6.1 Internal department

Your Personal Data may be disclosed or submitted to internal departments of the Company. The following people or teams will be allowed access as necessary and appropriate:

• Procurement officer or other relevant department officers according to their roles and responsibilities

• The executives or direct supervisor who is responsible for managing or making decisions regarding a Partner or when dealing with procurement procedures.

• Supporting departments or teams

6.2 External organizations

Your personal data may be disclosed or submitted to external organizations as follows:

6.2.1 Official departments, Regulators or other departments as required by law, such as the Royal Thai Police, the Revenue Department, the government, the courts, the Legal Execution Department, or any other legal authorities.

6.2.2 External Organizations or Third Parties, the Company may disclose your data to external organizations or third parties who contact us to verify your transactions and to provide services or products according to your preferences.

7.1 In the event that the Company collects, uses or discloses personal data under your consent, you are entitled to have the right to withdraw your consent at any time.  However, the withdrawal of consent shall not affect the collection, use or disclosure of Personal Data already given.

7.2 Under the Civil and Commercial Code, before giving consent, minors must provide their guardian’s details to the Company. This is to ensure that consent is agreed upon by the guardian as well.

You may withdraw consent for the Company to collect or disclose Personal Data either entirely or partially according to this privacy notice by notifying the Company.

8.1 The Company may transmit or transfer Personal Data to both domestic and international third parties when necessary to perform its contractual obligations that you are a party, or to perform contractual obligations between the company and other persons or other entities for your benefits, or to perform any requests prior to entering a contract, or in order to prevent or deter any danger to your life, body or health or other persons, or to comply with applicable laws and to carry out responsibilities regarding public interest.         

8.2 The Company may collect your Personal Data from computers, servers, cloud storage, or file sharing services provided by a third party. The Company may also use third-party applications such as software or platform services for processing your Personal Data. The Company shall not allow any unauthorized, independent, or non-related parties to access this Personal Data.  The Company shall require such third parties who do have permission to access this Personal Data to have appropriate measures for data security.

8.3 In the event that it is necessary to transmit or transfer your Personal Data overseas, the Company shall comply with applicable personal data protection laws and implement appropriate measures to ensure that your Personal Data is duly protected and shall be able to exercise your rights related to your Personal Data as permitted by law. In addition, the Company shall require these overseas parties to take appropriate measures for data security. The Company shall also take necessary steps to prevent unauthorized use or disclosure of Personal Data.

9.1 The Company will retain your Personal Data for as long as it is reasonably necessary, taking into account the necessity and purpose which the Company must collect, use and process including to comply with the requirements of applicable law.

The requirement that is used to determine the retention period, such as the period that the Company still has an obligation with you as an approved vendor list, business partner, director, representative, authorized person or a person who performs on behalf of a natural person or a juristic person registered as a business partner of the Company, and the Company may continue to retain your personal data for a necessary period in compliance with the law or the period prescribed by law, for establishment, compliance or exercise of legal claims or set up against legal claims or for other reasons in accordance with internal policies and requirements of the Company.

9.2 The Company will collect, use, and disclose your Personal Data that was collected, even if the relationship with the Company has been terminated. This is allowed by law for the purpose of legitimate interest. The Company will do this in such a way as to make the data non-identifiable, either directly or indirectly. For example, “Anonymous Data” or “Pseudonymous Data” may be used.

9.3 The Company may retain your personal data as long as it is necessary to fulfill the purpose of processing your personal data as stated in this Privacy Notice. The Company will retain your personal data not exceeding 10 years commencing from the date you terminate the relationship or the last contact with the Company. The Company may retain your Personal Data for a longer duration, as permitted by law.

9.4 For the consistency of the relevant duration and period prescribed by law, the Company will retain your personal data in an appropriate format according to the type of personal data. However, it is necessary for the Company to continue to collect your personal data even after the prescription period has expired for the legitimate interests of the Data Controller unless such interests are less important than your fundamental rights in your personal data.

9.5 The Company will conduct an inspection to delete or destroy the Personal Data, or make the Personal Data permanently become anonymous data or any other methods to restrict the Personal Data when the retention period has expired or unrelated or beyond the necessity according to the purpose of collecting such personal data or when the Company has to comply with your request to delete your personal data.

The Company prioritizes the security of your Personal Data such as encryption, and restriction of access to Personal Data to ensure that our personnel and third parties acting on our behalf have complied with appropriate standards for Personal Data protection. This includes the duty to prevent data leakage and the Company will take appropriate security measures in relation to the processing of data.

The Company will keep your Personal Data discreetly in accordance with technical and organizational measures to secure proper processing and prevent Personal Data breaches. The Company has established policies, rules, and regulations for Personal Data Protection. These include measures to prevent third-party recipients of information from using or disclosing information beyond the intended purpose or unauthorized or wrongfully.  The Company periodically updates its policies, rules, and regulations as necessary. In addition, the Company's executives, employees, contractors, agents, consultants, and recipients of data are obliged to maintain the confidentiality of Personal Data in accordance with the confidentiality measures set by the Company.

The Company regularly reviews and updates Personal Data security procedures and measures in order to maintain a high level of security for risk factors involved. Data security protection involves data collection and access, data usage, modification, amendments, or unauthorized disclosure of Personal Data. These measures ensure the confidentiality of Personal Data, integrity, accessibility, and flexibility in the processing of Personal Data.  The Company will apply various measures to maintain proper security when processing all types of Personal Data both in electronic and document format. 

11.1 You have the right to perform as follows:

1) Right to withdraw consent

You are entitled to withdraw the consent previously given to the Company to collect, use and disclose your Personal Data (whether such consent has been given prior to or after the Personal Data Protection Law was enacted).  You may withdraw consent at any time when it is being held by the Company unless there is a rights restriction by law or valid contract.

However, be informed that withdrawing consent may affect in using of products and/or services such as you will be unable to receive benefits, new promotions or offers, unable to receive better products or services that suit to your preferences or unable to receive useful information, etc. It is therefore advised to inquire about the impact before taking this step.

2) Right to access of Personal Data

You are entitled to have access to your Personal Data and to request the Company to provide copies of these documents and also have the right to request to reveal how your Personal Data was obtained. However, the Company is entitled to reject such a request based on applicable laws or court orders, or if such a request will adversely affect the rights and freedoms of other individuals.

3) Right to Data portability

You are entitled to have the right to obtain your Personal Data which has been processed by the Company in a format that is readable or useable with an automated device and can be used or disclosed via automated means. You also have the right to request the Company to transfer your personal data in such format to another Data Controller if it can be processed via the automated means and to request Personal Data of said format which is directly sent or transferred by the Company to other data controllers unless it cannot be processed due to technical difficulties.

However, the above Personal Data must be Personal Data that you have given consent to the company for collecting, using and/or disclosing or Personal Data that the Company is required to collect, use and/ or disclose in order to use products or services according your wishes that you are a party to the contract with the company or to comply with your request prior the usage of the Company’s products or services or Personal Data as determined by competent authorities.

4) Right to object

You are entitled to lodge an objection to the collection, use or disclosure of your Personal Data at any time. However, if this collection, use, or disclosure is undertaken for the legitimate interests of the Company or other persons or entities under your reasonable expectation, or for public interest. If you have lodged an objection, the Company shall continue to collect, use and/or disclose this Personal Data. In this case, the Company must provide compelling and legitimate grounds for such collection, use and/or disclosure that are more important than your fundamental rights or to verify the right according to the law, to comply in accordance with applicable laws or for the litigations as the case may be. 

In addition, you are entitled to lodge an objection to the collection, use and/or disclosure of your Personal Data if it was collected/used/disclosed for direct marketing purposes or for the purpose of scientific, historical or statistical studies and research.

5) Right to erasure

You are entitled to request the Company to delete or destroy your Personal Data or make it anonymous if you believe that it has been collected, used and/or disclosed illegitimately and is not in compliance with applicable laws or contend that it is no longer necessary for the Company to keep such data according to the objectives of this Privacy Notice or when you have withdrawn consent or lodged an objection. This would apply unless the Company is obliged to collect this Personal Data for the purpose of compliance with the law or establish a legal claim related to the retention of such data.

6) Right to restriction

You are entitled to request the Company to restrict or suspend the use of your Personal Data if the Company is conducting an investigation per your request. This also applies in cases where it is no longer necessary for the Company to keep this Personal Data and must delete or destroy your Personal Data in accordance with applicable laws but you request for the restriction instead.

7) Right to rectification

You are entitled to correct your Personal Data to keep it accurate, up-to-date, complete and not misleading.

8) Right to file a complaint

You are entitled to file a complaint to relevant authorities if you believe that the collection, use and disclosure of your Personal Data violates applicable laws.

If you have concerns or inquiries about the Company's policies related to your personal data, please contact the Company by using the contact details in Clause 13 of this Privacy Notice. If there is a reason to believe that the Company has violated data protection laws, you have the right to file a complaint with the proper legal authorities or authorities appointed by the Personal Data Protection Committee.

If the Data Subject submits a request to exercise the rights under the Personal Data Protection Law, the Company will proceed with such request within the period specified by law. In addition, the Company reserves the right to refuse or not act upon such request if it is not required by law. 

11.2 The Company has all rights and sole discretion to accept and process your request or to reject it.

Exercising the rights under Clause 11.1 may be restricted by applicable laws, and, in certain cases, there may be compelling reasons for the Company to deny your request or that prevent the Company from complying with your request. These may include compliance with laws, court orders, for the purpose of public benefit or, potentially violate another person’s rights or freedoms.  If a request is denied, the Company shall provide the reason(s) for such denial.

The Company will review this Privacy Notice for Clients regularly to be in line with related procedures, laws, and regulations. The Company shall keep you informed of important changes, or revisions of this Privacy Notice.  You are encouraged to periodically check for updates to this Privacy Notice.

You hereby acknowledge and agree that this Privacy Notice is governed and applied in accordance with Thai laws and that Thai courts have jurisdiction over any disputes that may arise.

Announced on 30 May B.E. 2565(2022)