We, STEPS CONSULTING CO., LTD. (referred to in this policy as “Company”, “we” or “us”), are determined to protect the privacy of our trainees, clients and partners (collectively, “you”, or “Data Owner”) in the collection, use, disclosure and/or overseas transfer of your personal data (“Data Processing”). To comply with the Personal Data Protection Act B.E. 2562 (A.D. 2019) (“PDPA”), the Company has issued this policy to inform you details of personal data we collect from you, how and why we collect such data, your rights, and other terms and conditions with regards to our Data Processing of your personal data, including security measures that we adopt to protect your personal data.
- Personal Data
“Personal Data” means any information related to you which can directly or indirectly identify you (excluding the deceased’s information).
“Sensitive Data” means Personal Data that relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, criminal records, health information, disability, trade union membership information, genetic and biometric information or any data which may affect the you in the same manner as prescribed by the Personal Data Protection Committee under the PDPA.
- Personal Data we collect when we interact with you
In collecting and storing Personal Data, the Company will use lawful measures and will only do so for the purpose of the operation of Company, which consists of the following:
- Information of trainees and employees
- personal information of trainees and employees such as name, surname, photo, date of birth, identification card, passport, and disability card;
- contact information such as address, email address, phone number, and emergency contact;
- education information such as education level and background;
- family information such as names of your family members and their contact details;
- employment information such as internship and employment records;
- financial and accounting information such as bank account number and copy of book bank;
- CCTV footage of trainees and employees at our locations;
- your Sensitive Personal Data such as religion as shown in the identification card, blood type as shown in the identification card, medical information (which includes medical records, diagnosis and medication, including therapy and psychological assessment records), criminal records, biometric data
- Legal basis for Data Processing of your Personal Data
We will collect, use and/or disclose your Personal Data when it is necessary and there is a lawful basis for such collection, use or disclosure. Your consent may not necessarily be required if we have other legal basis to collect, use and/or disclose your Personal Data. Circumstances where your consent may or may not be required are as follows:
- Personal Data necessary for compliance with law
We may be required by laws, regulations and/or orders of competent authorities or courts, such the labour department or the tax authority, to collect, use or disclose your Personal Data in which case your consent will not be required.
- Personal Data necessary for contract
We may need to collect, use or disclose your Personal Data in order to (a) process your request prior to entering into a contract with us, (b) authenticate your identity prior to entering into a contract with us or (c) perform our obligations under the contract. Your consent will not be required for these purposes.
- Personal Data necessary for protecting our legitimate interest
We may need to collect, use or disclose your Personal Data in order to protect our legitimate interest or a third party’s legitimate interest. This is include circumstances where your Personal Data is required for development or improvement of our services, maintain our relationship, maintain security and prevention of fraud, internal compliance and good governance of the Company. If the Data Processing of your Personal Data relies on this legal basis, we will ensure that it will not violate your fundamental rights. Your consent will not be required for this purpose.
- Other legal basis
In addition to the legal basis described above, we may rely on other legal basis, as described under the PDPA, to collect, use or disclose your Personal Data. Such legal basis include circumstances where your Personal Data is required for performing public tasks or exercising official authority or preventing harm on a person’s life or health.
- Personal Data which requires your consent
We may ask for your consent prior to a Data Processing in the following circumstances:
- a Data Processing of your Personal Data which is Sensitive Personal Data when other legal basis do not apply;
- when we would like to contact you to offer additional services or products;
- when you are minor, incompetent or quasi-incompetent whose consent must be given by parents, guardian or curator (as the case may be);
- other circumstances which PDPA requires your consent.
- Sources of our collection
- We may collect Personal Data directly from you through the process of our services, i.e. the process of enrolment or engagement and in the course of our interactions and communications with you.
- We may collect Personal Data from other sources such as public resources or social media.
- Purposes of the processing of Personal Data
We may process the Personal Data collected for the following purposes. If the Personal Data shall be used for other purposes apart from the below, we will inform you before or when the data is being collected.
- Information of trainees and employees
- To conduct our business such as the customization of the trainings, the evaluation of trainee’s progress and the necessary communications in relation to the services;
- To improve our services such as the assessment and amendment of the programmes;
- To promote and market our services to other trainees or business partners;
- To carry out financial and tax activities such as the payment of employees’ salary and the issuance of tax related documents;
- To perform and fulfil our contractual and legal obligations. The Company may require your Personal Data such as name, surname, photo, date of birth, identification card, passport, disability card, phone number and email for the purpose of entering into an employment agreement. If such Personal Data cannot be provided, the Company may not be able to enter into an employment agreement with you; and
- For a legitimate interest of the Company such as recording CCTV footage for the safety of our trainees and employees and our business.
- Disclosure or sharing of Personal Data
We will not disclose or share your Personal Data to any third parties unless under such disclosure complies with the following criteria:
- Information of trainees and employees
- We may share your Personal Data with government officers, the court or other competent authorities or organizations as required by law.
- We may share your Personal Data, to the extent necessary, including your health and disability information, on our website, press documents or presentations to our clients or the public for marketing activities such as sharing your success stories on our website and our annual impact reports. However, we will ask for your explicit consent prior to any of the disclosure or sharing of your Sensitive Personal Data.
- Transfer of Personal Data outside Thailand
Currently, we do not transfer your Personal Data to a destination outside Thailand. However, if our Data Processing requires the transfer of your Personal Data to any person or entity outside Thailand in the future, we will comply with the requirement of the PDPA.
- Protection of Personal Data
- We apply physical and electronic safeguards in connection with the collection, storage and disclosure of your Personal Data;
- We use computer safeguards such as firewalls and data encryption to keep your Personal Data safe;
- We only authorise access to employees and trusted partners who need it to carry out their responsibilities; and
- Duration of Personal Data storage
Type of personal data
1. Information of trainees and employees
(a) personal information of trainees and employees such as name, surname, photo, date of birth, identification card, passport, and disability card
(b) contact information such as addresses, email addresses, phone numbers, and emergency contacts
(c) education information such as education level and background
(d) family information such as names of your family members and their contact details
(e) medical information such as medical records, diagnosis and medication, including therapy and psychological assessment records
Up to 10 years from the date of the termination of the relevant contract with the relevant trainee or employee
(f) employment information such as internship and employment records
(g) financial and accounting information such as bank account number and copy of book bank
(h) CCTV footage of trainees and employees
- Your rights as the data owner
- a right to withdraw consent to the Data Processing previously granted;
- a right to access to, and ask for, a copy of the Personal Data;
- a right to request the Company to provide a copy of your Personal Data in a machine readable format and to request the Company to transfer your Personal Data to a third party or to receive your Personal Data which was sent or transferred to the third party (unless it is technically impossible to do so or we are entitled to reject your request pursuant to the PDPA);
- a right to object the Data Processing at any time relating to your Personal Data collected (a) for public interest and legitimate interest purpose (b) for direct marketing purpose and (c) for scientific, historical or statistic research (unless we have compelling legitimate interest to retain or continue using or disclosing your Personal Data, for example, your Personal Data is required for us to initiate or defend a claim);
- a right to request the Company to erase, destruct or anonymise your Personal Data (unless we have legal grounds to reject your request) in case that the consent for the Data Processing is withdrawn, the Data Processing was lawfully objected, or the Personal Data is unlawfully obtained;
- a right to restrict the Data Processing of Personal Data if it is the data that must be erased, is no longer needed, or is pending a verification on objection or the accuracy of the Personal Data; and
- a right to raise a claim against the Company or its employees upon its or their violation of the PDPA.
- Personal Data collected before 1 June 2022
Any Personal Data which the Company have collected prior to the effective date of the PDPA (1 June 2022), the Company shall be entitled to continue to collect and use such Personal Data for the original purposes. If you do not wish for the Company to continue collecting and using such Personal Data, please contact the Company via the channel in Clause 13 of this Policy below to make your request.
- Our contact details
If you have any queries or requests relating to your Personal Data, please contact us through the below channel.
Contact person: [Max Simpson]
Address: 29/11 Charonmitr, Klongtan Nua, Wattana, Bangkok, 1011