We, STEPS SOCIAL ENTERPRISE CO., LTD. (referred to in this policy as “Company”, “we” or “us”), are determined to protect the privacy of our trainees, clients, and partners (collectively, “you”, or “Data Owner”) in the collection, use, disclosure and/or overseas transfer of your personal data (“Data Processing”). To comply with the Personal Data Protection Act B.E. 2562 (A.D. 2019) (“PDPA”), the Company has issued this policy to inform you details of personal data we collect from you, how and why we collect such data, your rights, and other terms and conditions with regards to our Data Processing of your personal data, including security measures that we adopt to protect your personal data.
- Personal Data
“Personal Data” means any information related to you which can directly or indirectly identify you (excluding the deceased’s information).
“Sensitive Data” means Personal Data that relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, criminal records, health information, disability, trade union membership information, genetic and biometric information or any data which may affect you in the same manner as prescribed by the Personal Data Protection Committee under the PDPA.
- Personal Data we collect when we interact with you
In collecting and storing Personal Data, the Company will use lawful measures and will only do so for the purpose of the operation of Company, which consists of the following:
- personal information of your representative or contact person as name, surname, identification card or passport, contract number;
- CCTV footage of clients at our locations; and
- other data such as records of our correspondence with your representative.
- Legal basis for Data Processing of your Personal Data
We will collect, use and/or disclose your Personal Data when it is necessary and there is a lawful basis for such collection, use or disclosure. Your consent may not necessarily be required if we have other legal basis to collect, use and/or disclose your Personal Data. Circumstances where your consent may or may not be required are as follows:
- Personal Data necessary for compliance with law
We may be required by laws, regulations and/or orders of competent authorities or courts, such the labour department or the tax authority, to collect, use or disclose your Personal Data in which case your consent will not be required.
- Personal Data necessary for contract
We may need to collect, use, or disclose your Personal Data in order to (a) process your request prior to entering into a contract with us, (b) authenticate your identity prior to entering into a contract with us or (c) perform our obligations under the contract. Your consent will not be required for these purposes.
- Personal Data necessary for protecting our legitimate interest
We may need to collect, use, or disclose your Personal Data to protect our legitimate interest or a third party’s legitimate interest. This includes circumstances where your Personal Data is required for development or improvement of our services, maintain our relationship, maintain security and prevention of fraud, internal compliance, and good governance of the Company. If the Data Processing of your Personal Data relies on this legal basis, we will ensure that it will not violate your fundamental rights. Your consent will not be required for this purpose.
- Other legal basis
In addition to the legal basis described above, we may rely on other legal basis, as described under the PDPA, to collect, use or disclose your Personal Data. Such legal basis includes circumstances where your Personal Data is required for performing public tasks or exercising official authority or preventing harm on a person’s life or health.
- Sources of our collection
- We may collect Personal Data directly from you through the process of our services, i.e. the engagement and in the course of our interactions and communications with you.
- Purposes of the processing of Personal Data
We may process the Personal Data collected for the following purposes. If the Personal Data shall be used for other purposes apart from the below, we will inform you before or when the data is being collected.
Information of client from business service centre
- To provide our services such as the digitisation and classification of documents;
- To perform and fulfil our contractual and legal obligations. The Company may require your Personal Data such as name, surname, photo, date of birth, identification card, passport, disability card, phone number, email, company name and company registration number for the purpose of entering into a service agreement. If such Personal Data cannot be provided, the Company may not be able to enter into a service agreement with you;
- To promote and market our service; and
- For a legitimate interest of the Company such as recording CCTV footage for the safety of our trainees and employees and our business.
- Disclosure or sharing of Personal Data
We will not disclose or share your Personal Data to any third parties unless under such disclosure complies with the following criteria:
Information of client from business service centre
- We may share Personal Data of your representative or contact person such as his or her name and contact details to promote and market our service on our website.
- Transfer of Personal Data outside Thailand
Currently, we do not transfer your Personal Data to a destination outside Thailand. However, if our Data Processing requires the transfer of your Personal Data to any person or entity outside Thailand in the future, we will comply with the requirement of the PDPA.
- Protection of Personal Data
- We apply physical and electronic safeguards in connection with the collection, storage and disclosure of your Personal Data;
- We use computer safeguards such as firewalls and data encryption to keep your Personal Data safe;
- We only authorise access to employees and trusted partners who need it to carry out their responsibilities; and
- Duration of Personal Data storage
|No.||Type of personal data||Storage period|
(a) corporate information of the client such as name, corporate identification number, registration documents, and tax registration documents; and
(b) CCTV Footage of clients at our locations.
Up to 10 years after the contract is completed or terminated
(The client information in this section refers to the information of the client when they enter into a contract with Steps (not the information they send Steps for storage).
- Your rights as the data owner
- a right to withdraw consent to the Data Processing previously granted;
- a right to access to, and ask for, a copy of the Personal Data;
- a right to request the Company to provide a copy of your Personal Data in a machine readable format and to request the Company to transfer your Personal Data to a third party or to receive your Personal Data which was sent or transferred to the third party (unless it is technically impossible to do so or we are entitled to reject your request pursuant to the PDPA);
- a right to object the Data Processing at any time relating to your Personal Data collected (a) for public interest and legitimate interest purpose (b) for direct marketing purpose and (c) for scientific, historical or statistic research (unless we have compelling legitimate interest to retain or continue using or disclosing your Personal Data, for example, your Personal Data is required for us to initiate or defend a claim);
- a right to request the Company to erase, destruct or anonymise your Personal Data (unless we have legal grounds to reject your request) in case that the consent for the Data Processing is withdrawn, the Data Processing was lawfully objected, or the Personal Data is unlawfully obtained;
- a right to restrict the Data Processing of Personal Data if it is the data that must be erased, is no longer needed, or is pending a verification on objection or the accuracy of the Personal Data; and
- a right to raise a claim against the Company or its employees upon its or their violation of the PDPA.
- Personal Data collected before 1 June 2022
Any Personal Data which the Company have collected prior to the effective date of the PDPA (1 June 2022), the Company shall be entitled to continue to collect and use such Personal Data for the original purposes. If you do not wish for the Company to continue collecting and using such Personal Data, please contact the Company via the channel in Clause 13 of this Policy below to make your request.
- Our contact details
If you have any queries or requests relating to your Personal Data, please contact us through the below channel.
Contact person: Max Simpson
Address: 29/8 Charonmitr, Klongtan Nua, Wattana, Bangkok, 10110