Privacy Center

Privacy Center

Tangerine company prioritizes the establishment of measures to protect the personal data of customers and/or users, particularly the right to privacy of visitors and/or website users. It is important to be aware of the expectations of visitors/website users regarding the protection of data provided to the company through this website. The information that visitors/website users provide to Tangerine Ltd. through this website will be appropriately protected. Therefore, Tangerine would like to announce the following personal data protection policy.

Section 1: General information about Tangerine

1. What services does Tangerine offer?

Tangerine Co., Ltd. (“Tangerine”) was established in 2003 as a subsidiary of Yip In Tsoi Co., Ltd. The Company provides consulting services, and develops, designs, sets up computer and network systems and information system security with the goal of becoming “the consultant who understands customers’ businesses” by applying technology to create maximum benefits, thus enhancing our customers’ competitiveness.

Tangerine has consistently received numerous awards from business partners, including Google, Cisco, Dell Technologies, and VMware.

2. Tangerine’s services

2.1 Google Cloud services: Tangerine has been entrusted by Google as a Premier Partner, making us the first company in Thailand to offer Google Cloud services. Our range of services includes:

  • Google Workspace
  • Maps Platform
  • Big Data Analytics
  • Apigee
  • Cloud Infrastructure
  • MapTIST
  • Additional services such as Tangerine Log Manager and Tangerine Message Recall

2.2 Installation and support services for enterprise products, including Cisco, Dell Technologies, and VMware.

2.3 Application development: in-house software design and development services to support the implementation of new technologies and facilitate business growth in digital channels. 

2.4 Cyber Security solutions: consulting services and security solution designs to assist organizations in preparing against cyber attacks.

2.5 IoT: consulting services and designing IoT solutions that leverage technology to create new business opportunities.

Section 2: Personal Data Protection Principles

Tangerine has been involved in providing consulting services, developing, designing, and setting up computer and network systems, as well as information system security. Our goal is to become a consultant who understands our customers’ businesses. Tangerine takes pride in stating that our services, particularly Google Cloud services, are globally reliable and secure. These services have undergone audits and certifications conducted by independent international auditors, covering all aspects, including installation services and support for various solutions and services. Tangerine places great importance on measures to protect Personal Data and ensure security. These are the key criteria that Tangerine prioritizes when serving our customers or service users. It also demonstrates our commitment to comply with the Personal Data Protection Act B.E. 2562.

1. The fundamental principles to protect privacy and information security

Tangerine offers infrastructure services related to information systems that require global-scale security. When providing these services, we adhere to three fundamental principles to protect the privacy of Personal Data and ensure information security, as follows:

1.1 Confidentiality  

1.2 Integrity 

1.3 Availability 

2. Audits and certifications according to international standards

2.1 Google Cloud services have successfully undergone assessments and received certifications in accordance with international standards.

Google Cloud services strictly adhere to the fundamental principles of Confidentiality, Integrity, and Availability. The services have been assessed and certified by independent auditors to instill confidence in our users that our services have measures to protect Personal Data and maintain security in accordance with international standards. These certifications include:

  • ISO/IEC 27001
    (Information Security Management Systems: ISMS) 
  • ISO/IEC 27017
    (Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services)
  • ISO/IEC 27018
    (Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII)
    in public clouds acting as PII processors) 
  • PCI DSS (Payment Card Industry (PCI)
  • Data Security Standards (DSS)) 
  • SOC 1 (Security Operation Center)
  • SOC 2 (Security Operation Center)
  • SOC 3 (Security Operation Center)
  • CSA Star 
  • California Consumer Privacy Act (CCPA)
  • GDPR (General Data Protection Regulation) 

2.2 In addition to the Google Cloud services mentioned in clause 2.1, other services offered by Tangerine also prioritize the implementation of measures to protect Personal Data and maintain security.

3. Personal Data Protection Act B.E. 2562

The Personal Data Protection Act B.E. 2562 (“PDPA”) aims to safeguard Personal Data. Therefore, important principles have been set forth in the Personal Data Protection Act, as follows:

3.1    To determine the definition of Personal Data and its types.

3.2    Any action involving Personal Data, including collection, use, disclosure, or transfer, should adhere to specific purposes.

3.3   The rights of the Personal Data Subject to access, update, and delete Personal Data.

3.4   Responsibilities of the Data Controller and Data Processor.

4. What is “Personal Data”?

“Personal Data” refers to any information relating to a person that allows for their direct or indirect identification, but not including the information of deceased individuals and business contact information such as the name and address of a company or its Juristic Person’s Registration Number.

4.1 Personal Data that directly identifies an individual includes name, address, ID card number, passport number, Social Security number, etc.

Biometric data is information obtained through techniques or technologies that use physical features or behavior of an individual to identify them, such as facial recognition, iris recognition, fingerprints, etc.

4.2 Data that may indirectly identify an individual

Data that can be linked, such as when two sets of information, whether within the same system or across different systems, can be combined to identify a person.

5. How many types of Personal Data are there?

Personal Data can be divided into two categories:
5.1 Personally Identifiable Information (PII), which may also indirectly identify an individual.

5.2 Sensitive Data, such as race, ethnicity, political opinions, religion, genetic data, biometric data, etc.

6. Collection of Personal Data

This must be carried out with the consent of the Personal Data Subject unless otherwise prescribed by law.

7. Use or disclosure of Personal Data

This must align with the purpose for which the Personal Data Subject has provided consent unless otherwise prescribed by law.

8. Processing of Personal Data

refers to any action that involves automated methods of collecting, using, disclosing, rectifying, providing summary reports, as well as sending or transferring Personal Data.

9. Implementation of security measures

to safeguard Personal Data from unauthorized disclosure or to prevent information leakage.

10. Cross-border transfer of Personal Data

or to locations outside the kingdom, which requires obtaining prior consent from the Personal Data Subject, unless it is a legally mandated action.

11. The Data Subject

refers to a natural person whose Personal Data, whether directly or indirectly, can identify them. For example, a password that needs to be used together with another set of information, such as the Personal Data Subject’s name and surname, to identify their identity.

12. The Data Controller

refers to an individual who has the authority to make decisions regarding the processing of Personal Data, including its collection, use, or disclosure. They are also responsible for processing Personal Data in accordance with the request of the Personal Data Subject, allowing them to exercise their rights to access, edit, and correct their Personal Data to ensure its accuracy or update it, as well as request the deletion of Personal Data.

13. The Data Processor

refers to an individual or juristic person who operates in the collection, use, or disclosure of Personal Data in accordance with the instructions or on behalf of the Data Controller.

Section 3: Compliance with the Personal Data Protection Act

To comply with the requirements of the Personal Data Protection Act, Tangerine has formulated a policy to operate in alignment with the principles outlined in the aforementioned law, as follows:

1. The collection and purposes of Personal Data collection

Tangerine collects Personal Data only as deemed necessary for legitimate purposes. The data will be collected directly from the Personal Data Subject, and Tangerine will inform the Personal Data Subject prior to or at the time of collection unless they are already aware of the details. The mentioned details encompass the following:

1.1 Purpose of collecting Personal Data for use or disclosure.

1.2 Personal Data which shall be collected, used, or disclosed.

1.3 In the event that the Personal Data Subject must provide Personal Data to comply with a law or contract or if it is necessary to provide Personal Data to enter into a contract, as well as informing about the potential consequences of not providing the Personal Data.

1.4 The types of individuals or organizations to which Personal Data collected may be disclosed.

1.5  Rights of the Personal Data Subject.

1.6  Collection of Personal Data in other cases where the consent of the Personal Data Subject is not required, in accordance with the Personal Data Protection Act.

2. Use of cookies

The Tangerine website utilizes cookies, which are text files designed to record the usage or origin of visits to the Tangerine website. Customers or users of the Tangerine website have the ability to manage their browser cookies through their browser settings. Generally, customers or service users can set up their browser to prevent accepting cookies from the website, receive notifications when they receive new cookies, refuse new cookies, and delete cookies from the Tangerine website when needed.

3. Collecting Personal Data from other sources

In cases where Tangerine needs to collect data from a source other than directly from the Personal Data Subject or where Personal Data is not collected without the explicit consent of the Personal Data Subject in accordance with the Personal Data Protection Act, Tangerine will only do so when absolutely necessary for the Company’s business operations and to provide benefits to its customers or users. The Personal Data Subject will be promptly notified about such actions, either directly or through announcements on the Company’s website. This applies to the following cases:

3.1 Research studies or statistics

3.2 Sales and Marketing

3.3 Advertising

3.4 Recruitment

3.5 Any other necessary and relevant actions

Tangerine is committed to implementing appropriate protection measures to safeguard the rights and freedoms of Personal Data Subjects. The Company places great importance on defining the conditions or principles individuals must prioritize when sharing necessary data with Tangerine. This ensures that their actions are righteous and in compliance with the Personal Data Protection Act.

4. Usage or disclosure of Personal Data

Tangerine will only use or disclose Personal Data when necessary and in accordance with the purpose of collection. Prior consent or notification (as applicable) will be obtained or provided to ensure that the Personal Data Subject is aware of such usage or disclosure, enabling effective services or fulfillment of legal obligations. Tangerine may disclose Personal Data to the following parties:

4.1 Affiliates

4.2 Business partners

4.3 Domestic and international data processing service providers

4.4 Government agencies or officials exercising legal authority

By disclosing Personal Data to such parties, Tangerine will ensure that they maintain the confidentiality of the Personal Data and restrict its use to the defined scope established by Tangerine. The Personal Data provided to Tangerine will be stored in the data center (cloud) of a third-party data processing provider, with servers located overseas. The transfer of customer Personal Data to the third-party data processing service provider is conducted with the objective of facilitating service provision, ensuring secure data storage, facilitating data retrieval services, and serving as a backup. Tangerine has undertaken a thorough review and selection process for the service provider and has established an agreement regarding data security measures and the extent of data processing. By providing Personal Data to Tangerine, you are deemed to have consented to the cross-border transfer and overseas storage of your Personal Data for the aforementioned purposes.

However, if you suspect that an individual to whom Tangerine has disclosed your Personal Data as mentioned above has utilized it beyond the specified scope, you can notify Tangerine as outlined in this Privacy Policy to initiate the appropriate action.

Furthermore, Tangerine may need to disclose your Personal Data to fulfill legal obligations. This may occur when data needs to be shared with government agencies, regulatory bodies responsible for overseeing service provisions, or entities supervising service users. Additionally, Tangerine may receive requests, supported by lawful authority, to disclose data for purposes such as legal prosecutions or from private agencies or other third parties involved in the legal process. In addition, the disclosure of data may occur when it is reasonably necessary to enforce Tangerine’s Terms and Conditions or in the context of organizational restructuring, amalgamation, or business acquisition. In such cases, Tangerine may transfer your Personal Data, either in whole or in part, to the relevant companies as required.

5. Retention of Personal Data

Tangerine will only retain your Personal Data for as long as reasonably necessary to fulfill the purposes stated in this Personal Data Privacy Policy and as required by applicable laws. If legal or disciplinary actions are initiated, Tangerine may be obligated to retain your Personal Data until the completion of such proceedings, including the duration for any appeals. Subsequently, your Personal Data will be deleted or archived in compliance with relevant laws. Once your Personal Data is no longer necessary or when there is no legal obligation to retain it, Tangerine will delete or destroy the Personal Data without prior notification.

6. Sending or transferring Personal Data

In the event that Personal Data is sent or transferred overseas, Tangerine will proceed with such transfer only if the receiving country possesses adequate Personal Data protection standards and meets the criteria established by the Personal Data Protection Committee of that country. This will be done unless prescribed by laws or with the consent of the Personal Data Subject, and the Personal Data Subject is informed of the inadequate personal data protection standards of the destination country.

Tangerine will implement the aforementioned measures when sending or transferring Personal Data overseas. This applies when sending or transferring Personal Data to Data Controllers or Processors who are located overseas and are affiliated with or in the same business network for the purpose of conducting joint business. In such case, Tangerine will take appropriate protective measures to comply with the criteria set forth by the Personal Data Protection Committee. These measures include enforcing the rights of the Personal Data Subject and implementing effective legal remedial measures.

7. Processing the Personal Data of minors

Tangerine does not provide services to minors under 20 years of age unless such a person is using the service solely under the supervision or approval of a parent or guardian.

8. Security measures

Tangerine understands the importance of implementing security measures when providing services to customers or service users to prevent unauthorized access, usage, disclosure, sharing, alteration, duplication, or deletion of Personal Data.

Tangerine would like to assure customers or service users that its services have been certified and have implemented security measures and Personal Data protection in accordance with international standards, as specified in Article 5. Regular reviews and assessments are conducted to enhance security measures, ensuring their appropriateness and effectiveness in handling technological advancements and countering the increasing complexity of online threats. These actions are taken to comply with the regulations established by the Personal Data Protection Committee.

9. Rights of the Data Subject

9.1 Customers or service users who are the owners of the Personal Data have the right to request access and obtain a copy of their Personal Data. They also have the right to request disclosure regarding the acquisition of any Personal Data that they have not given consent to. In addition, they have the right to request rectification to ensure that their Personal Data is current, as well as to obtain Personal Data related to them in a format that can be read or used by an automated tool or device. Furthermore, they have the right to request the transfer of their Personal Data to another Data Controller if such transfer can be facilitated in an automated manner. However, it is important to note that these actions must not infringe upon the rights or freedoms of other individuals and must comply with the provisions specified in the Personal Data Protection Act.

9.2 Customers or service users who are the owners of the Personal Data have the right to request the Data Controller to delete, destroy, or anonymize their data if its retention is no longer necessary for the purpose for which it was collected, used, or disclosed.

9.3 Customers or service users who are the owners of the Personal Data have the right to withdraw their consent for the collection, use, or disclosure of their Personal Data. However, it is important to note that the withdrawal of consent will not affect the collection, use, or disclosure of the Personal Data that has already been legally obtained with the individual’s consent. The Data Controller is responsible for informing the Personal Data Subject about the consequences of withdrawing consent.

10. Actions when Personal Data is infringed

Tangerine has established procedures and processes to manage cases where there is a breach of Personal Data. In the event of such a breach, Tangerine will report the incident to the Office of the Personal Data Protection Commission without delay, within 72 hours from the date of knowledge of the incident, unless it is determined that the violation poses no risk to the rights and freedoms of the individual. If the violation has a high risk of affecting the rights and freedoms of the individual, Tangerine will take appropriate measures to notify the Personal Data Subject about the breach and provide guidelines for remedies without delay, or take any other action as prescribed by the Personal Data Protection Committee.

11. Appointment of the Data Protection Officer

Tangerine has appointed a Data Protection Officer (DPO) to manage and protect the Personal Data in accordance with the legal requirements of the Personal Data Protection Act B.E. 2562. The DPO is responsible for providing advice, monitoring the handling of Personal Data, and collaborating with the Office of the Personal Data Protection Commission (PDPC).

12. Data Governance

Tangerine acknowledges the significance of data governance in safeguarding the privacy and security of Personal Data, demonstrated by granting DPOs the autonomy to fulfill their legal responsibilities. Additionally, Tangerine places emphasis on conducting regular assessments of its service systems by independent auditors who hold certifications aligned with international standards. Tangerine’s systems are certified in accordance with ISO/IEC 27001 (Information Security Management Systems (ISMS)).

Tangerine has established a system to monitor actions for the protection of Personal Data and ensuring its deletion and destruction after the designated retention period, such as removing data stored in cookies. Furthermore, if requested by the Personal Data Subject or if the Personal Data Subject withdraws their consent, their Personal Data will be deleted unless the collection of such data without consent is required by the Personal Data Protection Act and appropriate safeguards are in place to protect the rights and freedoms of the Personal Data Subject. Exceptions to this may include:

12.1 Fulfilling the purpose of documenting history or creating archives for the public benefit or to support educational or research endeavors.

12.2 Preventing or suppressing a danger to a person’s life, body, or health.

12.3 When it is necessary to comply with a contract in which the Personal Data Subject is a party or to process the Personal Data Subject’s request prior to entering into that contract.

12.4 When it is necessary for the Data Controller to carry out duties for the public interest or exercise the authorized power granted by the state.

12.5 In cases where sensitive Personal Data, such as race, ethnicity, religion, biometric data, etc., needs to be collected in compliance with the Preventive Medicine Law for purposes such as medical treatment, health management, public health benefits, labor protection, social security, National Health Insurance, scientific research studies, history or statistics, or other public interest or important public interest as prescribed by the Committee.

13. Contacting Tangerine

Tangerine Co., Ltd.

23 Fl., Bangkok Insurance Building, 25 Sathorn Tai Road,

Tungmahamek, Sathorn, Bangkok 10120

Tel: +66 2 285 5511

Email: dpo@tangerine.co.th

1. Purpose

With the enforcement of the Personal Data Protection Act B.E. 2562 on June 1, 2022, the Company recognizes the importance of law compliance. This includes prioritizing the protection of our employees’ Personal Data to ensure that the collection, use, disclosure, and retention of their data comply with the provisions of the Act. To achieve this, the Company has established a policy for internal use that addresses actions related to Personal Data and serves as guidelines for employees who handle Personal Data as part of their duties.

2. Scope of the policy and guidelines

This policy and these guidelines are established to set forth the policy for any operations involving the Personal Data of the Company’s employees and to provide guidelines for employees who have duties, responsibilities, or assignments related to Personal Data in accordance with the enforcement of the Personal Data Protection Act B.E. 2562. The Company assumes the status of both the Data Controller and Processor under the Act, as applicable.

3. Definition

  • “Personal Data” refers to any information relating to a person that allows for their direct or indirect identification, but not including the information of deceased individuals in particular.
  • “Sensitive Data” refers to Personal Data about race, ethnicity, political opinions, cults, religious or philosophical beliefs, sexual behavior, criminal records, health data, disabilities, trade union information, genetic data, biometric data, or any data that may affect the Personal Data Subject in the same manner, as prescribed by the Personal Data Protection Committee.
  • “Personal Data Subject” refers to an individual who owns the Personal Data.
  • “Data Controller” refers to an individual or juristic person who has the authority to make decisions regarding the collection, use, or disclosure of Personal Data.
  • “Data Processor” refers to an individual or juristic person who operates in the collection, use, or disclosure of Personal Data in accordance with the instructions or on behalf of the Data Controller. The individual or juristic person who performs such operations is not the Data Controller.
  • “Office” refers to the Office of the Personal Data Protection Commission.
  • “Committee” refers to the Personal Data Protection Committee.
  • “Company” refers to Tangerine Co., Ltd.

4. Key details of the Employee Privacy Policy

4.1 The Company considers it a very important policy for the protection of Personal Data, including the Personal Data of its employees.

4.2 The Company only collects, uses, or discloses the Personal Data of employees when it is deemed necessary for management or legal purposes, as outlined below:

  • For human resources management, employee welfare, and employee hygiene purposes.
  • For job bidding or offers with client companies or in alignment with the Company’s business operations objectives.
  • For marketing or public relations activities to promote the Company’s image, which may involve the presentation of employee data.
  • For information submitted or presented to government agencies as required by applicable laws or as ordered or requested by government officials, such as tax payments to the Revenue Department.

However, if it becomes necessary to collect the Personal Data of employees beyond the purposes mentioned above, the Company will seek additional consent from employees on a case-by-case basis.

 4.3 The Company can only collect, use, or disclose Personal Data for the stated purposes.

4.4 The Company will define the duties and responsibilities of the Data Controller, Data Processor, custodian, user, and authorizer, including implementing clear inspection procedures to ensure the security and proper use of Personal Data.

4.5 The Company can collect, use, or disclose Personal Data upon obtaining written consent or through an electronic system from the Personal Data Subject.

4.6 The Company may collect, use, or disclose Personal Data without the consent of the Personal Data Subject in the following cases:

  • To prevent or suppress a danger to a person’s life, body, or health.
  • If necessary for the performance of a contract, such as an employment contract.
  • If necessary for the legitimate interests of the Company, such as recordings from CCTV cameras.
  • If in compliance with the laws of the Company, such as submitting information to the Revenue Department or complying with the Labor Protection Act.

4.7 The Company will not collect, use, or disclose Sensitive Data of employees except in the following cases:

  • With written or electronic consent from the Personal Data Subject.
  • To prevent or suppress a danger to a person’s life, body, or health when the Personal Data Subject is unable to provide consent for any reason.
  • If the information is publicly available by the Personal Data Subject.
  • If it is necessary for the establishment, compliance, exercise, or defense of the legal claim.
  • If it is necessary to comply with the law, labor protection, social security, or other related regulations.

4.8 Employees who own the Personal Data have the right to request to view, inspect, and easily access their Personal Data at all times during the retention period. They also have the responsibility to provide additional information in the event of a change in Personal Data or to provide data in case of additional requests from the organization or relevant agencies.

4.9 The Company will notify the Personal Data Subject about the following before collecting Personal Data:

  • Objectives for collecting, using, or disclosing Personal Data. If the Company changes such objectives, the Company must notify the Personal Data Subject and obtain consent again.
  • Retention period throughout employment with the Company. In addition, the Personal Data of an employee who has left the company will be stored for a period of no more than ten years from the date of termination of the legal relationship as stipulated by relevant laws, taking into account the legal limitation period for potential legal proceedings that may arise from or relate to documents or Personal Data collected by the Company. Once the specified retention period has elapsed, the Company will proceed to delete, destroy, or anonymize the Personal Data in a manner that no longer allows identification of the Personal Data Subject.
  • The types of individuals or agencies to which the Personal Data collected may be disclosed.
  • Information about the organization’s channels, methods, and contact details.
  • Rights of the Personal Data Subject under the Personal Data Protection Act B.E. 2562.
  • In the event that the Personal Data Subject must provide Personal Data to comply with a law or contract, or it is necessary to provide Personal Data to enter into a contract, the Company will notify the Personal Data Subject and inform them of the potential impact that may occur from not providing their Personal Data.

4.10 The Company will not collect Personal Data from sources other than the employee who is the Personal Data Subject. Tangerine has a strict policy prohibiting related employees or those assigned to handle employees’ Personal Data, such as the Human Resources department, from collecting Personal Data from any sources other than the Personal Data Subject. In the event that Personal Data is obtained from other sources, they must notify the Personal Data Subject within 30 days and seek their consent for such collection.

4.11 The Company will ensure that the Personal Data collected is accurate, current, complete, and does not cause any misunderstanding.

4.12 The Company will comply with lawful requests from Personal Data Subject, which include:

  • Request to access their Personal Data
  • Request to receive a copy of their Personal Data
  • Request to suspend the use of their Personal Data
  • Request to delete or destroy their Personal Data
  • Request disclosure regarding the acquisition of their Personal Data that they have not given consent to
  • Request to send or transfer their Personal Data to another Data Controller
  • Request to withdraw consent to the collection, use, or disclosure of their Personal Data
  • Request for their Personal Data to be accurate, current, complete, and not cause any misunderstanding

4.13 The Company reserves the right to reject the request from the Personal Data Subject if it is deemed necessary, such as when it may affect other Personal Data. In such cases, the Company will document the denial of the request along with the supporting reasons.

4.14 The Company implements appropriate security measures to protect Personal Data, ensuring a level of security no lower than what is required by law. These measures aim to prevent the loss, unauthorized access, use, alteration, correction, or unlawful disclosure of Personal Data.

4.15 The Company will ensure that the Personal Data is securely stored, retained, and used with strict confidentiality.

4.16 The Company will conduct reviews of security measures as needed or in response to technological advancements.

4.17 The Company will regularly conduct inspections of the collection, use, disclosure, deletion, or destruction of Personal Data to ensure ongoing compliance with the organization’s policy and applicable laws.

4.18 In the event that an individual or an external agency requests access to any Personal Data of an employee, they are required to submit a letter stating the reason for their request to the Data Controller. The Controller must consider and approve the request before disclosing or providing the Personal Data. Unauthorized disclosure or provision of Personal Data is strictly prohibited.

4.19 In the event that a government agency requests an employee’s Personal Data, they are required to notify the Data Controller. The Data Controller must consider or review the request before providing the Personal Data, except in cases where it is required for regular legal obligations, such as social security, revenue, or labor protection. In such cases, the data may be shared and documented for review purposes.

4.20 In the event that an employee’s Personal Data needs to be transferred across borders, the managing director must authorize and ensure strict compliance with the laws. The transfer should strictly adhere to the purposes specified in Clause 4.2 and Clause 4.7(1) only.

4.21 Personal Data of employees collected by the Company will be considered the property of the Company. Any violation, disclosure, unauthorized access, personal use, or destruction without approval from authorized personnel designated by the Company will be subject to the highest level of punishment and/or prosecuted to the maximum extent permitted by law. Additionally, individuals involved will be required to provide full compensation for any damages incurred, as prescribed by law.

4.22 Storage, use, inspection, review, approval, or any action related to Personal Data in accordance with this policy must be conducted discreetly and only as deemed necessary in good faith. The Personal Data of employees shall be considered for internal use only and treated as confidential.

4.23 The Company will promptly notify the Office of any breach of Personal Data within 72 hours from the date of becoming aware of the incident unless there is no risk to the rights and freedoms of the individual. In cases where the breach poses a high risk to the rights and freedoms of the individual, the organization is obligated to notify the Personal Data Subject and provide appropriate remedies.

4.24 The Company will prepare and maintain records of transactions that include, at a minimum, the following for the inspection of the Personal Data Subject and the Office:

  • Personal Data which shall be collected
  • The purpose of collecting each type of Personal Data
  • Information about the Data Controller
  • Retention period of Personal Data
  • Information about the rights and procedures for accessing Personal Data, including the conditions regarding individuals who have the right to access the Personal Data
  • Use or disclosure of Personal Data
  • Refusal of the request
  • Description of security measures

4.25 The Company will prepare and record a list of Personal Data processing activities as mandated by the Committee.

4.26 The Company will adhere to Thailand’s Personal Data Protection Act.

5. List of employee Personal Data necessary for administrative purposes

In order to facilitate efficient, timely, and transparent management of employee Personal Data, the Company may require additional Personal Data from employees at any point during their employment.

5.1 The Personal Data provided in the job application and related documents, as specified by the Company, is considered essential information for evaluating and assigning tasks based on each employee’s knowledge, skills, experience, and personal qualifications. The specific list of Personal Data and the reasons for its necessity shall be as specified in the Company’s documents.

5.2 Examples of additional Personal Data that the Company may request during employment include:

  • Marital status, spouse’s name, and the name(s) of the employee’s child or children for additional welfare provisions or tax deduction calculations.
  • Medical certificates, health check-up results or documents, medications, medical supplies, or any other equipment related to the treatment of illnesses. This information will be used in good faith only for the purpose of:
    • providing appropriate and prompt medical assistance;
    • considering job adjustments based on health conditions;
    • preventing the spread of diseases to colleagues or the public.
  • Maps, photographs, or other information about housing to facilitate visits to employees who are sick, on maternity leave, or require other forms of assistance, as well as to build good relationships with their families.
  • Vehicle or motorcycle license plate number for entry-exit permission within the Company’s premises or for arranging safe and sufficient parking spaces.
  • Any other Personal Data that the organization deems necessary for administrative purposes or as required by law to be collected and retained by the Company in the future.

6. References

  • Personal Data Protection Act B.E. 2562
  • Notification of the Ministry of Digital Economy and Society on Personal Data Security Standards B.E. 2563

Tangerine Co., Ltd. recognizes the importance of protecting the Personal Data of our Trade Partners and Persons Having Business Relationships (referred to collectively as “Partners”). We understand the need for our Partners to have confidence in our ability to handle and safeguard their Personal Data in accordance with the Personal Data Protection Act. Therefore, the Company developed this Personal Data Privacy Policy to provide our Partners with information about how we collect, use, disclose, and protect Personal Data, as well as their legal rights as Personal Data Subjects under the Personal Data Protection Act B.E. 2562.

1. Definition

“Company” refers to Tangerine Co., Ltd.

“Partners” refers to Trade Partners and Persons Having Business Relationships.

“PDPA” refers to the Personal Data Protection Act B.E. 2562.

“Privacy Policy” refers to this Personal Data Privacy Policy.

“Person” refers to an individual.

“Personal Data” refers to any information relating to a person that allows for their direct or indirect identification, but not including the information of deceased individuals in particular.

“Data Controller” refers to an individual or juristic person who has the authority to make decisions regarding the collection, use, or disclosure of Personal Data (in this case, the Company).

“Trade Partners” refers to individuals who sell or will sell products and/or services to the Company, regardless of their registration as trade partners. This includes contractual parties, service providers, consultants, as well as natural persons associated with or acting as representatives of the juristic person that is a trade partner, such as executives, directors, employees, agents, representatives, or any other persons. It also includes individuals whose Personal Data appears in documents related to transactions between the Company and the juristic person, such as coordinators, delivery personnel, payors, and any other persons for whom the juristic person has provided data to the Company.

“Persons Having Business Relationships” refers to individuals other than customers, Trade Partners, or employees of the Company who have a relationship related to the conduct of business. This includes individuals working in government agencies responsible for regulating or overseeing business operations, individuals interested in participating in or who have joined a business project, and representatives or agents involved in procuring goods or services for the Company. It also encompasses natural persons associated with or acting as representatives of a juristic person, such as executives, directors, employees, agents, representatives, or any other persons. It also includes individuals whose Personal Data appears in documents related to transactions between the Company and the juristic person.

2. Personal Data that the Company collects, uses, or discloses, as well as its retention period

The Company generally collects Personal Data from Trade Partners and Persons Having Business Relationships through direct requests or inquiries. However, in certain cases, the Company may acquire such data from alternative sources, such as from affiliated companies of our Partners, their employees, secretaries, or coordinators acting on their behalf, as well as from Persons Having Business Relationships or government agencies. Furthermore, data may be obtained from other publicly available sources, such as websites accessible on the Internet, etc.

The Company collects the Personal Data of our Partners as follows:

2.1 General Personal Data

  • Identity data, such as name, surname, identification card number, passport number, date of birth, gender, age, nationality, signature, photo, professional license identification number, driving license, username, etc.;
  • Contact data, such as an address, a copy of house registration, phone number, fax number, email, Geolocation, emergency contact details, social media account, LINE ID, secretary information, etc.;
  • Financial data, such as bank account number, etc.;
  • Communication data with the Company, such as information concerning date, time, and place of contact, recording of images and/or voice upon having contact with the Company, etc.;
  • Data regarding the company or agency that they are working in, such as the name of their company or agency, location, position, etc.;
  • Data regarding educational profile, work profile, training, skills, projects, etc.;
  • Data regarding personal preferences and interests;
  • Recording of videos by closed-circuit television (CCTV);
  • Data on the participation of meetings between the Company, including data on the participation of training, seminars, activities, or other projects held by the Company, as there may be recordings of photos, videos, or voice during such meetings, training, seminars, or activities;
  • Other necessary data for profile inspection, evaluation on the appropriateness, or risk assessment before entering into relevant transactions, including for legal proceedings or execution, such as marriage status, data concerning assets, etc.;
  • Opinions, recommendations, and complaints;
  • Records on the participation of relevant activities or projects with the Company;
  • Screening data pursuant to communicable disease prevention measures;
  • Data concerning the utilization of relevant information systems of the Company including applications or website browsing information such as browsing history, IP address information, etc.;
  • Other Personal Data for the provision of facilitations as necessary, such as preferred food or beverage, etc.

2.2 Sensitive Personal Data

In general, the Company has no intention of collecting or using religious and blood group data specified on the copy of the Partner’s identification card for any specific purpose. If the Partner provides the Company a copy of their identification card, it is requested that the Partner conceal such data. If the Partner fails to conceal the aforementioned data, it shall be deemed that the Partner authorized the Company to conceal those data and it shall be deemed that such documents with concealed data be valid and legally enforceable in all respects. In case the Company is unable to conceal those data due to some technical limitation, the Company shall collect and use such data as part of your identification documents only.

In case it is necessary for the Company to collect Sensitive Personal Data from its Partners, explicit consent will be sought on a case-by-case basis unless otherwise prescribed by law.

The Company may process the following Sensitive Personal Data:

  • Religious data;
  • Data concerning health and/or disability.

2.3 Retention Period of Personal Data

The Company will retain the Personal Data of Partners only for as long as necessary to fulfill the purposes of collection, use, or disclosure of the Personal Data as specified in this Privacy Notice. The criteria for determining the retention period are the period necessary for the Company to utilize the Partner’s Personal Data in accordance with the purposes. Additionally, it shall be further retained pursuant to the period necessary for compliance with laws or the statutory prescription period, for the establishment, compliance, exercise, or defense of a legal claim, or for other reasons pursuant to the internal policies and rules of the Company within the maximum statutory retention period, for example, no more than ten years from the end of the contract.

The Company will retain images and/or audio recordings of Partners captured through Closed Circuit Television (CCTV) for three months from the date of recording. After this period, the images and/or audio recordings will be automatically deleted from the system, or the Company will delete or render the Personal Data unidentifiable.

The Company will delete or destroy the Partner’s Personal Data or make it unidentifiable when it is no longer needed or at the end of the mentioned period.

In the event that the Company uses the Personal Data of Partners with their consent, the Company will process such Personal Data until the Partners notify them of the withdrawal of consent and the Company has fulfilled their requests.

3. Purposes for the collection, use, or disclosure of Personal Data

The Company collects, uses, and discloses the Personal Data of its Partners as deemed necessary for its operations to achieve the Company’s objectives.

3.1 In general, for both Trade Partners or Persons Having Business Relationships
The Company may proceed with the processing of data for the following purposes:

Clause
Purposes
Lawful Basis
1 For contacting and coordinating concerning the business operations of the Company. Legitimate basis interest
2 For the collection and use of Partners’ Personal Data, including their name, surname, position, work unit, and pictures/videos pertaining to the operations and activities of the Company for public relations through various channels. These may include the Company's internal email, website, Facebook, LINE, YouTube, other online media channels operated by the Company, and other media platforms such as television and publications. Legitimate basis interest
3 For the purpose of using the information for applications to use electronic systems or granting the right to access or use the internet or relevant electronic systems. Legitimate basis interest
4 For business planning, reporting, estimation, risk management, and audit supervision, including internal audit and internal management within the organization, as well as for the benefit of internal operations within the Company related to the disbursement of payments by the accounting and finance unit. Legitimate basis interest
5 For use as information in proceedings related to Know Your Customer (KYC) and/or Due Diligence concerning the Company's operation, including due diligence investigations on the business status or other types of inspections for evaluation of appropriateness or risk assessment before entering into relevant transactions. This also includes identity identification and verification and/or verification of authority, granting and obtaining authority for the execution of any agreement or contract with the Company. Legitimate basis interest
6 For proceedings related to the assignment of any right, duty, and benefit, such as the merger, separation, or transfer of business conducted in accordance with the laws. Legitimate basis interest
7 For use as a stakeholder database of the Company and/or as information for relationship management or relevant coordination related to the Company, including opinion surveys for analysis and improvement of the Company's operations. Legitimate basis interest
8 For the disclosure of information necessary to comply with relevant evaluation criteria in which the Company participates. Legitimate basis
9 For the investigation and inquiry of complaints in the organization, corruption prevention, or any other legal proceedings, including the inspection and administration of complaints and allegations related to the operation of the Company or related persons for transparency and justification of all parties. Legitimate basis interest
10 For maintaining security within the building area and premises, including the exchange of access cards for entry Legitimate basis interest
11 and exit, as well as the recording of videos of visitors to the Company or its buildings and premises through closed-circuit television (CCTV). Legitimate interest and
legal obligation basis
12 For the establishment of a legal claim, granting or obtaining of authority, compliance, exercise, or defense of a legal claim and relevant legal proceedings, as well as proceedings for legal execution. Legal obligation basis
13 For compliance with laws or court summonses, letters, or orders from authorities, independent organizations, or officers with duties and powers under the laws. This includes compliance with summonses, attachment orders, court orders, police officers, prosecutors, and government authorities. It also encompasses the reporting or disclosing information to shareholders, government authorities, or independent organizations such as the Revenue Department, the Office of National Anti-Corruption Commission, etc., to ensure compliance with relevant laws. Legal obligation basis
14 For compliance with laws concerning public interest in relation to public health, such as health protection against dangerous communicable diseases or epidemics that may be contagious or spread within the kingdom. Legal obligation basis
15 For the management and administration concerning the health, hygiene, and safety of Partners. Vital interest basis

In addition to the above purposes, the Company may further process the Personal Data of Partners for the following cases:

3.2 For Trade Partners
The Company may process the Partners’ data for the following additional relevant purposes:

Clause
Purposes
Lawful Basis
1 For proceedings in accordance with relevant procedures prior to entering into an agreement, such as:
  • Trade Partner registration;
  • Consideration of Trade Partner qualifications; Preparation of information before entering into the procurement process, including creating median prices and specifying names and details of the Trade Partner in the Company's internal system;
  • Purchase or acceptance of bidding forms, attending clarifications and presentations regarding procurement works (as the case may be), price bargaining, and announcement of the winning bidder;
  • Invitation to bid, bidding, verification of authority, granting or obtaining of authority for submission of bidding documents, and consideration of the Company's bidders' qualifications in accordance with the Company's procurement procedures. This may include cases where bidders are service providers, legal advisors, accounting advisors, business advisors, tax advisors, auditors, financial advisors, financial institutions, or advisors on accounting and finance system development;
  • Preparation of Confidentiality Agreement, Non-Disclosure Agreement (NDA), and Data Processing Agreement.
Contractual and legitimate interest basis
2 For the necessity of conducting transactions between the Trade Partner and the Company, such as:
  • Identity verification, verification of authority, and the granting or obtaining of authority, including for use as supporting documents for conducting relevant transactions;
  • Proceedings in accordance with the rules, regulations, and relevant internal procedures of the Company; Consideration, preparation, and execution of commercial agreements;
  • Compliance with hiring agreements, service agreements, other commercial agreements, and relevant agreements or cooperations between the Company and Trade Partner. This may include procedures for requesting and considering relevant documents that may contain the Personal Data of third-party directors or representatives of state authorities;
  • Acceptance of work pursuant to agreements between the Company and Trade Partner, administration of commercial supplies and products, and issuance of work certification until completion.
Contractual and legitimate interest basis
3 For compliance with relevant laws concerning the conducting of transactions between Trade Partner and the Company, such as taxation and Anti-Money Laundering (AML) laws. Legal obligation basis

3.3 For Persons Having Business Relationships
The Company may process the Partners’ data for the following additional relevant purposes:

Clause
Purposes
Lawful Basis
1 For the purpose of business communication, such as contacting, scheduling meetings, arranging appointments, participating in business discussions regarding products or services, and various projects of the Company or projects related to the Company, including recording details of the aforementioned communications. Legitimate interest basis
2 For qualification checks or evaluation on the appropriateness before entering into relevant transactions, risk assessment for entering into relevant transactions, identity identification and verification and/or verification of authority, granting or obtaining authority for the execution of any agreement or contract with the Company, due diligence investigations on the business status or other types of inspections, and proceedings in accordance with relevant internal procedures of the Company. Legitimate interest basis
3 For consideration, preparation, and execution of relevant contracts or agreements, including the administration of such contracts or agreements. Legitimate interest basis

In the event that the Personal Data collected by the Company for the aforementioned purposes is necessary for the performance of agreements or compliance with relevant applicable laws if the Partner refuses to provide such necessary Personal Data, the Company may be unable to consider entering into transactions or fulfill administrative obligations in accordance with the agreement with the Partner (as the case may be).

Furthermore, if the Partner has provided the Personal Data of other individuals to us, the Partner shall be responsible for informing those individuals about this Personal Data Privacy Notice and/or obtaining their consent (if necessary).

4. Disclosure of Personal Data

The Company may need to disclose, send, or transfer the Personal Data of Partners to the following third parties:

4.1 Affiliates;

4.2 Government authorities, regulatory authorities, state enterprises, state authorities, public organizations, independent organizations established under the laws, or other authorities as prescribed by laws. This includes officers who exercise powers or perform duties under the laws, such as courts, police, Revenue Department, Anti-Money Laundering Office, Department of Labor Skill Development, Welfare and Labor Protection Department, Department of Legal Execution, Office of the Attorney General, etc.;

4.3 Authorities, organizations, or individuals related to the exercise of the right to claim, the commencement of legal proceedings, objection to complaints or allegations, or defense of the Company’s case. This includes parties involved in the case and witnesses, etc.;

4.4 Agents, contractors/sub-contractors, and/or service providers for any operations provided to the Company. This includes professional advisors, transportation service providers, marketing service firms, travel and accommodation agencies, organizers of activities, training or seminars, media producers, public relations contractors, insurers, auditors, legal advisors, etc.

4.5 Persons Having Business Relationships (if necessary for compliance with agreements in case of joint operation of projects or business);

4.6 Training participants;

4.7 Banks or financial institutions;

4.8 Other third parties, such as the disclosure of data on the Company’s social media channels or the public relations of activity photos or news and information on the Company’s activities or projects to the mass media and third parties, etc.;

4.9 Hospitals or clinics.

5. Cross-border submission or transfer of Personal Data

In certain circumstances, it may be necessary for the Company to disclose our Partners’ Personal Data overseas, which may have different Personal Data protection standards compared to those in Thailand. This may be due to the Company’s business operations or the execution of relevant transactions with companies located overseas. Consequently, we may be obligated to disclose our Partners’ Personal Data to such companies, including government authorities, professional advisors, and individuals who are associated with and require access to such Personal Data within the normal course of the Company’s business operations. Furthermore, data may be disclosed overseas to support potential legal proceedings or arbitrations that may arise in the future. Additionally, the Company may store Partners’ Personal Data on computer servers or in the cloud, utilizing overseas service providers. Data processing may also involve the utilization of programs or applications provided by overseas service providers.

However, when transferring such data, the Company will ensure strict compliance with the Personal Data Protection Act B.E. 2562.

6. Rights of Partners as Data Owners

As owners of Personal Data, Partners are entitled to the following rights as prescribed by the Personal Data Protection Act B.E. 2562:

6.1 Right to Withdraw Consent
Partners have the right to withdraw their consent for the processing of their Personal Data that they have already provided to the Company unless such withdrawal of consent is restricted by laws or by an agreement that confers benefits to the Partners. The withdrawal of consent will not affect the processing of Personal Data for which the Partners have previously provided lawful consent.

6.2 Right to Access
Partners have the right to access their Personal Data held by the Company and to obtain a copy of such data. Additionally, they can request disclosure regarding the acquisition of any Personal Data that they have not given consent to (if applicable).

6.3 Right to Request the Submission or Transfer of Personal Data (Data Portability Right)
Partners have the right to request the Company to transfer the Personal Data that they have provided, as prescribed by law.

6.4 Right to Object
Partners have the right to object to the processing of their Personal Data concerning the collection, use, or disclosure of their Personal Data, as prescribed by law.

6.5 Right to Erasure
Partners have the right to request the Company to erase or destroy their Personal Data or render it unidentifiable if the Company no longer needs to collect, use, or disclose the data. This right also applies when Partners exercise their right to withdraw their consent or object or when the Personal Data has been unlawfully collected, used, or disclosed.

6.6 Right to Restrict Processing
Partners have the right to request the restriction of processing of their Personal Data, as prescribed by law. This may include situations where the Company is verifying the accuracy and completeness of the Personal Data, when the data has been collected, used, or disclosed in violation of the PDPA (Personal Data Protection Act), or when the Company no longer needs to collect, use, or disclose the data, etc.

6.7 Right to Rectification
If Partners notice any incorrect Personal Data held by the Company or if they have updated their Personal Data, they have the right to request the Company to rectify their Personal Data to ensure accuracy, currency, completeness and to avoid any misunderstandings.

6.8 Right to Lodge a Complaint
Partners have the right to lodge a complaint with the authorities under the Personal Data Protection Act B.E 2562 if they suspect that the collection, use, and/or disclosure of their Personal Data breaches or fails to comply with the provisions of the Act.

7. Review and improvement of Personal Data

The Company may review this Privacy Policy to ensure its alignment with future interpretations, enforcement, and changes to the PDPA by government agencies (if any). Any revisions will be communicated through the Company’s website and other appropriate channels. Therefore, Partners are kindly requested to regularly read, review, and familiarize themselves with the policy.

8. Contact channels

To exercise the rights outlined in Clauses 6 (1)-(8) mentioned above, please submit a request to the Company using the provided form. The form should be sent to the Company’s Data Protection Officer. You can access the form on the Company’s website through the following link:DSAR

If you have any questions or require further details regarding the protection of Personal Data, the collection, use, or disclosure of Partner’s data, the exercise of Partners’ rights, or if you have any complaints, you can contact the Company through the following channels:

Tangerine Co., Ltd.

Address: 23rd Fl., Bangkok Insurance Building, Sathorn Tai Road, Tungmahamek, Sathorn, Bangkok, 10120

Telephone number: +66 2 285 5511

Data Protection Officer

Address: 23rd Fl., Bangkok Insurance Building, Sathorn Tai Road, Tungmahamek, Sathorn, Bangkok, 10120

Telephone number: +66 2 285 5511

Email: DPO@tangerine.co.th

Tangerine Co., Ltd. (“Tangerine”) places significant emphasis on implementing measures to protect the Personal Data of its customers and/or service users, especially the privacy rights of website visitors and/or users. The Company understands the expectation of viewers/users that the data they provide to the Company through this website will be appropriately protected. Tangerine hereby announces its Cookies Policy, which shall apply to this website as follows:

What is a cookie?

A cookie is a small data file that is stored on your computer or device’s browser. It assists your browser in navigating various sections of the website. However, it is important to note that cookies cannot collect data stored on your computer or in other files.

When a server requests the web browser to read the information stored in cookies, the data from cookies helps websites provide a more user-friendly and personalized experience for users. To safeguard your privacy, browsers only allow websites to access cookies that have already been sent to you.

Reasons for using cookies

We utilize cookies to better understand how you interact with the content on our website and enhance your overall experience, thereby increasing your satisfaction when you visit our site.

Cookies remember your preferred browser type and any additional browser programs you have installed. They also store your preferences, such as language and region, which are automatically set when you revisit the website. Moreover, cookies enable you to rate web pages and provide comments.

Some of the cookies we use are session cookies, which remain active until you close your browser. Others are persistent cookies that are stored on your computer for a longer period of time.

Details of the different types of cookies that may be used on the website are as follows:

  1. Strictly Necessary Cookies: These cookies are essential for the operation of the website and cannot be disabled in our system. They are typically set in response to your service requests, such as privacy settings, login, or form filling. While you can configure your browser to block or receive reminders about these cookies, doing so may result in certain parts of the site not functioning optimally.
  2. Analytic and Performance Cookies: These cookies help us track the number and origin of visits, enabling us to measure and improve the effectiveness of our website. They also provide insights into which pages are the most and least popular and which sections are viewed by visitors. All information collected by these cookies is aggregated, making it impossible to identify individuals. Disabling these cookies will prevent us from tracking your visits to our site.
  3. Functional Cookies: This type of cookie enables the proper operation and personalization of the website, including features like videos and live chat. They can be set by us or by third-party service providers whose services are integrated into our pages. Disabling these cookies may result in certain functions of the site not working properly.
  4. Targeting Cookies: These cookies are set through our site by our advertising partners. The purposes of these cookies are to create a profile of your interests and display relevant advertisements on other websites. They work by identifying each of your browsers and devices. If you choose to disable these cookies, you may not receive targeted ads on other websites based on your interests.

Third-party cookies

Our website utilizes third-party cookies, including Analytic and Performance Cookies such as Google Analytics and Targeting Cookies from providers like google.com, youtube.com, and facebook.com. These providers are widely recognized and trusted for their analysis and personalization services. By using these cookies, our Company gains insights into how you use our website, allowing us to improve your overall website experience.

However, it is important to note that there may be cookies set by third parties over which we have no control regarding their use of data. Therefore, we recommend that you review the Privacy Notice and Third-Party Cookie Policy on the respective third-party websites, as they may have different policies compared to our website.

Changing cookies settings

You have the option to configure each type of cookie, with the exception of Strictly Necessary Cookies, by accessing the ‘Cookies Settings’ or settings in your web browser. For instance, you can choose to prohibit the installation of cookies on your device.

However, Tangerine would like to inform you that disabling certain cookies may affect the functionality of this website and may impede your ability to use it efficiently.

If you wish to exercise your rights as a Personal Data Subject, you can proceed by visiting DSAR

For any inquiries regarding the exercise of Data Subject rights and our Personal Data Protection Policy, please contact us at:

Data Protection Officer: DPO Email: dpo@tangerine.co.th