Tangerine company prioritizes the establishment of measures to protect the personal data of customers and/or users, particularly the right to privacy of visitors and/or website users. It is important to be aware of the expectations of visitors/website users regarding the protection of data provided to the company through this website. The information that visitors/website users provide to Tangerine Ltd. through this website will be appropriately protected. Therefore, Tangerine would like to announce the following personal data protection policy for customers.
Section 1: General information about Tangerine
1. What services does Tangerine offer?
Tangerine Co., Ltd. (“Tangerine”) was established in 2003 as a subsidiary of Yip In Tsoi Co., Ltd. The Company provides consulting services, and develops, designs, sets up computer and network systems and information system security with the goal of becoming “the consultant who understands customers’ businesses” by applying technology to create maximum benefits, thus enhancing our customers’ competitiveness.
Tangerine has consistently received numerous awards from business partners, including Google, Cisco, Dell Technologies, and VMware.
2. Tangerine’s services
2.1 Google Cloud services: Tangerine has been entrusted by Google as a Premier Partner, making us the first company in Thailand to offer Google Cloud services. Our range of services includes:
- Google Workspace
- Maps Platform
- Big Data Analytics
- Cloud Infrastructure
- Additional services such as Tangerine Log Manager and Tangerine Message Recall
2.2 Installation and support services for enterprise products, including Cisco, Dell Technologies, and VMware.
2.3 Application development: in-house software design and development services to support the implementation of new technologies and facilitate business growth in digital channels.
2.4 Cyber Security solutions: consulting services and security solution designs to assist organizations in preparing against cyber attacks.
2.5 IoT: consulting services and designing IoT solutions that leverage technology to create new business opportunities.
Section 2: Personal Data Protection Principles
Tangerine has been involved in providing consulting services, developing, designing, and setting up computer and network systems, as well as information system security. Our goal is to become a consultant who understands our customers’ businesses. Tangerine takes pride in stating that our services, particularly Google Cloud services, are globally reliable and secure. These services have undergone audits and certifications conducted by independent international auditors, covering all aspects, including installation services and support for various solutions and services. Tangerine places great importance on measures to protect Personal Data and ensure security. These are the key criteria that Tangerine prioritizes when serving our customers or service users. It also demonstrates our commitment to comply with the Personal Data Protection Act B.E. 2562.
1. The fundamental principles to protect privacy and information security
Tangerine offers infrastructure services related to information systems that require global-scale security. When providing these services, we adhere to three fundamental principles to protect the privacy of Personal Data and ensure information security, as follows:
2. Audits and certifications according to international standards
2.1 Google Cloud services have successfully undergone assessments and received certifications in accordance with international standards.
Google Cloud services strictly adhere to the fundamental principles of Confidentiality, Integrity, and Availability. The services have been assessed and certified by independent auditors to instill confidence in our users that our services have measures to protect Personal Data and maintain security in accordance with international standards. These certifications include:
- ISO/IEC 27001 (Information Security Management Systems: ISMS)
- ISO/IEC 27017 (Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services)
- ISO/IEC 27018 (Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
- PCI DSS (Payment Card Industry (PCI) Data Security Standards (DSS))
- SOC 1 (Security Operation Center)
- SOC 2 (Security Operation Center)
- SOC 3 (Security Operation Center)
- CSA Star
- California Consumer Privacy Act (CCPA)
- GDPR (General Data Protection Regulation)
2.2 In addition to the Google Cloud services mentioned in clause 2.1, other services offered by Tangerine also prioritize the implementation of measures to protect Personal Data and maintain security.
3. Personal Data Protection Act B.E. 2562
The Personal Data Protection Act B.E. 2562 (“PDPA”) aims to safeguard Personal Data. Therefore, important principles have been set forth in the Personal Data Protection Act, as follows:
3.1 To determine the definition of Personal Data and its types.
3.2 Any action involving Personal Data, including collection, use, disclosure, or transfer, should adhere to specific purposes.
3.3 The rights of the Personal Data Subject to access, update, and delete Personal Data.
3.4 Responsibilities of the Data Controller and Data Processor.
4. What is “Personal Data”?
“Personal Data” refers to any information relating to a person that allows for their direct or indirect identification, but not including the information of deceased individuals and business contact information such as the name and address of a company or its Juristic Person’s Registration Number.
4.1 Personal Data that directly identifies an individual includes name, address, ID card number, passport number, Social Security number, etc.
Biometric data is information obtained through techniques or technologies that use physical features or behavior of an individual to identify them, such as facial recognition, iris recognition, fingerprints, etc.
4.2 Data that may indirectly identify an individual
Data that can be linked, such as when two sets of information, whether within the same system or across different systems, can be combined to identify a person.
5. How many types of Personal Data are there?
Personal Data can be divided into two categories:
5.1 Personally Identifiable Information (PII), which may also indirectly identify an individual.
5.2 Sensitive Data, such as race, ethnicity, political opinions, religion, genetic data, biometric data, etc.
6. Collection of Personal Data
This must be carried out with the consent of the Personal Data Subject unless otherwise prescribed by law.
7. Use or disclosure of Personal Data
This must align with the purpose for which the Personal Data Subject has provided consent unless otherwise prescribed by law.
8. Processing of Personal Data
refers to any action that involves automated methods of collecting, using, disclosing, rectifying, providing summary reports, as well as sending or transferring Personal Data.
9. Implementation of security measures
to safeguard Personal Data from unauthorized disclosure or to prevent information leakage.
10. Cross-border transfer of Personal Data
or to locations outside the kingdom, which requires obtaining prior consent from the Personal Data Subject, unless it is a legally mandated action.
11. The Data Subject
refers to a natural person whose Personal Data, whether directly or indirectly, can identify them. For example, a password that needs to be used together with another set of information, such as the Personal Data Subject’s name and surname, to identify their identity.
12. The Data Controller
refers to an individual who has the authority to make decisions regarding the processing of Personal Data, including its collection, use, or disclosure. They are also responsible for processing Personal Data in accordance with the request of the Personal Data Subject, allowing them to exercise their rights to access, edit, and correct their Personal Data to ensure its accuracy or update it, as well as request the deletion of Personal Data.
13. The Data Processor
refers to an individual or juristic person who operates in the collection, use, or disclosure of Personal Data in accordance with the instructions or on behalf of the Data Controller.
Section 3: Compliance with the Personal Data Protection Act
To comply with the requirements of the Personal Data Protection Act, Tangerine has formulated a policy to operate in alignment with the principles outlined in the aforementioned law, as follows:
1. The collection and purposes of Personal Data collection
Tangerine collects Personal Data only as deemed necessary for legitimate purposes. The data will be collected directly from the Personal Data Subject, and Tangerine will inform the Personal Data Subject prior to or at the time of collection unless they are already aware of the details. The mentioned details encompass the following:
1.1 Purpose of collecting Personal Data for use or disclosure.
1.2 Personal Data which shall be collected, used, or disclosed.
1.3 In the event that the Personal Data Subject must provide Personal Data to comply with a law or contract or if it is necessary to provide Personal Data to enter into a contract, as well as informing about the potential consequences of not providing the Personal Data.
1.4 The types of individuals or organizations to which Personal Data collected may be disclosed.
1.5 Rights of the Personal Data Subject.
1.6 Collection of Personal Data in other cases where the consent of the Personal Data Subject is not required, in accordance with the Personal Data Protection Act.
The Tangerine website utilizes cookies, which are text files designed to record the usage or origin of visits to the Tangerine website. Customers or users of the Tangerine website have the ability to manage their browser cookies through their browser settings. Generally, customers or service users can set up their browsers to prevent accepting cookies from the website, receive notifications when they receive new cookies, refuse new cookies, and delete cookies from the Tangerine website when needed.
3. Collecting Personal Data from other sources
In cases where Tangerine needs to collect data from a source other than directly from the Personal Data Subject or where Personal Data is not collected without the explicit consent of the Personal Data Subject in accordance with the Personal Data Protection Act, Tangerine will only do so when absolutely necessary for the Company’s business operations and to provide benefits to its customers or users. The Personal Data Subject will be promptly notified about such actions, either directly or through announcements on the Company’s website. This applies to the following cases:
3.1 Research studies or statistics
3.2 Sales and Marketing
3.5 Any other necessary and relevant actions
Tangerine is committed to implementing appropriate protection measures to safeguard the rights and freedoms of Personal Data Subjects. The Company places great importance on defining the conditions or principles individuals must prioritize when sharing necessary data with Tangerine. This ensures that their actions are righteous and in compliance with the Personal Data Protection Act.
4. Usage or disclosure of Personal Data
Tangerine will only use or disclose Personal Data when necessary and in accordance with the purpose of collection. Prior consent or notification (as applicable) will be obtained or provided to ensure that the Personal Data Subject is aware of such usage or disclosure, enabling effective services or fulfillment of legal obligations. Tangerine may disclose Personal Data to the following parties:
4.3 Domestic and international data processing service providers
4.4 Government agencies or officials exercising legal authority
By disclosing Personal Data to such parties, Tangerine will ensure that they maintain the confidentiality of the Personal Data and restrict its use to the defined scope established by Tangerine. The Personal Data provided to Tangerine will be stored in the data center (cloud) of a third-party data processing provider, with servers located overseas. The transfer of customer Personal Data to the third-party data processing service provider is conducted with the objective of facilitating service provision, ensuring secure data storage, facilitating data retrieval services, and serving as a backup. Tangerine has undertaken a thorough review and selection process for the service provider and has established an agreement regarding data security measures and the extent of data processing. By providing Personal Data to Tangerine, you are deemed to have consented to the cross-border transfer and overseas storage of your Personal Data for the aforementioned purposes.
Furthermore, Tangerine may need to disclose your Personal Data to fulfill legal obligations. This may occur when data needs to be shared with government agencies, regulatory bodies responsible for overseeing service provisions, or entities supervising service users. Additionally, Tangerine may receive requests, supported by lawful authority, to disclose data for purposes such as legal prosecutions or from private agencies or other third parties involved in the legal process. In addition, the disclosure of data may occur when it is reasonably necessary to enforce Tangerine’s Terms and Conditions or in the context of organizational restructuring, amalgamation, or business acquisition. In such cases, Tangerine may transfer your Personal Data, either in whole or in part, to the relevant companies as required.
5. Retention of Personal Data
6. Sending or transferring Personal Data
In the event that Personal Data is sent or transferred overseas, Tangerine will proceed with such transfer only if the receiving country possesses adequate Personal Data protection standards and meets the criteria established by the Personal Data Protection Committee of that country. This will be done unless prescribed by laws or with the consent of the Personal Data Subject, and the Personal Data Subject is informed of the inadequate personal data protection standards of the destination country.
Tangerine will implement the aforementioned measures when sending or transferring Personal Data overseas. This applies when sending or transferring Personal Data to Data Controllers or Processors who are located overseas and are affiliated with or in the same business network for the purpose of conducting joint business. In such case, Tangerine will take appropriate protective measures to comply with the criteria set forth by the Personal Data Protection Committee. These measures include enforcing the rights of the Personal Data Subject and implementing effective legal remedial measures.
7. Processing the Personal Data of minors
Tangerine does not provide services to minors under 20 years of age unless such person is using the service solely under the supervision or approval of a parent or guardian.
8. Security measures
Tangerine understands the importance of implementing security measures when providing services to customers or service users to prevent unauthorized access, usage, disclosure, sharing, alteration, duplication, or deletion of Personal Data.
Tangerine would like to assure customers or service users that its services have been certified and have implemented security measures and Personal Data protection in accordance with international standards, as specified in Article 5. Regular reviews and assessments are conducted to enhance security measures, ensuring their appropriateness and effectiveness in handling technological advancements and countering the increasing complexity of online threats. These actions are taken to comply with the regulations established by the Personal Data Protection Committee.
9. Rights of the Data Subject
9.1 Customers or service users who are the owners of the Personal Data have the right to request access and obtain a copy of their Personal Data. They also have the right to request disclosure regarding the acquisition of any Personal Data that they have not given consent to. In addition, they have the right to request rectification to ensure that their Personal Data is current, as well as to obtain Personal Data related to them in a format that can be read or used by an automated tool or device. Furthermore, they have the right to request the transfer of their Personal Data to another Data Controller if such transfer can be facilitated in an automated manner. However, it is important to note that these actions must not infringe upon the rights or freedoms of other individuals and must comply with the provisions specified in the Personal Data Protection Act.
9.2 Customers or service users who are the owners of the Personal Data have the right to request the Data Controller to delete, destroy, or anonymize their data if its retention is no longer necessary for the purpose for which it was collected, used, or disclosed.
9.3 Customers or service users who are the owners of the Personal Data have the right to withdraw their consent for the collection, use, or disclosure of their Personal Data. However, it is important to note that the withdrawal of consent will not affect the collection, use, or disclosure of the Personal Data that has already been legally obtained with the individual’s consent. The Data Controller is responsible for informing the Personal Data Subject about the consequences of withdrawing consent.
10. Actions when Personal Data is infringed
Tangerine has established procedures and processes to manage cases where there is a breach of Personal Data. In the event of such a breach, Tangerine will report the incident to the Office of the Personal Data Protection Commission without delay, within 72 hours from the date of knowledge of the incident, unless it is determined that the violation poses no risk to the rights and freedoms of the individual. If the violation has a high risk of affecting the rights and freedoms of the individual, Tangerine will take appropriate measures to notify the Personal Data Subject about the breach and provide guidelines for remedies without delay, or take any other action as prescribed by the Personal Data Protection Committee.
11. Appointment of the Data Protection Officer
Tangerine has appointed a Data Protection Officer (DPO) to manage and protect the Personal Data in accordance with the legal requirements of the Personal Data Protection Act B.E. 2562. The DPO is responsible for providing advice, monitoring the handling of Personal Data, and collaborating with the Office of the Personal Data Protection Commission (PDPC).
12. Data Governance
Tangerine acknowledges the significance of data governance in safeguarding the privacy and security of Personal Data, demonstrated by granting DPOs the autonomy to fulfill their legal responsibilities. Additionally, Tangerine places emphasis on conducting regular assessments of its service systems by independent auditors who hold certifications aligned with international standards. Tangerine’s systems are certified in accordance with ISO/IEC 27001 (Information Security Management Systems (ISMS)).
Tangerine has established a system to monitor actions for the protection of Personal Data and ensuring its deletion and destruction after the designated retention period, such as removing data stored in cookies. Furthermore, if requested by the Personal Data Subject or if the Personal Data Subject withdraws their consent, their Personal Data will be deleted unless the collection of such data without consent is required by the Personal Data Protection Act and appropriate safeguards are in place to protect the rights and freedoms of the Personal Data Subject. Exceptions to this may include:
12.1 Fulfilling the purpose of documenting history or creating archives for the public benefit or to support educational or research endeavors.
12.2 Preventing or suppressing a danger to a person’s life, body, or health.
12.3 When it is necessary to comply with a contract in which the Personal Data Subject is a party or to process the Personal Data Subject’s request prior to entering into that contract.
12.4 When it is necessary for the Data Controller to carry out duties for the public interest or exercise the authorized power granted by the state.
12.5 In cases where sensitive Personal Data, such as race, ethnicity, religion, biometric data, etc., needs to be collected in compliance with the Preventive Medicine Law for purposes such as medical treatment, health management, public health benefits, labor protection, social security, National Health Insurance, scientific research studies, history or statistics, or other public interest or important public interest as prescribed by the Committee.
13. Contacting Tangerine
Tangerine Co., Ltd.
23 Fl., Bangkok Insurance Building, 25 Sathorn Tai Road,
Tungmahamek, Sathorn, Bangkok 10120
Tel: +66 2 285 5511