Privacy Policy

Privacy notice for business partners

Privacy Notice for Business Partner

1. General Provisions

1.1 This Privacy Notice for Business Partner has prepared by collection, use, or disclosure of your personal data by Kangwal Holding Company Limited or under the name of 137 Pillars Hotels and Resorts and its affiliates (hereinafter referred to as “company” or “we”, “us” or “our”), to explain about the collection, use, disclosure and/or transferring of personal data of employees, contractors, staffs, authorized persons, directors, shareholders, and other visitors (hereinafter referred to as “you” or “your”), who are our business partner, for instance, supplier, vendor, service provider and outsourcer (each party referred to as “business partner”), as well as any information of third party submitting to us to protect the privacy of your personal data.

1.2 This Privacy Notice applies to online and offline communication, where we collect your personal data whether directly or via email or social media (such as Webpage, Facebook or Line) and other platforms related to our business operations.

1.3 For the purpose of this Privacy Notice, “Personal data” means personal information or identifiable information as defined in the applicable law. It also includes general data only

1.4 The Company is committed to ensure that your privacy will be protected, and the processing of your personal data will be in accordance with the applicable laws and regulations as well as subordinate laws issued thereunder, including but not limited to any amendments which may be made thereto, to protect personal data in the countries where we carry out our business. The company hereby declare that we will collect, use, retain, disclose, and/or transfer to a foreign country as stipulated in this Privacy Notice only.

1.5 Please read this Privacy Notice carefully to understand our practices regarding your personal data and how we process it. Where it is required by the laws on business relationship, your personal data that we possess or may be made thereto, will be enforce in accordance with the laws. In the case that you do not agree to provide such information, we will be unable to perform our duties or obligations to you.

1.6 The company reserves the right, at its sole discretion, to modify, amend, delete, and update this Privacy Notice from time to time. Any changes to the terms of this Privacy Notice (for example, by emailing the policy revised to you with a new effective date or information of such changes on our website), the company will endeavor to notify you appropriately for any significant changes at our receiving area.

2. Collected your Personal Data

We will collect or obtain your personal data, whether directly or indirectly from you,
either from other sources or government agencies or other public sources. “Personal Data” means any information given to us by our communication or any data collected by the company from you. The example of personal data that may be collected include:

(a) Personal information, such as, title, first-name, surname, sex, age, date of birth, nationality, family status, photograph, job descriptions (for example, title, categories of goods and services, the company that you work for, the company employs you, the company that you are a partner), copy of identification card, copy of passport, copy of house registration, copy of work permit, or identified documents issued by the government, financial information (for example, account name and account number), and other identified documents.

(b) Contact information, such as phone number, fax number, address, workplace, Line ID and others similar information.

(c) Other information collected, used, disclosed and/or transferred to a foreign country, and the personal data relating to the relationship between us and our business partner, such as, information provided in the contract, form, survey, or other documents.

3. Processing of Personal Data and Lawful Basis

The company and third party who act on our behalf, may collect, use, retain, disclose and/or transfer to a foreign country your personal as described therein, on the ground of legal basis for the following purposes:

3.1 Contract Basis

If the Company is required to collect your personal data as required by law or
to enter into or perform an obligation under a contract with the company, you yet fail to provide such personal data to the Company where is requested by the Company. The company may not be able carrying out the purposes stated above. In the case that the company is moreover obliged to obtain your consent carrying out activities in which the collection, use or disclosure of your personal data, the company will request your consent in such matters on a case-by-case basis, for example:

(a) For procurement and the selection of business partners: To evaluate the suitability, your qualification, and its business partner and to facilitate to attend in the bidding, to issue a request for a quotation and to enter a contract with you and business partners.

(b) For business purposes: To communicate, initiate, or manage the contractual relationship with business partners and to communicate with you and business partners concerning goods and/or services, to carry out transaction executed by business partner (such as, delivery, exchange, and return goods, issuing bill, tax invoice and receipt) and to comply with any obligations and/or request of business partners.

(c) Relationship management: To create seller code, to register in the lists / lists of business partner, to support, follow up and record, to issue you a carpark card, and to invite business partner to attend events/activities.

(d) Registration and verification: To register, investigate, identify, and verify your identification.

(e) Marketing communications: To inform you about marketing communications, events, sales, public relations, notices, news, promotions, special offers, trade shows, purchasing and support, special events and direct marketing

(f) Business operations: To comply with internal record requirements, internal management, auditing, reporting, submitting, or filing data, data processing, or other similar activities.

(g) Safety: To ensure safety, prevent the risk, resolve a conflict, record, and manage disputes, act in preventing crime or corruption.

(h) Compliance with the law: To process your personal data in accordance with the obligations required by law, right, and duties under applicable law, including but not limited to, the laws outside your country of residence, to assess compliance with applicable laws, rules, regulations, and internal policies and procedures, and to execute the investigation stipulated by the government officials.

3.2 Legitimate Interest Basis

For example, with the purpose of ensuring safety, risk prevention, conflict resolution, recording, and dispute management, acting in preventing crime or corruption etc.

3.3 Legal Obligation Basis

In order to evaluate compliance with applicable laws, rules, regulations, and internal policies and procedures, and to execute the investigation stipulated by the government officials, we process your personal data on the ground of legal obligation basis where is required by law, right and duties under applicable law as well as the laws of other countries.

4. Disclosure of Personal Data to Others

4.1 We may disclose your personal data complying with the purposes and the rules prescribed by the laws. We will take any steps to ensure that the access of your personal data is restricted to our employees and/or our representatives only, based on need-to-know basis.

4.2 In addition, we may disclose our personal data to the following persons, under the purposes provided herein:

(a) Our affiliates: Parent company and affiliated company. Our company is one of the groups of companies and shares the services and some of business partners systems, therefore, we may need to transfer your personal data or obtain your consent allowing our affiliates to access your personal data in accordance with the purposes in this Privacy Notice. Our affiliates will accordingly access your personal data owing to the consent basis given by you.

(b) Business partners: We may transfer your personal data to other our business partners, in order to carry out a business and provide a service. The recipient business partners agreed to retain your personal data in the same manner as stated in this Privacy Notice.

(c) Vendors and Sales Representatives appointed from time to time: The company may disclose your personal data with an authorized dealer, following your request or staying near your location to provide a service.

(d) Contractors/ Service providers/ sub-contractors: We may use the services of the companies, representatives or others hired by the company to perform the services on the behalf of us or to support our business relationship. In addition, we may disclose your personal data to such persons, including but not limited to, (1) service providers for information technology and information technological companies (2) data recording services and research services (3) statistical analysis services (4) survey services (5) marketing, advertising, materials, design, creative and communication services (6) campaign event and marketing organizers (7) outsource administrative services (8) storage and cloud services, and (9) any other similar or other service providers supporting the company’s business operations

(e) External advisors of the company, such as lawyers, specialized technicians, tax consultants, and auditors who support our business or defense or exercise of legal claims.

(f) Third parties required by law: In some cases, we may need to disclose or share your personal data in accordance with the laws or regulations, law enforcement agencies (e.g., Department of Land and Transport, Revenue Department, Consumer Protection Board), courts, law enforcement officials, governmental agencies, or other third parties in the event that it is necessary to comply with the laws or regulations, to protect our rights, third party rights or the safety of persons, or to detect, prevent, or resolve in the issues of fraud, security or safety.

(g) Hospital and rescue: Your personal data may be disclosed in an emergency to protect your interest.

(h) Assignee of rights and/or obligations: The third party as an assignee in the event of business rehabilitation, mergers, acquisitions, business transfers whether in part or in whole, sales, purchase, joint ventures, sales of all or part of our business, or property or stock, the third

party as an assignee agrees to comply with this Privacy Notice to protect your personal information.

(i) Other sources that are available publicly, such as, websites, advertisements, and/or social media platforms.

4.3 Subject to the applicable law, the company shall not be liable whatsoever arising from the use of your personal data by third parties. Therefore, please check the privacy notice of such third parties to understand how they use your personal data.

4.4 Unless otherwise provided herein, we shall not disclose, sell, distribute, transfer, or lease your personal data to third parties, unless the permission given by you or to complete the remaining transactions.

5. International Transfers of your Personal Data

4.1 We may transfer your personal data collected from you to related to companies or our affiliated companies to fulfil the purposes provided herein. We may necessarily disclose your personal data to third party that are outside of Thailand, according to the purposes in this Privacy Notice. The company received your personal data may be located at United States of America or Japan. Such disclosure may only be done by obtaining your consent, unless there are any other compelling legitimate grounds (e.g., to fulfil the contract terms between us and other persons for your benefit) as permitted by applicable laws.

4.2 In the case that your Personal Data is transferred to destination countries where the standard of protection available is not sufficient under the applicable laws on data protection in Thailand, we will take steps necessary to protect the Personal Data transferred to other persons internationally to reach the same level of protection as providing by us with respect to your Personal Data, and in compliance with the applicable laws on data protection which become effective at that time.

6. Retention Period for your Personal Data

We will retain your personal data for a period as reasonably necessary to use following the purposes of collection provided herein. In the case that the legal or disciplinary action is executing, furthermore, your personal data may be retained until such processing is completed. This shall include the necessary length of period to file an appeal thereafter, your personal data will accordingly be deleted or archived as permitted by applicable law.

7. Security for your Personal Data

The Company furnishes the security measures to keep all personal data collected and obtained securely. We have used the technical, organizational, administrative, and physical security measures to protect and prevent your personal data in our systems from accidental loss, access, use, alteration, modification, damage. Additionally, we will review such measures where is necessary or where there is a change of technology. To retain your personal data appropriately and efficiently, we will implement our security and preventive measures strictly to prevent unauthorized access after we receive your personal data.

8. The Rights of Data Subject

In some cases, we may request you to identify yourself before exercising your rights as a data subject. In this regard, for your privacy and security, you can exercise your rights under the laws on Personal Data Protection and its exceptions as follows:

8.1. Right to access

The data subject can submit a request for personal data accessing or a request to clarify the acquisition of personal data, that the data subject has not given a consent. The Company will prepare or make a copy of the personal data and related information throughout our communication channels. But all these, the company is entitled to refuse such a request, where is required by the law, court order or the access of such personal data may cause damage to the right and freedom of others.

8.2 Right to rectification

The data subject can submit a request to rectify the personal data to be accurate and up-to-date and not misleading, where the evidence or relevant documents must be presented. If the company considers that such request is non-reasonable, the company will reject the request and record the reason of such refusal as an evidence.

8.3 Right to deletion, destruction, or de-identification

The data subject can submit a request for deletion, destruction, or de-identification of the data subject to the company and the request will be proceeded under the following conditions:

  • o Where is not necessary to retain the personal data according to the purposes provided.
  • o The withdrawal of consent is made by a data subject and the company has no legal authority to collect, use or disclose personal data.
  • o The data subject objects to the collection, use or disclosure of personal data for the performance of public tasks and legitimate interests, and it cannot be objected by the company.
  • o Personal information is collected, used, or disclosed unlawfully.

However, the company is entitled to reject the request of data subject as follows:

  • o Retention for the necessity of freedom of expression.
  • o Retention for the purpose of historical documentation, archives, etc.
  • o Retention for carrying out the tasks for public interest of the company or complying with state powers that the company is appointed.
  • o Retention of necessary information to perform legal obligation with the purpose of preventive medicine, occupational medicine, a benefit of public health and others as stated by law.
  • o For establishment of legal claims, compliance or exercise of legal claims, raising the defense of legal claims or compliance with the law.

8.4 Right to withdraw consent

In the event consent given to the company by data subject, the data subject may submit a request for withdrawal that consent. The Company will proceed pursuing to that request and it shall not affect to any other actions taken prior to the exercising of the right to withdraw. Nevertheless, the company has the right to refuse continuing such request; provided that, there is a restriction on the right to withdraw by law or contract providing a benefit to the data subject.

8.5 Right to data portability

The data subject can submit a request to obtain or transfer his/her personal data to another data controller in an electronic format that can be read or used from automatic device, including the right to verify the transferring of such personal data under the following conditions:

  • o Must be the personal data obtained a consent by the data subject for collection, use, or disclosure of personal data.
  • o Collecting, using, or disclosing of personal data for the purpose of providing a service or pursuing to the contract between the data subject and the company.
  • o The data subject must be submit the document for identification to data portability include Requisition the personal data form, Company Certificate(not older than 1 month) , copy of ID card of authorized signatory. And send all the original documents by post to the address specified in item 8

In addition, the company will refuse to data portability if it is necessary for public interests, legal obligations, breaches of the rights or liberties of others, or it technically cannot be operated by the company. The reason of such refusing will be recorded as evidence thereafter.

8.6 Right to restriction

The data subject can submit a request to restrict the company from using of personal data subject to the following conditions:

  • o The company is in the process If it can be verified that such data is accurate and complete, the Company can reject the request.
  • o When the personal data is unlawfully collected, used, or disclosed and the data subject does not exercise his/her right to delete, destroy or de-identified, the data subject otherwise request to suspend that use. The company may reject such request if it can provide others legal evidence for the collection, use or disclosure of personal data.
  • o Where there is not necessary to retain that personal data, the data subject yet asks to retain it for the establishment of legal rights, compliance with, exercising or raising a legal claim.
  • o The company is in the process of proving the right to reject of the data subject’s request subject to the rights.

8.7 Right to object

The data subject can submit a request to object to the collection, use or disclosure of personal data subject to the following conditions:

  • o For the performance of public task and for the legitimate interest, the Company will reject any objection if it is proved that there are more important legitimate grounds or for the establishment, compliance with, exercising or raising a legal claim.
  • o For the purpose of scientific and history research. The company will reject any objection if it is necessary to carry out the tasks for the public interests of the company.

However, the company will record the reason of such refusing as an evidence.
If the refusal of objection is not met an exception, the company will not continue to collect, use, or disclose that personal data. It is explicitly separated from other information when the data subject has notified the objection to the Company.

8.8 Right to be informed

The data subject has the right to be informed of the information in the event that the company has received an information directly from the data subject or obtained it from a third party throughout the company's communication channels.

8.9 Right to lodge a complaint

The data subject has the right to lodge a complaint in the event that a data controller, data processor, employee or service provider for data processor violates or fails to comply with the Personal Data Protection Act B.E. 2562.

In addition, the company reserves the right to reject the request in the following cases:

(a) It is permitted by the law to carry out;
(b) Personal data is anonymized or is unidentified the data subject;
(c) The requester does not provide an evidence identifying that he/she a data subject or is authorized to submit such request;
(d) Such request is unreasonable, for example, in the event that the requester does not have authority or does not submit his/her personal data to the company, etc;
(e) Such request is a redundant request, for example, a request of the same request/content repeatedly without justifiable reason;
(f) The Company may determine an expense/ a fee for the processing of request in accordance with the rules prescribed by the Company.

In addition, the Company may need to request certain information from you in order to verify your identity and ensure your right to access personal information. (or to exercise any other rights) in order to comply with security measures that will ensure that your personal information will not be disclosed to persons who do not have the right to access such information

The Company may request some certain information from you to verify your identity and ensure your right to access personal data (or to exercise any other rights) to observe the security measures ensuring that your personal data will not be disclosed to any person,
who is not entitled to access such information

The Company will endeavor responding to all legitimate requests within 30 days. In some cases, the Company may take more than 30 days if your request is complicated, or you are submitting more than a request. Following to such event, the Company will notify and keep you posted the status of your request at all the times.

9. Contact Us

If the violation of personal data protection, the complaint, or the exercising of data subject under this notice or the Personal Data Protection Act B.E. 2562 has been occurred, or in case you have any concerns or questions regarding this notice, you may contact the company using the contact information provided below:

Working group on Personal Data Protection Act Email Address:
137 Pillars Suites & Residences Bangkok Contact Number +66 (0)2 079 7000
137 Pillars House Chiang Mai Contact Number +66 (0)53 247 788