Employee and Applicant

This Privacy Notice (hereinafter referred to as “Privacy Notice”) is explained about the collection, use, or disclosure of your personal data by Kangwal Holding Company Limited (hereinafter referred to as “company” or “we”, “us” or “our”), in the purpose of collection, use and/or disclosure of the personal data of employees and job applicants of the company. This is a fundamental right to privacy of a person (Privacy Right) that must be protected and comply with the law. including the established rules by having to set up a system to control and supervise rigorously To keep the personal information of the data subject safe. Data is processed or collected. Use or disclose them transparently and in accordance with the statutory standards required by the regulatory bodies.

By this privacy policy The purpose is to inform the data subject about the treatment of your personal data such as collection, use, disclosure, including rights. of the data subject, etc., and this policy It is applicable to all operating activities of the Company. related to personal data as follows:

1. Definition

“Employee” means all employees pursuing to the Company’s rules and regulations.

“Job Applicant” means a job applicant, an applicant for an internship. Regardless of the method of applying for a job through any channel, such as applying by yourself (Walk-in), via e-mail, through third parties. or social media and whether the job application is done by the applicant himself Or is it a job recruitment within the company? or through the recommendation of individuals, agencies and/or educational institutions. or through the operation of the recruitment service provider

“Personal data subject” means personnel, employees or job applicants of the Company. later in this policy, some parts will be abbreviated as “data subject” or “you”

“General Data” means information about an individual that enables an individual to be identified either directly or indirectly. but does not include information of the deceased in particular

“Sensitive Data” means personal data classified as inherently private matter of the Data Subject according to the law, where will be collected, used and/or disclosed by the company when obtaining the express consent of the employee, or where is required by law. In some cases, the Company may require collecting, using and/or disclosing sensitive personal data,
such as, religious beliefs, health data, disability data, criminal records, biometric data and so on.

“Data Processing” means any processing of employee’s personal data by the Company, including the collection, retention, use, disclosure and deletion of such data.

2. Personal Data for Employee

1. The collection of Personal data

The Company will collect personal data of employees as detailed below. Provided that the employees could not provide such personal data, the company may fail to comply with the terms and conditions of employment contract for applying for a job, labor law and/or any other relevant laws as follows:

1.1 Name-Surname, nickname, address according to house registration, address where can be contacted, birth of date, gender, nationality, religion, ID card number, contact information, such as, phone number, email, LINE ID, Facebook, LinkedIn Profile, marital status.

1.2 Education background, work experiences, including the company name of employer, start and end date of working.

1.3 Resume, copy of completed transcript, copy of ID card, copy of house registration, copy of military certificate, copy of income statement/salary slip, copy of employment certificate, copy of name-surname change notification, copy of examination results/certificates, copy of bank account number.

1.4 Wages, other compensation, bonuses, and employees’ welfares.

1.5 Medical certificate, physical examination results before starting work, credit bureau information, a result of bankruptcy checking.

1.6 Health data, data of health check-up, medical history.

1.7 Photos.

1.8 The Company collects personal data of third parties related to employees, including:

(1) Family information (parents, spouses and children) consisting of first name, last name, relationship, occupation, phone number, with the purpose of benefit of the company's provided to employee’s family, such as health insurance.

(2) Emergency contact person, consists of name-surname, relationship, occupation, phone number and address.

(3) Reference person, consists of name-surname, relationship, occupation, phone number and address.

1.9 Attendance (working days and hours), different types of leave, reasons for leaving and related documents.

1.10 Disciplinary actions to employees, including penalty, complaint and other related documents.

1.11 Annual performance and related documents.

1.12 Training history and related documents.

1.13 Other personal data that may be retained additionally for the purposes of Human Resources Management and complying with the relevant laws.

The Company may retain personal data of employees in various forms, such as document or electronic.

2. Purpose of Personal Data Collection

2.1 The company will collect, use, or disclose personal data of employees for the purposes of human resource management according to its work instruction abiding by the relevant law and according to the policy of executive.

2.2 The Company will collect, use, or disclose personal data of third parties related to the employees for the benefit of employees' welfares as specified in Article 2.8 or for communication (as a case may be).

2.3 The Company will collect, use, or disclose personal data of applicants for the benefit of recruitment or for an interview at the next opportunity.

3. Use and Disclosure of Personal Data

The Company will use your personal data for all operations in accordance with the company's purposes related to human resource management activities, whereby the Company processes such data for a reason (data processing basis), or any reasons as provided below:

3.1 Contract Basis: For the fulfillment of performance according to the employment contract between the company and the employees or for the employee’ request pursing to the rules and conditions prescribed by the company, with the purpose of providing services under the contract thereon, for instance, preparing employee salaries, the management of employee welfare, providing an insurance for employees and their family, etc., which the Company may process on its own/or co-process with third parties.

3.2 Legitimate Interests Basis: For the human resources management of the company, for auditing, for preparing a report, for maintaining a safety system and risk management, with the purpose of the legitimate interests of the Company, such as, CCTV recording, handling a complaint, survey of employee engagement with the organization, risk management, etc.

3.3 Legal Obligation Basis: The company may process the personal data of employees in order to carry out any activities related to employees with legal entities, such as, the Revenue Department, Office of Social Securities, Department of Skill Development, etc.

3.4 Consent Basis: The Company will request a consent from employees to process their personal data for the purpose of human resource management within the company, for example, recruitment, selection, assignment of employee, etc.

The Company will only process your personal data in accordance with the stated purpose. In some cases, the company may consider processing your personal data for other relevant purposes and non-contradictory or in addition to the original purpose. Although it is necessary to process your personal data for other purposes that are not related to the original purpose, the new consent will be requested from the data subject for the use of such data under a new purpose.

Furthermore, if the employee wishes to withdraw a consent of such processing, the employee can contact the company and notify his/her wishes in accordance with this notice. Please be advised that the withdrawal of consent may affect employees in respect of the employee’s benefits regarding the human resources management, recruitment, selection, assignment and/or various services provided by the Company, therefore, it is necessary to study and inquire about the impact before withdrawing the consent.

4. Transferring of Personal Data

The company may transfer your personal data to other parties, where is necessary for data processing according to contractual or legal responsibilities or the consent given by the employees. The company may send or transfer personal data of employees to third parties as follows:

4.1 External agencies to carry out any processing related to employees, such as, salary or tax payment, social security, life-health insurance, by submitting or transferring such data to the Revenue Department, Office of Social Securities, Department of Skill Development, or any financial institutions, which collectively has a cooperation agreement, etc.

4.2 Regulatory agencies or governmental agencies.

4.3 For the establishment of contractual or legal claims of the company or raising the defense of legal claims.

4.4 The Company may transfer the personal data of employees to a foreign country (Cloud), whereby that is considered by the Personal Data Protection Committee whether there is adequate personal data protection or data protection measures.

5. Period of Personal Data Retention

The company will collect the personal data of employees during the time of employment and no later than 10 years from the date of termination of employment, or by the consent, or according to the period of legal claims, whichever it is longer.

3. Personal Data for Applicant

1. Purposes of collection, use and/or disclosure of Personal Data

The Company collect, use and/or disclose your Personal Data only where there are proper reasons and/or legal grounds to do so. This includes sharing it to third parties under the following main purposes:

1.1 For recruiting personnel and before the Company enters into an employment contract with you;

1.2 For processing your Personal Data in compliance with the law, obligations under the law or the employment contract;

1.3 For the Company’s legitimate interests in processing your Personal Data while still considering that your fundamental rights does not exceed the benefits of the Company;

1.4 For a specific purpose in accordance with the consent you gave to the Company in processing your Personal Data.

2. Collection of Personal Data

The Company collects and uses many kinds of Personal Data, depending on the circumstances that are relevant to the recruitment process and on-boarding process of the Company.

2.1 Sources of data for the collection of Personal Data

The Company collects your Personal Data from a variety of sources, such as:

(2.1.1) Information obtained directly from you as part of the job, scholarship and internship recruitment process (i.e., job application, scholarship application, internship application, brief work history (CV or resume)) and identity documents such as identity cards, passports, driving license, etc.;

(2.1.2) Information which the Company receives from recruiter websites, headhunters or from current employees of the Company.

(2.1.3) Data that the Company received during the recruitment process, whether from telephone or video call;

(2.1.4) Data that the Company has or may have received when you used the Company’s systems, tools or websites;

(2.1.5) Job application or other information in the documents that you are provided to the Company at the beginning or during the recruiting process;

(2.1.6) Correspondence with you through interviews, meetings or other devices e.g., CCTV, visual and/or voice recording equipment, etc.

In some cases, the Company may collect your personal information from third parties, such as references from previous employers (such as years of services, performance during work for the former employer, etc.), information that can be accessed from various sources such as LinkedIn, JobsDB, Facebook, etc., information obtained from a resume verification service provider, information from credit companies and criminal records.

2.2 Categories of Personal Data collected, used or disclosed

The categories of your Personal Data that the Company collects, uses or discloses (collectively “process” or “processing”), subject to applicable law, includes but is not limited to the following:

(2.2.1) Personal details: First name and surname, gender, date of birth, marital status, military status, personal identification number, passport number, other identification number issued by the government authorities to be used as an identity verification document, nationality, photograph as it appears on the identification card, passport or driving license, signatures, identity verification information, photograph and CCTV image/footage;

(2.2.2) Contact details: Address, telephone number and e-mail address;

(2.2.3) Educational details: Details of educational background, transcript and educational achievements;

(2.2.4) Family details: Names and contact details of family members, including spouse and children;

(2.2.5) Professional details: Details of profession, professional memberships, employer’s feedback, your qualifications, skills, experience and employment history (CV or resume);

(2.2.6) Financial and transactional details: Salary and benefits (i.e., bonus, provident fund, pension and insurance);

(2.2.7) Other details: Information received or may have been received during a job interview; and

(2.2.8) Sensitive Personal Data: such as religion, race, health data and medical data, and criminal record.

The Company may also collect some sensitive Personal Data about you for use in recruiting and considering who will fit the job. However, the Company will not collect, use and/or disclose this type of data without your explicit consent unless the law allows the Company to do so.

2.3 Refusal to give Personal Data to the Company

Under the circumstances where it is necessary for the Company to collect your Personal Data and you refuse to give your Personal Data to the Company, the Company may refuse to take other relevant actions.

3. Processing of Personal Data

Pursuant to the purposes, the Company may process your Personal Data in accordance with applicable law and a legal basis. The legal basis on which the Company performs such processing are as follows:

3.1 The purposes of collection, use and disclosure of Personal Data under contractual basis shall be following:

•  To perform any action in connection with your job or internship application.
• To perform any action in connection with your scholarship.
• To verify your identity.
• To assess competence, qualifications, and suitability for the position.
• To conduct background checks and reference with if it is possible.
• To communicate with you about the recruitment process.
• To prepare a record about the Company's hiring process.

3.2 The purposes of collection, use and disclosure of Personal Data legal obligation basis are for complying with the legal requirements.

3.3 The purposes of collection, use and disclosure of Personal Data under consent basis are for conducting background checks and reference with, if it is possible, to the extent with your consent.

3.4 The purposes of collection, use and disclosure of Personal Data under legitimate interest basis are to prevent crimes and manage the security of the Company’s premises, the Company may, for example, install a closed circuit television (CCTV) in and around the Company’s premises and these may collect your photos, videos or voice recordings.

4. Disclosure of Personal Data

The Company may disclose or send your Personal Data to third parties in order for these individuals to process your Personal Data in the following ways:

4.1 Disclosure of Personal Data to third parties

For the purposes of recruitment, we may disclose your Personal Data to reference person, educational institutions (such as universities, colleges, etc.) to verify information that you provide to the Company, the data processors of the Company, and/or third parties who are performing background checks on behalf of the Company (e.g., credit companies, criminal background examination agencies, etc.).

4.2 Transfer of Personal Data overseas

The Company may be required to send or transfer your Personal Data overseas for storage and/or processing in the performance of a contract entered into between you and the Company. The Company will not allow unrelated persons to access the Personal Data and the Company will lay out appropriate security measures.

5. Retention of Personal Data

The Company will collect your Personal Data for as long as it is necessary to carry out the purposes of processing such Personal Data. The Company will retain your Personal Data for a period of 1 year from the date on which your relationship with the Company as a candidate expires. The Company will destroy, delete or make Personal Data non-personally identifiable information unless there is a legal obligation or technical reasons whereby the Company may keep your Personal Data for a longer period of time.

In case you are selected as an employee or interns, the Company will continue to retain your personal information after the end of the recruitment process, in accordance with the Privacy Notice, for the Company's employees which is separate from this Privacy Notice for Candidates.

4. The Rights of Data Subject for Employee and Applicants

You are entitled to exercise the rights of data subject in accordance with the laws on Personal Data Protection, whereby the Company will respect your rights and proceed complying with the law, statute or regulation relating to the processing of your personal data under certain circumstances promptly. You have the rights to process your personal data as follows:

4.1 Right to withdraw consent

In the event that the company processes your personal data pursuing to your consent, you have the right to withdraw your consent for processing your personal data to the company at any time. The company may however continue to process your personal data on the ground of another lawful basis.

4.2 Right of access

You have right to request for a copy of your personal data from the company.

4.3 Right to rectification;

You have right to rectify your personal data to be accurate, up-to-date and complete.

4.4 Right to erasure

You have the right to request the company to delete, destroy, or anonymize your personal data in the circumstances that there is no reasonable reason for the company to continue processing your personal data. In addition, you can require the company to delete as well as exercise the right to object where is stipulated in the next Article. Nonetheless, the exercise of right hereof shall not be for the purpose of erasure all personal data, and the company shall carefully consider each request by the laws on processing your personal data.

4.5 Right to object

You have the right to raise an objection to the processing of your personal data in certain circumstances prescribed under the laws on personal data protection. Besides, you have the right to object to the processing of your personal data in the case that the company processes your personal data for marketing purposes, recording and analyzing the psychological and behavioral characteristics of individuals (Profiling).

4.6 Right to restriction

You have the right to request the company to restrict of processing of your personal data temporarily, for instance, when you wish the company to correct your personal data or when you request the company justifying the lawful basis for processing under the laws on personal data processing.

4.7 Right to data portability

In some cases, you may request the company to transfer or transmit your general personal data to other data processor via electronics. However, this right is particularly in the case of your personal data submitted to the company by consent basis, or where such personal data is required to be processed in order to fulfil the obligation under the contract.

4.8 Right to lodge a complaint

You have the right to lodge a complaint to the governmental agencies as well as the Personal Data Protection Committee in the case of violation of the law by the company or the company’s staff.

At any time, you may exercise your rights by contact the company following information provided in Article 7 of this privacy notice.

The Company may request some certain information from you to verify your identity and ensure your right to access personal data (or to exercise any other rights) to observe the security measures ensuring that your personal data will not be disclosed to any person,
who is not entitled to access such information

The Company will endeavor responding to all legitimate requests within 30 days. In some cases, the Company may take more than 30 days if your request is complicated, or you are submitting more than a request. Following to such event, the Company will notify and keep you posted the status of your request at all the times, in addition to comply with legal requirements related to the rights of employees, as a data subjects of personal data. Supposing that the employees request the Company to delete, destroy or dispose the processing of your personal data, to temporarily suspend of use, to de-identify the personal data, or to withdraw your consent, it may cause the restriction on the company in the performance of employment contract or in processing in accordance with the relevant laws. In this regard, the Company reserves the right to charge any necessary expenses for any processing of your personal data upon your request.

5. Security for your Personal Data

We have furnished the appropriate security measures covering the administrative safeguards, technical safeguards as well as physical safeguards in the purpose to protect loss of personal data or control the access of personal data to protect from loss, unauthorized access, alteration, modification, or disclosure without authorization in accordance with our Information Security Policy and Practice.

Additionally, with the purpose of retention your personal data as a confidentiality, integrity, and availability, we have also publicly established Privacy Notice in accompany with guidelines for security in the collection, use or disclosure of personal data, which will be reviewed from time to time suitably. In this regard, we will consider upon and abide by the Laws on Personal Data Protection, the Announcement of the Ministry of Digital Economy and Society concerning the Requirements for Personal Data Security Standards B.E. 2563 and the Announcement of the Ministry of Digital Economy and Society concerning the Requirements for Personal Data Security Standards (No.2) B.E. 2564, as well as other announcements or orders of the Office of the Personal Data Protection Commission.

6. Review of Privacy Notice

Subject to the Personal Data Protection Act B.E. 2562, this privacy notice will be amended occasionally, and the update version will be displayed on the company’s website.

7. Contact Us

If you have any concerns or questions about any aspect of the Company’s practices in relation to your personal data, you may contact the company using the contact information provided below:

PDPA Working Group

Email address: dpo@137pillarshotels.com

137 Pillars Suites & Residences Bangkok, contact +66 (0)2 079 7000

137 Pillars House Chiang Mai, contact +66 (0)53 247 788