Vendor Privacy Notice

1. General Information

PDLegal Asia (Thailand) Company Limited ( “we”, “our” or “us”) has prepared this privacy notice (“Privacy Notice”) to describe our standard practice and how we handle personal data of our vendors, potential vendors, and any persons related to our vendors in accordance with the Personal Data Protection Act B.E. 2562 (2019), including any ancillary laws related and any amendment which may be made thereto (“Applicable Data Protection Laws”).

Under this Privacy Notice, we collect and process personal data from the following:

Vendor”, which means any individual or natural person who is our vendor (or prospective vendor), including where such person provided quotations for offering products and/or services to us, or any other persons having similar characteristics, such as employees or potential employment candidates, payroll service providers, internet service providers, service providers for office equipment, couriers, auditors, consultants, suppliers and other contractors, etc.

Persons related to the Vendor”, which means any individual or natural person who is the contact person, representative or personnel of the corporate vendor or any other persons having similar characteristics, such as directors, executives, employees, attorneys-in fact or other authorized persons of such corporate vendor, as well as persons whose personal data appears in relevant documents and processes, such as witnesses, cheque payers, messengers, consignees, etc.

In this Privacy Notice, any reference to the “Vendor” shall be construed so as to include the “Persons related to the Vendor” and the terms “you” “your” or “yours” shall have a corresponding meaning.

2. Personal Data Collected

We may collect and process the following data:

2.1 Identity Information, name, surname and nickname, gender, title, organization, occupation, position, job title and responsibilities, authority, marital status, government issued documents or information (e.g., national identification card, passport, work permit, visa, entry card, house registration, tax identification number, and/or other governmental document/number), photo, signature, curriculum vitae (CVs/resume), assets, working experiences, educational background, family background, and photographs or videos, etc.

2.2 Contact information, such as telephone number, fax number, e-mail, home address, work address, delivery address, billing address and user IDs for communication applications (e.g., Telegram, Line, WhatsApp, WeChat, KaKao) or other social media platforms (e.g., LinkedIn), etc.

2.3 Organizational information, such as name of company you work for, your company’s affiliated agency or organization, your job title, position, division, and department, etc.

2.4 Financial information, such as bank account details, personal data contained in invoices, tax invoices, receipts, and other financial details, etc.

2.5 Information contained in documents, contracts or agreements, such as personal data contained in the original and/or copy of documents you provided to us, including the national identification card (or other similar forms of documentation), passport, visa document, work permit, house registration book, power of attorney, company’s affidavit, memorandum of association, articles of association (or other forms of similar documents), list of shareholders, VAT registration certificate, fee proposals, quotations, service agreements, or any other documents or agreements having similar characteristics, etc.

2.6 Sensitive Personal Data, such as health data (i.e., results of ATK/PCR tests for COVID-19), religious beliefs, criminal records, etc.

2.7 Technical information, such as log file and IP Address, etc.

2.8 Other information, such as license plate number, type of vehicles, records of mail/courier delivery and receipts, and records of e-meetings and telephone conversations, etc.

3. How Data is Collected

3.1 Typically, we collect your personal data in the following ways:

(a) Directly from you
We may directly collect your personal data from you, for instance:

    • When you contact us, whether in written or oral communications, and whether by face-to-face interaction or using any other channels such as telephone, e-mail, mail, website, or any other media platforms;
    • When you express an intention to use our services, engage or enter into contracts, letter of engagements, assignment letters, and/or confidentiality agreements or non-disclosure agreements with us;
    • When you deliver documents containing personal data to us; or
    • When you attend business events, or any other activities organized by us, on our behalf or in which we participated.

(b) From other sources or third parties
We may collect your personal data from other sources or third parties, such as:

    • Your contact persons, secretaries, representatives, personnel, attorneys-in-fact and/or other authorized persons;
    • Our business partners or service providers, such as mailing services and payment services;
    • Our regional offices and affiliates across our global network, including in Singapore, Malaysia, and the United Kingdom; or
    • Government authorities, public agencies, courts of justice.

In some cases, we may collect your personal data from public sources which provide information relating to your business, irrespective of whether you have disclosed the personal data by yourself or have provided consent to those sources to disclose your personal data.

3.2 Where we have previously collected your personal data before the Applicable Data Protection Laws have become effective, we will continue collecting and using your personal data only for the original purposes of such collection. Nevertheless, if you do not intend for us to continue collecting and using your personal data and if we have relied on your consent as a basis for processing your personal data, you may contact us by using the contact details provided at the bottom of this Privacy Notice to request for the timely withdrawal of your consent. We reserve the right to consider your request for the withdrawal of consent and proceed in accordance with the Applicable Data Protection Laws.

4. Purposes and Legitimate Bases for Personal Data Processing

4.1 We process your personal data for the following purposes ( “Purposes”) and under the following legal bases:

Legal Basis

Purposes

Legitimate interests basis: the processing of your personal data is necessary for our legitimate interest in identifying and verifying your identity to ensure that you have the legal capacity or are the authorized person or representative of the company or organization who is capable of entering into any agreement or arrangement with us.

 For the purposes of identifying and verifying your identity prior to entering into any agreement with you.

  • Contractual basis: the processing of your personal data is necessary for the procurement and selection processes prior to entering into a service agreement, to which you are a party.
  • Legitimate interests basis: in case of corporate vendors, the processing of personal data of Persons related to the Vendors is necessary for our legitimate interest in conducting our procurement and selection processes.

 For the purpose of procurement and selection of the Vendor.

  • Contractual basis: when you are an individual Vendor, the processing of your personal data is necessary for the quotation purposes prior to executing any agreement or letter of engagement to which you are a party.
  • Legitimate interests basis: when you are a Person related to the Vendor, the processing of your personal data is necessary for our legitimate interest to review fee quotations, as well as to execute any agreement or letter of engagement with the company or organization you represent.

For the purposes of our fee quotation as well as executing any service agreement or letter of engagement.

  • Contractual basis: when you are an individual Vendor, the processing of your personal data is necessary for managing and/or receiving the services specified under the service agreement or other agreements entered into between you and us, including contacting and coordinating with you with respect to the products and/or services provided.
  • Legitimate interests basis: when you are a Person related to the Vendor, the processing of your personal data is necessary for our legitimate interest in managing and/or receiving the services specified under the service agreement or other agreements entered into between the company or organization you represent and us.

For the purpose of managing and/or receiving the services specified under the service agreement or other agreements, including contacting and coordinating with the Vendor with respect to the products and/or services provided.

  • Contractual basis: when you are an individual Vendor, the processing of your personal data is necessary for administering and making payments pursuant to the service agreement or other agreements entered into between you and us, including performing other accounting procedures.
  • Legitimate interests basis: when you are a Person related to the Vendor, the processing of your personal data is necessary for our legitimate interest in administering and making payments pursuant to the service agreement or other agreements between the company or organization you represent and us, including performing other accounting procedures.

For the purpose of administering and making payments pursuant to the service agreement or other agreements.

  • Contractual basis: when you are an individual Vendor, the processing of your personal data is necessary for the processing of invoices or receipts for you in accordance with the agreement or letter of engagement between us.
  • Legitimate interests basis: when you are a Person related to the Vendor, the processing of your personal data is necessary for our legitimate interest in processing invoices or receipts for the company or organization you represent.
  • Legal Obligation basis: the processing of your personal data is necessary for our compliance with the applicable laws.

For the purpose of processing invoices and receipts.

Legitimate interests basis: the processing of your personal data is necessary for our legitimate interest to perform our internal business operations, such as creating a Vendor database among our affiliate and networks, performing routine and non-routine internal audits, conducting maintenance of the IT system, and other service planning, etc.

For the purpose of creating a database, internal audit, and analysis of information that is necessary for our business operations.

Legal obligation to achieve the purposes relating to public interests in public health: in some cases, the processing of health data is necessary for our compliance with the laws to achieve the purposes with respect to public interests in public health, such as protection from dangerous contagious diseases or pandemics in accordance with laws on communicable diseases. For example, the collection and use of health data (i.e., results of ATK/PCR tests for COVID-19) to safeguard health and safety in the workplace, such as to determine the necessary actions and arrangements to be undertaken.

For the purpose of safeguarding the health and safety in the workplace and of our personnel.

Legal obligation basis: in certain cases, we are required to process your personal data to comply with the applicable laws which are relevant to our business operations, such as tax law, accounting law, Applicable Data Protection Laws, computer crime law, and legitimate orders of the courts, government agencies, and relevant officers.

For the purpose of compliance with the laws relating to our business operations as well as legitimate orders of the courts, government agencies, and relevant officers.

Legal obligation and/or Legitimate interests basis: the processing of your personal data is necessary for the establishment, compliance, exercise or defense of legal claims in various stages according to the laws, such as investigation and/or inquiry by government officials, case preparation, prosecution and/or pursuit of the case in court, etc.

For the purpose of establishment, compliance, exercise or defense of legal claims or proceedings in Thailand or elsewhere.

4.2 The personal data which we process for the purposes of compliance with legal or contractual obligations, or for entering into any contract with you, is necessary to achieve such purposes. If you fail to provide us with certain personal data when requested, we may not be able to perform the contract which we have entered into with you, or we may be prevented from complying with our legal obligations (as the case may be). In such case, we reserve our right to decline to enter into any contract with you or cancel any services related to you, whether in whole or in part.

4.3 We will notify you if there are any other Purposes in addition to the above or when we change the original Purposes.

5. Disclosure of Your Personal Data

5.1 We may disclose your personal data to achieve the Purposes or to comply with our legal obligations to the following recipients or categories of recipients:

(a) Our regional offices and affiliates across the PDLegal network, including Singapore, Malaysia, the United Kingdom, as well as to their management, partners, associates, legal secretaries, accounting managers, staff members and/or other relevant personnel, on a need-to- know or confidential basis, as the case may be.

(b) Our business partners, service providers, and data processors, such as cloud services, IT services, website service providers, payment services, mailing services, delivery services, printing services, and document storage services.

(c) External auditors or any other similar professional advisors.

(d) Courts or relevant government agencies which have supervisory duties under the laws or which have requested the disclosure pursuant to their lawful powers or which are relevant to the legal process or which were granted permission pursuant to the applicable laws, such as the Courts of Thailand, Revenue Department, the Office of the Personal Data Protection Commission and the Office of the Attorney General.

(e) Any third parties who you have provided consent to disclose your personal data to (e.g. the disclosure of photos of our business events through our media platforms to the general public).

5.2 Where we disclose your personal data to any third parties, we will put in place appropriate safeguards to protect the personal data that has been disclosed and to comply with the standards and duties relating to the personal data protection prescribed by the Applicable Data Protection Laws. In the event that we send or transfer your personal data outside Thailand, we will ensure that the recipient country, the international organization or such overseas recipient has sufficient standards for the protection of personal data or such transfer of your personal data outside Thailand has been carried out in accordance with the Applicable Data Protection Laws. In certain cases, we may request your consent for the transfer of your personal data outside Thailand, subject to the requirements under the Applicable Data Protection Laws.

6. Your Rights As Data Subject

You have the following rights in relation to your personal data, subject to certain conditions and restrictions under the Applicable Data Protection Laws. If you intend to make a request to exercise your rights, please contact us by using the contact details provided at the bottom of this Privacy Notice.

6.1 Right of Access
You have the right to access your personal data and may request us to provide you with a copy of such personal data.

6.2 Right to Data Portability
You have the right to obtain your personal data and may request us to transmit your personal data directly to another data controller or to you, except where it is technically unfeasible.

6.3 Right to Object
You have the right to object to the processing of your personal data in certain circumstances prescribed under the Applicable Data Protection Laws.

6.4 Right to Erasure
You may request us to delete, destroy or anonymize your personal data in certain circumstances prescribed under the Applicable Data Protection Laws.

6.5 Right to Restriction
You have the right to restrict the processing of your personal data in certain circumstances prescribed under the Applicable Data Protection Laws.

6.6 Right to Rectification
You have the right to request us to rectify your personal data if the personal data is inaccurate, not up-to-date or incomplete, or may be misleading.

6.7 Right to Withdraw Consent
If we rely on your consent as the legal basis for processing your personal data, you have the right to withdraw such consent which has been provided to us at any time.

6.8 Right to Lodge a Complaint
If you have any concerns or questions about any aspect of our practices in relation to your personal data, please contact us by using the contact details provided at the bottom of this Privacy Notice. Where there is a reason to believe that we are in breach of the Applicable Data Protection Laws, you have the right to lodge a complaint to the expert committee appointed by the Personal Data Protection Commission in accordance with the rules and methods prescribed under the Applicable Data Protection Laws.

Please note that we reserve the right to consider your request and proceed in accordance with the conditions and requirements under the Applicable Data Protection Laws.

7. Cookies

We use and engage certain service providers to use cookies, web beacons, and similar tracking technologies (collectively, “Cookies”) on our websites and our online properties.

7.1 What are Cookies?
Cookies are small amounts of data that are stored on your browser, device, or the page you are viewing. Some cookies are deleted once you close your browser, while other cookies are retained even after you close your browser so that you can be recognized when you return to websites. More information about cookies and how they work is available at www.allaboutcookies.org.

7.2 How Are Cookies Used?
We use cookies to provide the websites and our online properties, and services, gather information about your usage patterns when you navigate the websites and our online properties in order to enhance your personalized experience, and to understand usage patterns to improve our websites and our online properties, products, and services. We also allow certain third parties to place cookies on our websites and our online properties in order to collect information about your online activities on our websites and our online properties over time and across different websites you visit.

7.3 What Are Options if You Don’t Want Cookies?
You can review your browser settings, typically under the sections “Help” or “Internet Options,” to exercise choices you have for certain Cookies. If you disable or delete certain Cookies in your Internet browser settings, you might not be able to access or use important functions or features of our websites and our online properties, and you may be required to re-enter your log-in details.

8. Retention Period

We will retain your personal data for as long as it is reasonably necessary to fulfil the purposes for which we obtained it, and to comply with our legal and regulatory obligations. However, we may have to retain your personal data for a longer duration from time to time as required by applicable law.

9. Updates and Revisions

We may make changes to this Privacy Notice and inform you of such from time to time to reflect any changes to the personal data processing and to comply with any changes to the Applicable Data Protection Laws.

10. How to Contact Us

If you have any inquiries or concerns or would like to exercise your rights set out in this Privacy Notice, please contact us:

PDLegal Asia (Thailand) Co., Ltd.
6th Floor, 6 O-NES Tower, Sukhumvit Soi 6, Khlong Toey, Bangkok 10110
+66 2 254 6415
Thailand@pdlegal.com.sg