Personal Data Protection Policy
of MBK Hotel & Tourism Limited
MBK Hotel & Tourism Limited respects and gives precedence to the privacy rights and the protection of personal data of its customers, business partners, business alliances, and stakeholders. It aims to protect customer data in the collection, use, disclosure, delivery and/or transfer of that data to other persons, to prevent the misuse of customer data, and to keep the said data confidential according to international standards, so that customers can trust and rely on its personal data management. Therefore, this Policy has been prepared with the following statements.
In this Personal Data Protection Policy, the following words or statements have the meanings set out below.
|Term|Meaning|
|---|---|
|“Customer”|means the customer, buyer, or user of the Company’s services, and the user of the Company’s website, application, or other services, who is a natural person, including a business partner, business alliance, or stakeholder who is a natural person, except staff.|
|“Company”|means MBK Hotel & Tourism Limited.|
|“Company in MBK Group”|means a company whose shares are held by MBK Public Company Limited, directly and indirectly, in every period, for at least 20% of that company’s paid-up capital.|
|“Website”|means the website owned or provided for service by MBK Hotel & Tourism Limited, as the case may be.|
|“Application”|means MBK Application and/or an Application of which the service is provided by MBK Hotel & Tourism Limited. This Personal Data Protection Policy also applies to any parts of the Application that the Company alters, improves, updates, or adds, except where the altered, improved, updated, or added Application is governed by conditions and agreements separate from this Personal Data Protection Policy.|
|“Personal Data Controller”|means the company that has decision-making power over the said personal data and that acquires personal data from the customers, provides services to the customers, or must execute or comply with the contract entered into with the customer.|
|“Personal Data Protection Officer”|means the officer who is appointed by the personal data controller to perform the duty of personal data protection officer according to the Personal Data Protection Act B.E. 2562 (2019).|
|“Personal Data Processor”|means the personal data processor for the Company.|
|“Personal Data”|means data which relates to a person and can identify that person, either directly or indirectly, according to the Personal Data Protection Act B.E. 2562 (2019).|
|“Business Alliance”|means a business partner which is the Company’s business alliance or collaborates with the Company.|
2. General Provision
This Personal Data Protection Policy has been prepared to notify the customers of the details and procedures for protecting and managing their personal data. The Company may periodically improve or revise this Personal Data Protection Policy, and anything prescribed specifically in any part of this Website or Application, in whole or in part, to be consistent with changing service guidelines and laws. Therefore, the customer should regularly check this Personal Data Protection Policy for changes. The Company shall publicize any change to the Personal Data Protection Policy on the page of this Website or Application. In the case of a substantial change, the Company shall notify the customers for acknowledgement.
Furthermore, this Personal Data Protection Policy applies to the following.
1) Hotel & Tourism service, leasing immovable properties and spaces, business, hotel, spa & massage, fitness, restaurant space service, and other services of the Company;
2) Registration for applying to use Application services;
3) Service or purchase of products, and access to or use of content, features, technology, or functions appearing in this Website or Application of the Company;
4) Other related services, including other services of the Company, whether currently available or to be developed or provided in the future; and
5) Service to all types of the Company’s securities holders, creditors, business partners, and stakeholders, except staff.
3. Personal Data Collection
The Company collects data by various means and applies technologies such as cookies, which are small pieces of data stored on the customer’s device that allow the Website or Application to remember data about access to the Website or Application, or how each customer uses the Website or Application (additional data relating to cookies). The customer-related data collected contains the following.
3.1 Data directly provided by the customer: The Company shall collect the essential personal data required for providing services to the customer or must execute or comply with the contract or must comply with laws. The Company shall gather data delivered by the customer to the Company, such as data filled by the customer while registering to apply for using services or request for using services of the Company, data used in applying services or requesting for using services, and activity participation data, survey form completing data, user account data, or data revised and updated by the customer in the user account data of the customer, or data acquired from the customer contact with the Company or the Company’s working team, or data acquired from other user accounts reasonably believed by the Company that the said data is under control of the customer, all types of data displayed on the page of the user profile, and the page of service application, such as title, name-surname, Citizen Identification Card No., Passport No. (for foreigners), Identification Card No., birth date, sex, nationality, income, contact address, Contact Mobile Phone No., e-mail, Social network: Line or Facebook, photograph, user-related data, interest, job, signature, and all opinions remarked via Website, etc.
For personal data for which the law requires the customer’s consent before collection, the Company shall collect only as much as necessary and only with the customer’s consent, unless a legal exception allows the Company to collect it without requesting the customer’s consent.
In some cases, for the purpose of service or any other operation of the Company in line with the Company’s objectives in collecting personal data, the Company needs to collect, use, or disclose personal data which is especially sensitive, such as personal data relating to race, tribe, political opinion, doctrine, religious or philosophic beliefs, sexual behavior, disability, labor union data, genetic data, biological data, etc. In such a case, the Company shall notify the customer for acknowledgement and ask for the customer’s consent to collect, use, or disclose the especially sensitive data for each objective, unless the collection or disclosure of the especially sensitive data can legally be performed by the Company without requesting the customer’s consent.
3.2 Data acquired from the customer’s service use: The Company shall gather data relating to the services used by the customer, and customer usage method, such as visual and audio data, device data used by the customer for accessing to use Website or Application, Computer Traffic Log, communication data between the customer and other users, and usage recording data, such as device identifier, Computer Internet Protocol Address (IP Address) No., Device ID, type of device, mobile network data, connection data, geographical location data, using positioning technology, such as IP Address, Global Positioning System (GPS), type of browser, website access recording data, data of the customer’s pre- and post- referring website access, website usage profile recording data, Login Log, Transaction Log, customer behavior in usage, prize redemption or privilege usage history, website login statistics, website access time, searching or visiting data of the customer, social media usage data, website function usage, and data collected by the Company via other similar cookies or technologies, etc.
Furthermore, CCTV cameras are installed in the common areas of the building and at the building entrance for security. The Company shall record audio or video, or details of communication by other means, when the customer communicates with the Company or the Company’s working team.
The aforesaid details are only examples of the data. The Company shall collect only the customer’s personal data that is essential, and shall keep it only for as long as necessary based on each type of personal data and the collection objective. At present, the Company sets the storage period of personal data at a maximum of 10 years from the date on which the customer cancels the use of the service or terminates the contract with the Company. After the storage period of each type of data has expired, the Company shall destroy the personal data collected by the Company according to the collection and usage objectives of the personal data as specified in Clause 4.
4. Collection Objective of the Personal Data for Use or Disclosure
The Company collects, uses, or discloses the personal data for the following objectives.
4.1 To use the services in an orderly manner in compliance with the related laws, rules, and regulations, and to perform duties according to the laws and criteria which are related to or applicable to the Company, whether currently effective or to be revised or added in the future.
4.2 To be useful for confirming or identifying the customer upon access to use services, entering the contract, complying with the contract, and providing services to the customer, in order to ensure that the said services and all communications of the Company are safe and confidential.
4.3 To verify the customer’s service usage data according to the safety and security standards of the system in the use of services, and in information technology infrastructure management and protection. The Company may use only as much personal data as necessary, and may encrypt it prior to its usage; and/or take a random sample or conduct a test of access by other persons, to be used in risk management and in the detection, prevention, or elimination of fraud or other activities which may violate the related laws, usage regulations, or agreements and conditions for using the Company’s Website or Application; and to improve the system safety and security standard.
4.4 To develop products and services, and enhance more service efficiency in various areas to the customers.
4.5 To contact the customer via social network, telephone, SMS, E-mail, or post, or via any other channels for inquiry, or notify the customer for acknowledgement or verify or authenticate the data relating to the customer account or opinion survey, or notify any other news information relating to the Company’s services as necessary.
4.6 To process and analyze any other benefits relating to the Company’s business operation, such as for benefit in setting, managing accounting, delivery, marketing, and communication, and educational and research activities; prepare statistics, survey, research, and develop the supplies of products and services, develop the services, prepare, and deliver the internal marketing or advertising data of the Group of the Companies, or for the related target; and deliver contents, and activity and promotion advertising and public relations; as well as provide the proper advices to ensure the conformity of services to the customer’s interest, and privacy of the business data content or experience of the user, and fraud prevention; and comply with laws and requirements of internal audit.
4.7 To prevent or abate harm to the customer’s life, body, or health, and the customer’s property; or to be necessary to perform duties for public interest of the Company, or perform duties in exercise of the government power granted to the Company or the Company’s employee or representative, or observe laws.
4.8 To develop co-marketing with the companies in MBK Group, whereas the Company’s Digital Marketing Department is responsible for processing the personal data for the companies in MBK Group. However, consent must first be given by the personal data owner for the objectives of 1) communication, data provision, or product or service recommendation, 2) proposal of the sales promotion program, marketing activities, discount, promotion, and privilege from the Company and/or business alliance, and 3) data processing and analytics in customer behavior and interest (Customer Profiling) to give the good experiences to the individual or appropriate persons, or those may be interested by the customer via Loyalty/Reward Program System.
5. Disclosure of Personal Data
Where the customer believes that the persons to whom the customer’s personal data as aforesaid is disclosed are misusing that personal data beyond the scope prescribed by the Company, the customer can inform the Company so that it can take further action in the related part. The Company advises the customer to also verify whether the customer directly uses the websites, products, or services of the Company’s business alliances or of other persons without involvement of the Company’s services or operations, since those service providers or other persons may collect personal data directly from the customer’s use of their websites, products, or services. In such a case, the Company cannot be responsible for the safety or privacy of the customer’s personal data collected by the websites, products, or services of the said service providers or other persons. Therefore, the customer should exercise care and check the personal data protection policy of the websites, products, and services of those service providers or other persons.
In addition, the Company shall disclose the customer’s personal data under the rules prescribed by law, such as disclosure of data to administrative agencies, government agencies, agencies with service compliance, or customer compliance agencies where disclosure is requested by virtue of law, such as a request for data for litigation or legal proceedings, or a request from private agencies or other third parties involved in the legal process; in case of necessity as appropriate in enforcing the terms and conditions of the Company’s usage; and in case of organizational restructuring, merger, sale of business, or sale of some types of assets.
The customer’s personal data collected by the Company may be transferred by the Company, in whole or in part, to the related companies. On the Website, the customer can check the list of the companies in MBK Group, business alliances that work with the Company, or other persons who must work with the Company or with both domestic and foreign customers, to whom the Company discloses the customer’s personal data. The companies in MBK Group, business alliances that work with the Company, or other companies that must work with the Company or with both domestic and foreign customers may increase or decrease in number. The Company shall always keep an updated list of the persons to whom the customer’s personal data will be disclosed by the Company.
6. Personal Data Access and Update
6.1 Where the customer does not wish to receive public relations information and news from the Company, kindly notify MBK Hotel & Tourism of this intention.
Contact Center: +66 (0) 2216-3700 ext. 20554 or E-mail: [email protected]
6.2 The customer can fill in the “Personal Data Request” Form and submit it to the Company, via the contact channels specified by the Company in Clause 12, for the Company to consider taking the requested action in the following cases.
6.2.1 Where the customer believes that the Company collects the customer’s personal data and the customer intends to access or be informed of the details of the customer’s personal data collected by the Company, or requests a copy of such personal data;
6.2.2 Where the customer intends to rectify the customer’s personal data so that it is correct, complete, and up to date;
Remark: Where the customer is a member and uses the services of MBK Application, the customer can change the personal data that the customer provided through the use of MBK Application services by logging in to the system and going to the “Setting” > “Profile” menu to correct the data, and the customer can also adjust the usage settings in various parts.
6.2.3 Where the customer intends to ask the Company to temporarily suspend the use of the customer’s personal data;
6.2.4 Where the customer intends to object to the collection, use, or disclosure of the personal data relating to the customer, and to object to the processing of the customer’s personal data;
6.2.5 Where the customer intends to ask the Company to erase the customer’s personal data from the Company’s system or customer database;
6.2.6 Where the customer intends to withdraw consent previously given to the Company for the collection, use, or disclosure of the customer’s personal data;
6.2.7 Where the customer intends to be informed of the existence and characteristics of the personal data, and of the Company’s objective in using the customer’s personal data;
6.2.8 Where the customer intends to ask the Company to disclose how it acquired personal data relating to the customer, in the case of data collected without the customer’s consent.
The Company shall consider the customer’s request and notify the customer of the result within 30 (thirty) days from the date on which the Company receives the request.
However, the Company can refuse the customer’s exercise of a right subject to the requirements of law. If the Company does not act on the customer’s request, the Company shall record the refusal of the request and the reason.
6.3 Where the customer disallows the Company to collect, use, or disclose some type of personal data, or asks the Company to erase the customer’s personal data from the Company’s system, or withdraws consent previously given, this may result in the Company being unable to execute the customer’s request or provide services to the customer, or may limit or reduce the efficiency of the Company’s services used by the customer compared with what is expected.
6.5 In the case where the customer deems that the Company collects, uses, and discloses the customer’s personal data, and the customer intends to exercise the right or is in doubt about the customer’s right pursuant to the Personal Data Protection Act B.E. 2562 (2019) in the following matters.
6.5.1 Right to be Informed
6.5.2 Right to Withdraw Consent
6.5.3 Right of Access
6.5.4 Right to Rectification
6.5.5 Right to Erasure
6.5.6 Right to Restrict Processing
6.5.7 Right to Data Portability
6.5.8 Right to Object
Kindly contact or submit the Request to the Company via the channels specified in Clause 12.
7. Security Measures for Personal Data Storage
The Company places strict emphasis on the security of the customer’s personal data, and establishes security measures and a secure and appropriate system for personal data collection, usage, or disclosure to prevent the loss of, and unauthorized use of, access to, change to, or disclosure of, the customer’s personal data. The Company limits access to the customer’s personal data to the staff, agents, contractors, and outsiders who need to acquire the data, and they shall process the customer’s personal data only subject to the conditions prescribed by the Company.
Furthermore, the Company shall store the personal data pursuant to the objective notified to the customer who owns the personal data, according to the requirements of law. Where the Company engages a third-party company to process the customer’s personal data, the Company shall select a company that has a standard data protection system and shall also prepare an agreement on personal data storage that conforms to the Policy.
In the event of an infringement against the customer’s personal data, the Company shall notify the Office of the Personal Data Protection Commission without delay and, as far as possible, within 72 hours from being informed of the event, unless the infringement poses no risk to the customer’s rights and freedoms. Where the infringement poses a high risk to the customer’s rights and freedoms, the Company shall also notify the customer of the infringement and of a remedy guideline for acknowledgement without delay.
8. Linkage to Third Party’s Website, Application, Product and Service
The Company’s Website may link to third parties’ websites, products, and services. Those third parties may collect some data relating to the customer’s service use, and the Company cannot take responsibility for the security or privacy of any of the customer’s data collected by the said third parties’ websites, products, and services. The customer should exercise care and check the personal data protection policy of those third parties’ websites, products, and services.
9. Application of the Personal Data Protection Policy
This Personal Data Protection Policy applies to all personal data collected, used, and disclosed by the Company, and the customer agrees that the Company is entitled to collect, use, and disclose the customer’s personal data collected by the Company (if any), and the customer’s personal data which has currently been collected and will be collected by the Company in the future, to other persons within the scope specified in this Personal Data Protection Policy.
10. Policy Review
With good governance and social responsibilities, the Company and the related work units shall review this Policy at least once a year.
11. Applicable Laws and Jurisdiction
This Personal Data Protection Policy shall be subject to the enforcement and interpretation according to Thai laws, and Thai court shall have power to consider any potential disputes.
12. Contact Channels
If the customer has doubts or questions about the Personal Data Protection Policy, the customer can contact MBK Hotel & Tourism Limited via the following channels.
– Send a letter to MBK Hotel & Tourism Limited
No. 444, Fl. 8, MBK Center Building, Phaya Thai Road, Wang Mai Sub-district, Pathum Wan District, Bangkok 10330.
– or contact MBK Hotel & Tourism Contact Center: +66 (0) 2216-3700 ext. 20554
– E-mail: [email protected]
The Company has entrusted and appointed Mr. Apichart Suphadej as the personal data protection officer, with the power and duty of the personal data protection officer as prescribed in the Personal Data Protection Act B.E. 2562 (2019), and as coordinator for the Company’s personal data protection.
Contact Place: MBK Public Company Limited, No. 444, Fl. 8, MBK Center Building, Wang Mai Sub-district, Pathum Wan District, Bangkok 10330.
Contact Channel: (66) 2853-9000
In the case of complaints on the Company, violation or breach of laws by the Company’s employee or staff, the personal data owner can complain to the Compliance Unit as per the following details.
Office of the Personal Data Protection Commission
Contact Place: Fl. 7, Ratthaprasatphakdi Building, the Government Complex Commemorating His Majesty the King’s 80th Birthday Anniversary, Chaeng Watthana Road, Thung Song Hong Sub-district, Lak Si District, Bangkok 10210
However, the data owner must complain within the period specified by law.
By resolution of the Board of Directors,
Announced on 30 June 2020.