
Privacy Policy
Personal Data Protection Policy
For Third Party
Last updated: 13 Dec, 2024CARIVA (Thailand)Company Limited (hereinafter referred to as “we”, “us”, “our”, “ours”, “ARV”, or “Company”, ) recognize the importance of the protection of your personal data. Therefore, we have issued our Personal Data Protection Policy (“Policy”) in order to prescribe the process of data collection, storage, usage and disclosure, also including other rights of the Data Subject under Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). Company would like to announce this Policy with the following:1) Definition“Personal Data” means any information relating to a person which enables the identification of such person, whether directly or indirectly, but not including the information of deceased persons in particular.“Sensitive Personal Data” means any information relating to a particular person which is sensitive and presents significant risks to the person’s fundamental rights and freedoms, which includes data regarding racial or ethnic origin, political opinions, cults, religious or philosophical beliefs, sexual behavior, criminal records, health data, disabilities, trade union information, genetic data, biometric data, or any data which may affect the Data Subject in the same manner, as prescribed by the Personal Data Protection Committee.“Personal Data Protection Committee” means the Committee appointed under the PDPA, in charge of the duties and authorities to govern, issue criteria or measures or provide any other guidance as prescribed by the PDPA.2) Application of this PolicyThis Policy applies to you if you are (i) a natural person who is our business partner or sells products or provides service(s) to ARV, or (ii) a contact person or authorized representative of the entity who is our business partner or sells products or provides service(s) to ARV (collectively referred to as, “Third Party”).3) Collection of Personal DataCompany shall collect your personal data within the purpose, scope, and lawful and fair methods as is necessary which is defined hereinbelow. In case the Company needs to collect sensitive data, the Company shall request explicit consent from you before such collecting, except for when this is allowed by the PDPA, or other laws.In general, Company will collect and process the following categories of your Personal Data:3.1) Identification and contact information:
- Full name, e-mail address, telephone number, mobile phone number, date of birth, address, identification card number, passport number, data contained in the identification card and passport
- Full name, e-mail address, telephone number, mobile phone number, date of birth, address, identification card number, passport number, data contained in the identification card and passport
- Your resume, CV, biography, professional background, educational background, language proficiency, position, company’s name, etc.
- Your data related to the COVID-19 vaccination status and COVID-19 test result may also be collected by us.
- We may also collect your Sensitive Personal Data that appear on the copy of your identification card, i.e., your religious belief and/or blood type. However, we do not have an intention to process such Sensitive Personal Data; therefore, we will require you to omit, blind or cross out the information about religious belief and/or blood type before providing a copy of your identification card to ARV.
- In the case where we will collect the Personal Data other than those proscribed in this Policy, we will inform you about the collection or the processing of the Personal Data and may request for your consent (if required), in accordance with the conditions prescribed by the PDPA.
In general, we will collect the Personal Data directly from you; however, in the case where it is necessary for us to collect your Personal Data from other sources, we will ensure that your Personal Data will be collected and protected in accordance with the PDPA.5) Purpose of Collecting and Usage of Personal DataIn general, we will process your Personal Data for the following purposes:5.1) To enter into an agreement or establish a legal relationship between ARV and you or the legal entity of which you were authorized to represent5.1.1) Type of personal data
- Identification and contact information
- Finance information
- Sensitive Personal Data, i.e., religion and/or blood type data in the Thai identification card (if required)
- Remark: If you do not provide any Personal Data that is necessary for entering into an agreement with you or the legal entity you represented, we may not be able to proceed to enter into an agreement with you or such entity.
- Legitimate interest (for corporate Third Party, to prepare documents for entering into an agreement)
- Contractual Obligation (for individual Third Party, to proceed with your request to enter into a contract)
- Explicit consent (for the processing of Sensitive Personal Data before or when we enter into a contract with you)
- Identification and contact information
- Sensitive Personal Data, i.e., religion and/or blood type data in the Thai identification card (if required)
- Legitimate interest (for corporate Third Party)
- Contractual Obligation (for individual Third Party)
- Explicit consent (for the processing of Sensitive Personal Data)
- Identification and contact information
- Work information
- Sensitive Personal Data, i.e., religion and/or blood type data in the Thai identification card (if required)
- Explicit consent (for the processing of Sensitive Personal Data)
- Identification and contact information
- Finance information
- Sensitive Personal Data, i.e., religion and/or blood type data in the Thai identification card (if required)
- Legitimate interest (to create and record vendor code/account for the Third Party, to communicate with the Third Party, to record and adjust details of account payable, and to proceed with payment for corporate Third Party)
- Contractual Obligation (to proceed with payment for individual Third Party)
- Explicit consent (for the processing of Sensitive Personal Data)
- Identification and contact information
- Sensitive personal Data (i.e., COVID-19 vaccination status, COVID-19 test result)
- Legitimate interest (for processing of Personal Data)
- Explicit consent (for processing of Sensitive Personal Data)
- Authorize to proceed or coordinate, or to submit any required information and documents to the government agencies in order to comply with the applicable law
- Arrange to comply with our tax obligations and to submit the required documents to the Revenue Department
- To proceed with customs clearance processand import/export related matters
- Identification and contact information
- Finance information
- Sensitive Personal Data, i.e., religion and/or blood type data in the Thai identification card (if required)
- Legitimate interest (to arrange to comply with ARV’s tax obligations and to proceed with customs clearance process and import/export related matters for ARV)
- Legal obligation (Section 24 (6) of the PDPA for the processing of Personal Data, and Section 26 (5) of the PDPA for the processing of Sensitive Personal Data)
- Identification and contact information
- Finance information(if required)
- Sensitive Personal Data, i.e., religion and/or blood type data in the Thai identification card (if required)
- Legitimate interest
- Establishment of legal claims (for the processing of Sensitive Personal Data)
Company shall not disclose your Personal Data without your consent unless it is solely for the above mentioned purposes which rely on other lawful basis.In processing Personal Data for the above purposes, it may be necessary for us to disclose your Personal Data to third parties, as follows:
- (a)to any of ARV’ affiliates or group companies, domestically, for internal management and administration work, to perform our contractual obligations, and for other purposes as identified in this Policy;
- (b)to external legal counsels in the case of legal proceedings and legal execution;
- (c)to general counsels, advisors, auditors, and other experts;
- (d)to other third-party vendors, suppliers, or service provider, who provide services to us;
- (e)to local commercial banks;
- (f)to any competent regulatory, prosecuting, tax or governmental agencies, courts or other tribunals in any jurisdiction, including, without limitation, Customs Department, and Revenue Department;
- (g)to any other persons or entities to whom ARV is required to make disclosure by applicable law and regulations. Also, we may disclose it by virtue of laws, such as requests for the purposes of litigation or prosecution, or requests made by the private sector or other persons involved in the legal proceedings, or whom we are permitted by you to disclose your Personal Data; and/or
- (h)to prospect buyer in case of merger or acquisition of ARV.
ARV retains your Personal Data for as long as is required in order to fulfil our contractual obligations under the agreement with you. In general, ARV will retain your Personal Data for ten (10) years after the cessation of our contractual relationship or our last communication.For Finance Information, it will be trained only for five (10) years from the date that the accounts are closed.Notwithstanding the above, we may retain your Personal Data longer than the above period, only as otherwise permitted or specified by the applicable law.8) Direction of Personal Data
Protection Company shall establish measures including for the security of Personal Data in accordance with the laws, regulations, rules, and guidelines regarding the personal data protection for employees and other relevant persons. Company shall promote and encourage employees to learn and recognize the duties and accountabilities in the collection, storage, usage, and disclosure of personal data. All employees are required to follow this policy and all guidelines regarding personal data protection in order for the Company to remain in compliance with the PDPA accurately and effectively.9) Rights of Data Subject
You are entitled to request any actions regarding your Personal Data as per the following:9.1) Right to withdraw consent, or to request a change to the scope of your consent; however, any consent which was obtained earlier shall not be affected.9.2) Right to request that we confirm to you whether we have in possession any Personal Data that is related to you; and right to access; to request access to and obtain a copy of the Personal Data related, including to request the disclosure of the acquisition of the Personal Data obtained without your consent.9.3) Right to rectification or update any Personal Data that is related to you.9.4) Right to request that we erase or destroy, or de-identify your Personal Data;9.5) Right to restriction of processing of your Personal Data.9.6) Right to request that we transfer your Personal Data in a format which is generally readable or usable by automatic device or tool.9.7) Right to object the processing of your Personal Data.9.8) Right to file a complaint in relation to our processing of your Personal Data with the Personal Data Protection Commission, in accordance with the procedures set out in the PDPA.You may request these rights by sending a notice or submitting Company electronics form set by the Company to the channel following the Contact Information of this policy.Company shall consider the right request received and inform the Data Subject without undue delay, but not exceeding 30 days from the date of receiving the request to access, or to access and obtain a copy of the Personal Data related, or to request the disclosure of the acquisition of the Personal Data obtained without the Data Subject’s consent. However, the Company may deny such a right subject to exception by applicable laws.And as far as permitted by the applicable law and regulations, we may be entitled to charge reasonable expenses incurred in respect to handling any of the above requests.10) Review and Changes of Policy
Company may review this policy to ensure that it remains in adherence to laws, any significant business changes, and any suggestions and opinions from other organizations. Company shall review the amended policies thoroughly before implementing all the changes and announce on its website: https://cariva.co.th/.In the event that the amendment, change, or update will affect the purposes for which your Personal Data has originally been collected, ARV will notify you about such changes, and obtain your consent (if required by law), prior to such changes becoming effective.11) Contact Information
If you have any inquiries in relation to your Personal Data, or you would like to exercise any of your Data Subject Rights, you may contact us at:Cariva (Thailand) Company Limited
304 Vanit Place Aree (Building A), 25th Floor, Unit 2501, Phaholyothin Road, Samsen Nai, Phaya Thai, Bangkok 10400, Thailand
Email Address: contact@cariva.co.th
----------------------------------------------------------------------------
Personal Data Protection Policy
For Customers
Last updated: 13 Dec, 2024Personal Data Protection PolicyFor CustomersCARIVA (Thailand)Company Limited (hereinafter referred to as “we”, “us”, “our”, “ours”, “ARV”, or “Company”, ) recognize the importance of the protection of your personal data. Therefore, we have issued our Personal Data Protection Policy (“Policy”) in order to prescribe the process of data collection, storage, usage and disclosure, also including other rights of the Data Subjectunder Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). Companywould like to announce this Policy with the following:1) Definition“Personal Data” means any information relating to a person which enables the identification of such person, whether directly or indirectly, but not including the information of deceased persons in particular.“Sensitive Personal Data” means any information relating to a particular person which is sensitive and presents significant risks to the person’s fundamental rights and freedoms, which includes data regarding racial or ethnic origin, political opinions, cults, religious or philosophical beliefs, sexual behavior, criminal records, health data, disabilities, trade union information, genetic data, biometric data, or any data which may affect the Data Subject in the same manner, as prescribed by the Personal Data Protection Committee.“Personal Data Protection Committee” means the Committee appointed under the PDPA, in charge of the duties and authorities to govern, issue criteria or measures or provide any other guidance as prescribed by the PDPA.2) Application of this PolicyThis Policy applies to you if you are:2.1) Associated Person: Any persons, who are relevant to the Customers, such as family members, relatives, and friends.2.2) Customers: Existing Customer and Prospective Customer, collectively.2.3) Existing Customer: A customer (a natural person) who purchases our products and/or services or enjoys our products and/or services free of charge via all means, for personal use.A contact person or authorized representative of the entity who purchases our products and/or services via all means.2.4) Prospective Customer: A natural person who has subscribed to receive any news, updates, promotion, and other marketing materials from us, in spite of the fact that you have not purchased anything from us.3) Customers who are Minor
We may collect the Personal Data as described below from person(s) under 20 years old. If you are a minor, we recommend that your parents or guardians read this Policy together with you, and that the parents and/or guardians of minors give consent (if required) and guidance before a minor provides his/her Personal Data.4) Collection of Personal Data
Company shall collect your personal data within the purpose, scope, and lawful and fair methods as is necessary which is defined hereinbelow. In case the Company needs to collect sensitive data, the Company shall request explicit consent from you before such collecting, except for when this is allowed by the PDPA, or other laws.In general, Company will collect and process the following categories of your Personal Data:4.1) Device information and access data: Device identification, operating system and corresponding version, time of access, configuration settings, information on Internet connection (IP address)4.2) Identification and contact information: Full name, phone numbers, address, GPS location, e-mail address, date of birth, age, gender, identification card number, passport number, data contained in the identification card and passport, LINE ID, Facebook account, profile picture, selfie picture with identification card or passport, signature, organization or company’s name, position, current residence city and country, interests, etc.4.3) Payment information: For example, your bank account number, bank account information, and information of payment evidence, relationship with the Customer4.4) Personal Data of Associated Persons: For example, full name, address, contact number, e-mail address4.5) Sensitive Personal data: Your data related to the COVID-19 vaccination status and COVID-19 test result may also be collected by us.We may also collect your Sensitive Personal Data that appear on the copy of your identification card, i.e., your religious belief and/or blood type. However, we do not have an intention to process such Sensitive Personal Data; therefore, we will require you to omit, blind or cross out the information about religious belief and/or blood type before providing a copy of your identification card to ARV.In the case where such Sensitive Personal Data still appears on a copy of identification card, ARV may, at any time, blind or cross out such Sensitive Personal Data in order to comply with the PDPA (which requires ARV to collect personal data to the extent that is necessary and relevant for our business operations).In the case where we will collect the Personal Data other than those proscribed in this Policy, we will inform you about the collection or the processing of the Personal Data and may request for your consent (if required), in accordance with the conditions prescribed by the PDPA.5) Methods for the collection of your Personal Data
In general, ARV will collect the Personal Data directly from you; however, in the case where it is necessary for ARV to collect your Personal Data from other sources, ARV will ensure that your Personal Data will be collected and protected in accordance with the PDPA.In the case where you provide the Personal Data of a third party including the Associated Persons to ARV, you warrant that you have informed such person about the processing of his/her Personal Data by ARV as explained in this Privacy Policy. In addition, if the consent for the processing of the Personal Data is required, you agree to assist ARV in obtaining the valid and enforceable consent from such person in accordance with the requirements prescribed in the PDPA.6) Purpose of Collecting and Usage of Personal Data
In general, we will process your Personal Data for the following purposes:6.1) To enter into an agreement or establish a legal relationship with you or the legal entity of which you were authorized torepresent, and to execute and perform our obligations under such agreementYour Personal Data is necessary for the following purposes:
- To create and register customer account and enrollment;
- To proceed with purchase payment;
- To furnish you and the legal entity you are contact person or authorized representative with our services and/or products;
- To communicate with you or for the legal entity you represent (not for marketing purposes); and
- Identification and contact information
- Finance information
- Personal Data of Associated Persons
- Sensitive Personal Data (i.e., health-related data such as your medication records, visual sign, disorders, medical conditions (which are related to CVS, RS, KUB, GI/HPB, endocrine, muscle/bone, reproductive system etc.), pharmacy record, weight, height, BMI, heart rate, calories intake and burned, body movement)
- Sensitive Personal Data, i.e., religion and/or blood type data in the Thai identification card (if required)
- Contractual Obligation (for individual Customers – to proceed with the purchase payment, to furnish you with our products and services, and to comply with our obligations under the agreement we have with you)
- Legitimate interest (for Customer – to create and register of customer account and communication)
- Identification and contact information
- Finance information
- Sensitive Personal Data, i.e., religion and/or blood type data in the Thai identification card (if required)
- Legitimate interest (for corporate Customer)
- Contractual Obligation (for individual Customers)
- Explicit consent (for the processing Sensitive Personal Data)
- Identification and contact information
- Legitimate interest (For corporate Customer)
- Contractual Obligation (if the provision of rewards/gift is stated in the agreement between you and ARV)
- Consent (if the provision of rewards/gift is not stated in the agreement between you and ARV)
- Identification and contact information
- Sensitive personal Data (i.e., COVID-19 vaccination status, COVID-19 test result)
- Legitimate interest (for processing of Personal Data)
- Explicit consent (for processing of Sensitive Personal Data)
- Identification and contact information
- Finance information
- Sensitive Personal Data, i.e., religion and/or blood type data in the Thai identification card (if required) )
- Legitimate interest (for processing of Personal Data)
- Explicit consent (for processing of Sensitive Personal Data)
- Identification and contact information
- Legitimate interest (For Existing Customer)
- Consent (For Prospective Customer)
- Proceed or submit any required information and documents, or arrange to comply with our tax obligations and to submit the required documents to the Revenue Department including but not limited to processing with VAT refund and issuing of invoice; and
- Comply with other laws, such as the PDPA, and laws related and applicable to ARV’s business
- Identification and contact information
- Payment information
- Sensitive Personal Data, i.e., religion and/or blood type data in the Thai identification card (if required)
- Legitimate interest (to arrange to comply with ARV’s tax obligations)
- Legal obligation (Section 24 (6) of the PDPA for the processing of Personal Data, and Section 26 (5) of the PDPA for the processing of Sensitive Personal Data)
- Identification and contact information
- Sensitive Personal Data (i.e., religion and/or blood type data in the Thai identification card (if required))
- Legitimate interest (for processing of Personal Data)
- Establishment of legal claims (for processing of Sensitive Personal Data)
- Device information and access data
- Legitimate interest
- Consent for personalization and advertising cookies
Cookies Please note that Cookies are small text files that are stored on your device. Some of the Cookies we use are deleted after the end of the browser session, i.e., after closing your browser (so-called, session Cookies). Other Cookies may remain on your device and allow us or our affiliate to recognize your browser on your next visit (so called, persistent Cookies).Below is the information about your choices as well as a detailed list of Cookies we use:(1)Required CookiesThese Cookies are required to navigate our site, and in order to use the features provided. Without the use of such Cookies, proper functioning of our site is not guaranteed (e.g., entering text), while browsing through pages on the website. In addition, they are Cookies that collect information about how visitors use our website, for example, which pages they visit most often, and if they receive error messages from websites. They also allow our site to remember your choices such as language, or region to provide improved features. We also use these Cookies to store whether you have given us your consent to use Cookies or to temporarily store the information you have entered, as necessary.(2)Functional CookiesThese Cookies collect pseudonymous information and cannot track your movements on other websites. We use these Cookies for pseudonymized usage analysis.(3)Personalization and Advertising CookiesThese Cookies are used to play more targeted advertising relevant to the user and adapted to their interests.You can set your browser so that you are informed about the setting of Cookies and individually decide on their acceptance or exclude the acceptance of cookies for specific cases or in general. Failure to accept Cookies may limit the functionality of our website.You can install additional add-ons in your browser that block unnecessary cookies. By doing so, you will not see any interest-based advertisements. This Privacy Policy covers the use of Cookies by us and does not cover the use of cookies by any advertisers, or other third-party websites, which may link to our website. If you link to or is directed to a third-party website, you are encouraged to read the privacy policy, as well as cookies policy, of such third-party website.8) Personal data disclosure
Company shall not disclose your Personal Data without your consent unless it is solely for the above mentioned purposes which rely on other lawful basis.In processing Personal Data for the above purposes, it may be necessary for us to disclose your Personal Data to third parties, as follows:
- (a)to any of ARV’ affiliates or group companies, domestically, for internal management and administration work, to perform our contractual obligations, and for other purposes as identified in this Policy;
- (b)to external legal counsels in the case of legal proceedings and legal execution;
- (c)to general counsels, advisors, auditors, and other experts;
- (d)to third-party, and/or to vendors, suppliers or service provider (domestically and internationally), such as solutions and system development company, insurance company, mobile network operators, etc.;
- (e)to any competent regulatory, prosecuting, tax or governmental agencies, courts or other tribunals in any jurisdiction;
- (f)to any other persons or entities to whom ARV is required to make disclosure by applicable law and regulations, such as disclosing it to a government agency, state enterprise, regulator. Also, we may disclose it by virtue of laws, such as requests for the purposes of litigation or prosecution, or requests made by the private sector or other persons involved in the legal proceedings, or whom we are permitted by you to disclose your Personal Data; and/or
- (g)to prospect buyer in case of merger or acquisition of ARV.
The Cross-Border Transfer of the Personal Data In certain circumstances, ARV transfers, discloses, and give access of your Personal Data to third parties located outside of Thailand, for processing of Personal Data for the purposes mentioned in this Policy. The destination countries may have different data protection standards to those prescribed by the data protection authority in Thailand.Notwithstanding that, ARV will ensure that it will protect your Personal Data by implementing adequate personal data protection standards for the transfer of your Personal Data outside Thailand, as prescribed under the PDPA.In any event, ARV shall govern the above-mentioned persons to treat the personal data as confidential and not to use the data for purposes which are not covered in prior notifications.10) Retention of the Personal Data
ARV retains your Personal Data and the Associated Person’s Personal Data for as long as is required in order to fulfil our contractual obligations under the agreement with you. In general, ARV will retain your Personal Data for ten (10) years after the cessation of our contractual relationship, or our last contact/communication. Notwithstanding, we may retain your Personal Data longer than the aforementioned period, only as otherwise permitted or specified by the applicable law.aforementioned period, only as otherwise permitted or specified by the applicable law.We will retain Personal Data of the Associated Person for the period not exceeding the period of which we will retain the Personal Data of the Customer whom the Associated Person is related with.11) Direction of Personal Data Protection
Company shall establish measures including for the security of Personal Data in accordance with the laws, regulations, rules, and guidelines regarding the personal data protection for employees and other relevant persons. Company shall promote and encourage employees to learn and recognize the duties and accountabilities in the collection, storage, usage, and disclosure of personal data. All employees are required to follow this policy and all guidelines regarding personal data protection in order for the Company to remain in compliance with the PDPA accurately and effectively.12) Rights of Data Subject
You are entitled to request any actions regarding your Personal Data as per the following:12.1) Right to withdraw consent, or to request a change to the scope of your consent; however, any consent which was obtained earlier shall not be affected.12.2) Right to request that we confirm to you whether we have in possession any Personal Data that is related to you; and right to access; to request access to and obtain a copy of the Personal Data related, including to request the disclosure of the acquisition of the Personal Data obtained without your consent.12.3) Right to rectification or update any Personal Data that is related to you.12.4) Right to request that we erase or destroy, or de-identify your Personal Data;12.5) Right to restriction of processing of your Personal Data.12.6) Right to request that we transfer your Personal Data in a format which is generally readable or usable by automatic device or tool.12.7) Right to object the processing of your Personal Data.12.8) Right to file a complaint in relation to our processing of your Personal Data with the Personal Data Protection Commission, in accordance with the procedures set out in the PDPA.You may request these rights by sending a notice or submitting Company electronics form set by the Company to the channel following the Contact Information of this policy.Company shall consider the right request received and inform the Data Subject without undue delay, but not exceeding 30 days from the date of receiving the request to access, or to access and obtain a copy of the Personal Data related, or to request the disclosure of the acquisition of the Personal Data obtained without the Data Subject’s consent. However, the Company may deny such a right subject to exception by applicable laws.And as far as permitted by the applicable law and regulations, we may be entitled to charge reasonable expenses incurred in respect to handling any of the above requests.13) Review and Changes of Policy
Company may review this policy to ensure that it remains in adherence to laws, any significant business changes, and any suggestions and opinions from other organizations. Company shall review the amended policies thoroughly before implementing all the changes and announce on its website: https://cariva.co.th/.In the event that the amendment, change, or update will affect the purposes for which your Personal Data has originally been collected, ARV will notify you about such changes, and obtain your consent (if required by law), prior to such changes becoming effective.14) Contact Information
If you have any inquiries in relation to your Personal Data, or you would like to exercise any of your Data Subject Rights, you may contact us at:Cariva (Thailand) Company Limited
304 Vanit Place Aree (Building A), 25th Floor, Unit 2501, Phaholyothin Road, Samsen Nai, Phaya Thai, Bangkok 10400, Thailand
Email Address: contact@cariva.co.th