Narai Hotel Co., Ltd.
2. Scope of Policy
This policy applies to current and future personal information of individuals associated with the Company which is processed personal data by staff, contractual employees Business units or other forms of entities operated by the Company as well as parties or third parties who process personal data on behalf of or on behalf of the Company (hereinafter referred to as “Data processor”) under products and services such as websites, systems, applications, documents or other forms of services controlled by the Company. (hereinafter referred to as “Services”)
Individuals in relation to the Company under the provisions of the first paragraph include:
2.1 Individual customers
2.2 Employees, workers or employees
2.3 Partners and service providers who are natural persons
2.4 Executive directors, attorneys, representatives, shareholders, employees or other persons having a relationship similar to a juristic person with the company.
2.5 Users of the Company’s products or services.
2.7 Other persons with whom the Company collects personal data such as job applicants, family of officers, guarantors, insurance policy beneficiaries, etc.
Articles 2.1 to 2.7 are hereinafter collectively referred to as “you”.
In addition to this Policy, the Company may require a privacy notice (“Notice”) for its products or services to inform the personal data subject who is the user of the personal data being processed, the purposes and lawful grounds for the processing, the retention period of personal data as well as the rights to personal data that the personal data subject may have in a particular product or service.
In the event of a material conflict between the Privacy Notice and this Policy, the Service’s Privacy Notice shall be final.
- Personal data means information about an individual from which an individual can be identified, directly or indirectly, but does not include information of a particular deceased person.
- Sensitive data means personal data as provided for in Section 26 of the Personal Data Protection Act B.E. 2562, including race, ethnicity, political opinion, ideology, religion or philosophy, sexual behavior, criminal history, health information, disability, trade union information, genetic information, biological information or any other information that affects the subject of personal data in a similar manner as determined by the Personal Data Protection Commission.
- Processing of personal data means any action on personal data such as collect, save, copy, organize, store, update, change, use, restore, disclose, forward, publish, transfer, merge, delete, destroy, etc.
- Data subject means a natural person who is a data subject that is collected, used, or disclosed by the Company.
- Data controller means a person or entity has the authority to make decisions about the collection, use or disclosure of personal data.
- Data processor means an individual or a legal entity who is involved in the collection, use or disclosure of personal data on the order or on behalf of the data controller. However, such person or entity is not a controller of personal data.
4. Data source
The Company collects or obtains various types of personal information from the following sources:
4.1 Personal information that the company collects directly from the data subject in various service channels. For example, the process of applying, registering, applying for a job, signing contracts, documents, surveys or using products, services, or other service channels supervised by the Company or when the subject of personal data communicates with the Company at the office or through other communication channels supervised by the Company, etc.
4.3 Personal information that the Company collects from sources other than the data subject. Such sources have the authority, have legitimate grounds or have already obtained the consent of the personal data subject to disclose the information to the Company. For example, linking the digital services of government agencies to provide comprehensive public benefit services to the personal data subject itself, receiving personal data from other government agencies in accordance with the mission of providing Central Information Exchange Center. The purpose is to support the actions of government agencies in providing services to people through digital systems. Moreover, it also includes more precisely providing contractual services where personal data may be exchanged with contractual entities.
In addition, this also includes cases where you provide personal information from third parties to the Company. Therefore, it is your responsibility to provide details under this policy or announcements of products or services, as the case may be, to such parties as well as obtaining consent from that person if it is a case where consent is required to disclose information to the Company.
In the event the data subject refuses to provide the information necessary to provide the Company’s services, the Company may not be able to provide that service to the data subject in whole or in part.
5. Collection of personal information
The Company will collect personal data with the prior consent of the personal data subject except in the following cases:
5.1. To perform the contract in the case of collecting, using or disclosing personal data for the necessity of providing services or contracts between the data subject and the Company.
5.2. To prevent or suppress harm to life, body or health.
5.3. To obey the law.
5.4. To the legitimate interests of the Company if necessary, for the legitimate interests of the Company’s operations. The Company will consider the rights of the data subject as important. For example, fraud prevention, network security, protection of the rights, freedoms and interests of all data subjects, etc.
5.5. To conduct research or statistics in the case of historical documents or archives for the public benefit or related to research studies or statistics in order to provide appropriate safeguards to protect the rights and freedoms of data subjects.
5.6. To perform state missions if necessary, for the performance of duties for the public interest or the performance of duties under the state powers assigned by the Company.
Where it is necessary for the Company to collect your personal data for the performance of a contract, the performance of legal duties or for the necessity of entering into a contract. If you refuse to provide personal data or object to processing for the purposes of the activity, it may result in the company being unable to perform or provide the services you have requested in whole or in part.
6. Types of personal data
The Company will use lawful means and limited to the extent necessary for the Company’s operational purposes, including without limitation the following information:
|Type||Description and example|
|Personal data||Title, name – surname, date of birth, gender, age, marital status, nationality, ID number, passport number, job position, affiliation, signature, photograph, Media, driver’s license number, insurance number or insurance card, taxpayer identification number or other identifiable official documents, etc.|
|Contact data||Address, phone number, email, and social media.|
|Figurative data||Figurative data such as still images, movies of you or your assets, which are collected from CCTV, cameras when you enter the Company’s area, etc.|
|Platform account data||Account, password, etc.|
|Official document data||A copy of your ID card, a copy of your house registration, a copy of your passport, a copy of your work permit, a copy of your birth certificate, a copy of your driving license, a copy of your professional license, etc.|
|financial data||Bank account number, copy of bank passbook, credit card information, income, taxes, provident fund, employee benefits (such as pension or entitlement under an insurance policy) and related information. (Reimbursement or allowance)|
|educational data||Qualifications, educational background, transcript, educational evidence.|
|Related third party data||Spouse, child, father/mother, emergency contact person, reference and beneficiary.|
|Data for purchasing products and services||Order history, service & product interests, order number, request number, etc.|
|Data obtained from the company’s collection or automation from the company’s devices||IP Address, Cookie, Service Behavior, Service History, Voice, Photo, Motion, social media, Chat, Geolocation, etc.|
|Data from the Company’s system or from being an employee||Employee ID, work permit number, records of working hours and duration of work, overtime, absences and leave, Username, Password, history and usage behavior, camera images and/or video.|
|Work-related data||Job description, qualifications, skills, professional organization membership, experience, employer opinion, assessment results, training, certification history, CV or resume, certificate number.|
|Data usage and access to information systems||Usage and access data of information systems, computers, systems, websites, applications, network systems, electronic devices, e-mail systems to comply with the Company’s information technology policy and related laws.|
|Travel data||Flight information, hotel information, vehicle information, tour information that you use, information for specific services for special meals, in-flight seat numbers, passenger records, ticket numbers, invoice numbers, etc.|
|Sensitive data||race, medical information, disability information, religion, biometric information (Finger and face scan).|
8. Purpose of collecting personal data
The Company collects your personal information for several purposes. It depends on the type of product or service or activity you use. as well as the nature of your relationship with the Company or considerations in each context is important. The purposes stated below are just a general framework for the Company’s use of personal data. However, only the purposes related to the products or services you use or are associated with will apply to your information.
8.1 To create and store your service history.
8.2 To carry out accounting and financial activities such as auditing, debt notification and collection, exercise of benefits, taxes, and proof of transactions required by law.
8.3 To evaluate and improve the business to improve the quality of goods and services.
8.4 To respond to your requests such as complaints.
8.5 To enter into a contract or perform duties under a contract between the Company and the data subject or a contract between the Company and a third party for the benefit of the data subject.
8.6 To answer questions and provide assistance to the data subject.
8.7 To provide information and recommend products, services or public relations in the marketing program
8.8 To promote sales or benefits through contacts received from the data subjects as the data subjects have given the consents that they have consented to the Company
8.9 To survey opinions, analyze research and produce statistical information for marketing purposes or to develop and improve the Company’s operations with your consent.
8.10 To be useful in the management of the Company’s internal affairs or operations that are necessary under the legitimate interests.
- To inspect, supervise, and secure the building or premises of the Company.
- To comply with the laws related to the operations of the company such as withholding tax.
- To provide information to government agencies with legal authority as requested by government agencies such as the Royal Thai Police, Anti-Money Laundering Office, Revenue Department, courts.
- To carry out accounting and financial activities such as auditing, debt notification and collection, exercise of benefits, taxes, and proof of transactions required by law.
- To the legitimate interests of the Company such as recording complaints through the Call Center system, recording images through CCTV cameras.
- To investigate and comply with laws, regulations, regulations or legal duties of the Company.
- To verify, authenticate and verify customer information.
- Other purposes with your express consent.
9. Personal data transfer and disclosure
The Company will not disclose and transmit your personal information to external parties unless with your explicit consent or in the following cases:
9.3 The law or legal process requires disclosure or disclosure to an official, government official or competent authority in order to comply with a legal order or request.
10. Transferring or sending data to foreign countries
The Company may transmit or transfer personal information to foreign countries. This will ensure that the destination country or the destination authority has adequate privacy protection standards and policies.
11. Collection period
The Company will keep your personal data only for as long as is necessary for the purpose for which the data was collected. It will be in accordance with the details set forth in the relevant policies, notices or laws. However, after the expiration of the period and your personal data is no longer necessary for the aforementioned purposes, the company will delete and destroy your personal data or your personal data is not identifiable. In the event of a dispute, any exercise of rights or lawsuits in connection with your personal data will be reserved for the continued retention of that data until the dispute has been finalized by order or judgment.
12. Protection of personal data
The Company will take appropriate technical and administrative measures to protect and secure the personal information of employees by encrypting information and controlling access to personal information of specific employees electronically and manually.
13. External websites or services
14. Personal Data Protection Officer
The Company has appointed a Personal Data Protection Officer to examine, supervise and advise on the collection, use, or disclosure of personal information. It also includes coordinating and cooperating with the Personal Data Protection Commission to comply with the Personal Data Protection Act B.E. 2562.
15. Your rights under the Personal Data Protection Act B.E. 2562
You can exercise the rights as required by law and as set forth in this notice as follows:
15.1 Right to withdraw consent, you have the right to withdraw your consent at any time unless restricted by law or contractually beneficial to you. However, the withdrawal of consent will not affect the processing of personal data that you have previously given consent to the Company.
15.2 The right to request access and obtain a copy of personal data, unless the company has the right to refuse your request by law or court order or your request will have consequences that may harm the rights and freedoms of others.
15.3 The right to request that personal information be updated, correct, complete and not cause misunderstanding. However, the Company can amend the above even if you do not request it.
15.4 The right to request removal or removal or non-identification of an individual in the following cases:
15.4.1 When personal data is no longer necessary keep it for the purposes of collecting, using or disclosing personal data.
15.4.2 When you withdraw your consent to the collection, use or disclosure of personal information and the Company has no legal authority to collect, use or disclose personal information further.
15.4.3 When you object to the collection, use or disclosure of personal data and the Company has no legal authority to refuse it, unless the Company has legitimate grounds to decline your request unless the Company has legitimate grounds to decline your request.
15.5 The right to obtain or request the transmission or transfer of your personal data in the event that the Company has made the personal data in a readable or generally usable format by means of automated tools or equipment to use or disclose personal information by automatic means unless the technical condition is impracticable or for the benefit of the public or statutory duty or the exercise of infringement against the rights or freedoms of others.
15.6 Right to objection, you have the right to object to the collection, use or disclosure of personal data at any time in the following cases:
15.6.1 In the case of personal data which the Company operates under the lawful interest unless the Company demonstrates a more important legitimate cause or to establish a statutory claim, the performance or exercise of a statutory claim or to raise a statutory claim.
15.6.2 Direct marketing objectives
15.6.3 To study scientific, historical or statistical research unless the it is necessary for its mission in the public interest of the Company.
15.7 The right to request that the use of personal data be restricted in the following circumstances:
15.7.1 When the Company is in the process of reviewing your request to amend your personal data to be accurate, current, complete and not cause misunderstandings.
15.7.2 Personal data that must be deleted or destroyed.
15.7.3 hen such personal data is no longer necessary because you are obliged to request the retention of your personal data in order to establish a legal claim, compliance or exercising legal claims or countering legal claims.
15.7.4 When the Company is in the process of proving its right to refuse a request to object to the collection, use or disclosure of personal data.
Failure to comply with the policy may result in an offense and be subject to disciplinary action in accordance with the Company’s rules (for officers or operators). or in accordance with the personal data processing agreement (for personal data processors). However, it is subject to the case and your relationship with the Company and may be subject to penalties as determined by the Personal Data Protection Act B.E. 2562 along with all secondary laws, rules, regulations, and relevant orders.
17. Complaints to supervisory authorities
In the event that you become aware that the Company has not complied with the Personal Data Protection Law, you have the right to submit a complaint to the Personal Data Protection Committee or a supervisory authority appointed by the Personal Data Protection Committee or by law. Before making such a complaint, please contact the Company to give us an opportunity to know the facts and clarify the issues and resolve your concerns in the first place.
The Company may update, amend or change this Policy at its discretion by notifying you through https://www.lubd.com with the effective date of each revised version. However, the Company would like to advise you to regularly check for the latest version of the Policy through specific channels for activities at the Company before you disclose your personal information to the Company.
Access to the Company’s products or services after the enforcement of the new policy constitutes acceptance of the terms of the new policy. Please stop using it if you do not agree with the details in this policy and please contact us for further clarification.
19. Inquiries or exercise of rights
If you have any questions, suggestions or concerns about the collection, use and disclosure of personal information by the Company or in relation to this policy or to exercise your rights under the Personal Data Protection Law, you can contact us at
Narai Hotel Co., Ltd.
Personal Data Protection Officer
No. 2242 Silom Road Suriyawong Subdistrict,
Bang Rak District, Bangkok 10500
Please provide the following information in addition to the exercise of the rights of the personal data subject.
- Name-surname, ID card number/passport number.
- Inquiries about personal data or legal rights.
- Phone number, address and e-mail address.
Announced on 30th of May 2022
( Nathee Nithivasin )
Narai Hotel Co., Ltd.