Trunk Travel Company Limited (“the Company”) conducts its business operations in compliance with the provisions of relevant laws and, in particular, attaches importance to protecting the personal data of stakeholders in its business operations. The Company has therefore developed a personal data management system, supported by operational and modern IT systems, with security that protects personal data effectively by allowing only the Company’s employees or stakeholders to have the right to access personal data. In addition, the Company provides a system to strictly check access to and use of personal data, and regularly improves and develops the systems that collect and maintain personal data, so that personal data is stored accurately and reliably and is protected against leakage, correction by unauthorized persons, or use for purposes other than those of which the Company informed stakeholders in the first place.
This document describes the types of personal data, the purposes of collection, use or disclosure of personal data, the collection period, the types of persons or entities to which the Company may disclose personal data collected by the Company, the rights of the data subject, and the measures to maintain personal data security according to the provisions of law, as well as other information related to the Company’s personal data management.
Moreover, this document is an integral part of the Company’s service terms and conditions, which may be edited, updated, amended, or altered by this Policy; we will inform you of such changes and obtain consent as prescribed by the laws related to personal data protection.
To ensure clarity in communication with stakeholders about business operations, and to avoid concerns about the interpretation of some of the terms in this document, the Company has prepared the following definitions:
“Company” means Trunk Travel Company Limited.
“Personal Data” means information relating to a natural person, directly or indirectly.
“Sensitive Personal Data” means personal data identified in accordance with Section 26 of the Personal Data Protection Act B.E. 2565 (2019).
“Data Processor” means a person or entity with authority to make decisions about the collection, use or dissemination of personal data.
“Personal Data Controller” means a person or entity with authority to make decisions about the collection, use or dissemination of personal data.
“Customers/Users/Visitors/Business Partners” includes one or more persons who are authorized, or have been assigned, to act on behalf of a juristic person that enters into a business partnership with the Company as customers/users/visitors/business partners, whether as a buyer or seller, service provider or service recipient, consignor or consignee, visitor, or user.
“Job Applicant” means a person who expresses his/her intent by submitting documents containing personal data to request that the Company consider accepting him/her into work as requested, whether in a simple document or an electronic document.
“Employee” means a person who enters into an employment contract directly with the Company, no matter what it is called.
“Employee to the contract” means a person who enters into an employment contract by the Company under a Service Contractor Contract or Labor Contractor Contract and is sent to work in the Company.
“Family Member” means a person whom an employee has named as a family member or reference so that the Company may collect, use, or disclose that person’s personal data, and who, as the data subject, has given consent in writing; those documents are sent to the Company by the employee.
The Company will carefully consider the collection, use, and disclosure of the personal data of stakeholders for the purposes of lawful business operations, for the following reasons:
This policy applies to personal data that the Company may collect, including in the event that the data subject has given consent to the Company, as follows:
(a) General personal data such as name, surname, signature, date of birth, ID number or passport number or identification card issued by the government, address on the national ID, domicile address, current address, phone number, mobile number, online platform account and e-mail, bank account number, account or transaction or history of holding shares or securities, photographs on ID cards, photos of participation in activities, employee IDs, recordings of conversations of both employees and customers, etc.;
(b) Sensitive personal data such as race, nationality, religion, blood group, family status, medical examination results, medical history, history of injuries that are work-related or unrelated to work but presented to the Company, diagnostic results, health information, labor union, sexual behavior, physical disability information, criminal record, work assessment results, opinions on social media, scans of faces, eyes or fingerprints, genetic information, and biological information that may affect the data subject as prescribed by law;
(c) Other personal data such as educational background, work history, vehicle registration, motorcycle registered with government agencies, professional number or code as required by law, product reference number registered by the user to guarantee that product or service, financial status, income, obligations, consumption behavior, reviews, opinions, satisfaction or experience in using the goods or products, opinions on participating in activities, visits both online and offline, records from static images, interviews, registration forms, and coupons, including any other information that is not directly personal data but that, when put together, makes it possible to identify the data subject.
Although the law on personal data protection allows the Company to collect the personal data of stakeholders directly as a party, or as a person who has to act on behalf of a juristic person or as an attorney of an authorized person entering into a juristic act as a party, without requesting consent in accordance with the legal informed consent, the Company still maintains participation and will clearly inform stakeholders that the party must provide only the personal data necessary to enter into a contract as a party, which the Company and stakeholders are required to provide to comply with the law on the juristic act or such contract, besides those that have already been specified. The Company may collect data without needing to request consent from the data subject in the following cases:
(a) It is collected for purposes relating to research or statistics, for which suitable measures to safeguard the data subject are provided by following the rules prescribed by law;
(b) It is to prevent or suppress a danger to the life, body or health of a person, where the data subject is incapable of giving consent for whatever reason;
(c) It is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into any contract with the Company;
(d) It is necessary for the performance of a task carried out in the public interest by the Data Controller, or for performing duties in exercising state powers given to the Company;
(e) It is necessary for the legitimate interests of the Company or of persons or juristic persons other than the Company, except where such interests are overridden by the fundamental rights of the data subject in his/her personal data;
(f) It is necessary for compliance with a law that the Company has a duty to comply with.
The Company may collect sensitive personal data without obtaining the consent of the data subject as follows:
(a) Where it is necessary for the Company to prevent or suppress a danger to the life, body or health of a person, where the data subject is incapable of giving consent for whatever reason;
(b) It is information that is disclosed to the public with the explicit consent of the data subject;
(c) Where it is necessary for the Company for the establishment of legal claims, compliance with or exercise of legal claims, or defense of legal claims, including the execution of a lawsuit under a warrant of execution;
(d) Where it is necessary for the Company for compliance with a legal obligation to achieve purposes with respect to preventive medicine or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis or the public interest in public health, including compliance with laws on employment protection, social security, national health security, social health welfare of persons entitled by law, road accident victims’ protection, or social protection, statistical research or other public interest, including performing for the substantial public interest, and suitable measures have been provided to protect the fundamental rights and interests of the data subject.
The Company adheres to the provisions of law by collecting personal data from the data subject only, unless, where necessary, the data subject cannot be or is not the person from whom such personal data is collected. The Company may collect personal data from other sources, but only in a case where the Company obtains the written consent of the data subject. In general, the Company may collect personal data directly from the data subject and from other sources, including:
(a) Personal data about the health or congenital diseases of a job applicant whom the Company has accepted to work with the Company as an employee, who must have a health check before entering work, where the hospital that performs the health check must send the results back to the Company;
(b) Personal data about legal action or criminal records, where the Company may require any one person or any one position who will work with the Company to do a criminal record check, or to consent to the Company doing a criminal record check on behalf of employees, and to consent to the Company collecting the data for the period specified by the Company;
(c) Personal data about work history before working with the Company, for which the data subject is required to give explicit consent every time, and the Company will notify such third parties of the consent in advance before such data is sent back to the Company.
In the case that the data subject is interested in products or orders products from the Company, or is a visitor or user, including contacting the Company for after-sales service, comments, reviews, or satisfaction in using the goods, services or products, the data subject may contact the Company by phone, e-mail, company applications, applications used for communication, the customer service center or any other means. The Company may process such communication records for purposes such as use as evidence, developing and improving services, following up on the satisfaction of the data subject, training personnel, testing, analyzing data, and developing the Company’s system.
In the event that business partners have assigned one or more persons who must contact the Company to comply with the terms and conditions of being a party, whether as a seller, consignor, service provider, agent, or distributor of both products and service centers on behalf of the Company, which sets the standard of relevant personnel capacity to be able to provide services or respond to the use of goods or services, the Company will collect, use or disclose the personal data of stakeholders to carry out the purposes stated in this document or according to the agreement terms.
Before or while collecting, using or disclosing the personal data of stakeholders, the Company will have a process for managing and analyzing the various personal data under the principles of accuracy, completeness, readiness, validity, modernity, uniqueness and precision.
The Company has arranged for stakeholders to analyze and plan the process mentioned above in order to collect unique, accurate data that is appropriate for the various processes of using or disclosing the personal data of stakeholders for maximum benefit; to verify the validity and accuracy of the data obtained prior to its collection, whether the data is recorded in a book or in an electronic system, to ensure completeness and accuracy; and to provide for verification of the accuracy of information from reliable sources or, as required by law, from an agency having the authority to deal with such personal data, including management for personal data protection and data security to prevent legal or commercial claims in the future.
The Company will define the purposes necessary to collect, use or disclose the personal data of stakeholders in its business operations under lawful purposes, to achieve services and benefits for the data subject, classified by type of stakeholder in the Company’s business operations as follows:
Shareholder, Executive Director, Director authorized to act on behalf of the Company
The Company will collect, use or disclose the personal data of shareholders, executive directors, and directors authorized to act on behalf of the Company for the signing of business agreements, general agreements, approval of various operations, authorization in business operations, laws, banking transactions, contacting government agencies, general operations, meeting invitations, notifying meeting results, dividend management, and performance reports of the Company according to regulations or as prescribed by law, including for donations or charitable activities.
The Company will collect, use or disclose the personal data of employees and employees to the contract in the scope of recruitment, selection for employment, employment contracts, identity verification for employment or access to internal information systems, calculation and payment of wages, compensation, performance evaluation, wage increases, collection of disciplinary behavior history including penalties, training and personnel management as employees in the contract, criminal record checks, job promotion, job relocation, reimbursement under work regulations, coordinating on behalf of management to make medical appointments, ticket reservations, visa applications, room reservations, service places, medical examinations both required by law and provided by the Company, and providing welfare and benefits for employees and their families, sending data to external agencies in compliance with the laws related to the Revenue Department, Social Security Office, Department of Skill Development, and Legal Execution Department, and office administration, internal coordination, expense reimbursement, property holding, facility administration, mail and postal management, entry and exit records, and audits both internal and external, including sending, transferring or disclosing personal data to delivery service providers to coordinate with customers.
For family members of employees, the Company will consider collecting, using or disclosing personal data as necessary for the benefit of legal compliance or for any other operations that are primarily beneficial to employees or family members. The Company will request family members to give consent to the collection, use or disclosure of personal data through the actions of the employees. However, if an employee fails to take appropriate action for the Company to comply with the law, the employee may be affected in that he/she is unable to use benefits that can be received from services provided by the Company. The Company reserves the right not to provide or pay benefits or welfare if employees or family members of employees have not acted in accordance with the provisions of law.
The Company will collect, use or disclose the personal data of business partners, which covers suppliers, consignees, dealers, employers, manufacturers, and exhibitors, including those who have to carry out orders and assessments of business partners, in the scope of new trade receivable and trade payable accounts, bidding, negotiation, contracting, organizing promotional activities, meetings, training, and seminars both domestically and internationally, business certification, exhibitions or product launches or demonstrations held both domestically and internationally, sales management, training, technical proficiency testing, advertising, print production, commissions and vendor registration, procurement, vendor evaluation, contracting of various services, and delivery of documents and products; and, in the case of a lecturer or host giving advice in training, seminars or meetings, personal history including education, work experience, special abilities, and photos while performing activities. In the case of an auditor assessing from external agencies, the Company will collect the personal data of auditors only to the extent used to verify their identity and registration as a Certified Public Accountant.
The Company will collect, use or disclose the personal data of customers, product users, and participants in events organized by the Company for the customer’s benefit from product offerings, sales coordination, new customer registration, customer credit limit setting, pre-sales service, service while trading, and after-sales service, verification of first name, surname, telephone number, shipping address and proof of payment, reviews (commenting, opinions, public relations, expressing feelings, reporting on the results of the use of goods and/or products), satisfaction surveys, confirmation or identification for visiting trade fairs held locally and abroad, attending events, receiving prizes, gifts, or souvenirs, and business certification, which will collect, use and disclose the data of people who participate in the activities according to the conditions set by the Company or the brand owner, including transferring, forwarding or disclosing data to couriers to process deliveries, contacting customers for returns, or to a financial institution to refund the cost of goods to customers, and including analyzing cookies for the effectiveness of marketing through various online media.
The Company will carefully consider limiting the use of the personal data of stakeholders to the scope of the purposes stated to the stakeholders before or while collecting such personal data.
Besides taking into account the privacy and fundamental rights of stakeholders as data subjects, together with the relevant provisions, rules, regulations, and government requirements, the Company will consider using personal data for the benefit of or in response to stakeholders as customers or service providers, within the limited scope of the following purposes:
(1) Contact to answer questions from customers and partners;
(2) Delivery of ordered goods, services or products;
(3) Management of and compliance with contracts in which the data subject is a party to the Company;
(4) Market research and development of new products and services;
(5) Introduction of marketing proposals and marketing communications;
(6) Other purposes related to the above; if the Company must obtain or use personal data for purposes other than those stated above, it will request consent before collecting or using such personal data, strictly in accordance with the law.
However, for the personal data of stakeholders that the Company collected, used, or disclosed before the personal data protection law came into force, the Company will continue to collect and use it, for the period specified in this document, for the same purpose that the Company had previously informed and requested consent for, in accordance with the way the Company treated its stakeholders in its business operations before the personal data protection law came into force, unless it is a specific case of a period of time. But if the Company will disclose or use personal data other than as previously stated, the Company will strictly adhere to the law, considering the privacy of the data subject as important.
The Company has established security measures specifically for personal data that is stored as hard copy, by collecting data in accordance with the information security policy, for which the Company has defined a clear procedure in Company-ITP-DN-01-220464.
The Company has established personal data security measures that take into account the fundamental rights of stakeholders in their personal data, by designing the information systems, network systems and computers to be as secure as possible in order to support the Company’s operations in continuously complying with the provisions of relevant laws, and also to prevent threats that may cause damage to the Company.
policy to ensure correct understanding and compliance. Communications between IT department and other departments across the enterprise is particularly important, for coordination and achievements as outlined in business objectives.
network and internet systems, hardware, computer equipment, finances, floods, storms, fires, earthquakes, building collapses, theft, and power outages.
responsible persons, so that risks can be tackled in an appropriate and timely manner.
8. Do not use the computer network or a computer with another person’s user account, whether with or without the permission of the account owner.
9. Do not access the computer system or encrypted data of other person to edit, delete, add or copy the
10. Do not share other persons’ data or the organization’s information without permission from the data subject.
11. Do not allow anyone to obstruct, damage or destroy the Company’s computer resources and network by spreading computer viruses or introducing programs that cause network computers or equipment to suffer Denial of Service, etc.
12. Do not allow anyone to smuggle data from the Company’s network or from other machines connected with the network for data transmission.
13. Always activate antivirus software before opening portable drives, email attachments and files downloaded from the Internet.
14. Give assignments to IT operators to ensure security and control operations as prescribed in the IT Security Policy and guidelines of the Company.
15. All of the Company’s employees must be responsible for complying with the Company’s IT Security Policy and guidelines and must not commit any act that violates the Computer Crime Act.
16. Users are barred from installing new software or changing programs installed on the Company’s computers, unless they seek consultation or advice from system administrators or receive permission from the top authority of the organization.
17. Define Internet connection routes for the Company’s computers via security systems such as a firewall. An antivirus program must be installed and vulnerabilities must be addressed before connecting the Company’s computers to the network. After using the Internet, users shall close web browsers to prevent access by other people.
18. Users shall access the information deemed suitable for their roles and responsibilities, for the network’s efficiency and the Company’s safety. Users are prohibited from disclosing the Company’s confidential information, unless the disclosure complies with the Company’s official disclosure guidelines.
19. Users’ Internet usage must not infringe on others or cause harm to the Company. Users must not act in violation of the Computer Crime Act or relevant laws. In using the Internet to support their job assignments, users must strictly follow the procedures prescribed by the Company.
20. Confidential information must be classified and categorized according to mission and importance. The management of each category must be defined, along with the practices for treating confidential or important data prior to cancellation or reuse. Important data transmitted through public networks must be encrypted with international encryption standards.
21. Measures to control the accuracy and conformity of data input and output must be put in place in case the data is stored in more than one place (distributed database) or is related to other data sets. Data security measures should be outlined in case computers are moved out of the Company’s premises for repair or other purposes, e.g., some data may need to be deleted beforehand.
22. Control access to data and processing equipment with the usability and security of the IT system in mind. Define rules regarding access permission and privilege, to be acknowledged by employees at all levels for their strict compliance. Employees should realize the importance of safeguarding IT system security. Define employees’ access to data and the IT system, for instance, access to the Application System and access to the Internet, in accordance with their roles and responsibilities. Grant employees access only to accomplish necessary work, with written approval from responsible persons, and review such rights regularly.
23. Where it is necessary for users who own sensitive data to give other users permission to access or modify their data, such as through shared files, etc., the permission must be limited to an individual or a specific group only and must be revoked when such access is no longer necessary. The data subject must produce proof of authorization, set time limits, and revoke the access immediately after the time limits.
24. Where it is necessary to grant emergency or temporary access to the IT system or network, the protocol must be followed and permission from the authorized persons must be obtained at all times. Record the reasons for and necessity of such permission, set the duration of use, and cancel it immediately after the end of the period.
25. Establish concise identification and authentication protocol, like a requirement for a password difficult to guess. Each user must have his/her own user account. In determining whether passwords are difficult to guess and password control is tough, the Company will use the following factors for overall consideration.
26. Users shall verify their identity before accessing the system with the password set by the administrator, should change passwords regularly, and each new password should not repeat the 3 most recent ones. Users should keep their passwords confidential and should not write them on paper and post them on the screen. In case of sharing as Shared Users, system administrators shall inform users to change the password to access such system when there is a change of affiliated
27. Provide a system to check the list of users of critical systems on a regular basis, check the list of users whose rights are terminated, including those who have resigned and default users, and suspend such users immediately upon detection by disabling their access, removing them, changing passwords, etc.
28. Provide a Data Center Room that should be divided into separate sections for the Network Zone, Server Zone, UPS Zone, Battery UPS Zone, etc., for ease of operation and more efficient control over access to important computer equipment.
29. Prepare Agreements on Information Transfer that consider information security and, for system administrators, ensure the CIA triad (Confidentiality, Integrity and Availability) by requiring external organizations to sign non-disclosure agreements to protect the Company’s secrets, as well as providing measures to follow up on and examine the operations and service quality of external service providers so that they are in line with the contract and agreement.
The Company may disclose the personal data of the above-mentioned stakeholders to various persons or entities to achieve the above purposes, as stated below,
Where the Company may send the personal data of the data subject to an organization located in a foreign country under the provisions of law, or to achieve a contract’s objectives, or upon request, or for the benefit of the data subject more than the fundamental rights, as legal or necessary, the Company shall strictly comply with the provisions of law that permit it. Therefore, if the Company will send, transfer or disclose personal data to an organization located in a foreign country that is without appropriate and adequate personal data protection standards, the Company will inform the data subject in detail, including the various risks that may occur, and the Company will send, transfer or disclose the personal data only when it receives clear consent from the data subject.
Besides the fundamental rights, the data subject also has other rights regarding collection, use or disclosure, such as the rights of data acknowledgement, access, rectification, erasure, limitation of giving data, receiving notifications, data transfer, rejection, and disallowing the use of automated decision-making systems, and the data subject also has specific rights as provided by law as follows:
9.1 Giving of consent: the data subject has the right to choose whether or not to provide any personal data that the Company requests and whether or not to give consent for the Company to collect, use or disclose such personal data, but the data subject must acknowledge that giving incomplete personal data as requested by the Company, or not giving consent to collect, use or disclose such personal data, may limit the data subject’s right to use some services or result in the Company being unable to provide services to the data subject at all, if such data is necessary for the Company to provide services to you.
9.2 Data access: the data subject has the right to access and obtain a copy of his/her personal data, or to request that the Company send the personal data to the data subject or to other personal data controllers (if such data is in a form where processing is possible), and the data subject can also request that the Company disclose the acquisition of such personal data which it may have obtained without consent to storage.
9.3 Objection: the data subject has the right to object to the collection, use, and disclosure of personal data relating to the data subject, if that data is collected by the Company without your consent or that data is collected, used or disclosed for direct marketing or research studies.
9.4 Erasure, destruction or suspension: the data subject has the right to request the Company to erase, destroy or suspend the use of the personal data of the data subject retained by the Company, or to have the Company make such data unable to identify the data subject, if the data subject revokes consent or objects to the collection, use or disclosure of your personal data, or when it is no longer necessary to keep, use or disclose it for the purposes for which you have given your consent, or when the Company fails to comply with the law relating to personal data protection.
9.5 Rectification: the data subject has the right to request the Company to rectify the personal data of the data subject retained by the Company so that it is accurate, up to date, complete and does not cause misunderstanding.
9.6 Withdrawal of consent: the data subject has the right to withdraw consent to the collection, use and disclosure of the personal data of the data subject, but this must not affect the collection, use or disclosure of personal data to which the data subject has previously given consent. In this regard, withdrawal of such consent may cause the Company to be unable to provide services to you.
In exercising your rights, you should acknowledge that your rights as the data subject stated in Clauses 8.1 to 8.6 above are limited under applicable law, and the Company may deny the exercise of your rights if the Company has legitimate grounds to do so.
However, the exercise of rights as the data subject as stated in this document is limited to basic services that do not incur unnecessary costs for the data controller. If the exercise of the rights of the data subject by stakeholders causes fees or expenses for processing the requests of the data subject, the data subject will be liable to reimburse the processing fees for the request to exercise such rights.
Unless specifically stated as required by law, the Company will retain the personal data of stakeholders in business operations for a period of years from the date that the stakeholders terminated their legal relationship with the Company, unless retention is necessary in relation to the use or refutation of a legal claim, legal execution, deposit in lieu of performance of obligation, or as specifically required by law.
The Company provides a checking system to erase or destroy the personal data of stakeholders after the retention period, when it exceeds what is necessary for the purposes, or as requested by the data subject or upon a request for withdrawal of consent, unless the Company has to keep the personal data for the purpose of exercising freedom of expression or in accordance with specifically permitted legal exceptions, including use for the establishment of legal claims, exercise of legal claims, defense of legal claims, or legal compliance.
Trunk Travel Company Limited
Tel. 02-117-9171 E-mail address. Pai@Trunk-Travel.com
Data Protection Officer
Business day, Tel
Lerdtida M. Williams
Trunk Travel Company Limited