Privacy Policy

Last updated August 09, 2023

The Rockshop Company Limited (“the Company”) is committed to conducting business in compliance with business ethics and applicable laws and appreciates your trust in the Company. The Company is well aware of the importance of your transaction security and of the collection and storage of Personal Data.

  The Company values your privacy and thus protects your Personal Data by formulating policies, regulations, and rules for the Company’s business. The full data protection shall ensure that your Personal Data shall be processed as per your requirements and under the law.

Purpose

  This Policy is to inform you, as a data subject, of purposes and details about the collection, storage, usage, and/or disclosure of your Personal Data and your legal rights concerning Personal Data.

Personal Data the Company Collects and/or Discloses

  1. Personal Data is any information that identifies you, directly or indirectly, i.e.
    1. Personal Data you, directly or indirectly, give the Company, or the data available to the Company by your use of services, contact, visit, search via digital platforms, website, call center, assigned persons, or other channels;
    2. Personal Data received or accessed by the Company from other sources, not directly from you, e.g., government entities, financial institutions, financial service providers, business partners, the National Credit Bureau, and information service providers, etc. The Company will collect data from other sources only when your consent is given as consistent with laws unless where necessary for the Company as permissible under laws.

Your Personal Data the Company Collects and Discloses are as follows:

  • Personal Data, such as name, surname, age, date of birth, marital status, national identification number, and passport number, and contact information, such as home address, workplace, temporary address (other than home address), telephone number, E-mail, and Line account ID;
  • Financial information, such as financial statements, source of finance, bank account number, credit card numbers, and debit card numbers;
  • Transaction information, such as foreign exchange purchase and sale transactions, including source and distribution of foreign exchange;
  • Data related to devices or machines, such as IP address, MAC address, and cookie ID;
  • Other information, such as website-visiting data, voice, still picture, moving picture, and other information deemed Personal Data under the Personal Data Protection Laws.
  1. Sensitive Personal Data is specially categorized by law and will be collected, used, and/or disclosed by the Company only when the Company is given explicit consent or where necessary for the Company as permissible under law. The Company may collect, use, and/or disclose biometric identifiers, e.g., facial recognition, fingerprint recognition, retina recognition, and voice recognition, for the sake of verifying and confirming the identity of applicants for services and/or transactions via digital platforms, website, call center or other channels, etc.

Remark: Unless otherwise specified in this Policy, Personal Data and sensitive data about you above will be collectively called “Personal Data.”

  1. What are the Company’s purposes for collecting, using, and/or disclosing your Personal Data?
    1. For your benefit in using the Company’s products and/or services that meet your own purposes and for other purposes necessary under laws, for example,
      1. to allow you to use the Company’s products and/or services that meet your purposes under your contract with the Company or to take steps at your request prior to using the Company’s products and/or services (Contractual Basis), for example,

(1) to approve the use of any products and/or services, such as member subscription and other relevant services;

(2) to take any steps in relation to product and service provision, e.g., processing, contact, notification, outsourcing, right and/or duty assignment, and notification of services.

  1. to comply with the following legal obligations:

(1) to comply with an order from an authority; and/or

(2) to comply with Tax law, Anti-Money Laundering Act, Counter-Terrorism and Proliferation of Weapon of Mass Destruction Financing Act, Computer-Related Crime Act, Bankruptcy Act, and other laws to which the Company is subject both in Thailand and outside the country, including regulations and rules issued pursuant to such law and acts.

  1. to take necessary steps for the legitimate interests of the Company or of another individual or juristic person, which do not override your reasonable expectations (Legitimate Interest), for example,

(1) to record voice conversations with the call center or images from CCTV, to exchange ID cards before entering buildings;

(2) to maintain relationship with customers, e.g., complaint handling, satisfaction survey, customer service by the Company’s staff, notification or offer on any products and/or services of the same types you are using for your own sake;

(3) to manage risks, monitor, and manage within the organization, including to refer such tasks to the same corporate group under the binding corporate rules;

(4) to anonymize your Personal Data;

(5) to prevent, respond, and minimize potential risks from corruption, cyber threat, or law violation (e.g., money laundering, terrorism and proliferation of weapon of mass destruction financing, offences related to property, life, body, liberty or reputation); including sharing Personal Data to raise work standards of the same corporate group in order to prevent, respond, and minimize such risks;

(6) to collect, use, and/or disclose the Personal Data of directors, representatives, and customers’ agents who are juristic persons;

(7) to contact and record voice or image during meetings, trainings, seminars, or workshops;

(8) to collect, use, and/or disclose the Personal Data of the ward;

(9) to receive dispatch documents or parcels.

  1. To enable you to receive benefits from using products and/or services as per your given consent, for example,

(1) for you to be provided with better and more suitable products and/or services as per your requirements; 

(2) for you to receive offers, privileges, recommendations, and other information, including eligibility to attend special activities;

Regardless of being products and/or services, privileges, promotions, information, or special activities of the Company, business partner, or a third party associated with the Company, depending on your given consent.

  1. To Whom may the Company disclose your Personal Data?

  The Company may, under your consent and under the applicable law, disclose your Personal Data to other third parties. The persons or entities receiving the data will collect, use, and/or disclose the Personal Data to the extent permissible under your consent or related to this Policy.

  The Company may, under your consent and under the applicable law, disclose your Personal Data to other third parties under this Policy, e.g., the Personal Data processor, business partners, external service providers, the Company’s agents, sub-contractors, financial institutions, auditors, external auditors, competent authorities, prospective assignees and/or assignees in any transaction or business merger of the Company, any corporations or individuals under relationship or contract with the Company; including executives, staff, employees, contractors, agents, the Company’s advisor and of those persons or entities who receive the data, etc.

  1. Can the Company send or transfer your Personal Data to other countries?

  If need be, the Company may send or transfer your Personal Data to the same corporate group overseas or to other recipients to the extent necessary to perform the Company’s activities, e.g., sending or transferring the Personal Data to be stored on server/cloud in other countries.

  In the case of the receiving countries’ adequate standard levels, the Company will ensure that the sending and the transferring are in accordance with the law and take reasonable data protection measures as necessary, appropriate, and consistent with confidentiality measures. Such measures are, for example, entering into confidentiality agreements with recipients overseas, setting out the Personal Data Policy that is audited and certified by competent authorities under the relevant law in case of the corporate group in the same business being the recipients, and controlling the sending and transferring to comply with such Policy instead of legal requirements.

  1. How long does the Company retain your Personal Data?

  The Company will retain your Personal Data for as long as necessary during the period you are a customer or binding on the Company, or for as long as necessary in connection with the purposes set out above, unless law requires or permits longer retention period. For example, retention pursuant to the Anti-money Laundering Act and retention for proving and examining in the event of dispute within legal prescription not exceeding 10 years, etc.

  The Company may erase, destroy, or anonymize the Personal Data when it is no longer necessary or when the period lapses.

  1. How does the Company protect your Personal Data?

  The Company will best store your Personal Data according to technical measures and organizational measures to maintain security of personal data processing and prevent a Personal Data breach. The Company has formulated policies, rules, and regulations on Personal Data protection, e.g., security standards of information technology and measures to bar data recipients from using or disclosing the data outside the purposes or without authorization or unlawfully. The Company has developed the policies, rules, and regulations as frequently as necessary and appropriate.

  Moreover, the Company’s executives, staff, employees, contractors, agents, advisers, and data recipients are obligated to keep the Personal Data in confidence pursuant to the confidentiality measures provided by the Company.

  1. What are your rights related to Personal Data?

  Your rights described hereunder are legal rights of which you should be informed. You may exercise any of these rights within legal requirements and policies at present or as amended in the future as well as regulations set out by the Company. If you are under the age of 20 or your legal contractual capacity is restricted, your parent(s), guardian, or representative may request to exercise the rights on your behalf.

  1. Withdrawal of Consent: If your consent is given to the Company to collect, use, and/or disclose your Personal Data (whether before or after the effective date of the Personal Data Protection law), you have the right to withdraw such consent at any time throughout the period your Personal Data are held by the Company unless it is restricted by laws or you are still under beneficial contract. 

However, your withdrawal of consent may affect your service usage; for instance, you shall neither be provided with privileges, promotions, and offers nor notified of useful information. For your own benefit, please study and inquire before deciding to withdraw consent.

  1. Data Access: You have the right to access your Personal Data that is in the Company’s possession, to request the Company to make a copy of such data for you, and to request the Company to reveal how the Company obtained your Personal Data.
  2. Data Portability: You have the right to request your Personal Data if the Company renders such Personal Data machine-readable or usable via automatic means; to request the Company to send or transfer the Personal Data in such format directly to other data controllers if doable by automatic means; and to request to obtain the Personal Data in such format sent or transferred by the Company directly to other data controllers unless technical errors occur.

However, your Personal Data above must be under your consent given to the Company to collect, use, and/or disclose; or those the Company deems necessary to collect, use, and/or disclose to allow you to use products and/or services as per your needs under your contract with the Company; or to take steps at your requests before using products and/or services; or as legally required by the authority.

  1. Objection: You have the right to object to collection, usage, and/or disclosure of your Personal Data at any time if such doing is conducted for legitimate interests of the Company, corporation, or individual, which is within your reasonable expectation; or for carrying out public tasks. If you request to object, the Company will continue collecting, using, and/or disclosing your Personal Data only when the Company can establish a legal basis that doing so is more important than your fundamental rights; or to affirm legal rights; to comply with laws; or to defend legal proceedings, depending on a case-by-case basis.

In addition, you have the right to object to collection, use, and/or disclosure of your Personal Data carried out for the purposes of scientific, historical, or statistical research.

  1. Data Erasure or Destruction: You have the right to have the Company erase, destroy, or anonymize your Personal Data if you believe that the collection, use, and/or disclosure of your Personal Data is violating relevant laws; or retention of the data by the Company is no longer necessary under the purposes set out in this Policy; or when you request to withdraw your consent or to object to the processing as earlier described.
  2. Processing Suspension: You have the right to have the Company suspend processing your Personal Data during the period where the Company examines your rectification or objection request; or when it is no longer necessary, and the Company must, under relevant laws, erase or destroy your Personal Data, but you instead request the bank to suspend the processing.
  3. Data Rectification: You have the right to rectify your Personal Data to be updated, complete, and not misleading.
  4. Complaint Lodging: You have the right to, under relevant laws, complain to authorities on the condition that you believe that the collection, use, and/or disclosure of your Personal Data is violating or against relevant laws.
  5. The exercise of the rights above may be restricted under relevant laws, and it may be necessary for the Company to deny or not be able to respond to your requests, e.g., to comply with laws or court orders, public tasks, your request in breach of rights or freedom of other persons, etc. If the Company denies the request, the Company will inform you of the reason.

This Policy notice shall come into force on 09 August 2023.

Appendix No. A

You may request to exercise your rights via the following channels:

Channels: Call Center; The Rockshop Co., Ltd. Branch

Rights and Processing Time (Working Day):

  • Consent Withdrawal: 7 days
  • Data Access: 30 days
  • Data Portability: 30 days
  • Objection: 30 days
  • Data Erasure or Destruction: 30 days
  • Processing Suspension: 30 days
  • Data Rectification: 7 days

***From the day you submit your request and the Company receives all documents

Remark: If you wish to make any complaints regarding Personal Data Breaches and/or Privacy Violations, you may contact us in person at one of our many locations. (Working Hours)

CCTV Privacy Notice

  The Rockshop Co., Ltd. (hereinafter referred to as “the Company”) is to inform you of the use of closed-circuit television (CCTV) devices to monitor conditions within or around the Company premises to protect life, health, and property. The Company collects the Personal Data of all officers, workers, customers, employees, contractors, visitors, or any individuals entering the monitored space within the Company premises (collectively referred to as “you” or “your”) through the use of CCTV devices.

  This CCTV Privacy Notice provides information on The Company’s collection, use, or disclosure of individually identifiable information (“Personal Data”) about you.

  1. Legal bases for processing your Personal Data

The Company shall process your Personal Data for the following legal purposes:

  1. to prevent, protect and/or suppress a danger to the life, body, and health of a person or those of any relevant third parties;
  2. to assist in the legitimate interest of the Company and that of any relevant third parties, both of which are considered necessary for your fundamental rights to the protection of the Personal Data; and
  3. to comply with applicable laws regarding safety and environment in the workplace and the Company properties.
  1. Purposes of collection of your Personal Data

The Company shall process your Personal Data for the following purposes:

  1. to protect your health, personal safety, and belongings;
  2. to protect and prevent premises, facilities, and assets of the Company from damage, disruption, vandalism, or other crime;
  3. to support law enforcement agencies in the deterrence, prevention, detection, and prosecution of crime;
  4. to assist in the effective resolution of disputes which arise in the course of disciplinary or grievance proceedings;
  5. to assist in the investigation or proceedings concerning a whistleblowing complaint; and
  6. to assist in the establishment or defense of any litigation, including but not limited to employment proceedings.
  1. Collected and used Personal Data

The Company installs CCTV devices at clearly visible spots and places appropriate signage at the entrance and the exit, and in other areas the Company considers necessary to keep under surveillance, to alert you that a CCTV installation is in use and your Personal Data is recorded.

Types of Personal Data the Company Collects

o   Image

o   Video

o   Sound

o   Images of your belongings, e.g., vehicles, bags, hats, and clothes

Please also note that the Company shall not install CCTV devices in private areas to prevent an invasion of your privacy.

  1. Disclosure of your Personal Data

The Company shall keep your Personal Data confidential and may, however, disclose them to any relevant third parties if it is deemed necessary for the following purposes:

  1. The Company may disclose your Personal Data to law enforcement agencies to comply with legal obligations and assist them in the detection, investigation, and prosecution of crime; and
  2. The Company may disclose your Personal Data to any relevant third parties to ensure the Company’s protection of your life, body, health, personal safety, and belongings.
  1. Your rights as a data subject

Pursuant to the Personal Data Protection Act (PDPA) B.E. 2562, which seeks to empower individuals to take control of their Personal Data, you have the following rights:

  1. Right of access. You have the right to access and obtain a copy of your Personal Data that the Company collected. The Company may, to the extent permitted by law or a court order, refuse to act on your request where such request could affect the rights and freedom of another person.
  2. Right to rectification. You have the right to request rectification of incomplete, inaccurate, misleading, or not up-to-date Personal Data that the Company processes about you.
  3. Right to restrict processing. You have the right to restrict the processing of your Personal Data in the following circumstances when:
    1. It is under the pending examination process of checking whether your Personal Data is accurate, up-to-date, and complete or not;
    2. Your Personal Data is collected, used, or disclosed unlawfully;
    3. It is no longer necessary to retain your Personal Data for the purpose for which it was collected, used, or disclosed, but you still require the data to establish, exercise, or defend a legal claim; and
    4. The Company is pending verification in order to reject your request for the objection to the collection, use, or disclosure of your Personal Data.
  4. Right to object. You have the right to object to the collection, use, or disclosure of your Personal Data. However, the Company may refuse to comply with your request if the Company can demonstrate compelling legitimate grounds for such collection, use, or disclosure, which may override your own interest or if such collection, use, or disclosure is for the purposes of establishment, compliance, exercise, or defense of legal claims.
  1. Retention period of Personal Data

To achieve the monitoring purposes described in this Notice, the Company may retain your Personal Data for 90 days after your visit to the Company premises or so long as it is necessary to deal with any disputes or legal proceedings that may arise. After that period, your Personal Data will be deleted.

  1. Security measures for your Personal Data

  The Company uses reasonable technical and administrative security measures to protect your Personal Data from loss or unauthorized access, deletion, destruction, use, modification, alteration, and disclosure of data.

  The Company has established the Privacy Policy publicized throughout the Company and security guidelines for the collection, use, and disclosure of Personal Data that cover confidentiality, integrity, and availability. In this regard, the Company will revise the Policy as well as this Notice in due course.

  1. Personal Data controllers’ scope of responsibility

  The Company allows only authorized controllers to process your Personal Data and has them strictly follow this Notice.

  1. Changes to this CCTV Privacy Notice

  The Company reserves the right to amend this Notice at any time in its sole discretion and will notify you in an appropriate manner of any modification to the terms of this Notice through the QR code at the information counter. It is advisable that you always check the up-to-date Notice before entering the Company premises.

  Entering the Company premises is considered acceptance of this Notice. Please do not enter if you do not accept it. Your visit to the Company premises after the Notice has been updated or modified is also considered acceptance of its terms.

  1. Contact details

If you have any queries about your Personal Data under this CCTV Privacy Notice, please contact us at:

Email address: [email protected]