Rangsit Plaza Company Limited (“the Company”) on behalf of the management of Future Park Leasehold Property Fund (“Property Fund”) and the management of Future Park Department Store and Zpell Department Store (“Department Store”) has realized importance of personal data protection of customers, clients, tenants, business vendors, business partners and stakeholders (“You”). This is because personal data protection is a part of corporate social responsilbity and foundtation to create reliable business relationship between the Company and other parties. The Company, therefore, has complied with Personal Data Protection Act and other relevant official regulations.
means Rangsit Plaza Company Limited.
means Future Park Leasehold Property Fund.
means Future Park Department Store and Zpell Department Store.
means customers, goods buyers, users of services including website or applications or other services from the Company and/or Department Store. This shall cover tenants, service clients, business vendors and business partners who are normal persons or normal persons who are related to juristic persons who are customers, users, tenants, service clients, business vendors, and business partners of the Company and/or Department Store.
means a person assigned by the Company to have authority for any approval within the scope defined by the Company.
means a unit or person assigned by the System Owner or Data Subject to take charge of a system.
means an executive of business unit or executive who has duty and responsibility for taking charge of a system.
means a normal person who is under the age of 20 years, except for a normal person who is under the age of 20 years, but has legally married, therefore has attained maturity age under the law.
means a person with mental disorder who cannot take care of one’s self or one own’s benefits and is ordered to be an incompetent person by the court.
Quasi Incompetent Person
means a person with physical disorder or mental disorder or a person with dissipation or alcohol addiction or other similar causes causing him not to take effective action or take action which causes damages to his own or family’s assets, therefore, ordered to be a quasi incompetent person by the court and under custody of guardian appointed by the court.
means data relating to a person which helps directly and indirectly identify a person but not including that of a specific passed person. Moreover, it also includes data that alone may not identify a person but when combined with others can create a set of data that can identify personal data such as address, gender and age which can be combined to identify a person. This kind of data is Personal Data.
means personal data regarding nationality, race, political opinion, sect, religious or philosophy belief, sexual orientation, criminal record, health information, disability information, labor union information, genetics information, Biometric Data or any other data affecting Data Subject in the same manner as stipulated by law.
means personal data retrieved from use of technique or technology relating to unique physical or behavioral traits of an individual to identify a person such as face recognition, retina recognition, and fingerprint recognition.
means Personal Data Data Subject disclosed to the public such as social media profile and social media credential such as Facebook, Twitter, Line and other channels to be created in the future to connect or log in to any services of the Company such as Social Media Account ID, Interests, Likes and list of friends of Data Subject which the Data Subject can control the credential by settings provided by the social media.
means a normal person who can be identified by such personal data directly or indirectly in the manner that such data can refer to not that such person has real rights in the data or creates the data.
means a person authorized to make a decision on gathering, using or disclosing Personal Data.
means a person who collects, gathers, uses or discloses Personal Data following order of or on behalf of the Data Controller.
Data Protection Officer (DPO)
means a person who gives advice or audits the Company’s implementation and has a duty to coordinate and collaborate with Personal Data Protection Commission Office.
means programs or instruction sets to control computers and other peripherals to follow instructions and response to desire of the users. The Application must have user interface or UI as medium for using functions.
means a series of number that identifies each device such as computer or network device using Transmission Control Protocol/Internet Protocol (TCP/IP) and identifying location of the device. IP Address is unique
means a small piece of information the Company’s website sends to computers or electronic devices connected to the Internet to store Personal Data. Cookie will be sent to web server every time, users are browsing the websites.
2. General Provisions
2.1 Personal Data Protection in this policy covers Personal Data of customers who are normal persons or normal persons relating to juristic persons who are customers, users, tenants, clients, business vendors, and business partners with the Company and/or Department Store.
2.2 The Company shall review this policy at least once a year or when there is any significant change to compliance with this policy and the Company shall announce any changes on www.futurepark.co.th
or the Company’s application.
2.3 The Company collects, gathers, uses or discloses Personal Data upon getting prior consent or consent at that moment from Data Subject, except that the Company makes such data not to identify a person or there is lawful basis to accommodate as follows:
2.3.1 Contract compliance.
2.3.2 Legal obligation.
2.3.3 Legitimate interest which does not go beyond the scope the Data Subject can expect on reasonable basis.
2.3.4 Public interest.
2.3.5 Vital interest.
2.3.6 Historical document or archive for public interests.
2.4 The Company collects and gathers Personal Data as much as necessary under lawful objectives and informs details of gathering of Personal Data to Data Subject as prescribed by law.
2.5 The Company shall delete and destroy Personal Data or make the data not to identify a person after defined storage period ends or in case it is beyond necessity in collecting Personal Data or as requested by Data Subject as Data Subject withdraws the consent, except there is any lawful cause or official regulations forcing the Company to store such Personal Data.
2.6 The Company takes care of Personal Data in secured manner and considers privacy of Data Subject maintaining the Personal Data secrecy.
3. Consent Request from Data Subject
3.1 Request of consent to gather, collect, use or disclose Personal Data from Data Subject must be clearly made in writing or via electronic system, except for a case that the consent cannot be requested in such manner. Request of consent by other methods must have reliable proof that the Data Subject shows intention to give consent.
3.2 Data Subject must be clearly and faithfully informed objectives of collection, use or revelation of Personal Data which is easy to understand or Data Subject must not be tempted to misunderstand objectives and Data Subject’s freewill to give consent must be prioritized.
3.3 In case the Data Subject is Minor who does not attain maturity by marriage or does not have status in the same manner as a matured person, consent must be obtained from guardian who can act on behalf of the Minor.
3.4 In case the Data Subject is Incompetent Person, consent must be obtained from custodian who is authorized to act on behalf of the Incompetent Person.
3.5 In case the Data Subject is Quasi Incompetent Person, consent must be obtained from custodian who is authorized to act on behalf of the Quasi Incompetent Person.
3.6 In case the Data Subject of Authorized Person as in No. 3.3, 3.4, and 3.5 desire to withdraw the consent given earlier, this person shall follow desire of the Data Subject like when giving consent. If withdrawal of consent affects the Data Subject in any aspect, impacts from consent withdrawal must be informed to the Data Subject.
3.7 The Company must gather, collect, use or disclose Personal Data according to objectives notified to the Data Subject only. Gathering, use or disclosure of Personal Data which is different from notified objectives cannot be done, except for notifying new objectives to the Data Subject with prior consent before gathering, using or disclosing.
4. Objectives for Gathering Personal Data
The Company shall gather, collect, use and disclose Personal Data for basis specified in this policy.
4.1 Contractual Basis
To comply with contracts for which you are a party such as lease contract, premise use contract, purchase contract, employment contract, service contract, membership contract or any other contracts or for any act relating to being a party of contract or to comply with your request/application form before entering into the contract.
4.2 Legal Obligation
To comply with laws such as financial institution business laws, securities and exchange laws, insurance laws, labor protection law, social security law, severance law, labor relation law, provident fund law, tax law, bankrupcy law, anti money laundering law, Counter Terrorism and Proliferation of Weapon of Mass Destruction Financing, computer law, and contagious disease control law.
4.3 Legitimate Interest
For legitimate interest of the Company or another person or juristic person which does not exceed the scope you reasonably anticipate or for other objectives allowed by laws such as
(1) Recording of voice, still or motion picture via CCTV to prevent or stop life, physical or health threats of an individual.
(2) Survey of opinion, participation of internal activities, announcement of results, receipt and sending of parcels, research and analysis and statistic preparation.
(3) Risk management, governing and auditing, complaint handling, internal administration, prevention, handling and mitigation or risk in fraud.
(4) Cyber threat, legal violation, data verification, and electronic appliance use to boost efficiency in working or tracking working behaviors and legal action in court.
(5) Making the data to be anonymous data.
(6) Making internal reports such as taking pictures to prepare reports.
The Company may collect Personal Data which may include Sensitive Data such as nationality, race, political opinion, sect, religious or philosophy belief, sexual orientation, criminal record, health information, disability information, labor union information, genetics information, and Biometric Data and disclose the Personal Data as necessary such as for medical treatment at medical room, blood donation, research and questionnaire, participation of some activities for marketing, sale promotion, news dissemination, public relation, reward redemption, registration for service, membership registration, Wi-Fi service request, and request to use the Company’s services. The Company shall clearly request consent from the Data Subject every time, the Company collects such Sensitive Data.
4.5 Use of Personal Data for Marketing Purposes
Apart from objectives to collect Personal Data stated in No. 4.1-4.4 above and under legal obligation, the Company shall use Personal Data for marketing purposes as follows:
4.5.1 To offer special privilege and promotion, news on discount offer, special offer, advertisement, notice of commercial news and information relating to the Company and Department Store and business partners such as sending documents regarding to sale promotion and marketing activities via postage, e-mail, SMS, Line and other channels.
4.5.2 To survey satisfaction level, analyze and research data on interests and behaviors of customers, customer relationship management and development and improvement of products or services and to make business plan for the Company and Department Store.
4.5.3 To calculate scores or accumulate or receive points or redeem points for members.
4.5.4 To conduct direct and indirect marketing activities to boost privileges the Data Subject is entitled to from being the Company and Department Store’s customer via introduction of products, activities and services relating to the Company and Department Store.
5. Access to and Use of Personal Data
5.1 The Company’s employees can access to or use Personal Data as much as necessary for work and as defined by the Company. If the Company’s employees need to access to the Personal Data at the scope exceeding that allowed by the Company, they must get approval from Authorized Person.
5.2 The Company’s employees must use Personal Data only for objectives set to collect the Personal Data or as objectives given consent by the Data Subject, except for having legal basis to support.
5.3 System Administrator and System Owner must allow the Company’s employees who have authority or allowed by Authorized Person to access to the Personal Data.
6. Personal Data Collection Methods
The Company shall collect and gather Personal Data with the following methods
6.1 Personal Data directly given by Data Subject.
6.2 Personal Data given by Property Fund
6.3 Personal Data given by the third party such as agents, shops or data collecting service providers, vendors and partners etc.
6.4 Personal Data retrieved from website browsing such as name of Internet service provider, and IP Address, date and time or website browsing, browsed pages and address of website directly connected to the Company’s website.
6.5 Personal Data received from Public Records and Non-Public Records the Company is entitled to collecting as stipulated by law.
6.6 Personal Data received from government agencies, and law enforcing regulators.
7. Disclosure and Receipt of Personal Data
7.1 Disclosure of Personal Data to External Person or Agency
The Company must receive consent from Data Subject and approval from Data Protection Officer (DPO), except for being an act to comply with laws or official regulations.
he Company shall disclose Personal Data to Property Fund, external party and/or organization or external agency in these following cases
7.1.1 A person who is allowed to be middle man such as transport company, data collection and gathering company, system developing and maintenance company for running activities of the Company.
7.1.2 Vendors, business partners, subsidiary and/or external service providers to provide service to propose privilege and other services of the Company to the Data Subject including development and improvement or products or services of the Company such as data analysis and processing, information technology service provision and preparation of relevant infrastructure, client service platform development, sending of e-mail/SMS, website development, mobile application development, satisfaction survey and research conducting, and customer relationship management. In case of juristic person, such person must have standard in Personal Data protection widely accepted with secrecy agreement made for the Personal Data.
7.1.3 Government agency, government or other organization stipulated by law, to comply with laws, orders and requests to coordinate with agencies in terms of compliance with laws.
7.2 Receipt of Personal Data from External Person or Agency
The Company shall verify to ensure that the Personal Data received has legal basis to support and gets approval from Data Protection Officer (DPO), except that the act is made to comply with laws or official regulations.
The Company shall collect and gather data directly given by the Data Subject or Personal Data the Company receives from providing services or running business via all channels including these following channels
7.2.1 Data received when Data Subject registers or fills in application forms to participate in the Company’s activities or other services such as title, name, surname, nick name, gender, age, nationality, religion, birthday, fingerprint, place of birth, weight, height, signature, photo, voice, audio record, traits of face for recognition, clips from CCTV, marital status, number of family members, profile, education, career, position, working place, type of business, household income, salary and personal income, data in card or document issued by government agency or organization such as ID card, housing registration, marriage certificate, name change certificate, passport, visa, alien card, driving license, copy car registration, social security information, taxpayer information, license plate and housing registration, etc.
7.2.2 Data from applying for membership of the Department Store such as details of member account, type of member, registration data, date of issuance/expiry date, accumulated points, card use record, point accumulation, point redemption, services, privilege exercise, data from registration to participate in sale promotion activities or in marketing activities, expressing opinions, complaints and compliments and suggestions.
7.2.3 Data from creating user account, and profile comprising Personal Data given to the Company to use services via channels provided by the Company such as the Company’s mobile application and/or website as online account, application account the Company provides and Personal Data given to apply for activities such as for joining activities and/or contacting the Company via website or other channels as defined by the Company.
7.2.4 Data for news subscription from doing survey or data from joining activities such as satisfaction, interest or consumption behaviors, opinion expressing, compliments, complaints and suggestions, etc.
7.2.5 Data relating to transactions with the Company and/or Department Store or Property Fund or others such as credit or debit card data, bank account number or data relating to bank or other payments including date and time of payment depending on type of the Data Subject’s transactions
7.2.6 Data from browsing or using the Company’s website or Application of the Company or that run by the Company, data of social media use and conversation with the Company’s online advertisement, model and type of computer programs use to browse website, types of equipment to access to the services such as personal computer, laptop or smart phone, operating system and platform types, address, IP address of equipment or terminal equipment, location data, service data, and product visited or searched by Data Subject.
7.2.7 Data from contact record of Data Subject and the Company stored in a form of client records, satisfaction survey evaluation, research and statistics or conversation record or clip from CCTV when the Data Subject contacts the Company such as the Company’s customer service center and data given via research media such as SMS, Social Media Application or e-mail, etc.
7.2.8 Social media profile data, when there is social media credential to log in such as Facebook, Twitter, Line and Google account to connect or log into any of the Company’s services such as Social Media Account ID, Interests, Likes and list of friends of Data Subject which the Data Subject can control the credential by settings provided by the social media.
7.2.9 Data from issuing shop staff card, Exhibitor card, and work permit in Department Store area, goods transport in and out of the Department Store request, coordination, activity arrangement, preparation of area for events and any arrangement for events and activities in the area of the Department Store.
7.2.10 Data from issuing parking card, parking lot service request and free extra parking hour request.
7.2.11 Data from request to rent equipment, use security service, use cleaning service and use PR media.
7.2.12 Data from receipt of complaints, suggestions, compliments, lost property report, contact for retrieving lost property, for problem solving, service development, improvement and feedback for reporters on progress of action.
7.3 In case of Assigning External Person or Agency to Collect, Gather, Use or Disclose Personal Data in Place of the Company (Data Processor)
An external person or agency must be Data Processor who has appropriate security measure for Personal Data which is equal to the Company’s standard of the Company following information technology external service provider management security policy. The Company shall arrange mutual agreement to control Data Processor to comply with the law by clearly defining objectives or orders to collect, gather, use or disclose the Personal Data to the Data Processor and set up measure to prevent the Data Processor from collecing, gathering, using or disclosing the Personal Data received from the Company for objectives apart from the objectives or orders given by the Company.
8. Sending or Transfer of Personal Data Abroad
In case the Company transfers, transmits and/or sends the data abroad, the Company shall set standards for making agreement and/or shareholder agreement with an agency which will receive the Personal Data that it has accepted Personal Data protection measure which is in line with relevant laws to ensure that the Personal Data shall be fully protected such as
8.1 In case the Company has to collect and gather and/or transfer or transmit Personal Data for collection.
8.2 For Cloud processing, the Company shall consider an agency which has international security standard and store the Personal Data in coded format or other format that cannot identify the Data Subject, etc.
9. Security and Secrecy of Personal Data
In order that Data Subject is confident in the Company’s administration to prevent risks that cause the Personal Data to wrongly be accessed, leak, be revised and lost, the Company complies with the information security policy and international standard on information security widely accepted and on business continuity management and scope stipulated by laws.
The Company has privacy protection policy of Data Subject with restricted access to Personal Data of Data Subject. The Company has allowed only persons who need to use such Personal Data to propose products and services of the Company such as the Company’s employees can have access to such Personal Data and this person must strictly follow the Company’s Personal Data protection measure and keep secrecy of such Personal Data. The Company has physical and electronic protection measure following enforcing controlling measure to protect the Personal Data.
When the Company has executed contract or agreement with the third party, the Company shall set up Personal Data security measure and appropriate secrecy measure to ensure that the Personal Data held by the Company is secured.
10. Rights of Data Subject
Data Subject has statutory rights under personal data protection law as follows:
10.1 Right to acknowledge existence and types of Personal Data and objectives of the Company’s to use the Personal Data.
10.2 Right to access to and request copy of one’s own Personal Data for which the Company shall have appropriate identification procedures for you.
10.3 Right to amend or correct one’s own Personal Data to be updated, complete and not to cause misunderstanding.
10.4 Right to object collection, gathering, use or disclosure of Personal Data relating to one’s self and right to object processing of the Personal Data.
10.5 Right to temporarily suspend use or revelation of Personal Data relating to one’s self.
10.6 Right to request deletion or destroying Personal Data relating to one’s self or make the data anonymous data.
10.7 Right to request disclosure of acquisition of one’s own Personal Data in case it is data the service clients do not give consent to collect or store.
10.8 Right to withdraw the consent previously given to the Company to collect, gather, use or disclose Personal Data. However, withdrawal of the consent shall not affect collection, gathering, use or disclosure of the Personal Data the Data Subject given consent earlier.
The Company has set up contact channels for you to exercise the rights as defined in No. 15 and the Company shall take action and consider your request within 30 days starting from the day of receiving the request. However, the Company may reject the Data subject’s request as prescribed by law or as contract executed with the Company in case the Data Subject may lose any benefits.
Deleting or destroying or causing your Personal Data to be in a format not identifying a person who is Data Subject or withdrawal of consent of Data Subject can be made under the laws or contracts made with the Company. Exercise of the rights may affect compliance with the contracts made with the Company or other service provision cases since Data Subject cannot be identified so there is limitation in providing services which require use of Personal Data. This may cause the Data Subject not to get benefits from the service and receive news from the Company, as well.
However, the Company does not have to delete or destroy or make your Personal Data in the format that cannot identify Data Subject, if the Company has to store the data to comply with right of claim establishment or use of right of claim.
11. Period and Location of Personal Data Storage
The Company shall store Personal Data for a necessary period considering objectives and necessity the Company has to gather and process data including compliance with enforcing laws and period and prescription of related laws. The Company shall store the data in the location appropriate for types of the data. However, the Company may have to store the Personal Data after the prescription stipulated by law ends, for example, if it is during the period of lawsuit.
The Company shall use Cookie to collect and gather browsing history of Data Subject to collect data and statistics, research and analyze trends and improve and control web functions and/or application. The Company’s use of Cookie is categorized as follows:
12.1 Strictly Necessary Cookies
This kind of Cookie is essential function on the website to create normal function and security. It enables users to access to websites by logging in to websites and authenticating. You cannot turn off this kind of Cookie via the Company’s website.
The Company can use this type of Cookie without asking for your consent but the Company shall inform you on objectives of its use and notify you this kind of Cookie will be used every time, you are browsing the Company’s website.
12.2 Non-Necessary Cookies
For this kind of Cookie, the Company must ask for your consent every time before use. They are categorized by types of use as follows:
12.2.1 Analytic Cookies
This kind of Cookie stores your website browsing histories in order that the Company assesses, evaluates, improves and develops contents on products/services and website of the Company to enhance your website browsing experiences. If you do not give consent to the Company to use this type of Cookie, the Company may not assess, evaluate and develop the website.
12.2.2 Functional Cookies
This kind of Cookie helps store data of the computer or electronic appliances you use to browse website, registration data or log in data, setting data or settings on websites such as displayed language to give you more convenience when using the website without giving or setting data every time, you are browsing the website. If you do not give consent to the Company to use this kind of Cookie, you may use the website without convenience and full efficiency.
12.2.3 Targeting Cookies
This kind of Cookie stores data possibly including your Personal Data and creates your profile so that the Company can analyze and offer contents, products/services and/or advertisement that suit your interests. If you do not give consent to the Company to use this kind of Cookie, you may receive general data and advertisement which do not match your interests.
13. External Links
The Company’s website shall connect to the third party websites which may have Personal Data Protection policy that is different from the Company’s. Data Subject should study the policy of such websites in order to understand Personal Data Protection policy and make a decision to disclose Personal Data. The Company shall not be responsible for contents and policy of and damages or actions caused by the third party websites.
14. Data Protection Officer (DPO)
The Company has appointed Data Protection Officer (DPO) to verify any actions relating to collecting, gathering, using or disclosing personal data to be in compliance with Personal Data Protection Act of BE. 2019 and policy, principal regulations, regulations and announcements of the Company and coordinate and cooprate with Office of Personal Data Protection Commission.
15. Contact Channels
Announced on 19th May 2022.