This Privacy Policy for Clients and Users (“Privacy Policy”) explains how GEPP Sa-Ard Co., Ltd. and our affiliates (collectively “GEPP” “we” “us” “our”), collects, uses, and discloses (“process” “processing”) your Personal Data in the course of our business, in accordance with the Personal Data Protection Act (2019) (“PDPA”).

Our Privacy Policy governs your visit to www.gepp.me, GEPP Business Platform, GEPP Rewards Application, and other platforms associated with us (collectively “GEPP Platforms”).

We advise you to read this Privacy Policy in its entirety.

1. When does this Privacy Policy apply to you?

This Privacy Policy applies to you if you are an individual client, platform user, or a person associated with a corporate client (including the authorized director(s), authorized representative(s), and/or the contact person(s) of the corporate client) (“associated person”). This Privacy Policy also applies even if you have not engaged GEPP for our services, but you contact us for any purpose, such as for inquiries, or you attend a seminar which is hosted/provided by us, or you subscribe to our communications (“prospective client”).

2. What types of Personal Data does GEPP collect from you?

1. For our clients, platform users, or associated persons, we collect various types of data from you, which can be used to identify you as an individual, whether directly or indirectly (“Personal Data”), including your full name, home address, personal email address, contact number(s), place of work, job title, business email address, data contained in your identification document (e.g. identification card, passport, or driver’s license), signature, photo and images, location data and any other Personal Data you may provide to us. The national identification card we collect from you may contain Sensitive Personal Data, i.e. blood type and/or religion;
2. For prospective clients, the Personal Data that we collect will normally depend on how you contact us and the purpose of such contact, which may include your full name, personal or business email address, mobile phone number, and your place of work;
3. When you visit our office, we will collect details pertaining to your full name, place of work, contact number(s), and car license plate number, as well as photos or motion images recorded by CCTV;
4. In the event that you contact us via any social media platform, including, without limitation to, Facebook and LinkedIn, we may collect Personal Data which you have provided to us via such platforms. Notwithstanding that, in the case where you contact us via social media platforms, GEPP is not responsible for the privacy or the information security practices of such platforms. Therefore, you should carefully review the applicable privacy and information security policies and notices, for any of the websites/platforms that you use.

3. Why does GEPP collect and process your Personal Data?

GEPP collects your Personal Data for different purposes, relying on various lawful bases, as set out below:

Consent:

1. In the case of prospective clients, we may process your Personal Data in order to provide you with waste management industry and practices updates, articles, newsletters, or any materials in relation to your business and our services, including invitations to seminars, training, or any events, which we believe may be interest of you. In this regard, you are entitled to opt-out, or withdraw your consent, at any time by using the ‘unsubscribe’ function as provided in the email which is sent to you.
2. If you are Thai national, we may need to submit your national identification card, which may contain Sensitive Personal Data, i.e. blood type and/or religion, to the government agencies, local authorities or other relevant organizations pursuant to your instructions or as required by applicable laws, rules or regulations. Further, your national identification card may be collected, used, disclosed, transferred or otherwise processed for purpose of verification of identity.
3. Client, platform users, associated persons, and prospective clients may withdraw his/her consent at any time, subject to the conditions under the applicable laws. Withdrawal of consent will not affect any processing of your Personal Data for which you have lawfully provided consent prior to such withdrawal.

Contractual Necessity:

1. To proceed with your request to engage our company for services, including providing our project management and consultancy services, subscription to use our GEPP Platforms, and performing our rights and duties under the engagement agreement between you and GEPP. This would include the processing of your Personal Data for payment, tax, and financial matters relating to our contract or engagement. GEPP will use the Personal Data we have to provide the services.
2. Where the processing of Personal Data relies on contractual obligation as a legal basis, failure to provide required or necessary Personal Data may result in GEPP being unable to proceed with your request to engage or enter into an agreement with GEPP for our services, or GEPP may not be able to perform our rights and duties under the engagement agreement with you, either in part or in whole.

Legal Obligation:

1. To comply with applicable law or regulation, both domestic and foreign, and to comply with order of the court, competent authorities, and/or government agencies.
2. Where the processing of Personal Data relies on legal obligation as a legal basis, failure to provide required or necessary Personal Data may result in GEPP being unable to proceed or undertake any act relating to the provision of our services, either in part or in whole. Further, it may cause GEPP and/or the clients, platform users, and/or associated persons to be in violation of applicable law or regulation, or order of the court, competent authorities, and/or government agencies.

Legitimate Interest:

1. For identification and verification purposes, including performing a conflict-of-interest review, prior to providing our services;
2. To waste management trends and practices updates, articles, newsletters, or any materials in relation to your business and our services, including invitations to seminars, training, or any events, which we believe may be interest of you. We rely on our legitimate interest, whereby you are our clients who have engaged us;
3. To protect our rights, property, personnel, safety, business operations, and customers, such as for instance, in the case of recording your images/movements via our installed CCTV cameras when you enter our premises or complete our entrance registration;
4. To manage our information technology systems, and to ensure the adequacy of the security relating to such systems;
5. To detect, prevent, investigate, and prosecute fraudulent and other criminal activity;
6. To monitor and analyze our services for the purpose of risk assessment and control, and statistical and trend analysis, for compliance with the respective policies, system administration, operation, testing and support, and to operate control and management information systems; and
7. For any other activities which are necessary for us to carry out our business; and

Legal Claims:

For the establishment, compliance, exercising, or the defense of GEPP’s legal claims.

4. Where does GEPP collect your Personal Data?

1. Directly from you: We normally collect your Personal Data directly from you (the “Data Subject”), when you contact, communicate, or correspond with us either via email, our website, or through direct interaction. For example, we may collect your Personal Data when you register to attend a seminar, or for training, or for any event which is hosted/provided by us, or when you contact us for legal or other business inquiries.
2. Referring persons: We may collect your Personal Data from other persons, such as our partner firms, business partners, relevant associations and existing clients, which are permitted to contact us, or to introduce or refer you to us.
3. Public sources: We may collect your Personal Data which is available on public sources, such as websites that are provided by authorities (e.g., the Department of Business Development), or via websites which are provided by private operators.
4. Cookies data: We use cookies and similar tracking technologies to track the activity on GEPP Platforms and we hold certain information. Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies are also used such as beacons, tags, and scripts to collect and track information and to improve and analyze our GEPP Platforms. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our GEPP Platforms.
5. Employer or others: In the case of corporate clients, we generally collect the Personal Data of associated persons through your employer or directly from you, in order to provide our services and to maintain our relationship with you.

5. To whom does GEPP disclose your Personal Data?

Depending on the service we are providing to you, we may disclose your Personal Data to the following parties:

1. To our affiliate companies which are located outside Thailand, for the purpose of managing your relationship with us, providing you with our services, performing our contractual obligations, and for other purposes as identified in this Privacy Policy. In this regard, please see ‘Where does GEPP transfer your Personal Data?’ for more information;
2. To third party vendors, suppliers, and outsourced companies, in order to support the services we provide to you;
3. To our business partners and the relevant associations in which GEPP is a member;
4. To any competent regulators and any other governmental agencies we deal with on your behalf;
5. To third parties in connection with a change of ownership in GEPP, or any of its assets or properties; and
6. To any other persons or entities to whom GEPP is required to make disclosure by applicable law.

6. Where does GEPP transfer your Personal Data?

We seldom transfer your Personal Data to our affiliates, and in certain circumstances, to third parties (e.g. service providers) both inside and outside Thailand and which may have different data protection standards to those prescribed by the data protection authority in Thailand. Notwithstanding that, we ensure that we will protect your Personal Data by implementing adequate personal data protection standards for the transfer of your Personal Data outside Thailand. We will also ensure that any entity to whom your Personal Data will be disclosed will implement adequate personal data protection standards, and where your Personal Data will be transferred within our affiliates, we will use the relevant data transfer mechanisms in accordance with the requirements of the PDPA.

The majority of the transfers of your Personal Data are undertaken for the purpose of the provision of our services and the management of our business

In all cases, we will transfer your Personal Data only where it is permitted and in compliance with the PDPA.

7. For how long does GEPP retain your Personal Data?

We retain your Personal Data for as long as is required in order to fulfill our contractual obligations, or for the performance of our services to you, and for 10 years after the cessation of our contractual relationship, or the last performance of our services, unless otherwise agreed with you in writing, or required or permitted by applicable law.

Where we process your Personal Data in connection with a legal obligation, your Personal Data will be retained for the duration of the prescribed legal retention period, as stipulated under the applicable law.

Where we process your Personal Data solely with your consent, your Personal Data will be deleted, destroyed, or de-identified, subject to the requirements and conditions prescribed by the applicable law.

8. What are your rights in relation to your Personal Data?

You are entitled to:

1. Request to have access to and obtain a copy of your Personal Data, and to request the disclosure of the source of the Personal Data, in the event that your Personal Data was collected without your consent;
2. Receive your Personal Data in a commonly used and machine-readable format, and to have your Personal Data in said format transmitted to another Data Controller;
3. Request that your Personal Data be deleted, destroyed, or de-identified;
4. Object to the collection, use, and disclosure of your Personal Data, and especially where such collection, use, or disclosure is for direct marketing purposes;
5. Request that the processing of your Personal Data be suspended;
6. Request that your Personal Data be corrected, updated, or completed;
7. Withdraw your consent at any time, provided that there is no other legal ground for GEPP to continue with the processing of your Personal Data; and
8. Lodge complaints to the competent authority.

Your request may be refused, and the exercise of your rights is subject to the limitations prescribed by law. You can make a request only via email to [email protected].

9. Changes to This Privacy Policy

GEPP may amend, change, or update this Privacy Policy from time to time, whereby GEPP will notify you about such changes via your selected communication channel. In the event that the amendment, change, or update will affect the purposes for which your Personal Data has originally been collected, GEPP will notify you about such changes and obtain your consent (if applicable), prior to such changes becoming effective.

10. How can you contact us?

If you have any inquiries in relation to your Personal Data, or you would like to exercise any of your Data Subject rights, you may contact us at:

Data Protection Officer

Mayuree   Aroonwaranon

GEPP Sa-Ard Co., Ltd.

559/186 Nonsi Road

Chongnonsi, Yannawa

Bangkok 10120, Thailand

T: +66 6 4043 7166

E: [email protected]