Privacy Policy
1. Introduction and Scope
This Privacy Notice (this “Notice”) explains how SCRATCH FIRST CO., LTD. (the “Company,” “we,” “our,” or “us”) processes the Personal Data (as defined below) of different categories of identifiable persons, such as but not limited to, our clients, suppliers, distributors, contractors, sub-contractors, vendors, service providers, media providers, lessors, sponsorship companies, investors, auditors (including directors and contact persons), performers and their staffs, volunteers, other event participants, consumers and end-users of our various services, and other persons who visit our website or contact the Company in the course of our business.
We recognize the importance of Personal Data protection and are committed to ensuring that your Personal Data is processed in accordance with the Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”) based on this Notice.
In this Notice, “Personal Data” means any information relating to a natural person (the “Data Subject”) that enables the identification of such a person, directly or indirectly, not including information of deceased persons.
2. Acquisition of Personal Data
The Company may obtain your Personal Data directly from you or any other source, including, but not limited to the following:
(a) Provided directly by you when we establish a business relationship with you, including information obtained by business card exchange and submitted by you in various documents;
(b) Provided directly by you or indirectly from our business partners such as ticket service providers or from a third person when you buy an event ticket and attend such event;
(c) Provided directly by you or indirectly by a third person when you apply to volunteer in the event(s) we hold;
(d) Provided when you visit our website, or respond to questionnaires or surveys, or communicate with us through phone calls, emails, and/or other correspondence; and/or
(e) Captured by a security system, such as a CCTV camera when you are entering our office or an event venue.
In the event that you provide any Personal Data to the Company on behalf of other persons, it is your responsibility to confirm that such other persons have consented to the processing and transfer of their Personal Data in accordance with this Notice (if necessary), and you shall be authorized to receive any privacy notice and other related information on their behalf. In the event that you provide a minor’s Personal Data, you shall corporately provide necessary information or documents for our age verification measure and representatively consent on behalf of such minor, or obtain consent from his/her parent(s) or legal guardian(s).
We do not knowingly collect Personal Data from minors under the age of 20 without the consent of his/her parent(s) or guardian(s) as appropriate. If we learn that Personal Data of any Data Subject less than 20 years of age has been collected, we will obtain the consent of his/her parent(s) or guardian(s), or take reasonable measures, including, but not limited to, to promptly delete such Personal Data from our records.
3. Personal Data Processed
The Company may collect, use, and disclose Personal Data solely to the extent necessary to conduct its business activities and only within the scope of the purposes indicated when the information is obtained. The Personal Data that the Company holds may include the following information:
4. Purposes of Processing
The Personal Data of the following categories of individuals may be processed for the following purposes
5. Legal Grounds for Processing
Your Personal Data shall be processed for the aforementioned purposes in accordance with the PDPA. In principle, the Company processes your Personal Data only when:
(a) the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract
Other than where justified by the contract above, the Company will usually process Personal Data where necessary for:
(b) the processing is necessary for legitimate interests pursued by the Company as a data controller or interests of a third party other than the data controller, except where the fundamental rights and freedoms of the Data Subject regarding the protection of his or her Personal Data override these interests;
(c) compliance with a legal obligation imposed upon the Company;
(d) preventing or suppressing a danger to a person’s life, body, or health;
(e) the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
(f) the achievement of purposes relating to the preparation of historical documents or archives for the public interest or for purposes relating to research or statistics in which suitable measures to safeguard the Data Subject’s rights and freedoms are taken; and/or
(g) processing based on the Data Subject’s consent. Before or at the time the Personal Data is collected, the Company shall inform the person concerned about the purpose for which consent is required, what Personal Data will be collected for processing, the right to revoke consent, the possible consequences for the Data Subject in automated individual decision-making and profiling, and the possible transfer to third countries.
Some categories of Personal Data are of sensitive nature, and data protection legislation has imposed a stricter regime for these special categories of Personal Data (“Sensitive Personal Data”). This data concerns race; ethnic origin; political opinions; cult, religious, or philosophical beliefs; sexual behavior; criminal records; health data; disability; trade union information; genetic data; biometric data; and any data that may affect the Data Subject in the same manner. In principle, the processing of Sensitive Personal Data is forbidden unless the Company can refer to an exception. In the limited number of cases, in which the Company processes Sensitive Personal Data, the Data Subject will be informed in advance. For more information about the Company’s handling of Sensitive Personal Data, please refer to “10. Contact Details of the Data Controller.”
6. Provision of Personal Data to Third Parties
For the purposes stated in “4. Purposes of Processing”, the Company may disclose your Personal Data:
(a) to companies and entities within its group, including the foreign entities
(b) to third-party agents/suppliers or contractors bound by obligations of confidentiality, in connection with the processing of your Personal Data for the purposes described in this Notice (this may include, without limitation, leasing companies, sub-contractors, customers, system engineer service providers, financial organizations, business advisors, law firms, marketing agencies, and other service providers); and/or
(c) to the extent required by laws, regulations, or court orders (for example, if we are under a duty to disclose your Personal Data in order to comply with a legal obligation).
The Company may transfer your Personal Data to countries outside of Thailand, to where it may not have Personal Data protection laws that are as comprehensive as existing in Thailand, and the same level of protection as that set forth in the PDPA may not necessarily be guaranteed. In such case, the Company shall implement the necessary safety management measures pursuant to the requirements of the PDPA.
7. Data Storage and Retention Period
Your Personal Data will be stored securely in the Company’s data server or in a third party’s data server. The Company will strictly control access to this information and will review such access control from time to time.
The Company will not keep your Personal Data for longer than is required for the purpose for which it has been collected or processed, in accordance with the applicable laws, or, in any case, to allow the Company to protect its legitimate rights and interests or those of third parties. To determine the appropriate retention period for the Personal Data, we shall consider the amount, nature, and sensitivity of the Personal Data; the potential risk of harm from unauthorized use or disclosure of the Personal Data; the purposes for which we process the Personal Data and whether we can achieve those purposes through other means; and the applicable legal requirements.
8. Rights of Data Subjects
You have the right to access, request the correction or deletion of, request the limitation of processing of, object to the processing of, withdraw consent regarding, and request the data portability of your Personal Data retained by us. Any request for any of these rights should be submitted to the data controller specified in “10. Contact Details of the Data Controller.” When we receive a request based on such rights, we will conduct all necessary investigations without delay and provide you or a nominated third party with the relevant Personal Data or otherwise respond to such request without delay. If you have given your consent for a specific processing purpose to the Company, you can withdraw this consent at any time. However, the withdrawal of such consent shall not affect the processing of Personal Data for which you have already legally given consent to the Company.
You also have the right to lodge a complaint with the Personal Data Protection Committee if you have any complaint regarding our processing of your Personal Data.
The Company may object to or reject your request according to the provisions prescribed in the PDPA.
9. Links to third parties’ websites
You may enter other third parties’ websites by clicking the links shown on our site. The Company will not take any responsibility for the privacy of such websites. Please find the privacy notice for each website you visit.
10. Contact Details of the Data Controller
To exercise your rights specified in “8. Rights of Data Subjects”, you can find the Data Subject Rights Request Form here, or to submit inquiries concerning this Notice, you can contact the following persons/departments:
SCRATCH FIRST CO., LTD.
Email Address: info@wonderfruit.co
11. Changes to this Privacy Notice
From time to time, we may revise this Privacy Notice. Kindly find the updated Privacy Notice on our website.
This Privacy Notice is effective on 1 July 2022