Privacy Notice
27 May 2022
Introduction
Thai Airways International Public Company Ltd. (THAI), which includes its subsidiary companies, consisting of Thai Smile Airways Co., Ltd.,
Thai Flight Training Co., Ltd., Thai-Amadeus Southeast Asia Co., Ltd., Tour Euang Luang Co., Ltd. and WingSpan Services Co., Ltd. aims at
provision of services with quality to respond to your expectation. THAI realizes the importance of personal data protection and the compliance
with laws and regulations. This Privacy Notice is provided to you to inform you how we protect your personal data and your rights as the Data
Subjects.
THAI as the “Controller” has the authority to determine the collection, use and disclosure of personal data in compliance with the Personal
Data Protection Act B.E.2562 (2019) (PDPA) (“the Act”), the General Data Protection Regulation of the European Union (GDPR) and other related
laws (“the applicable privacy laws”)
THAI hereby informs you as the Data Subject who may be (1) the person who has contacted THAI either be, has been or may further be a customer
of THAI or (2) employee, personnel, staff, representative, shareholder, director, contact person, agent or person associated with juristic person
or natural person under (1) above or party of persons who has contacted THAI either be, has been or may further be a customer of THAI, of how we
protect your personal data obtained or may obtain from the business conduction and the provision of services through various channel e.g.
website, telephone, electronic channel, application, social media or other sources, to ensure that THAI will protect your personal data and will
collect, use or disclose your personal data only in the case necessary, lawful and appropriate, and also to inform you the rights you may have
as the Data Subject, as more detailed in this Privacy Notice.
1. The Personal Data that THAI Collects, Uses and Discloses.
1.1 The Data that Identify the Data Subject Directly or Indirectly
(1) Personal Data consisting of name, last name, sex, date of birth, age, contact details, data in various documents such as identification card,
passport, residential card, alien card, work authorization, social security card, driving license, car registration book, house registration,
signature, tax identity, data concerning member of family, facial photo, educational background, occupation or status.
(2) Contact Details consisting of address as appeared on the house registration, address for delivery of documents, postal address,
email address, house telephone number, mobile telephone number, fax number, name or account for application through digital channel
e.g. Line, Google, Facebook, YouTube, Instagram or Twitter and contact information provided to THAI.
(3) Financial and Transaction Information consisting of bank account number, credit card number, debit card number, type of credit or
debit card, information from the analysis of personal data, payment information or other information about the use or application for
the use of the service with THAI.
(4) Contact Information consisting of information received through branch offices, telephone, electronic or digital channel, social
media, information from CCTV and mobile service which information may appear in written form, voice or video record, transaction record,
photograph or motion pictures.
(5) Information Technology Technical Data consisting computer serial number or internet protocol (IP address), Media Access Control (MAC),
address code or serial number of the equipment conning to the network (MAC Address), Transaction Log, device ID, connecting information
through application connecting channel (API), Cookies, type and version of Plug-In, Browser, operating system and platform, mobile internet
or network, setting information on device and other technical data from the use of platform, application and operating system of THAI.
(6) Usage Information consisting of username or code for the service, password, searching information, browsing history, viewing history,
menu accessed, time period for using the website, platform, application, favorite menu, question & answer, log file, communication and
suggestion to THAI.
(7) Behavioral Information consisting of information about personal interest, service usage behavior.
(8) Work Information consisting of start date, department, years of service, job position, job bibliography, job certification and
reference, personnel ID, salary, wages, benefits, salary adjustment history, working record, disciplinary record, date of termination,
type of termination, time in-out record, leave of absence history, bank details, emergency contact details, details of beneficiaries of
an insurance.
(if any), educational background and reports, training and development information, photo, work history, other non-financial benefits,
insurance information, family information, meeting records and opinions.
(9) Medical Record consisting illness information, medical conditions.
(10) Scorings and Testing Results.
1.2 Sensitive Personal Data where THAI shall obtain your consent prior to the collection consisting of biometric data (e.g. Facial
recognition, finger scan, retinas and voice recognition data), religious, criminal record, health or any other information as may be
published by the Data Protection Board may announce.
In some case, provision of personal information is necessary for the legal obligation or performance of contract or necessary for
entering into the contract. If you do not provide the information, this may result in THAI will be unable to comply with the legal or
contractual obligation that THAI has with you.
2. Purposes for Which Your Personal Data are Collected, Used and Disclosed.
In some case, provision of personal information is necessary for the legal obligation or performance of contract or necessary for entering
into the contract. If you do not provide the information, this may result in THAI will be unable to comply with the legal or contractual
obligation that THAI has with you.
2.1 to contact, communicate or provide information about the products or services that you use or will use;
2.2 to respond to your request or contract that you have with THAI or associated with the request or contract that you have made with
THAI, for example, delivery of document, demand for debt payment including to comply with the contract that we have with other person
and necessary and relating to provision of a service to you;
2.3 to manage relations between you and THAI and to prepare detailed or historical records about services provided to you for further
service to you;
2.4 to manage information of corporate customers which your personal data may be involved;
2.5 to comply with laws, rules and regulations;
2.6 to perform any acts as the supervisory authorities may describe, request or recommend to comply;
2.7 to manage and administrate THAI’s internal businesses, e.g. compliance, improvement, or internal audit;
2.8 to administrate or manage all risks e.g.
(1) to protect, handle or minimize risks arising from illegal acts which may occur to you, the customers, THAI’s personnel and
THAI by using the data for improvement of security system through various service channels, working systems and safety and
security systems for information technology operation of THAI;
(2) for security purpose, e.g. photo recording of the person contacting or doing transaction with THAI via CCTV and the exchange of
identification card when accessing the building for the security reasons within THAI areas;
2.9 to procure and offer products, services and alternatives of services to you, including communication, warning, deliver or offer
privilege, benefits, awards or information about products or services of THAI, the companies in THAI group or business alliances which
may of interest to you, or for sale promotion or lucky drawing activity;
2.10 to monitor the use of services or transaction according to your orders;
2.11 to manage all complains e.g. the investigation on the use of the services or transmission of data within or between THAI and other
persons, the process for accepting of the complaint from you, compensation or as information for improving such services;
2.13 for strategic purpose, protecting interest or evaluation of the business result or services of THAI;
2.14 for evaluation, development and improvement of products or services or for execution of the rights by THAI;
2.15 for marketing promotion project or activity, meeting, seminar, entertainment or the site orientation;
2.16 for storage of data on cloud service and other system used for storing data;
2.17 for the performance of contract as THAI as the contractor or for execution of the right or enforcement of contract of THAI;
2.18 for connecting or facilitate the use of website, application and platform of THAI or other persons;
2.19 for application for a job or for the employment.
The collection, use and disclosure of your personal data including the cross-border transfer thereof shall be performed in accordance
with the above principles.
3. Persons or organizations who the data may be disclosed to.
THAI may have to disclose your personal data to other persons or organizations within or outside the country to fulfill the purposes under
this notice as follows:
3.1 Subsidiary Companies consisting of Thai Smile Airways Co., Ltd., Thai Flight Training Co., Ltd., Thai-Amadeus Southeast Asia Co., Ltd.,
Tour Euang Luang Co., Ltd. And WingSpan Services Co., Ltd.
3.2 Business Alliances for example, business alliance in air transport, tourism, hotel, car rent, marketing, financial institution,
insurance or life assurance or any persons involving the promotion or loyalty program, data analysis, platform joint service provider or
person whose name or trade mark appears on the contract, website or other service channels of THAI.
3.3 Persons Involving in the Services of THAI for example other airlines, ground handling agent providing check-in and baggage services,
cargo accepting and delivery services, call center, person who perform the duty as the middle person for THAI, joint provider with THAI,
outsourcing service provider, contractor or provision of goods or service to THAI or agent of THAI within and outside the country who THAI
is a contracting party, for example, infrastructure development provider, technical infrastructure developer, electronic or information
technology system developer, logistics and cargo terminal service provider, Cloud computing service provider, data analysis provider and
event and activity organizers.
3.4 Person or Organization as Described by Laws THAI may have to disclose your personal data for the purpose of compliance with laws, rules,
regulations or order of the government agency, state agency, supervisory agency or in case THAI believes that the disclosure is necessary
for complying with laws to protect the right of THAI or other person, for the safety of person, to protect, investigate or manage the fraud,
security or safety in various areas, for example, tax authority, fund administrator, social security authority or financial institution.
3.5 Advisors of THAI, for example, legal, financial, technical experts and auditor.
3.6 Right and Obligation Assignee or Novation Assignee including the person involving in the reorganization, business assignment, investment,
merger, purchase or sell of properties, shares or businesses by a person involving such activities, shall be in accordance with this notice.
3.7 Other Related Persons, for example, beneficiary, person has the authority to perform the duty for or guarantor.
3.8 Association, Organization, Club and Other Bodies, for example, Thai Airways Employee Saving Cooperation, Thai Airways Employee Club.
3.9 Websites and Other Social Media, for example, Facebook, Google, Instagram
THAI shall inform the person or organization who the data has been disclosed to treat the data in a safe manner according to THAI’s policy
and laws. THAI shall allow the use your personal data for the intended purposes and order of THAI only.
4. Storage of Your Personal Data and Duration.
4.1 Storage of Your Personal Data
THAI takes security measure to your personal data both in document and electronic form to protect the data from loss or unauthorized or
unlawful access, use, amendment, revision or disclosure.
4.2 DatDuration for Storage Your Personal Data
THAI will collect your personal data as it is needed for the respective purposes as informed in this notice as necessary as specified
by laws at the maximum period of 10 years from the date your relation with THAI shall cease, except that it is otherwise necessary by
THAI as specified by laws or such personal data are unable to be erased or destroyed due to the technical limitation.
5. International Transfer of Your Personal Data.
In case THAI is necessary to transfer your personal data to other persons in other countries, for example, your or THAI’s contracting
party, branch office of THAI in other countries, the subsidiary companies, authority or organization in other countries, the
destination country where data protection measures are not sufficient as required by laws. In such case, THAI will take appropriate
measure to ensure that your personal data will be transferred safely.
Personal data may be shared with related third party service providers who will process it on behalf of THAI for the purposes identified
above. In this case, we use additional safeguards to protect your personal data such as “Data Processing and Transfer Agreement” and
“Standard Contractual Clauses” for sharing to the processor outside EU/EEA or Thailand, as the case may be. We process your data mainly
within the Kingdom of Thailand and EU. If you acquire services that involve the transfer of your data to other countries, with
equivalent or non-equivalent data protection measures with the Kingdom of Thailand or the EU, such as international flight connections,
we will also transfer your data to these other countries. In this respect we also refer to the general privacy policy of the
International Air Transport Association (IATA)
https://www.iatatravelcentre.com/privacy.htm
When you are under GDPR, in some cases when we transfer your data to countries outside of the EU or EEA, we use additional safeguards
to protect your personal data, such as the EU Commission approved “Standard Contractual Clauses”. A copy of the clauses can be
provided for your review on request to the contact details provided in section 10.
6. Website System used for collecting the Data.
When access to the website system of THAI, THAI will automatically collect some data from your usage for the purposes detailed in
this notice, for example, THAI will take the data that Cookies and other similar technologies has recorded or collected for
statistical analysis or other activities of the website system or business of THAI to help THAI to provide best experience for the
use of website to you including the improvement of efficiency and quality of website system service of THAI.
7. What rights do you have?
As the data subject, you may exercise the following rights;
7.1 Right of access and Request a Copy
<
You have a right of access to your personal data and request for a copy which are under our responsibility or request for the
disclosure of the collection of personal data that you have not consented.
7.2 Right of Data Portability
Where your personal data are provided to THAI by consent or necessary for performance of contract or by a request you have made to
THAI or as announced by the Data Protection Committee, and in case THAI has made data, and those data are in machine-readable format,
you the right to request the transmit those machine-readable data to another controller, where technically feasible.
7.3 Right to Object
You have a right to raise objection to collect, use or disclose your personal data in case (1) THAI collects your personal data
for necessary reason for the public task, the exercise of right by the government sector or for the legitimate interest of THAI, person
or juristic person (2) THAI collects, uses or discloses your personal data for the purpose of direct marketing or (3) THAI collects,
uses or discloses your personal data for the purposes of scientific, historical or statistical research, except as necessary for the
purposes of public task of THAI.
7.4 Right to Erasure or Destroy Personal Data
You have a right to request to erase, destroy or to make your personal data unidentifiable in case (1) your personal data are no
longer necessary in relation to the purposes for which they were collected (2) you have withdrawn your consent and THAI does not
have the authority by other legal ground to collect, use or disclose such personal data (3) you have objected to the collection,
use or disclose of your personal data collected by THAI for the reasons of necessity to perform the public task of THAI, the
exercise of the right by the public authority or for the legitimate interest of THAI or other person or juristic person and
THAI has no overriding legitimate grounds to refuse such objection (5) your personal data are unlawfully collected, used or
disclosed, except in case it is necessary for THAI to collect your personal data for legal obligation or for the establishment,
exercise or defence of legal claims or the use or protection of the right of THAI.
7.5 Right to Restriction
You have the right to restriction of the use of your personal data in case (1) THAI is in the process of verification of the
accuracy of your personal data (2) THAI unlawfully collects, uses or discloses your personal data (3) THAI no longer needs
the personal data for any purposes, but they are required by you for the establishment, exercise or defence of legal claims
(4) you have objected the use of your personal data pending the verification whether the legitimate grounds of THAI override
those of you.
7.6 Right to Rectification
You have the right to request THAI to rectify your personal data to be accurate, complete and not to mislead.
7.7 Right to Withdrawal of Your Consent
Where you have consented to collect, use and disclose your personal data, you have the right to withdraw your consent to
THAI at any time.
7.8 Right to Cancellation of Your Consent
You have the right to cancel your consent where THAI has collected your personal data prior to the Data Protection Act
became effective by submitting your cancellation request to the office of THAI where you use or has used the services.
7.9 Right to Complaint
You have the right to lodge you complaint to the agency or responsible authority when THAI or a processor of personal
data including employee or contractor of a processing company infringe or does not comply with the data protection laws.
8. Additional requirements of local laws
This Privacy Notice complies with the requirements of the Personal Data Protection Act (“PDPA”) and General Data
Protection Regulation ("GDPR"). In some of the countries there may be local laws which impose requirements which are
additional to, or different from, those of the PDPA and GDPR. Where this is the case we will from time to time issue local
notices or policies which supplement or amend this Privacy Notice to ensure that we fully comply with its legal
obligations to you.
9. Changes to this privacy notice
THAI may update this privacy notice from time to time as appropriate, and we will provide you with a new privacy
notice when we make any substantial updates through our website, applications. You are advised to read and inspect
the details in the new privacy notice when updated.
10. How can you contact us?
If you have any concerns about how we process your personal data, or would like to exercise your rights according to
this notice, you can send your request to;
Data Protection Officer or Privacy Office
Thai Airways International Public Company Ltd.
89 Vibhavadi Rangsit Road, Bangkok 10900, Thailand
Email: privacy@thaiairways.com
THAI has appointed EU representative for the purposes of the GDPR. If you are in EU and would like to contact us,
you can also send your request to;
Thai Airways International Public Company Ltd.
ZEIL 127
60313 Frankfurt
Germany
Email: EU.Representative@thaiairways.com