NOTICE OF PROCESSING ON PERSONAL DATA (FOR POTENTIAL BUYER/ BUYER/ RESIDENCE OWNER)
City Dynamic Co., Ltd. (“CD”), as a controller of Personal Data, is bound by Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). In processing individual’s Personal Data, CD is required to comply with PDPA, including the obligation to notify the data subject of his legal rights pursuant to this document, and for certain cases, obtaining consent from data subject pursuant to the attached Consent Form.
1. COLLECTION OF PERSONAL DATA
CD may collect Personal Data directly and indirectly from data subject, his representative or other related persons, through CD’s business partners, other businesses in CD Group, CD s phone services and digital services (including website and application) as well as other reliable sources (such as association, governmental organization, governmental body, private organization, seminars, training workshops, exhibitions) organized either by CD, governmental or private sector including social media.
2. TYPES OF PERSONAL DATA COLLECTED
Full name, email address, postal address, telephone, nationality, place of work, work history, copy
of ID card/passport,
proof of address, mortgage details
Payment information (such as a credit and debit card) and bank account details, financial
information, bank statements,
payslips or income details, confirmation of income
Recordings when you call our customer service line,
Any other documents deemed relevant when buying, selling, letting or renting a property
Details of anyone Authorized to act on your behalf if applicable
monitor, record, store and use any telephone calls, CCTV recordings, email or other communication
you provide
Name and contact details of a guarantor
Internet protocol (IP) address, your login data, browser type and version, time zone setting and
location, browser
plug-in types and versions, operating system and platform and other technology on the devices you
use to access our
website.
3. RETENTION PERIOD
CD will retain your Personal Data as long as it is necessary for the purpose of data processing. After that, CD will erase and destroy your Personal Data except as may be required, by applicable laws, or for protection of our interest. In general, your Personal Data will be kept for a maximum period of 10 years or otherwise longer if it is specifically provided by law.
4. PURPOSES OF USE AND DISCLOSURE
CD will use and disclose your Personal Data for the following purposes:
Selling properties (either freehold or leasehold)
Set up your user account
Notify you of the sales/letting process
To detect, investigate and report financial crime (e.g. Fraud)
Check anti-money laundering
Marketing communications to inform you of special offers, promotions, new lines and Sales. Provide
you with online
advertising
Notify you about enhancements to our services, such as changes to the website and new services that
may be of interest
to you
Contact you to undertake customer satisfaction surveys, invite you to provide product reviews or for
market research
Maintain network and data security
Manage property i.e. housing, tenancy/lease and account on behalf of property owner
Organise and assist community events
Check any instructions given to us, for training purposes, and to improve the quality of our
customer service
Support any alteration/reparation made to the property you are living in
Settle any arrears payments such as rent or other expenses
Provide welfare, benefits and debt advice
Proceed with a residential sale or purchase
Keep in touch with customers to understand the needs and preferences
Invite customer to events
To process and perform our obligations under our contract with customer including:
(a) Manage payments, fees and charges
(b) Collect and recover money owed to us
Detect and prevent fraud
Comply with applicable laws that require us to process certain Personal Information
Comply with inspection, analysis and preparation of documents upon request of governmental
organizations and regulatory
bodies
Protect the health of residence
Ensure the safety and security of residence
In the case where CD appoints third party service provider(s) to process your Personal Data, CD will
process your
Personal Data for the purposes of performing CD’s contractual obligations, compliance with legal
obligations, based on
CD’s legitimate interests or based on your consent (if necessary). CD will not disclose or permit
the disclosure or make
available your Personal Data other than in accordance with the relevant ground unless a prior
consent of data subject
has been given to CD or PDPA allows CD to do so without obtaining consent from data subject.
If any data subject could not share Personal Data necessary for CD to process Personal Data based on
the ground
specified above, CD will not be able to perform its contractual obligations with such subject matter
nor able to comply
with legal obligations.
CD will process Personal Data in strict compliance with applicable laws. In case where you have
given a consent to any
data processing activity, you may withdraw your consent at any time.
5. DISCLOSURE
CD will not disclose your Personal Data without any legal basis. Your data may be disclosed or
transferred to
governmental organizations, governmental bodies or third parties including:
Service Providers/ Vendor: We may share your Personal Information to our third-party service
providers, subcontractors
and other associated organisations for the purposes of carrying out a task in accordance to the
contract we have in
place with you. However, when we share your Personal Information with third parties, we disclose
only the Personal
Information that is necessary to deliver the service and we have a contract in place that requires
them to keep your
Personal Information secure and only for the duration it is required to carry out that specific
task. Such third-party
companies may fall under the following categories; referencing companies, deposit protection,
cleaning, inventory,
maintenance, building management etc.
We work closely with various third-party vendors to bring you a range of quality and reliable
products and services
designed to meet your needs. When you enquire about or purchase one or more of these products, the
relevant third-party
vendors will use your details to provide you with information and carry out their obligations
arising from any contracts
you have entered into with them. In some cases, they will be acting as a data controller of your
data and therefore we
advise you to read their privacy notice. Such third-party companies may fall under the following
categories; utility
providers, mortgage providers, tax consultants, furnishing, financial advisors, rent protection,
content protection,
etc.
Business Partners: As allowed by applicable law, we disclose Personal Information with select
Business Partners who
provide goods, services and offers for the purposes described in this Notice
Government Authorities: We may share Personal Information to relevant government authorities to
fulfill any legal
obligations and/or requirement we may have. We may also share the Personal Information to relevant
government
authorities in order to fulfill our contractual obligation such as the local authorities for certain
permissions and/or
registrations.
Financial Institutions: Financial Institutions: We may share Personal Information to any financial
institutions, charge
or credit card issuing companies, credit information or reference bureau, or collection agencies
necessary to establish
and support the payment of any services being requested. Personal data may also be disclosed to any
person or persons
that have a right under local law to gain access to such information provided they are able to prove
their authority to
access such information.
CD will disclose your Personal Data to the recipient outside of Thailand only where it is permitted
by PDPA or other
applicable laws.
In the event where CD is required to disclose your Personal Data to a third party, CD will follow
appropriate procedures
to ensure that the third party will properly handle your Personal Data in order to prevent data
loss, unauthorized
access, improper use, modification, disclosure or processing.
6. Data Security Measure
CD adopts the high-standard security system in both technology and procedures to prevent any possible
data theft. CD
implements various measures to protect its computer system (such as firewall, Intrusion Detection,
Data Encryption,
Virus Scanning, Secure Socket Layer, Cookies, Auto Log off) [Note to CD: the aforementioned example
is merely a basic
security measure to protect the computer system. If it found that in fact, CD has more or less
security measure in
place, CD may adjust this part so that it is reflects the actual operation of CD], though
substantial investments,
effort and human resources as to ensure that CD achieves high-standard measures and your personal
data remains safe.
Although CD makes its best efforts to protect personal data with our technical mechanism along with
the management by
our personnel to control access and keep personal data against unauthorized access, CD cannot always
guarantee the
security and confidentiality of personal data from every incident that may arise, such as virus
threat and unauthorized
access. A data subject should regularly keep up with technology news, install personal firewall
software to prevent his
computer from threat or data theft.
7. Right of Data Subject
In exercising any right under this Clause 6, data subject shall comply with criteria and procedures
specified in Clause
7 of this document. However, the rights specified in this Clause 6 are subject to change as the
relevant law may be
amended from time to time by the government. CD will inform you about the changes.
7.1 Right to be notified: if CD wishes to collect, store, use or disclose your Personal Data in any
manner beyond the
intended purposes or your given consent, CD will notify and/or seek your prior consent with respect
to such additional
scope.
7.2 Right to Access to your Personal Data: You may request for a copy of your Personal Data and
request to disclose
about the source of your Personal Data.
7.3 Rectification of the Personal Data: To ensure that your Personal Data is accurate, up-to-date,
complete and not
misleading, you may file a request to rectify any of your Personal Data that has been changed by
following the
procedures specified in Clause 7.
7.4 Right to data portability: In case where it is technically available, you may request to receive
your Personal Data
in a commonly used or readable by the automatic device or to automatically transfer.
7.5 Right to erasure of your Personal Data: You may request to erase or make your Personal Data
pseudonymised under any
of the following circumstances: (a) your Personal Data is no longer needed to be collected, stored,
used or disclosed
for the intended purposes, (b) you withdraw your consent for your Personal Data to be collected,
stored, used or
disclosed and CD no longer has any legal right to process your Personal Data for the intended
purposes, (c) you object
to CD’s processing of your Personal Data, or (d) your Personal Data was processed in contravention
of the PDPA.
7.6 Request to suspend the use of your Personal Data: You may request CD to suspend its use of your
Personal Data in any
of the following events:
when CD is in the process of verifying certain information for the purpose of rectifying, updating,
completing or
avoiding any misleading about your Personal Data upon your request;
when your Personal Data is to be erased under Clause 6.5 but you instead request to suspend its use;
when it is no longer necessary to store your Personal Data, but you request CD to continue the
storage of your Personal
Data for establishing legal claims, legal compliance, exercise of legal rights or defenses; or
when CD is in the process of verifying its legitimate rights in its data collection or processing
for purposes specified
by law.
7.7 Right to object the processing of Personal Data: You may object to the collection, storage, use
or disclosure of
your Personal Data in any of the following events:
In case where your Personal Data was collected by CD for the purpose of (a) CD’s compliance with a
governmental order or
(b) any legitimate interest of CD or other legal entity;
In case where CD has processed your Personal Data for the purpose of direct marketing; and
In case where CD has processed your Personal Data for any research purposes as specified in relevant
laws, including for
statistical purpose.
7.8 Right to withdraw consent: You may withdraw your consent at any time. Your withdrawal will not
have any effect on
CD’s previous data processing. If your withdrawal will affect any part of your Personal Data, CD
will notify you of such
effect at the time you make such withdrawal.
However, CD may deny your request to withdraw consent if the processing is for the purpose of, or
for complying with,
applicable law or court order, the withdrawal may adversely affect and harm the rights and freedom
of the data subject
himself or other people, the processing is for research purposes that has appropriate protection for
Personal Data, or
the processing is for establishing legal claims, legal compliance, exercise of legal rights or
defenses.
8. Criteria and Procedures for Exercise of Your Rights
1
If you wish to exercise your right, please submit your request via e-mail at
[central@citydynamic.com]
Alternatively, you may contact our Data Protection Officer at the following:
City Dynamic Co., Ltd.
Unit 6A, 6/F, 140 Wireless Building, 140 Wireless Road, Lumphini, Pathumwan, Bangkok 10330, Thailand
Tel: +66 2112 2160
Please mark as “Personal Data Request from a Guest” with your first name, last name and contact
information.
2
Your request will be sent to CD’s data protection officer for verification of your identity. We will
require you to
produce some form of photo identification (copy of a government-issued identification with
signature, passport, driver’s
license or Student ID Card), home or business address, phone number, information of your stay with
CD Hotels & Resorts,
and details of products purchased. You will also be asked to sign a request form.
3
The data protection officer will consider your request by considering various factors such as its
legitimate reasons,
its negative effect on a third party etc. and whether the PDPA provides for any exemptions.
4
If your request is approved, the data protection officer will proceed and report the result to you
without delay via the
channel you have specified in your request.
5
If you request is denied, the data protection officer will notify you with explanation without delay
via the channel you
have specified in your request. You may make an appeal to the authority as prescribed by the PDPA
which CD will inform
you in CD’s notification of such denial.
Remark:
The procedures above will take no more than 30 (thirty) days following the receipt of your request
and all supporting
documents.
CD’s process will not incur any costs to you. But if there is any cost, CD will notify you prior to
taking any action.
9. Contact Information
If you have any questions relating to an exercise of your rights or your given consent, you may
contact us at:
Name: Khun Kwanrudee Maneewongwatthana
Address: Unit 6A, 6/F, 140 Wireless Building, 140 Wireless Road, Lumphini, Pathumwan, Bangkok 10330
Telephone: +66 2112 2160
E-mail: kwanrudeem@citydynamic.com