As of March 2024
Maintaining the security and privacy of Personal Data (as defined below) is important to the way in which Gulf Energy Development Public Company Limited and our affiliated companies (hereinafter “Gulf”, “we”, “us”, or “our” ) operates business globally.
This Privacy Notice (“Notice”) explains the collection, use, disclosure and transfer of Personal Data (as defined below) and the data protection rights of individuals outside our organization with whom we interact and whose Personal Data (as defined below) we handle in the course of our businesses or in connection with the products and services we provide, including: (i) contact persons, employees, personnel, authorized persons, representatives, agents, directors, shareholders or any persons, who have the power to establish business relationship or engage in a transaction on behalf of our (a) corporate customers and their affiliates (hereinafter “Corporate Customers”); (b) business partners, vendors, suppliers, service providers, and other persons who provide their products and services to us (collectively in (b) as “Business Partners”), (ii) users and visitors of our websites, (iii) other recipients of our products and services, and (iv) any other individuals about whom we obtain Personal Data (as defined below) (together, “you” or “your”).
This Notice may be amended or updated from time to time upon developments in our practices or policies with respect to the collection, use, disclosure and/or transfer of Personal Data (as defined below), or to reflect changes in applicable laws. It is suggested that you check back periodically to view any changes or updates to this Notice. The amendments to this Notice will be effective upon being published on our websites at [ https://www.gulf.co.th/th ]. If such amendment or update, however, materially affects you as a data subject, we will give you a reasonable prior notice in a suitable manner before such amendment or update is effective.
1. Personal Data We Collect
1.1 Categories of Personal Data
“Personal Data” means any identified or identifiable information about you as listed below.
If it is possible to combine any information with your Personal Data, or if other information is used to build a profile of an individual, we will treat such other information and combined information as Personal Data.
We may collect or obtain the following categories of information which may include your Personal Data, depending on the context of your interactions and relationship with us. For personnel of our Corporate Customers and Business Partners, the specific types of data collected depend on the Corporate Customers’ and Business Partners’ relationship with us. We may collect your Personal Data as applicable as follows:
| Personal details: | Personal details about you, such as title, first name, last name, copies or information on government-issued cards (e.g., national identification number, tax identification number, passport number and household registration information), signatures, images, work-related information (e.g., your position, function, occupation, job title, company you work for, employment status, or shareholding status), and other identifiers. |
| Contact details: | Your contact details, such as business telephone numbers, business postal address, business e-mail address, mobile phone number, social media account ID and other similar contact information. |
| Financial details: | Your financial details, such as bank account information. |
| Online/Internet details: | Data in connection with online usage and technical data, such as cookies and other similar technology, Internet Protocol (IP) address, internet browsing behavior, login data, login log, search history, browsing details, browsing type and version, browsing language, web beacon, log, device ID and type, network, connection details, access details, single sign-on (SSO) details, browser plug-in types and versions, operating system and platform, time zone setting and location, access times, time spent on our page, information about how you use and interact with our online services (including web page viewed, content viewed, links clicked, and features used), when and how often you use our online services, the webpage from which you clicked a link to come to our online services (e.g., the referrer URL), crash reports and other technology on devices you use to access the platform. |
| Other details you provide to us: | Information as part of our prospective or existing relationship with you, such as information collected, used, or disclosed in connection with the relationship with us, or in connection with the relationship between us and our Corporate Customers or Business Partners in which you work for or associated with, such as, required documents containing your Personal Data attached to contracts with us or information contained in tax document (e.g., PND. 3 form), or data collected when you interact with us, which may include signatures, and your correspondence with us, and information as part of our prospective or existing relationship with you in the course of you applying for or us providing you with our products or services and otherwise (such as, via filling in our forms or other methods determined by us). |
We will only collect, use, or disclose sensitive data on the basis of your explicit consent or where permitted by law, as the case may be.
If you provide us with Personal Data about other persons such as, personal information of contact person, board members, directors, shareholders, representatives, or other persons who have executive power in your organization, or you ask us to disclose their Personal Data to third parties, you are responsible for notifying those other persons of the details of this Notice, including obtaining any required consent from such third parties (where consent is required). You must also ensure that we can lawfully collect, use, or disclose those persons' Personal Data as set out in this Notice.
Our business operation does not generally involve the collection, use, disclosure and/or transfer of minors’, incompetent persons’ and quasi-incompetent persons' Personal Data. However, in the event where we collect such Personal data, we will only collect such Personal Data of minors, quasi-incompetent persons, and incompetent persons where their parents or guardians have given their consent, or where we can rely on other legal basis as permitted by laws. We do not knowingly collect Personal Data from individuals under the age of 20 without their parental consent when it is required, or from quasi-incompetent persons and incompetent persons without their legal guardian's consent. Upon being aware of unintentional collection of Personal Data from anyone under the age of 20 without parental consent when it is required, or from quasi-incompetent persons and incompetent persons without their legal guardians consent, we will delete it immediately or collect, use, disclose and/or transfer only if we can rely on other legal bases apart from consent.
As part of security procedure of our services and user experiences, cookies and such other systems may be used and may be placed on your device. We use cookies on our website which automatically collects information about the visitors when they visit and interact with our website. In general, information gathered through usage of a cookies is not linked to any direct personal identifiers (e.g. your name or e-mail address). However, the information may include Personal Data under appropriate data protection laws such as user domain; browser type; operating system; page visits; additional information about user device; date, time, and duration of user visit; Internet traffic; and information from third parties. In the case where we may link such Personal Data with cookies or other data that are associated with your use of our services, we will treat cookies and combined information as Personal Data.
Our emails may include links to visit pages on our website, download content, open attachments, complete surveys, or perform additional actions. If a user is in our customer contact database, or has interacted with us online previously, metadata in the links may allow us to identify the individual user clicking on the link.
If you visit our offices or sites, and use our guest Wi-Fi, we may automatically collect information about your devices and online activities. Usage of our Wi-Fi is subject to our Wi-Fi Acceptable Use Guidelines, which must be accepted by users to connect to our guest Wi-Fi. For reasons of office, site and facility security and safety, we use video surveillance (CCTV) in our offices, sites and facilities. Please refer to our Privacy Notice on CCTV use accessible at [CCTV Notice].
1.2 Collection of your Personal Data
We may collect your Personal Data through various means, such as, directly from you (e.g., when you do businesses with us, including signing a contract, filling a form when you interact with us, including interactions via our online platforms (e.g. e-bidding), via our website, via e-mail, by phone, during meetings and events or when we visit you), or indirectly from the Corporate Customers or Business Partners you represent, work, or act for, or from our affiliates or third parties, or through publicly available sources (e.g. websites and publicly available corporate databases).
2. On what basis and why we collect, use, or disclose your Personal Data
Except in limited instances when we indicate that collection, use, disclosure and/or transfer are based on your consent, we generally use the following legal justifications: (1) a contractual basis, for our initiation or fulfilment of a contract with you; (2) compliance with legal obligations; (3) the legitimate interest of ourselves and third parties, to be balanced with your own interest and fundamental rights and freedoms in relation to the protection of your Personal Data; and (4) vital interest, for preventing or suppressing a danger to a person’s life, body or health.
We may collect, use, disclose and/or transfer your Personal Data collected for various purposes, depending on how you interact with us, what products or services you obtain from us, nature of our relationship with you and our Corporate Customers or Business Partners and/or any other considerations in each specific context and nature, as described below.
| Business Communication and Management of Business Relationship: | Such as to communicate with you, or our Corporate Customers or Business Partners (for example, to respond to inquiries or requests), to send or receive information pertaining to company businesses, to administer and manage the relationship, including contractual relationship, with our Corporate Customers or Business Partners, to perform accounting, auditing, billing and collection activities, to maintain and update contact lists/directories, record keeping of contracts and associated documents in which you may be referred to, to facilitate the use of our services; to handle any complaints; to plan, to perform, and manage the (contractual) relationship with our Corporate Customers or Business Partners; to deliver letters and documents and track of document delivery; |
| Selection and Procurement Process: | Such as to authenticate and verify your identity and/or our Corporate Customers or Business Partners status, to procure products and services, to request for quotation, to arrange bidding process, to conduct due diligence or any other form of background checks or risk identification on you and/or our Corporate Customers or Business Partners, and to evaluate qualifications of you and/or our Corporate Customers or Business Partners; |
| Provision of Products and Services: | Such as to supply our products or services, to provide our quotation, to execute of contract with you, our Corporate Customers or Business Partners, to carry out related business functions, to perform obligations under the contract with our Corporate Customers or Business Partners; to perform of tasks necessary for the provision of the requested services; |
| Payments and Transactions Process: | Such as to administer transactions, to process payments, to fulfill orders; to issue receipt and invoice; and to conduct settlement, billing, processing, clearing, or reconciliation activities; |
| Security and System Monitoring: | Such as to safeguard the confidentiality, security, and accessibility of the company website, IT systems, networks and hardware, and information, to provide IT and helpdesk supports, to create and maintain code and profile, to manage the access to any systems to which we have granted the access, to remove inactive accounts, to implement business controls to enable our business to operate, to identify and resolve issues in our IT systems, to keep systems secure, to perform IT systems development, implementation, operation and maintenance, to authenticate and access controls and logs where applicable, to monitor of system, devices and internet; |
| Protection of our interests: | Such as to oversee, safeguard, and inspect risk exposure, to prevent fraud, claims and further liabilities, to encompass but not restricted to violations of company contract terms, regulations, or laws, to perform institutional risk control, to deal with active risk management pursuant to which risks in terms of markets, credit, default, processes, liquidity and image as well as operational and legal risks must be identified, limited, and monitored, to protect the security and integrity of business, to exercise the rights or protect our interests where it is necessary and lawfully to do so (e.g., to determine fraud risk and identify fraudulent transactions, intellectual property infringement claims, or violations of law), to manage and prevent loss of our assets and property, to perform internal audits and records, asset management, system, and other business controls, to maintain data accuracy, to keep business records and otherwise to operate, manage, and maintain our business operations, to maintain internal business management for internal compliance requirements, policies, and procedures, to prevent or suppress a danger to a person’s life, body, or health, to secure the compliance of our contract terms, to follow up on incidents, to prevent and report criminal offences; |
| Corporate Transactions: | Such as to disclose and transfer your Personal Data to third parties as part of business transaction, for example sale, transfer, merger, reorganization, or similar event; |
| Carrying out legal purposes: | Such as to comply with appropriate rules, regulations, and laws (including tax report and tax filing), and in advancement of our associated internal policies, counting records retention requirements and compliance policies, to exercise our rights or defend against legal claims, to maintain record keeping and resolving complaints and disputes, to comply with legal obligations, legal proceedings, or government authorities' orders which may include orders from government authorities outside Thailand, and/or cooperate with court, regulators, government authorities, and law enforcement bodies when we reasonably believe that we are legally required to do so, and when disclosing your Personal Data is strictly necessary to comply with the said legal obligations, proceedings, government orders, codes of conduct and our internal policies, to perform compliance activities, to conduct internal and regulatory reporting; |
| Functioning of our sites and platform | Such as to administer, operate, track, monitor, and manage our sites and platform, to facilitate and ensure that they function properly, efficiently, and securely, to facilitate your experience on our sites and platform, to improve the layout and content of our sites and platform, to allow the access to our available systems and provide technical assistance; |
| Office and Facilities Security and Safety: | Such as to oversee visitor access to company offices, sites and facilities and maintain the security and safety of staffs, visitors, and offices, sites and facilities; |
| Activities and Events: | Such as to coordinate, accommodate, and direct events, to count processing registrations, to disseminate participant lists, to assign acceptable accommodations (including special dietary concerns), and to utilize photos and videos taken at events on our websites and additional materials pertaining to the event; and |
| Sensitive Data: | In general, we use your identification card for authentication and verification purpose, however we do not intend to collect, use or disclose any of your sensitive data appeared on the identification card (i.e. religion and blood types, if any). In the case where we receive any of such sensitive data, we will cross out such sensitive data accordingly, and it does not constitute the collection of any of such sensitive data. |
If you do not provide your Personal Data, it may mean that we cannot provide you with the products or services you request, we cannot meet all our obligations to you, or we cannot comply with other legal obligations.
3. Disclosure of Personal Data
Depending on the context of your relationship with us and the nature of products or services you obtain from us, we may disclose your Personal Data to the following parties for the purposes as described in this Notice:
| Gulf group and affiliates: | We are a multinational corporation. We distribute information, including Personal Data, internally among our corporate affiliates in the typical course of our day-to-day transactions. For a current listing of our power plants, please visit our website at: https://www.gulf.co.th/en/business_overview |
| Service providers or suppliers: | We may disclose your Personal Data to service providers or suppliers (or they may gather Personal Data precisely on our behalf), as engaged to provide services or support for various business purposes, for example, IT service providers including, cloud service providers; software service providers; network and infrastructure service providers; postal mail and messenger service providers; logistic service providers; payment service providers; payment networking service providers; administrative and business support service providers; document storage and destruction service providers; data backup service providers; printing service providers. |
| Professional advisors: | We may disclose your Personal Data to professional advisors such as auditors, legal advisors or counsels, accountants, and tax consultants who assist us in running our business and defending or bringing any legal claims, initiating and managing auction or otherwise taking legal actions. |
| Business partners: | We may disclose your Personal Data to companies that we have partnered with to offer or enhance our products or services, such as state enterprises, and financial institutions, to perform our products or services. |
| Third parties with whom you authorize or direct us to share your Personal Data | We may disclose your Personal Data with your consent or at your direction. |
| Third Parties as assignees, transferees, or novatees: | We may assign, transfer, or novate our rights or obligations to a third party, to the extent permitted under an agreement between us and you, or our Corporate Customers or Business Partners. We may disclose or transfer your Personal Data to assignees, transferees, or novatees, including prospective assignees, transferees, or novatees, provided that we will use our best efforts to ensure that these data recipients agree to treat your Personal Data in a manner consistent with this Notice. |
| Third parties connected with corporate transactions: | We may disclose or transfer your Personal Data to third parties that are connected with possible or substantive sale of our business or any of our assets, or those of any related company, particularly through acquirements or mergers, alteration in divestitures or control, or affiliation with bankruptcy. In such instances, Personal Data collected by us may be one of the reassigned equities. |
| Government entities and others with whom we disclose Personal Data for legal or necessary purposes | We may disclose your Personal Data to government entities or regulatory bodies and others for legal, regulatory and other necessary purposes. This includes responding to requests from regulators or government authorities for purposes of law enforcement, legal orders, audits, or legal processes/claims. |
| Other third parties: | We may disclose your Personal Data to persons involved in the provision of the type of products or services offered by us including your corporate insurer, your contact persons and/or your employers. If you attend our events, we may distribute your name in the participant list and/or promotional materials. We may incorporate videos, photographs, and additional multimedia taken of the individual on our website and in certified report materials. |
Where applicable, we will implement appropriate guidelines to ensure the recipients of your Personal Data will act in accordance with this Notice. We reserve the right to disclose any information which you provide that is not designated as Personal Data or otherwise exempt from legal stipulations.
4. Transfer of Personal Data to other countries
We may disclose or transfer your Personal Data to our affiliates, third parties or servers located outside Thailand for lawful purposes. Some recipients of your Personal Data are located in another country for which the Personal Data Protection Committee under the Thai Personal Data Protection Act B.E. 2562 has not ruled that this country has adequate data protection standard.
When it is necessary for us to transfer your Personal Data to a country with a level of data protection standards not equivalent to Thailand, we will ensure that an adequate degree of protection is afforded to the transferred Personal Data, or the transfer is otherwise permitted in accordance with the applicable data protection law. We undertake to comply with any requirements or conditions for cross-border transfer of personal data that the Personal Data Protection Committee may issue, and will update this section as may be necessary.
5. Security of your Personal Data
We maintain a variety of safeguards, managerial, material, and industrial; devised to safeguard Personal Data from unauthorized admittance or publication; and incidental or illegal demolition, amendment, or misplacement.
While it is our goal to secure your Personal Data from unauthorized access, inappropriate use or disclosure, prohibited amending or illegal demolition or incidental misplacement, and we manage and use particular equitable actions, telecommunications, and structures to do so, please note that no communication over the Internet is entirely protected or infallible, and that the aforementioned structures, actions, and telecommunications managed and used by us may be compromised.
6. Retention of your Personal Data
We will store your Personal Data for as long as it is necessary for the purposes for which it was collected, as explained in this Notice and in accordance with the applicable laws. However, we may retain your Personal Data for a longer period in order to comply with applicable laws and regulations and our internal policy or with regard to our operational requirements, such as proper record maintenance, facilitating relationship management, and responding to legal claims or regulatory request.
7. External Links
Where applicable for website users, our services may contain links to other websites/platforms that are operated and controlled by third parties. While we try to link only to websites that share our high standards and respect for privacy, we do not take responsibility for the content or the privacy practices employed by other websites. Unless otherwise stated, any Personal Data you provide to any such third party website will be collected by that party and not by us, and will be subject to that party's privacy notice/policy (if any), rather than this Notice. In such a situation, we will have no control over, and shall not be responsible for, that party's use of the Personal Data you provide to them.
8. Your Personal Data Protection Rights
The rights in this section are your legal rights, where you may request exercise of these rights under the conditions prescribed by law and our right management procedures. These rights are as follows:
a) Right of Access. You have the right to access and obtain a copy of your Personal Data or request to disclose your Personal Data. We may, to the extent permitted by law or a court order, refuse to act on your request where such request could affect the rights and freedom of another person;
b) Right to Rectification. You may have the right to have incomplete, inaccurate, misleading, or not up-to-date Personal Data collected about you rectified;
c) Right to Objection. You have the right to object to the collection, use, or disclosure of your Personal Data for the purposes of achieving our legitimate interest (or that of other persons). We may refuse to comply with your request if we can demonstrate compelling legitimate grounds for such collection, use, or disclosure, which may override your own interests or if such collection, use, or disclosure is for the purposes of establishment, compliance, exercise or defense of legal claims;
d) Right to Erasure. You have the right to request us to erase or destroy your Personal Data or to anonymize your Personal Data if you believe that (i) the Personal Data is no longer needed for the purposes described in this notice or (ii) the collection, use, or disclosure of your Personal Data is unlawful. We may refuse to comply with your request for erasure or destroy for the purposes of establishment, compliance, exercise or defense of legal claims, or compliance with laws;
e) Right to Data Portability. You may have the right to obtain your Personal Data we hold, in a structured, electronic format, and transmit such data to another data controller, where this is (a) personal information which you have provided to us, and (b) if we are processing that data on the basis of your consent;
f) Right to Restrict Processing. You have the right to request us to suspend the use of your Personal Data if you believe that we no longer need to retain the Personal Data for the purposes described in this notice, but you still require the retention for the purposes of establishment, compliance, exercise or defense of legal claims, or compliance with laws;
g) Right to Withdraw Consent. If you have consented to our collection, use, or disclosure of your Personal Data, you have the right to withdraw that consent at any time; and
h) Right to Lodge a Complaint: You have the right to file a complaint with the competent authority regarding the collection, use, and/or disclosure of your Personal Data by us or on our behalf. We would, however, appreciate the chance to deal with your concerns before you approach the competent authority, so please contact us in the first instance.
If you would like to exercise any of your rights, you may do so by downloading our request form at Data Subject Rights Request Form and sending the completed request form to our contact as detailed in this notice.
9. Our Contact Details
If you have any inquiries or concerns in connection with this Notice or the collection, use, or disclosure of your Personal Data by us, or you would like to submit a request to exercise your rights, please contact us at:
Gulf Energy Development Public Company Limited
87 M. Thai Tower 11th Floor, All Seasons Place, Wireless Road,
Lumpini, Pathumwan, Bangkok 10330
Tel: +662-080-4499
Fax: +662-080-4455
E-mail: contact@gulf.co.th
