1. Introduction

Toyota Tsusho Forklift (Thailand) Co., Ltd. is authorized distributor for forklift brand “TOYOTA” in Thailand. We operate our business related to selling, rental, maintenance and repairing services, forklift training including with forklift parts. Consistent with our Code of Conduct & Ethics, We will respect the privacy rights of data subject that the Company collects, uses, processes, stores, discloses and/or transfers on purpose of the business activities.

2. Purpose of this privacy policy

This privacy policy aims to give you information on the way of processing (including collection, use, storage, disclosure and transfer) (hereinafter referred to as “Processing” or “Process”) by Toyota Tsusho Forklift (Thailand) Co., Ltd. (the “Company”, "we", "us" or "our" in this privacy policy) of personal data relating to an identified or identifiable natural person in Thailand, and (such natural person shall be “Data Subject” and such personal data shall be “Personal Data”) as a data controller (or a data processor, if applicable).

Consistent with our Global Code of Conduct & Ethics, we will respect the rights to privacy of individuals and comply with the Personal Data Protection Act B.E. 2562 (A.D. 2019) (“PDPA”).

3. Personal Data we Process

Personal Data means any information relating to Data Subject which is directly or indirectly identified to such individual person such as first name, last name, address, date of birth, telephone number, photo, biometric data, including customer or supplier data, employee data, data of directors, shareholders, contractors, etc. It does not include data where the data subject is not or no longer identifiable (anonymous data).

We may Process the following Personal Data:

• “Personal details and Identification” e.g., first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, residency, family status, house registration address, vehicle information, visa, work permit, national identification card, passport, tax identification and other government-issued identification;
• “Contact Information” e.g., billing address, delivery address, email address, telephone numbers;
• “Payment Information” e.g., bank account and debit or credit card details;
• “Data for Marketing and Communications” e.g., Data Subject’s preferences in marketing from us or third parties and Data Subject’s communication preferences;
• “Personal History” e.g., educational background, transcript, academic degree, skills, qualifications, job history and any other information that might be necessary to judge Data Subject’s suitability to job role;
• “Security Data” e.g., photograph and/or voice recording by means of closed circuit television (CCTV), photograph, footage, video, voice recording of conversations;
• “Technical Information” e.g., IP address, cookies, accessed devices location while using this website;
• “Sensitive Data” e.g., information about health/medical records, health examination result, biometric data, disability, race, religion, blood type, vaccination record, criminal record.

Personal Data may be converted into statistical or aggregated data in such a way that Data Subject will not be identified or identifiable from it and may be used for analytical and research purposes.

4. How is Personal Data collected

We collect Personal Data including through the following ways:

• Direct collection:

  We collect Personal Data directly from Data Subject. This includes Data Subject filling in a designated form, electronic form and/or by corresponding with us by post, email or otherwise when Data Subject:

  • requests information on our products or services;
  • provides us with your business cards;
  • places order or makes requests for our products or services;
  • gives us feedback or contact us; or
  • applies to job roles and further take interview.

• Indirect collection:

  We may also collect Personal Data about Data Subject from third parties such as the organisation to which the Data Subject belongs and/or public sources to the extent that it is permitted under the PDPA and other applicable laws.

5. How we Process Personal Data

5.1 Legal grounds for lawful Processing of Personal Data

We will Process Personal Data only when relevant laws and/or regulations (in particular, PDPA) allow us to do so.

When we Process Personal Data, we will rely on at least one of the legal grounds for lawful Processing (including, but not limited to the following applies):

• “Consent by Data Subject” Processing Personal Data in the case where Data Subject has given consent to such processing for one or more specific purposes;
• “Performance of Contract” Processing Personal Data in the case where it is necessary for the performance of a contract to which Data Subject is a party, or for taking steps at Data Subject’s request before entering into such a contract;
• “Compliance” Processing Personal Data in the case where it is necessary for our compliance with a legal obligation to which the Company is subjected;
• “Vital Interest” in the case where it is for preventing or suppressing a danger to a person’s life, body or health;
• “Legitimate Interests” Processing Personal Data in the case where it will be in the legitimate interests of the Company to carry out its operation and management of its business for provision of most suitable services and/or products.

Before processing Personal Data under this Legitimate Interests ground, we will assess potential impacts (both positive and negative) on Data Subject and his/her rights and further make comparison between such impacts on Data Subject and the Company’s Legitimate Interests. We will not Process Personal Data by relying on this Legitimate Interests ground if the adverse effect on Data Subjects and his/her rights exceeds the Company's Legitimate Interest.

5.2 Purposes for Processing of Personal Data

We have set out below, in a table format, a description of typical (i) purposes for Processing of Personal Data, (ii) types of Personal Data and (iii) legal grounds for lawful Processing of Personal Data.

(We may Process Personal Data for more than one legal ground depending on the specific purpose for Processing of Personal Data. In addition to the purposes listed in the table below, please note that we may also Process Personal Data for complying with legal obligations of the Company, for Legitimate Interests, or for Vital Interests as permitted by law.)

5.3 Change to purpose, etc.

We will only Process Personal Data for the informed purposes for which we collected it, unless we reasonably consider that we need to Process it for another purpose and such purpose is compatible with the original informed purpose.

If we need to Process Personal Data for a purpose apparently irrelevant to the original informed purpose, we will inform Data Subject on the new purpose and obtain Data Subject’s prior consent where Data Subject’s consent is required under the applicable law.

We may Process Personal Data, without Data Subject’s knowledge or consent, if to do so is required or permitted by relevant laws and/or regulations.

6. Disclosure of Personal Data

We may disclose Personal Data to the following third parties, subject to availability of safety measure for protection of Personal Data and compliance with the relevant laws and regulations by such third parties:

• “Internal Third Parties”
• “External Third Parties”
• “Third parties, to whom we may choose to sell and transfer out business (or vice versa) or with whom merge”

When we ask External Third Parties to Process Personal Data on our behalf, we will not allow them to use Personal Data for their own purposes. We will permit them to Process Personal Data only within the scope of our instructions and applicable relevant laws and regulations.

New owner of our business will be able to Process relevant Personal Data to the same extent permitted by this policy and in accordance with the PDPA.

For the purposes of interpretation of this part:

• “Internal Third Parties” shall include our parent company, the Company’s subsidiaries and affiliates in which the Company holds majority of the shares or interests in Thailand and/or other countries.
• “External Third Parties” shall include the following third parties:
  • (a) our service providers, service providers of Internal Third Parties in Thailand and/or any other relevant countries (acting as their commissioned processors or joint controllers, etc. of Personal Data);
  • (b) our professional advisers, professional advisers of Internal Third Parties in Thailand and/or any other relevant countries (acting as their lawyers, accountants, auditors, financiers, insurers based and consultants, etc.; and
  • (c) any regulator and/or authority of Personal Data/ information/ privacy protection in Thailand and/or any other relevant countries, which has authority to require reporting of processing activities, etc. in certain circumstances under the applicable law.

7. Transfer of Personal Data to a foreign country

Disclosure of Personal Data mentioned in Clause 6. (Disclosure of Personal Data) above may include transfer of Personal Data to a foreign country.

We transfer Personal Data from Thailand to a foreign country only if at least one of the following applies:

• • (a) transfer of Personal Data Thailand to a foreign country where the destination country or international organization that receives such Personal Data has adequate data protection standard and the transfer is carried out in accordance with the rules for the protection of Personal Data as prescribed by the Personal Data Protection Committee; or
  • (b) transfer of Personal Data from Thailand to a foreign country is (i) for compliance with the law, (ii) with consent of the Data Subject, (iii) for performance of a contract which the Data Subject is a party or a Data Subject’s pre-contract request, (iv) for compliance with a contract between the Company and others for the interests of the Data Subject, (v) for preventing or suppressing a danger to life, body, or health of Data Subject, or (vi) necessary for carrying out activities in relation to substantial public interest.

8. Data security

We have put in place appropriate security measures to prevent the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data and will ensure that the security measures are in accordance with the minimum standard specified and announced by the Personal Data Protection Committee under the PDPA.

We limit access to Personal Data only to employees, agents, contractors and other persons and third parties mentioned in Clause 6. (Disclosure of Personal Data) above only as necessary. They will be allowed to Process Personal Data only within the scope of our instructions and be subject to a duty of confidentiality.

If we discover that there is a breach of the Personal Data that poses a risk to the rights and freedom of a Data Subject, the Company will report it to the Office of Personal Data Protection Commission without undue delay, and where feasible no later than 72 hours of discovery.

If the breach is likely to result in a high risk to the rights and freedom of a person, we will notify relevant Data Subjects that there has been a breach and provide information about the breach and the guideline of remedy without undue delay.

9. Retention period of Personal Data

We will retain Personal Data only to the reasonable extent necessary to achieve the purposes for collection of the same.

We may retain Personal Data for a longer period in the event of complaint by Data Subject, or, if we reasonably believe, there is a prospect of litigation with Data Subject. We may also retain Personal Data even after the purposes for its collection are fulfilled in case it is necessary as the Company has an ongoing legitimate interest to do so, or it is for compliance with the applicable law, including the Computer Crimes Act B.E. 2550 (2017).

To determine the appropriate retention period of Personal Data, we will consider the amount, nature and sensitivity of the Personal Data; the potential risk of harm from unauthorised use or disclosure of Personal Data; purposes for Processing Personal Data; prospect of achieving such purposes through other means, as well as the applicable legal, tax, accounting or other requirements.

10. Legal rights of Data Subject

10.1 Legal rights

In relation to his/her Personal Data, Data Subject may make a request to the Company at the contact details under Clause 12 of this Privacy Policy to exercise the following rights of Data Subject:

• • (a) Right to Access and Obtain Copy: This enables relevant Data Subject to request access to and receive a copy of his/her Personal Data held by us and to check the status of lawful Processing of such Personal Data. This also includes the right to request the disclosure of the acquisition of Personal Data obtained without his/her consent.
  • (b) Right to Data Portability: This enables relevant Data Subject to obtain Personal Data in the format which is readable or commonly used by ways of automatic tools or equipment, including to request to send or transfer Personal Data to another Data Controller or to the Data Subject, unless it is technically unfeasible to do so.
  • (c) Right to Object: This enables relevant Data Subject to raise an objection to the Processing of his/her Personal Data in case that the Company:
    • i) Processes Personal Data based on legitimate interest or public interest ground, except in the case that the Company can demonstrate compelling legitimate grounds, or Processing of Personal Data is carried out for establishment, compliance with or exercise of the legal claims or defense of the legal claims;
    • ii) Processes Personal Data for the purpose of direct marketing; or
    • iii) Processes Personal data for the purpose of scientific, historic or statistic research, unless it is necessary for conducting activities for the public interest by the Company.
  • (d) Right to erasure of Personal Data: This enables relevant Data Subject to ask us to delete, destroy or anonymize relevant Personal Data if there is no legitimate reason for us continuing to Process it, including when Personal Data is no longer necessary in relation to the purposes for which it was collected or when Data Subject withdraws his/her consent on which the Processing is based and no other legal ground is available. However, please note that we may not always be able to comply with Data Subject’s request to delete his/her Personal Data for specific legal reasons as permitted by PDPA and other relevant regulations.
  • (e) Right to restriction: This enables relevant Data Subject to ask us to suspend the Processing of his/her Personal Data in the following scenarios:
    • (i) If the Company is pending the verification of the accuracy of Personal Data as per your request;
    • (ii) In case of Personal Data which shall be deleted or erased in according with 10.1 (d), but you request restriction to use instead;
    • (iii) The Company has no longer necessary to use Personal Data; however, Data Subject have a necessity to request the retention for the purpose of exercising legal claims, or for defense of the legal claims; or
    • (iv) The Company is pending the verification according to 10.1(a) or pending examination regarding 10.1(c) in order to reject your objection request.
  • (f) Right to rectification: This enables relevant Data Subject to request that your Personal Data be rectified if the Personal Data is inaccurate, not up-to date or incomplete, or may cause a misunderstanding;
  • (g) Right to withdraw consent by Data Subject to Process Personal Data: This will not affect the lawfulness of any Processing carried out before such withdraw. If Data Subject withdraws his/her consent, we may not be able to provide certain products or services to him/her. We will advise him/her if this is the case at the time of such withdrawal by Data Subject.
  • (h) Right to lodge a complaint: This enables relevant Data Subject to lodge a complaint to the Office of Personal Data Protection Committee.

When we receive a request to exercise Data Subject’s rights above, we will fulfill the request without undue delay provided that the request is carried out in accordance with the PDPA and other relevant regulations and we have no legitimate reason to reject such request as permitted by law.

Data Subject has the right to make a complaint to relevant supervisory authority in charge of data protection issues having competent jurisdiction. However, we would appreciate if Data Subject could give us chance to deal with Data Subject’s concerns in the first instance before Data Subject approaching such supervisory authority.

10.2 Cost, etc.

Basically, Data Subject does not have to pay any cost for exercising any of said rights.

However, we may ask Data Subject to bear reasonable cost if his/her request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to respond to Data Subject’s request in these circumstances according to the PDPA and other applicable laws and regulations.

10.3 Provision of additional information

When we receive a request to exercise Data Subject’s rights, we may need to request specific information from Data Subject to help us confirm his/her identity and secure Data Subject’s rights. This is a security measure to ensure that Personal Data will not be disclosed to any person who has no right to receive it.

We may also contact Data Subject to ask for further information in relation to his/her specific request to speed up our response.

10.4 Updates to this policy

This policy may be updated from time to time. You can find the latest version on our website.

11. Third-party links

This website may include links to third-party websites. Clicking on those links or enabling those connections may allow third parties to collect or share personal data about you. We do not control these third-party websites and are not responsible for their privacy statements. Accordingly, when you leave our website, we encourage you to read the privacy policy of every website you visit.

12. Contact

If you have any questions regarding this privacy policy, please contact us or our Data Protection Officer (DPO) at the following contact information:

Data Controller: Toyota Tsusho Forklift (Thailand) Co., Ltd.

Registered Office: 607 Asoke-Dindaeng Road, Kwang Dindaeng, Khet Dindaeng, Bangkok 10400
Amata Office: 700/412 Moo 7, T. Don Huaroh, A. Muang, Chonburi
Telephone No. (038) 454-428 Ext: 208
E-mail Address: [email protected]

Data Protection Officer (DPO): Ms. Tunya Duangnapa