Thai ORIX Leasing Co., Ltd. (Hereinafter refer to as “(We, Us, Our”) respects your privacy and recognizes the importance of personal data protection. We shall ensure that your Personal Data is handled in accordance with the Personal Data Protection Act B.E. 2562 (2019) in Thailand (“Thai PDPA”) and other applicable laws.

This Privacy Notice for customer aims to provide information regarding collection, use, or disclosure of your personal data internally, your privacy rights, as well as your legal protection.

We reserve the right to revise and update this Privacy Notice at any time.

1. Definitions

Terms and Definitions used in this Privacy Notice are set out in the table below:

Personal Datameans as specified in clause 2 “Types of Personal Data Collected”.
Data Controllermeans a natural or legal person who has powers and duties to make decisions regarding the collection, use and disclosure of Personal Data.
Data Processormeans a natural or legal person who proceeds with the collection, use or disclosure of Personal Data according to the orders of or on behalf of the Data Controller; however, such natural or legal person who proceeds with such activities is not the Data Controller.
Data Subjectmeans any individual person who can be identified directly or indirectly, via Personal Data.
Personmeans a natural person.
Business Partnersmeans a natural or legal person who directly or indirectly controls us, is controlled by us, owns us, is owned by us, manages us, is managed by us; including any legal entities whom we disclose, transfer, or receive Personal Data, for example, consulting and law firms, telemarketing companies, co-brand partners, correspondent banks, recruitment agencies, business alliances, external service providers (suppliers, vendors, outsources) and/or government affairs or regulators in order to comply with applicable laws.
DPOData Protection Officer

2. Types of Personal Data Collected

Personal data refers to information about an individual from which that person can be identified whether by direct or indirect means. However, Personal data does not include information of deceased persons and anonymous data. We collect, use, and disclose your Personal Data received from you and from our Business Partners.

Personal data includes:

I. Identity Data: data about individuals which can be used to identify specific individuals, whether by direct or indirect means such as name, surname, date/ month/ year of birth, gender, ID number, driving license number, passport number and marital status.
II. Contact Data: such as email address and phone number.
III. Sensitive Data: such as Race, Ethnic Origin, Political Opinions, Religion, Philosophical Beliefs, Sexual Orientation, Criminal Record, Health, Disability, Trade Union Membership, Genetic Data, Biometric Data, Ethnicity, Religion.

Personal Data excludes:

I. Personal Data which is publicly available at the point of collection.
II. Business contact information such as business phone number and business address.
III. Anonymous data.
IV. Data of Deceased Persons.

3. Third-party Links

Our website may lead you to a third-party website when you access the website. Such action may allow other websites to collect, use, or disclose your Personal Data. We are not responsible for any processing activities of Personal Data that occur on other websites.

4. Legal Basis

We will process your Personal Data under the following legal basis:

4.1 Consent: We process Personal Data based on consensual basis. In the event that you have provided us with explicit consent, we will process your Personal Data within the scope of the purpose we have informed you.

4.2 Contract: We process Personal Data under contractual basis. We use this legal basis when the processing of Personal Data is necessary to fulfill the contract for which you are a part of, or to use in fulfilling your request prior to entering into the contract. For example, processing your Personal Data is crucial to our ability to provide products and services as well as internal processes in achieving contractual objectives.

4.3 Legal Obligation: We process personal data in accordance with legal compliance, such as the prevention and detection of irregular transactions which may involve illegal activities.

4.4 Public Task: We process personal data under the necessity to carry out the mission for the public, or perform duties as the government agency has assigned to us.

4.5 Vital Interest: We process personal data under the necessity in an emergency medical situation to protect your life or those of another natural person.

4.6 Legitimate Interest: We process Personal Data under the necessity to protect our legitimate interests or those of other individuals or juristic persons which are not overriding your interests or your fundamental rights and freedoms.

4.7 Research Objective: We process Personal Data under the necessity to achieve the purpose relating to the preparation of the historical documents or the archives for public interest, or for the purpose of relating to research or statistics as the government agency has assigned to us.

5. Purpose of Personal Data Processing

As our customers, we collect, use, or disclose your Personal Data, for the following purposes;

5.1 To manage, provide, improve and develop products and services.

5.2 To carry out the contract with our Business Partners.

5.3 To comply with relevant laws and regulations.

However, the collection, use, or disclosure of Personal Data will be processed on legal basis. We may process your Personal Data on different legal basis, depending on the purpose of data processing.

6. Personal Data Disclosure

We may disclose your Personal Data to government agencies and our Business Partners for the purposes stated in clause 5 “Purpose of Personal Data Processing” and government affairs or regulators in order to comply with the law.

7. Cross Boarder Transfer of Personal Data

We may disclose or transfer your Personal Data to third parties or servers located overseas, and the destination countries may or may not have the same data protection standards as Thailand. We have taken steps and measures to ensure that your Personal Data is securely transferred, that the data recipients have suitable data protection standards in place, and that the transfer is lawful by relying on the derogations as permitted under the law.

8. Data Security

We will take appropriate measures to ensure physical protection and organizational and technical measures, to prevent your personal data from loss, misuse, or unauthorized access, disclosure, change, and deletion. In the event that the Company assigns external parties for system development and maintenance, resources allocation, or any other services, we may arrange for confidentiality and/or data processing agreements in accordance with this Privacy Notice to be made; for the benefit of securing your personal data.

9. Data Retention

We will retain your Personal Data for a period according to the purpose for which it was collected and/or applicable laws (e.g. ongoing legal action, compliance with obligations under applicable law, regulations and professional standards, business operations.)

10. Data Subject Rights

Stated below are your rights as a data subject under Thai PDPA that you should be aware of.

10.1 Right to Withdraw Consent: You have the right to withdraw your consent on which the collection, use, or disclosure is based on at any time. As a result, we will stop the processing of your information as soon as possible and if we do not have other lawful basis which allow us to process your Personal Data, we will then delete your information.

10.2 Right to Access: You have the right to request access and to obtain a copy of your Personal Data related to you under our responsibility or to request disclosure of the acquisition of the Personal Data obtained without your consent. Once we have received the request, we will proceed to comply within 30 days.

10.3 Right to Rectification: You have the right to request correction and rectification of your Personal Data to ensure that the data is correct, up-to-date, and complete.

10.4 Right to Data Portability: You have the right to request us to send or transmit your Personal Data to another Data Controller by transmission that can be done by automatic means. You also have the right to receive directly your Personal Data in the format that we send or transfer to another Data Controller, except where it is not technically feasible.

10.5 Right to Erasure: You have the right to request us to erase, destroy, or anonymize your Personal Data in the cases stated below:
I. Personal Data is no longer necessary for the purpose in which it is collected for.
II. You withdraw consent in processing Personal Data and we have no legal ground for further retention or processing of that Data.
III. You object to processing of Personal Data for direct marketing purposes.
IV. Where processing of Personal Data is unlawful.

10.6 Right to Restriction of Processing: You have the right to restrict the processing of Personal Data if the stated conditions are met:
I. Processing of Personal Data is no longer necessary but we can demonstrate that there is a compelling legitimate ground.
II. Processing of Personal Data is unlawful but you want to restrict the processing activity instead of deletion.
III. Personal Data is under review for completeness and accuracy upon your request.
IV. Processing of Personal Data is carried out for the establishment, compliance, or exercise /defense of legal claims.

10.7 Right to Object: You have the right to object to the processing of Personal Data if the stated conditions are met:
I. Personal Data is being processed for direct marketing purposes
II. Personal Data is being processed for research purposes either in the field of science, history, or statistics, unless it is necessary to perform such tasks for reasons of public interest.
III. Personal Data is collected for our necessity to carry out public tasks or for other legitimate grounds. Unless we are able to demonstrate higher legitimate grounds, or the processing activity is to establish legal claims or compliance

10.8 Right to Lodge a Complaint: You have the right to submit complaint to the relevant government agencies in the event that our employees, vendors, contractors violate or fail to comply with the personal data protection requirements.

11. Data Breach Notification

11.1 We shall maintain a record of all Personal Data breaches and notices. Record of Personal Data breaches shall include the fact of the incident, its effects, and the mitigation action planned or taken. The personal data breaches record is subjected to confidentiality and shall be kept and maintained by us.

11.2 Where we are of the view that a breach, including a potential or alleged breach, may have a material reputational or financial impact, we shall escalate the matter to the management. The management shall assess and determine whether to report to the relevant government agencies and/or notify the data subject involved.

11.3 We have to notify data breaches, without undue delay and not later than 72 hours after the acknowledgment of the data breach incident, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where it is highly likely to result in a risk to the rights and freedoms of natural persons, we shall notify the data subject regarding data breach without undue delay.

12. Use of personal data for original purposes

We are entitled to continue collecting and using your personal data, which has previously been collected by us before the effectiveness of Thai PDPA in relation to the collection, use and disclosure of personal data, in accordance with the original purposes. If you do not wish us to continue collecting and using your personal data, you may notify us to withdraw your consent at any time.

13. Contact Us

If you wish to exercise data subject rights or if you have any question or complain, you can contact us via the following channels.

  • Company name: Thai ORIX Leasing Company Limited
  • Email Address: DPO@orix.co.th