PRIVACY NOTICE
Effective Date: 1 September 2022
ReAcc Company Limited (“Company”, “we”, or “us”) gives great importance on the protection of Personal Data (as defined below). The Company prepares this Privacy Notice to inform about how the Company collects, uses, discloses and/or cross-border transfers of Personal Data (as defined below), and the rights of data subjects.
This Privacy Notice applies to third parties, whose Personal Data (as defined below) we collect, use, disclose, and/or cross-border transfer in the course of our business operations or the provision of our services, which includes:
(1) Chief Executive Officer (CEO), directors, general manager, representatives, shareholders, agents, employees (including primary contact, lead user and other user), and other persons in a similar capacity including contact person (collectively, “Connected Persons”) of juristic persons and their affiliates which are users of our platform, including existing or prospective Seller and Buyer of the REC services;
(2) visitors and users of our platform, including other channels of communication; and
(3) any other persons whose Personal Data we obtain in the course of our business operations or the provision of our services.
Persons described above are collectively referred to as “you” or “your”.
Please read this Privacy Notice carefully to understand how we collect, use, disclose and/or cross-border transfer of Personal Data (as defined below) and for what purposes.
Failure to provide certain Personal Data may result in us not being able to perform certain processing activities described in this Privacy Notice, and as a consequence, we may not be able to provide you with the services you request or meet certain of our contractual obligations, or we cannot comply with our legal obligations.
1. What Personal Data we collect
“Personal Data” means any information relating to a person, which enables the identification of such person, whether directly or indirectly, or as defined under the applicable data protection laws or under this Privacy Notice. If there is any data which can be combined with your Personal Data, we will deem that such data is Personal Data.
We may collect or obtain your Personal Data via online and offline channels, for example electronic and/or physical forms and documents, e-mail address , name cards, telephone calls, or other third party sources (e.g., your company or any other third parties involved in the course of our businesses).
We may collect or obtain the following categories of data, depending on the context of your relationship with us and the required services.
· Personal identification and communication information: such as title, name, surname, national ID number, passport number, a copy of national ID card and/or passport, nationality, address, country, phone number, fax number, e-mail address, website and signature;
· Work-related information: such as job position, department, employee ID, your company name, your percentage of shareholding or ownership, and other details about your company (e.g., head quarter or branch, business type, company status and registration details, contact and address details, payment details, tax ID, number of employees and website) and other details in your company’s documents (e.g., PP 20, copy of the certificate of company registration, VAT registration, and audited financial statement);
· User account information: such as user ID, organization ID, password, and other information related to the account (e.g., status);
· Device information: such as Internet Protocol (IP) address, internet browsing behavior, login data, login log, search history, browsing details, browsing type and version, browsing language, web beacon, log, device ID and type, network, connection details, access details, single sign-on (SSO) details, browser plug-in types and versions, operating system and platform, time zone setting and location, access times, time spent on page, information about how you use and interact with our platform (including web page viewed, content viewed, links clicked, and features used), when and how often you use our platform, crash reports and other technology on devices you use to access the platform;
· Other details provided to us: such as information collected, used, or disclosed in connection with the relationship with us, or in connection with the relationship between us and your company, data collected when you interact with us, your correspondence with us, and information as part of our prospective or existing relationship with you in the course of you applying for or us providing you with our services and otherwise.
If you provide us with Personal Data about other persons (e.g., Personal Data of Chief Executive Officer (CEO), directors, general manager, shareholders, or other persons who have executive power in your company or other employees of your company), or you ask us to disclose their Personal Data to third parties, you are responsible for notifying those other persons of the details of this Privacy Notice, including obtaining any required consent from such third parties (where consent is required). You shall also ensure that we can lawfully collect, use, disclose and cross-border transfer those persons’ Personal Data as set out in this Privacy Notice, and that the provided Personal Data are accurate, complete and up-to-date, and if there is any change to such Personal Data, you will inform us.
Cookies
As part of the security procedure for our services and user experiences in using our platform and services, cookies and such other technology systems may be used and may be placed on your device. In general, information gathered using cookies is not linked to any identifiable data (e.g., your name or e-mail). However, if we may need to link your Personal Data with cookies or other data that is associated with your use of our platform and services, we will treat cookies and combined data as Personal Data.
2. Why do we collect Personal Data
Apart from the purposes where we may seek your consent, we and third parties who may be acting on our behalf may rely on (1) pre-contractual and contractual basis, for our initiation or fulfilment of a contract with you; (2) legal obligation, for the fulfilment of our legal obligations; (3) legitimate interest, for the purpose of our legitimate interests and the legitimate interests of third parties (e.g., your company), to be balanced with your own interest and fundamental rights and freedoms in relation to the protection of your Personal Data; (4) vital interest, preventing or suppressing a danger to a person’s life, body or health; (5) public interest, for the performance of a task carried out in the public interest or for the exercise of official actions and (6) the reason for an establishment and defence of legal claims, for using your Personal Data for the following purposes:
· Identity verification: such as for identity verification in relation to business operations; for contract entering and other related transactions; for enabling you to apply for our services; for verifying login credentials; for allowing an access to the account and other process of transactions; for identity verification when you contact us for any requests related to the services and the platform ; for creation of electronic signature;
· Registration and Know-Your-Customer (KYC) process: such as for the on-boarding registration and assessment process to receive our services; for Know-Your-Customer (KYC) processes; for contract entering and initiation of services;
· User and Sub-user account: such as for account creation and activation process; for account administration, maintenance and support;
· Provision of services: such as for provision of services at your request; for contact and communication regarding the services and related support; for processing of transactions (including the processing related to registry, issuance, trade and redemption of RECs); for issuance and delivery of relevant documents related to transactions; for contract, services or relationship termination processes;
· Payments process: such as for billing, processing, clearing, settlement, or reconciliation activities; for issuance and delivery of relevant documents related to payments; for maintenance of payment records and relevant documents;
· Communication: such as for communication on services and related support; for assistance and interaction with you regarding the services (e.g., responding to inquiries and requests); for additional request on supporting document and information; for issuance and delivery of relevant documents;
· Our legitimate operations: such as for platform and services management, improvement and maintenance; for data management and maintenance; for facilitation and allowance of appropriate, efficient, and safe use of the platform and our services; for record keeping (e.g., records of contracts and other related documents); for development and improvement of services ; for conducting services performance monitoring and analysis; for data analysis to improve our services, and business opportunities; for identification of problems and solutions regarding existing services; for detection and prevention of fraud risk and resolving any fraudulent activities, fraudulent transactions, deception, and fraudulent applications; for identification and management control on logs of network activities; for taking any necessary steps to prevent activities aimed to cause damage, fraud, or illegal activities including activities relating to data maintenance and relevant services; for identification, investigation, prevention and protection of security events including security for life, health, property, and other rights of persons; for the follow-up on incidents; for assistance on crime prevention; for the protection of security and integrity of business; for maintenance of internal business management; for internal compliance requirements, policies, and procedures; for the exercise of rights or protection of our interests where it is necessary and lawfully to do so; for an establishment and defence of legal claims;
· IT maintenance and support: such as for safeguarding the confidentiality, security, and accessibility of our platform site, IT systems, networks and hardware, and information; for provision of IT and technical supports; for management of access to any systems to which we have granted the access; for removing inactive accounts; for implementation of business controls to enable our business to operate; for identification and resolving issues in our IT systems; for maintenance of our systems security; for IT system performance, development, implementation, operation and maintenance; for authentication and access controls and logs where applicable; for monitoring of system, devices and internet;
· Legal and policy compliance: such as for compliance with appropriate rules, regulations, and laws (including tax report and tax filing), and in advancement of our associated internal policies, counting records retention requirements and compliance policies; for exercise of our rights or defend against legal claims; for maintenance of record keeping and resolving complaints and disputes; for compliance with legal obligations, legal proceedings, or government authorities' orders which may include orders from government authorities outside Thailand, and/or cooperate with court, regulators, government authorities, and law enforcement bodies when we reasonably believe that we are legally required to do so, and when disclosing your Personal Data is strictly necessary to comply with the said legal obligations, proceedings, government orders, codes of conduct and our internal policies; for performance of compliance activities; for conducting internal and regulatory reporting;
· Vital interests: for prevention or suppression of a danger to a person’s life, body, or health;
· Corporate transactions: such as when we need to disclose and transfer your Personal Data to third parties as part of business transaction, for example sale, transfer, merger, reorganization, or similar event.
3. Who we disclose Personal Data to
Depending on the context of your relationship with us and the nature of services you obtain from us, we may disclose or transfer your Personal Data to third parties, including (1) our affiliates (e.g., PTT Public Company Limited); (2) service providers (e.g., infrastructure, IT and/or software service providers, postal mail service providers, delivery or logistic service providers, professional advisors relating to audit, legal, accounting and tax services, payment service provider, administrative and business support service providers, document storage and destruction service providers, data backup service providers, printing service providers); (3) business partners, which include entities that we have collaborated with to offer or enhance our services (e.g., financial institutions for payment-related process); (4) I-REC issuer and registry entity (e.g., Green Certificate Company Limited, Electricity Generating Authority of Thailand, and the International REC Standard Foundation); (5) government entities or regulatory bodies and others for legal, regulatory and other necessary purposes, including responding to requests from government entities or regulatory bodies for purposes of law enforcement, legal orders, audits, or legal processes/claims; and (6) any other third party based on your consent or your instruction.
We may disclose or transfer your Personal Data to third parties that are connected with possible or substantive sale of our business or any of our assets, or those of any related company, particularly through acquirements or mergers, alteration in divestitures or control, or affiliation with bankruptcy. In such instances, Personal Data collected by us may be one of the reassigned equities.
4. Cross-border transfer of Personal Data
We may transfer your Personal Data to third parties or servers located outside Thailand for lawful purposes, including to the International REC Standard Foundation and the Green Certificate Company Limited for purposes related to the provision of REC services (in particular to serve as a supporting evidence for relevant legal transactions). Some recipients of your Personal Data are located in another country for which the competent authority may or may not have announced as having a comparable data protection standards to Thailand.
5. How long we retain Personal Data
We will retain your Personal Data only for as long as it is necessary for the purposes for which it was collected, as explained in this Privacy Notice, and in accordance with the applicable laws. However, we may retain your Personal Data for a longer period to comply with applicable laws and regulations, our internal policy, and responding to legal claims or regulatory requests.
6. How do we protect your Personal Data
We have arranged for appropriate security measures, which cover administrative, technical and physical safeguards in relation to access control, to protect Personal Data against any unauthorized or unlawful loss, alteration, modification, use, disclosure, or access, for example: restricting access to Personal Data as well as storage and processing equipment; imposing access rights or permission; implementing user access management to limit access to Personal Data to only authorized persons; implementing user responsibilities to prevent unauthorized access, disclosure, knowledge acquisition or unlawful duplication of Personal Data or theft of device used to store and process Personal Data; and enabling the re-examination of access, alteration, erasure, or transfer of Personal Data. These measures are in place to protect the confidentiality, integrity, and availability of Personal Data as required by law.
7. Your rights
Subject to applicable laws and exceptions thereof, you may have the following rights to:
· Access: You may have the right to access or request a copy of the Personal Data we collect, use, and disclose about you. For your own privacy and security, we may request a proof of your identity before providing the requested information to you.
· Rectification: You may have the right to have incomplete, inaccurate, misleading, or not up-to-date Personal Data that we collect, use, and disclose about you rectified.
· Data portability: You may have the right to obtain Personal Data we hold about you, in a structured, electronic format, and to send or transfer such data to another data controller, where this is (a) Personal Data which you have provided to us, and (b) if we process such data on the basis of your consent or to perform a contract with you.
· Objection: You may have the right to object to certain collection, use, and disclosure of your Personal Data.
· Restriction: You may have the right to restrict the use of your Personal Data in certain circumstances.
· Withdraw consent: For the purposes you have consented to the collection, use, and disclosure of your Personal Data, you have the right to withdraw your consent at any time.
· Deletion: You may have the right to request that we delete or de-identify Personal Data that we collect, use, and disclose about you. However, we are not obliged to do so if we need to retain such data in order to comply with legal obligations or to establish, exercise, or defend legal claims.
· Lodge a complaint: You may have the right to lodge a complaint to the competent authority where you believe the collection, use, and disclosure of your Personal Data is unlawful or non-compliant with applicable data protection laws. We would, however, appreciate the chance to deal with your concerns before you approach the competent authority, so please contact us in the first instance.
8. Links to other third party websites
For website users, our site may contain links to platforms and other websites that are operated by third parties. While we try to link only to platforms and websites that share our high standards for privacy, we do not take responsibility for the content or the data protection standards employed by such other platforms or websites. Unless this Privacy Notice provides otherwise, any Personal Data you provide to any such third-party platforms or websites will be collected by that party and not by us and will be subject to that party’s privacy notice/policy (if any), rather than this Privacy Notice. In such a situation, we will have no control over, and shall not be responsible for that party’s use of your Personal Data.
9. Changes to this Privacy Notice
We may amend/update this Privacy Notice from time to time in accordance with our processing activities, or to reflect changes in applicable laws. It is suggested that you check back periodically to view any changes or updates to this Privacy Notice. The amendments to this Privacy Notice will be effective upon being published on our platform at reacc.io. If such amendment or update, however, materially affects you as a data subject, we will give you a reasonable prior notice in a suitable manner before such amendment or update is effective, and obtain your consent where necessary and required by laws.
10. Contact us
If you have any questions or concerns about our privacy practices or if you would like to submit a right request listed in this Privacy Notice, please contact us per the details below.
(1) ReAcc Company Limited
· Address: No.555/1, Energy Complex, Building A, Floor G, Vibhavadi Rangsit Road, Chatuchak Sub-district, Chatuchak District, Bangkok, Thailand, 10900
· Telephone: +6687-816-5652
· E-mail: [email protected]
(2) [Data Protection Officer (DPO)]
· Address: No.555/1, Energy Complex, Building A, Floor G, Vibhavadi Rangsit Road, Chatuchak Sub-district, Chatuchak District, Bangkok, Thailand, 10900
· Telephone: +6687-816-5652
· E-mail: [email protected]