Privacy Policy - Thailand

ZICO INSOURCE (THAILAND) LTD. (the “company”, “we”, “us”, or “our”) operates the website https://zicoinsource.com along with other online platforms and social media channels within our group. As a law firm, we are committed to respecting the privacy of our users and recognizing the importance of safeguarding personal data. Our goal is to provide clear and transparent information regarding the collection, use, and disclosure of your personal data.
We handle your personal data with the utmost care and in compliance with the Personal Data Protection Act of Thailand (the “PDPA”), as well as other applicable laws and regulations. This Privacy Policy outlines how we collect, use, store, disclose, and protect your personal data, including sensitive legal information, in accordance with relevant data protection laws. By providing your personal data to us, you consent to the practices described in this Privacy Policy.
Therefore, we have established this Personal Data Protection Policy to outline the procedures for collecting, using, disclosing, protecting, accessing, transferring, and analyzing your personal data, as following;

1) Scope of this Privacy Policy

This policy applies to all parties involved in the management of personal data within the organization, including us, employees, staff, contractors, outsourced parties, and third-party individuals who work on behalf of or collaborate with us. The Purpose of this Privacy Policy is:
A.To ensure that the management of the personal data collected by our Company comply with all relevant legal requirements.
B. To provide clear guidelines for the protection of personal data collected and processed by the Company, which must be strictly adhered to by employees and all parties involved in handling such data.
C. To assure personal data owners that their data will be protected and processed in an appropriate, transparent manner, in full compliance with the PDPA and other applicable regulations.

2) Definitions

“Personal Data” means any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular. This may include:

• Personal Identifiers:Name, identification number (Passport number and/or ID card number), gender, nationality.
  • Contact Information: Residential address, email address, phone number.
  • Sensitive Personal Data: Information that is considered more sensitive under the PDPA, which requires higher protection. This includes:
  – Racial or ethnic origin
  – Political opinions
  – Religious or philosophical beliefs
  – Health information
  – Genetic data
  – Biometric data
  – Sexual orientation
  – Criminal records and legal proceedings
• Professional Information:Employment history, professional credentials, and other relevant background data.
  “Data Controller” means a Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data; “Data Processor” means a Person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller;

3) Duty and Responsibility
A. As the “Personal Data Controller” we hold the authority and responsibility for determining the purposes and methods of collecting, using, and disclosing personal data. We have also designated employees to manage activities related to the collection, use, or disclosure of personal data on our behalf.
B. Our employees, who handle personal data on behalf of the Company, are referred to as “Personal Data Processors” under the PDPA.
C. As an individual whose personal data is processed, you are recognized as a “Personal Data Owner” under this legislation.

4) Personal Data Protection

A. Collection

1. We collect your personal data in various ways, including:
   • Direct Communication:Information you provide during consultations, via emails, phone calls, or meetings, and information included in any legal documents, or any documents or agreements.
   • Third Parties:Data shared by third parties such as other legal professionals, organizations, or individuals with your consent.
   • Public Records: Information we may collect from publicly available records or legal filings in the course of our work.
   • Website Interaction: Data collected when you visit our website, including your device’s IP address, cookies, and other tracking technologies.

B. Consent

We may acquire your consent to collect, use and disclose your Personal Data for the following purposes, which include but are not limited to:

• collection and use your sensitive Personal Data as necessary; and/or
• sending or transfer of your Personal Data to another country, which may have inadequate personal data protection standards.
  
  If it is necessary for compliance with the applicable laws, We may process your Personal Data without your consent. In this regard, We will strictly comply with the relevant laws regarding your Personal Data.

C. Use

We collect, use, and disclose personal data for the following purposes:
• Provision of Services: Fulfilling contractual obligations in relation to the goods and/or services requested by you.
• Identity Verification: Confirming your identity and processing legal or financial transactions.

• Recruitment purposes: To process any application made to us in relation to job openings (permanent, contract or internships).  
  • Client Support & Relationship Management: Responding to inquiries, applications, complaints, and feedback while managing our professional relationship with you.
  • Communications & Publications: Providing relevant information, materials, publications, and invitations to events related to our services.
  • Regulatory & Legal Compliance: Ensuring adherence to applicable laws, regulations, codes of practice, and assisting governmental or regulatory authorities in investigations.
  • Information Sharing: Disclosing personal data to third-party service providers, agents, and relevant governmental or regulatory authorities in Malaysia, Singapore, or other jurisdictions for legitimate business purposes.
  • Technology & Platform Maintenance: Ensuring the proper functioning and security of our website and legal technology platforms.
  • Incidental Business Purposes: Any other purposes reasonably related to the above or for which you have provided your consent.
  
  The collection of your personal data by us may be mandatory or voluntary in nature depending on the purposes for which your personal data is collected. If you fail or choose not to provide us with such data, or do not consent to the above or this Privacy Statement, we may not be able to provide our products and/or services or otherwise deal with you and/or to assess and process your application.

D. Disclosure of Personal Data
We may disclose your personal data to the following:
• Legal and Regulatory Authorities:To comply with any legal obligations or respond to requests from government bodies, courts, or regulatory authorities.
• Service Providers and Professional Advisors:To our agents, contractors, or professional advisers (such as external auditors or accountants) who assist us in providing services to you.
• Other Entities within the Firm: Other offices or entities within the ZICO Holdings Inc group

Please note: We take extra precautions when handling sensitive personal data, including legal documents and privileged communications, in order to protect confidentiality.

E. Storage
Electronic personal data shall be securely stored in accordance with the PDPA and Zico Insource cloud services or other secure systems authorized by us.

Additionally, personal data in non-electronic formats shall be stored in secure storage, with access restricted in accordance with the relevant department to prevent unauthorized access to personal data.
When the data subject’s consent is obtained, employees shall store the consent along with the personal data in the same systems and/or storage, ensuring proper documentation and security.

F. Retention of Personal Data
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law. This includes maintaining client files and records in accordance with professional standards and legal requirements. When the data is no longer needed, we will securely delete or anonymize it.

However, the Company may retain the personal data of the data subject for a period longer than the specified retention period if permitted by law, or if the retention is necessary for the establishment of legal claims, compliance with legal obligations, adherence to an order from an official or government agency with relevant authority, or for business purposes as required by law.

G. Transfer of Personal Data in the Group
Personal data may be transferred between employees within the Zico Holdings Inc Group only when necessary for the performance of their work duties and is strictly limited to informed business purposes. Such transfers will be carried out in compliance with the PDPA, this Policy, and all other relevant regulations.

H. Security of Personal Data
We implement reasonable physical, technical, and organizational measures to protect your personal data against unauthorized access, loss, or misuse. We take all necessary steps to ensure the confidentiality and integrity of your legal information, recognizing the sensitive nature of the data we handle.

However, no system is completely secure, and we cannot guarantee absolute protection from data breaches.

5) Data Subject’s Right
Under the PDPA, you have certain rights regarding your personal data, including:
A. Right to Withdraw Consent: You have the right to withdraw your consent from us to collect, use, or disclose your personal data. However, please note that withdrawing consent may impact our ability to provide you with legal services or could have legal consequences in certain situations.
B. Right to Access: You have the right to request access to the personal data we hold about you.
C. Right to Data Portability: Data subjects may have the right to obtain personal data in a structured, electronic format and to transmit such personal data to another data controller, where (a) the data subject has provided the personal data to the Company, and (b) we have been collecting, using, and/or disclosing that personal data based on the data subject’s consent or other legitimate purposes.
D. Right to Object: Data subjects may have the right to object to certain collection, use, and/or disclosure of their personal data.
E. Right to Erasure: Data subjects may have the right to request that we delete, destroy, or anonymize personal data that we have been collecting, using, and/or disclosing. However, we are not obligated to comply with such requests if we need to retain personal data to comply with a legal obligation or to establish, exercise, or defend legal claims.
F. Right to Restriction: Data subjects may have the right to restrict the use of their personal data if they believe the data is inaccurate, that our collection, use, and/or disclosure is unlawful, or that we no longer need the personal data for a specific purpose.
G. Right to Rectification: Data subjects may have the right to request the rectification of any incomplete, inaccurate, misleading, or outdated personal data that we have been collecting, using, and/or disclosing.
If you wish to exercise any of these rights, please contact us using the details provided below.

6) Accuracy of Personal Data
We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data by informing us in in writing or via email at the contact details provided below.

7) Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or to comply with changes in laws and regulations. Any updates will be posted on our website, with the date of the last revision indicated. By continuing to use our services, you accept the updated Privacy Policy.

8) Procedures for Data Breach
In the event of any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or accession to Personal Data, the relevant Data Processor shall immediately, but not later than 12 (twelve) hours, notify the Management with the appropriate details of the breach.

9) Withdrawing the consent
The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time it is being withdrawn by you in writing. You may withdraw consent and request us to stop collecting, using and/or disclosing your personal data for any or all of the purposes listed above by submitting your request in writing or via email to the contact details provided below.

Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within fourteen (14) business days of receiving it.

Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our goods or services to you and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing in the manner described above.

Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclose without consent is permitted or required under applicable laws.

10) Access to and correction of Personal Data
If you wish to make (a) an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data, or (b) a correction request to correct or update any of your personal data which we hold about you, you may submit your request in writing or via email at the contact details provided below.

Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.

We will respond to your request as soon as reasonably possible. In general, our response will be within twenty (20) business days. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the relevant laws).

11) Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights under the PDPA, please contact us at:

Name: Sheliza Suhana Ahmad
Designation: Head of Risk & Compliance, ZICO Holdings Inc. Group
Contact No: +603 9212 0977
Email Address: sheliza.suhana.ahmad@zicoholdings.com