Gulf Privacy Notice

Last modified: July, 2020

Maintaining the security and privacy of Personal Data (as defined below) is important to the way in which Gulf Energy Development Public Company Limited and our affiliated companies (hereinafter “Gulf”, “we”, “us”, or “our” ) operates business globally.

A. How this Notice applies

This Privacy Notice (“Notice”) explains the collection, use, disclosure and transfer of Personal Data (as defined below) and the data protection rights of individuals outside our organization with whom we interact and whose Personal Data (as defined below) we handle in the course of our businesses or in connection with the products and services we provide, including: (i) contact persons, employees, personnel, authorized persons, representatives, agents, directors, shareholders or any persons, who have the power to establish business relationship or engage in a transaction on behalf of our (a) corporate customers and their affiliates (hereinafter “Corporate Customers”); (b) business partners, vendors, suppliers, service providers, and other persons who provide their products and services to us (collectively in (b) as “Business Partners”), (ii) users and visitors of our websites, (iii) other recipients of our products and services, and (iv) any other individuals about whom we obtain Personal Data (as defined below) (together, “you” or “your”).

B. Changes of this Notice

This Notice may be amended or updated from time to time upon developments in our practices or policies with respect to the collection, use, disclosure and/or transfer of Personal Data (as defined below), or to reflect changes in applicable laws. It is suggested that you check back periodically to view any changes or updates to this Notice. The amendments to this Notice will be effective upon being published on our websites at [https://www.gulf.co.th/en/PrivacyNotice]. If such amendment or update, however, materially affects you as a data subject, we will give you a reasonable prior notice in a suitable manner before such amendment or update is effective.

C. How we collect, use, disclose and/or transfer and protect your Personal Data

1. Personal Data We Collect

1.1 Categories of Personal Data

Personal Data” means any identified or identifiable information about you as listed below.

If it is possible to combine any information with your Personal Data, or if other information is used to build a profile of an individual, we will treat such other information and combined information as Personal Data.

We may collect or obtain the following categories of information which may include your Personal Data, depending on the context of your interactions and relationship with us. For personnel of our Corporate Customers and Business Partners, the specific types of data collected depend on the Corporate Customers’ and Business Partners’ relationship with us. We may collect your Personal Data as applicable as follows:

Personal details: Personal details about you, such as title, first name, last name, copies or information on government-issued cards (e.g., national identification number, tax identification number, passport number and household registration information), signatures, images, work-related information (e.g., your position, function, occupation, job title, company you work for, employment status, or shareholding status), and other identifiers.
Contact details: Your contact details, such as business telephone numbers, business postal address, business e-mail address, mobile phone number, social media account ID and other similar contact information.
Financial details: Your financial details, such as bank account information.
Online/Internet details: Data in connection with online usage and technical data, such as cookies and other similar technology, Internet Protocol (IP) address, internet browsing behavior, login data, login log, search history, browsing details, browsing type and version, browsing language, web beacon, log, device ID and type, network, connection details, access details, single sign-on (SSO) details, browser plug-in types and versions, operating system and platform, time zone setting and location, access times, time spent on our page, information about how you use and interact with our online services (including web page viewed, content viewed, links clicked, and features used), when and how often you use our online services, the webpage from which you clicked a link to come to our online services (e.g., the referrer URL), crash reports and other technology on devices you use to access the platform.
Other details you provide to us: Information as part of our prospective or existing relationship with you, such as information collected, used, or disclosed in connection with the relationship with us, or in connection with the relationship between us and our Corporate Customers or Business Partners in which you work for or associated with, such as, required documents containing your Personal Data attached to contracts with us or information contained in tax document (e.g., PND. 3 form), or data collected when you interact with us, which may include signatures, and your correspondence with us, and information as part of our prospective or existing relationship with you in the course of you applying for or us providing you with our products or services and otherwise (such as, via filling in our forms or other methods determined by us).
Sensitive Data: Your religion as shown on your national identification card.

We will only collect, use, or disclose sensitive data on the basis of your explicit consent or where permitted by law.

Personal Data of third parties

If you provide us with Personal Data about other persons such as, personal information of contact person, board members, directors, shareholders, representatives, or other persons who have executive power in your organization, or you ask us to disclose their Personal Data to third parties, you are responsible for notifying those other persons of the details of this Notice, including obtaining any required consent from such third parties (where consent is required). You must also ensure that we can lawfully collect, use, or disclose those persons' Personal Data as set out in this Notice.

Personal Data of minors, incompetent persons and quasi-incompetent persons

Our business operation does not generally involve the collection, use, disclosure and/or transfer of minors’, incompetent persons’ and quasi-incompetent persons' Personal Data. However, in the event where we collect such Personal data, we will only collect such Personal Data of minors, quasi-incompetent persons, and incompetent persons where their parents or guardians have given their consent, or where we can rely on other legal basis as permitted by laws. We do not knowingly collect Personal Data from individuals under the age of 20 without their parental consent when it is required, or from quasi-incompetent persons and incompetent persons without their legal guardian's consent. Upon being aware of unintentional collection of Personal Data from anyone under the age of 20 without parental consent when it is required, or from quasi-incompetent persons and incompetent persons without their legal guardians consent, we will delete it immediately or collect, use, disclose and/or transfer only if we can rely on other legal bases apart from consent.

Cookies and other Automatically Collected Information

As part of security procedure of our services and user experiences, cookies and such other systems may be used and may be placed on your device. We use cookies on our website which automatically collects information about the visitors when they visit and interact with our website. In general, information gathered through usage of a cookies is not linked to any direct personal identifiers (e.g. your name or e-mail address). However, the information may include Personal Data under appropriate data protection laws such as user domain; browser type; operating system; page visits; additional information about user device; date, time, and duration of user visit; Internet traffic; and information from third parties. In the case where we may link such Personal Data with cookies or other data that are associated with your use of our services, we will treat cookies and combined information as Personal Data.

Our emails may include links to visit pages on our website, download content, open attachments, complete surveys, or perform additional actions. If a user is in our customer contact database, or has interacted with us online previously, metadata in the links may allow us to identify the individual user clicking on the link.

If you visit our offices or sites, and use our guest Wi-Fi, we may automatically collect information about your devices and online activities. Usage of our Wi-Fi is subject to our Wi-Fi Acceptable Use Guidelines, which must be accepted by users to connect to our guest Wi-Fi. For reasons of office, site and facility security and safety, we use video surveillance (CCTV) in our offices, sites and facilities. Please refer to our Privacy Notice on CCTV use accessible at [https://www.gulf.co.th/media/1756/cctv-notice.pdf].

1.2 Collection of your Personal Data

We may collect your Personal Data through various means, such as, directly from you (e.g., when you do businesses with us, including signing a contract, filling a form when you interact with us, including interactions via our online platforms (e.g. e-bidding), via our website, via e-mail, by phone, during meetings and events or when we visit you), or indirectly from the Corporate Customers or Business Partners you represent, work, or act for, or from our affiliates or third parties, or through publicly available sources (e.g. websites and publicly available corporate databases).

2. On what basis and why we collect, use, or disclose your Personal Data

Except in limited instances when we indicate that collection, use, disclosure and/or transfer are based on your consent, we generally use the following legal justifications: (1) a contractual basis, for our initiation or fulfilment of a contract with you; (2) compliance with legal obligations; (3) the legitimate interest of ourselves and third parties, to be balanced with your own interest and fundamental rights and freedoms in relation to the protection of your Personal Data; and (4) vital interest, for preventing or suppressing a danger to a person’s life, body or health.

We may collect, use, disclose and/or transfer your Personal Data collected for various purposes, depending on how you interact with us, what products or services you obtain from us, nature of our relationship with you and our Corporate Customers or Business Partners and/or any other considerations in each specific context and nature, as described below.

Security and System Monitoring: Such as to safeguard the confidentiality, security, and accessibility of the company website, IT systems, networks and hardware, and information, to provide IT and helpdesk supports, to create and maintain code and profile, to manage the access to any systems to which we have granted the access, to remove inactive accounts, to implement business controls to enable our business to operate, to identify and resolve issues in our IT systems, to keep systems secure, to perform IT systems development, implementation, operation and maintenance, to authenticate and access controls and logs where applicable, to monitor of system, devices and internet;
Protection of our interests: Such as to oversee, safeguard, and inspect risk exposure, to prevent fraud, claims and further liabilities, to encompass but not restricted to violations of company contract terms, regulations, or laws, to perform institutional risk control, to deal with active risk management pursuant to which risks in terms of markets, credit, default, processes, liquidity and image as well as operational and legal risks must be identified, limited, and monitored, to protect the security and integrity of business, to exercise the rights or protect our interests where it is necessary and lawfully to do so (e.g., to determine fraud risk and identify fraudulent transactions, intellectual property infringement claims, or violations of law), to manage and prevent loss of our assets and property, to perform internal audits and records, asset management, system, and other business controls, to maintain data accuracy, to keep business records and otherwise to operate, manage, and maintain our business operations, to maintain internal business management for internal compliance requirements, policies, and procedures, to prevent or suppress a danger to a person’s life, body, or health, to secure the compliance of our contract terms, to follow up on incidents, to prevent and report criminal offences;
Carrying out legal purposes: Such as to comply with appropriate rules, regulations, and laws (including tax report and tax filing), and in advancement of our associated internal policies, counting records retention requirements and compliance policies, to exercise our rights or defend against legal claims, to maintain record keeping and resolving complaints and disputes, to comply with legal obligations, legal proceedings, or government authorities' orders which may include orders from government authorities outside Thailand, and/or cooperate with court, regulators, government authorities, and law enforcement bodies when we reasonably believe that we are legally required to do so, and when disclosing your Personal Data is strictly necessary to comply with the said legal obligations, proceedings, government orders, codes of conduct and our internal policies, to perform compliance activities, to conduct internal and regulatory reporting;
Functioning of our sites and platform Such as to administer, operate, track, monitor, and manage our sites and platform, to facilitate and ensure that they function properly, efficiently, and securely, to facilitate your experience on our sites and platform, to improve the layout and content of our sites and platform, to allow the access to our available systems and provide technical assistance;
Office and Facilities Security and Safety: Such as to oversee visitor access to company offices, sites and facilities and maintain the security and safety of staffs, visitors, and offices, sites and facilities;
Activities and Events: Such as to coordinate, accommodate, and direct events, to count processing registrations, to disseminate participant lists, to assign acceptable accommodations (including special dietary concerns), and to utilize photos and videos taken at events on our websites and additional materials pertaining to the event; and
Sensitive Data: In general, we use your identification card for authentication and verification purpose, however we do not use or disclose your religion shown in the identification for any other purpose.

If you do not provide your Personal Data, it may mean that we cannot provide you with the products or services you request, we cannot meet all our obligations to you, or we cannot comply with other legal obligations.

3. Disclosure of Personal Data

Depending on the context of your relationship with us and the nature of products or services you obtain from us, we may disclose your Personal Data to the following parties for the purposes as described in this Notice:

Gulf group and affiliates: Gulf is a multinational corporation. We distribute information, including Personal Data, internally among our corporate affiliates in the typical course of our day-to-day transactions. For a current listing of our power plants and other projects, please visit our website at: https://www.gulf.co.th/en/our-business.
Service providers or suppliers: We may disclose your Personal Data to service providers or suppliers (or they may gather Personal Data precisely on our behalf), as engaged to provide services or support for various business purposes, for example, IT service providers including, cloud service providers; software service providers; network and infrastructure service providers; postal mail and messenger service providers; logistic service providers; payment service providers; payment networking service providers; administrative and business support service providers; document storage and destruction service providers; data backup service providers; printing service providers.
Professional advisors: We may disclose your Personal Data to professional advisors such as auditors, legal advisors or counsels, accountants, and tax consultants who assist us in running our business and defending or bringing any legal claims, initiating and managing auction or otherwise taking legal actions.
Business partners: We may disclose your Personal Data to companies that we have partnered with to offer or enhance our products or services, such as state enterprises, and financial institutions, to perform our products or services.
Third parties with whom you authorize or direct us to share your Personal Data We may disclose your Personal Data with your consent or at your direction.
Third parties connected with corporate transactions: We may disclose or transfer your Personal Data to third parties that are connected with possible or substantive sale of our business or any of our assets, or those of any related company, particularly through acquirements or mergers, alteration in divestitures or control, or affiliation with bankruptcy. In such instances, Personal Data collected by us may be one of the reassigned equities.
Government entities and others with whom we disclose Personal Data for legal or necessary purposes We may disclose your Personal Data to government entities or regulatory bodies and others for legal, regulatory and other necessary purposes. This includes responding to requests from regulators or government authorities for purposes of law enforcement, legal orders, audits, or legal processes/claims.
Other third parties: We may disclose your Personal Data to persons involved in the provision of the type of products or services offered by us including your corporate insurer, your contact persons and/or your employers. If you attend our events, we may distribute your name in the participant list and/or promotional materials. We may incorporate videos, photographs, and additional multimedia taken of the individual on our website and in certified report materials.

4. Transfer of Personal Data to other countries

We may disclose or transfer your Personal Data to our affiliates, third parties or servers located outside Thailand for lawful purposes. Some recipients of your Personal Data are located in another country for which the Personal Data Protection Committee under the Thai Personal Data Protection Act B.E. 2562 has not ruled that this country has adequate data protection standard.

5. Security of your Personal Data

Gulf maintains a variety of safeguards, managerial, material, and industrial; devised to safeguard Personal Data from unauthorized admittance or publication; and incidental or illegal demolition, amendment, or misplacement. Features of Gulf’s information security program can be found in further detail on our website at https://www.gulf.co.th/en/InformationSecurity.

While it is our goal to secure your Personal Data from unauthorized access, inappropriate use or disclosure, prohibited amending or illegal demolition or incidental misplacement, and we manage and use particular equitable actions, telecommunications, and structures to do so, please note that no communication over the Internet is entirely protected or infallible, and that the aforementioned structures, actions, and telecommunications managed and used by us may be compromised.

6. Retention of your Personal Data

We will store your Personal Data for as long as it is necessary for the purposes for which it was collected, as explained in this Notice and in accordance with the applicable laws. However, we may retain your Personal Data for a longer period in order to comply with applicable laws and regulations and our internal policy or with regard to our operational requirements, such as proper record maintenance, facilitating relationship management, and responding to legal claims or regulatory request.

7. External Links

Where applicable for website users, our services may contain links to other websites/platforms that are operated and controlled by third parties. While we try to link only to websites that share our high standards and respect for privacy, we do not take responsibility for the content or the privacy practices employed by other websites. Unless otherwise stated, any Personal Data you provide to any such third party website will be collected by that party and not by us, and will be subject to that party's privacy notice/policy (if any), rather than this Notice. In such a situation, we will have no control over, and shall not be responsible for, that party's use of the Personal Data you provide to them.

8. Your Personal Data Protection Rights

The rights in this section are your legal rights, where you may request exercise of these rights under the conditions prescribed by law and our right management procedures. These rights are as follows:

a) Right to Access: You have the right to access and request a copy of Personal Data concerning you, or request us of the disclosure of the acquisition of your Personal Data acquired without your consent;
b) Right to Rectification: You may have the right to have incomplete, inaccurate, misleading, or not up-to-date Personal Data collected about you rectified;
c) Right to Objection: You have the right to object to the collection, use, or disclosure of your Personal Data, on grounds relating to your particular situation;
d) Right to Erasure: You have the right to request us to delete, destruct or anonymize your Personal Data to the extent permitted by laws;
e) Data portability: Where legally applicable, you have the right to request your Personal Data in a structured, commonly used and machine-readable format, and transmit it to another organization;
f) Right to Restriction: You have the right to request us to restrict the use of your Personal Data;
g) Right to Consent withdrawal: Where you have given your consent for the collection, use, or disclosure of your Personal Data, you have the right to withdraw your consent at any time; and
h) Right to Lodge a Complaint: You have the right to file a complaint with the competent authority regarding the collection, use, and/or disclosure of your Personal Data by us or on our behalf. We would, however, appreciate the chance to deal with your concerns before you approach the competent authority, so please contact us in the first instance.

If you would like to exercise any of your data protection rights, you may do so by contacting us per our contact details below. A fee may be charged where permissible by law.

Your request for exercising any of the above personal data protection rights may be limited by the applicable laws. There may be certain cases where we can reasonably and lawfully decline your request, for example, due to our legal obligation or court order.

Gulf Investor Relations

You may unsubscribe from our investor relations emails by clicking on the “unsubscribe” link supplied in every email or by the link situated at https://investor.gulf.co.th/en/information-request/email-alerts-unsubscribe. Additionally, you may opt-out/unsubscribe from our emails and amend your contact information by contacting our customer support team directly.

9. Our Contact Details

If you have any inquiries or concerns in connection with this Notice or the collection, use, or disclosure of your Personal Data by us, or you would like to submit a request to exercise your rights, please contact us at:

Gulf Energy Development Public Company Limited
87 M. Thai Tower 11th Floor, All Seasons Place, Wireless Road,
Lumpini, Pathumwan, Bangkok 10330
Tel: +662-080-4499
Fax: +662-080-4455
E-mail: contact@gulf.co.th