POLICY

We, Suntory PepsiCo Beverage (Thailand) (“SPBT”), care about your privacy and are committed to respect them to the best of our ability. This Privacy Policy describes how, we collect, use, disclose or process your personal identifiable information (“Data”),

This Privacy Policy is in line with all laws, regulations and other legal requirements, including but not limited to, the Thailand’s Personal Data Protection Act B.E. 2562 (“PDPA”) and the sub-regulations which are relevant to the collection, use and/or disclosure of Data (as amended and/or changed from time to time) (hereinafter referred to as “Personal Data Protection Law”). We will notify you if there are any changes to our purpose of processing your Data to ensure compliance with the Personal Data Protection Law.

This Privacy Policy is in line with all laws, regulations and other legal requirements, including but not limited to, the Thailand’s Personal Data Protection Act B.E. 2562 (“PDPA”) and the sub-regulations which are relevant to the collection, use and/or disclosure of Data (as amended and/or changed from time to time) (hereinafter referred to as “Personal Data Protection Law”). We will notify you if there are any changes to our purpose of processing your Data to ensure compliance with the Personal Data Protection Law.

Please note that some of the links on our platform may lead to third party’s platforms, and if you access these platforms, your Data will then be processed under the third party’s policies. Make sure that you have read and are satisfied with those privacy policies when accessing such platforms.

“Process” or “processing” means any operation or set of operations which is performed on Data, including the collection, use, or disclosure of the Data.

“Sensitive Data” means a special category of Data under the Personal Data Protection Law consisting of racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data or disability condition, trade union information, genetic data and biometric data or of any data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee.

1. What Data we collect
We may process the following types of Data, received directly from you, or indirectly from other sources (such as our candidates, employees, distributors, customers, consumers, suppliers, service providers, other business partners, third parties (e.g., hospitals, the Royal Thai Police, other government agencies) or publicly available sources). The type of Data collected will depend on the communication and interaction between you and us, including but not limited to:

1. Personal details, such as title, full name, gender, age, nationality, date of birth, blood type, signature, information on government-issued cards (such as national identification card, passport), marital status, photographs, video, CCTV, and voice records;
2. Contact details, such as postal address, email address, telephone number, other social media contact details;
3. Social media and consumer behavior details, such as information about you and your behavior when you interact with any media about our products and/or services via various social media networks, such as when you “Like” us on Facebook, follow us, send us a message or share our content on Facebook;
4. Financial details, such as financial status and other financial related information;
5. Transaction details, such as payment date and time, purchased items and payment amount, transaction status and history;
6. Computer system, device and equipment details, such as IP Address, audit log, operating system, network information of the mobile, computer traffic information, and/or information of the use of service on website and application;
7. Sensitive Data, such as Sensitive Data from national identification card (such as religion), health data, medical certificates, disability, and any other sensitive data related to the filling of or providing evidence for consumer complaints and speak-up reports;

If you have provided Data of any third party to us, please provide this Privacy Policy for their acknowledgement and/or obtaining consent where consent is required when no other legal basis can be relied on.

We may occasionally collect the Personal Data of minors, quasi-incompetent persons and incompetent persons. If you are a minor, quasi-incompetent or incompetent person wishing to engage in a relationship with us, you must obtain consent from your parent or guardian prior to contacting us or giving us your Personal Data when the consent is required by law. In the event we learn that we have unintentionally collected Personal Data from anyone under the age of 20 without parental consent when it is required, or from quasi-incompetent and/or incompetent persons without consent from their legal guardians when it is required by law, we will delete it immediately or collect, use and/or disclose it only if we can rely on other legal bases apart from consent.

2.How we collect and use your Data
We only collect and use your general Data and/or Sensitive Data where it is necessary or there is a lawful basis for collecting and using it. These reasons include:

1. To prepare historical documents or archives for the public interest, or in relation to research or statistics;
2. Believing that the use of your general Data and/or Sensitive Data is of vital interest or to prevent or avoid danger to a person’s life, body or health;
3. Believing that the use of your general Data is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
4. Believing that the use of your general Data is necessary for the performance of our task carried out in the public interest or in the exercise of official authority vested in us;
5. Believing that the use of your general Data is necessary for the legitimate interests pursued by us or by a third party (e.g. ensuring security and business continuity, providing high standard services, improving our products and services and undertaking product development), unless the interests are overridden by your interests or fundamental rights and freedoms;
6. Believing that the use of your general Data and/or Sensitive Data is necessary for compliance with a legal obligation to which we are subject.

Apart from the mentioned lawful basis, we may process your general Data and/or Sensitive Data on the ground of consent. If we need to ask for your consent, we will make it clear what we are asking for and ask you to confirm your choice to give us that consent. If we cannot provide a service or product without your consent to process your general Data and Sensitive Data, we will make this clear when we ask for your consent.

In general, the reasons for processing your Data are as follows:

2.1. Our contract with you
We will process your general Data in accordance with the agreement between you and us, which may include the following reasons:

1. Executing an agreement for business operation of the company including but not limited to a supply agreement, a distribution agreement, a lease agreement, an employment agreement, a sale and purchase agreement, a service agreement, a purchase order, a non-disclosure agreement, a letter of intent, a memorandum of understanding, a letter of indemnity, and etc.;
2. Exercising rights or performing obligations under an agreement including but not limited to a supply agreement, a distribution agreement, lease agreement, an employment agreement, a sale and purchase agreement, a service agreement, a purchase order, a non-disclosure agreement, a letter of intent, a memorandum of understanding, a letter of indemnity, and etc.;
3. Receiving orders, delivering our products and/or services, ensuring consumers’ and customers’ satisfaction of our products and services, responding to consumer’s enquiries regarding the products and services as well as providing business support to our business partners including distributors for resale of our products to secondary customers and end consumers through any channels including online, offline, telesales, etc.; and
4. Participating in activities reorganize by, co-organized by, or on behalf of us for promoting our products, consumer or customer promotion, consumer research, sales activation, brands building, events organized by our affiliates, appointed third party and/or others with our sponsorship e.g. lucky draw activity, Pepsi Fanclub activity, Pepsi Promotion activity, running activity, Gatorade 5v5.

2.2. Our legitimate interests
We rely on the legitimate interests basis by balancing the nature of your general Data that we process with the normal reasonable expectations and provide safeguards to reduce any negative impacts on your fundamental rights and freedoms. This may include processing your general Data to:

1. Process the recruitment and provide job offers to candidates;
2. Approach for vendor selection process, third party due diligence process, and procure supply and/or services;
3. Receive complaints, proceed for investigate claims, connect to report the results of claims, compensation or complimentary distribution, report for internal use and make public communications;
4. Ensure security and safety of persons and properties in our responsibility;
5. Engage and communicate business transactions, engage in marketing and selling our products, promotions, campaign, activities, events, lucky draw and activations as well as provide business support to our business partners including distributors, agencies including report for internal use and make public communications;
6. Monitor sales performance, market analysis, production plan, sale and marketing strategy and planning as well as seeking for new route to market or distribution channels, conduct market research, consumer’s behaviour analysis, report for internal use and do telesales;
7. Process training to our business partners, distributors, and others;
8. Conduct vendor selection, bidding, and third party due diligence (TPDD);
9. Connect to third party and competent authorities for tax and privilege purpose from sales, marketing and consumers activities including business operations activities provide the equipment support as well as the maintenance service to the equipment including provide the products knowledge;
10. Investigate suspected misconduct activities reported by or against you or third party via Speak-Up including investigation of witness to the misconduct activities;
11. Establish, comply, exercise or defend legal claims against you including initiate litigation action.

2.3. Our legal obligation
We are regulated by many laws and regulations, and to fulfil our legal requirements, it is necessary to collect and process your general Data and/or Sensitive Data for the purposes of compliance with laws and regulatory obligations e.g. Labour Protection Act, B.E. 2541, Social Security Act, B.E. 2533, Workmen’s Compensation Act, B.E. 2537, Consumer Protection Act, B.E. 2522, Liability for Damage Arising from Unsafe Products, B.E. 2551, Revenue Code, Anti-Money Laundering Act, B.E. 2542 and etc.

2.4. Our legal claims
We may rely on the legal claims basis to process your Sensitive Data to establish, comply, exercise or defend legal claims against you or initiate litigation action to protect our interests.

2.5. Consent
Normally, we will not process your general Data and Sensitive Data if we do not have any legal basis to do so. However, in some cases we will ask your consent to collect, use, disclose or process your general Data and Sensitive Data. This may include certain processing of your general Data and Sensitive Data under the following circumstances, for which we cannot rely on other legal bases:

1. We intend to collect, use, disclose, transfer or process your general Data or Sensitive Data for our business operation, product improvement and marketing activities;
2. We intend to collect, use, disclose, transfer or process your general Data or Sensitive Data received transfer from others for our business operation, product improvement and marketing activities;
3. We intend to transfer your general Data or Sensitive Data overseas and the destination country has lesser data privacy standards; and
4. When the data subject is classified as a minor, quasi-incompetent or incompetent of which the consent will be requested from their legal representatives, guardians or curators, as the case may be.

We will send you relevant marketing information including details of products provided by us, our affiliates, or business partners which we believe you will be interested in, by mail, phone, email, text and other forms of communication. If you change your mind about how you would like us to contact you or you no longer wish to receive this information, you can tell us anytime by following our withdrawal process.

Failure to provide certain Data to us may result in us not being able to perform certain activities described in this Privacy Policy, to provide our products and services to you, or to perform our legal obligation.

3. Informing you of our collection of all your Data
Sometimes it is not necessary for us to inform you about Data collection, such as when:

1. You are aware of such new purposes or details;
2. We believe that notice of such new purposes or the details of the Data are impossible or will obstruct the use or disclosure of your Data, in particular for scientific, historical, or statistical research purposes, where we will take suitable measures to protect your rights, freedoms and interests;
3. It is urgent to use or disclose your Data as required by law and we will implement suitable measures to protect your interest; or
4. We are aware of or acquire your Data from our duty, occupation or profession, and we will maintain new purposes or certain Data details with confidentiality as required by law.

4.Your rights
The Personal Data Protection Law aims to give you more control of your Data. You have legal rights concerning your Data. These rights include:

4.1 Right to access
You have a right to get access and obtain a copy of your Data that we hold about you, or you may ask us to disclose the sources of where we obtained your Data that you have not given consent.

4.2 Right to data portability
You have a right to request us to transfer your Data to other persons/organizations, or request to see the Data that we have transferred to other persons/organizations, unless it is impossible due to technical circumstances.

4.3 Right to object to the processing of your Data
You have the right to object to the processing of your Data in cases where we rely on legitimate interest basis or public interest basis, unless there are circumstances that do not allow you to make the objection, such as when we have compelling legitimate grounds or when the processing of your Data is carried out to comply, exercise or defend legal claims.

4.4 Right to erasure
You have a right to request us to delete, destroy or anonymise your Data in the following circumstances where:
1. The Data is no longer necessary for the purpose of which it was collected, used or disclosed;
2. You have withdrawn your consent to which the collection, used or disclosure is based on and we do not have legal grounds to collect, use or disclose the Data;
3. You have objected to the collection, use or disclosure of the Data and we do not have legal grounds to reject such request; and/or
4. When the Data has been unlawfully collected, used or disclosed under the Personal Data Protection Law.


4.5 Right to restrict the processing of your Data
You have a right to request us to restrict the processing of your Data in the following circumstances when:

1. It is under the pending examination process of checking whether the Data is accurate, up-to-date, complete and not misleading or not;
2. It is the Data that should be deleted or destroyed as it does not comply with the law and you request to restrict it instead;
3. The Data is no longer necessary to retain for the purpose of which it was collected, used or disclosed, but you still have the necessity to request the retention for the purposes of the establishment, compliance, exercise of legal claims or the defense of legal claims;
4. We are pending verification in order to reject the objection request to the collection, used or disclosure of Data.


4.6 Right to rectification
You have a right to rectify inaccurate Data in order to make it accurate, up-to-date, complete and not misleading. If we reject your request, we will record such rejection with reasons.

4.7 Right to lodge a complaint
You will have the right to make a complaint to the competent authority in the case of where we, our data processors including our employees or contractors do not comply with the Personal Data Protection Law or other announcements of the Personal Data Protection Law.

4.8 Right to withdraw consent
You may withdraw your consent at any time, unless we have lawful basis to deny your request.

5. Retention period of Data
We retain your Data for as long as it is reasonably necessary to fulfil the purpose for which we obtained it, and to comply with our contractual, legal and regulatory obligations, to enable us to safeguard our legitimate rights such asserting claims in courts or for statistical or historical purposes.

The period we keep your Data is often linked to the prescription period and law enforcement period under the laws, which in many cases is up to 10 years. We will keep your Data after this time if we must do so to comply with the legal obligation, or if some existing claims or complaints will reasonably require us to keep your Data, or for regulatory or technical reasons. If we do need to keep your Data for a longer period, we will continue to protect that Data.

We may need to retain images and video clips from CCTV surveillance systems installed for security and safety of persons within our premises for 45 days.

6. Security
We use a range of appropriate physical, technical and organizational measures to keep your Data safe and secure which may include encryption and other forms of security. We require our staff and any third parties to comply with appropriate privacy standards including obligations to protect any Data and applying appropriate measures for the use and transfer of Data.

We certify that all collected Data will be stored safely and securely with strict and adequate security standards and in compliance with the Personal Data Protection Law.

We have implemented measures on controlling access and use of devices for storing and processing Data which are secured and suitable for our collection, use and disclosure of Data. We also have measures on restricting access to Data and the use of storage and processing equipment by imposing users’ access rights, users’ permission rights to the authorized personnel, and users’ duties and responsibilities to prevent unauthorized access, disclosure, perception or unlawful duplication of Data, or theft of device used to store and process Data.

7. How we share your Data
We may disclose or transfer your Data to our affiliates to comply with our legal obligations, to prevent fraud and/or to secure our tools, to improve our products and/or services or for the marketing purpose.

We may disclose or transfer your Data to the third parties who collect, use and disclose Data in accordance with the purpose under this Privacy Policy. You can visit their privacy policies to learn more details on how they collect, use and disclose your Data as you are also subject to their privacy policies separately.

We may provide your Data to the following parties on a need-to-know basis in certain circumstances:

1. Business partners, including (i) our group or affiliated companies and (ii) other persons or entities that we have an agreement with.
2. Suppliers, agents and other external auditors, system located overseas where the disclosure of such Data has a specific purpose and legal basis, as well as appropriate security measures.
3. Third parties providing services to us, such as market analysis and subcontractors acting on our behalf.
4. Social media companies (in a secure format) or other third-party advertisers so they can display relevant messages to you and others on our behalf about our products. Third-party advertisers may also use Data about your previous web activity to tailor adverts what are displayed to you.
5. Requirement for a proposed sale, reorganization, transfer, financial arrangement, asset disposal or other transaction relating to our business and/or assets held by our business.
6. Requirement under the laws and other relevant regulations, court order or other authorities. This includes any law enforcement agency, court, regulator, government authority or other third parties where we believe it is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety, or to detect, prevent, or otherwise address fraud, security, or safety issues.

8. International disclosure or transfer
We may disclose or transfer data subjects’ collected Data to group companies, third parties (such as, business partners, suppliers or service providers), or servers located in countries outside Thailand whose data protection laws may not be the same or as extensive as those in Thailand.

We will only disclose or transfer the collected Data to a country which the Personal Data Protection Committee considers to have adequate data protection standards.

Where such data security standards are deemed inadequate, we will provide appropriate safeguards to protect the data subjects’ interest and the disclosure or transfer will take place if one of the exceptions defined by the Personal Data Protection Law is met. The exceptions are:

1. The transfer is necessary for compliance with the laws;
2. The data subjects have explicitly consented to the proposed transfer after having been informed of the possible risks of such transfer due to the absence of an adequacy decision or adequate safeguards;
3. The transfer is necessary for the performance of a contract with the data subjects or the implementation of pre-contractual measures taken at the data subjects’ request;
4. The transfer is necessary for the conclusion or performance of a contract in the data subjects’ interest between us and another natural or legal person;
5. The transfer is necessary to protect the data subjects’ vital interests or those of other persons, where the data subject is incapable of giving consent; or
6. The transfer is necessary for important reasons of public interest.

9. How to contact us
If you have any comments, suggestions, questions or want to make a complaint or exercise your rights regarding your Data, please contact us at No.88 The PARQ Building, 15th floor, Ratchadaphisek Road, Khlong Toei, Khong Toei Bangkok 10110 Tel: (+66) 2610 2500 or visit our website at https://www.suntorypepsico.co.th/en/corporate/privacy-policy or contact our data protection officer at dpo@suntorypepsico.com .

10. Changes to this Privacy Policy
We reserve the right to change, amend or update the privacy policy at any time as we deem appropriate by notifying you of the said change, amendment or update. We will notify the changes on our website https://www.suntorypepsico.co.th/ in which you can check at any time.

To continue doing business with our business partners and maintain our business relationship, SPBT shall continue to collect and use business partners Data which SPBT currently hold about our business partners and/or their employees, personals, or contractors. These Data will only be used for SPBT original purposes before the effectiveness of the Personal Data Protection Law.