PRIVACY POLICY OF INDOCHINA PRODUCTIONS (SIAM)

This Privacy Policy shall become effective as of 1 March 2022.

Indochina Productions (Siam) Co.,Ltd. (the “Company”, “we”, “us”, or “our”) value the trust of all individuals (covering the current and previous roles) who we contract to work on our film productions in both production and performance roles, as well as the selected service providers and business partners (the “you”, “your”, or “yours”) and is committed to protecting and respecting your privacy. 

This Privacy Policy explains what Personal Data (defined below) we collect, use, disclose, and/or cross-border transfer outside Thailand (“process”) in the course of our film productions business, why we are processing it, and how may it affect you and your relevant rights as a data subject. 

We encourage you to read this Privacy Policy carefully. From time to time, we may change and/or update this Privacy Policy. We will provide you with additional notice of significant changes and/or updates.

WHAT PERSONAL DATA WE COLLECT

For the purposes of this Privacy Policy, “Personal Data” means any identified or identifiable information about any person as listed below.

We may collect your Personal Data directly from you or indirectly from other sources including our affiliates and subsidiaries, our service providers, and our third party business partners. The specific type of data collected will depend on the context of your interactions with us including for production, broadcasting, distribution, financing, management, promotion, marketing, administrative and legal purposes. The following are examples of Personal Data that may be collected:

1. Personal details, such as title, name, surname, gender, age, occupation, nationality, date of birth, identifiable information on government-issued cards (e.g., national identification card, passport, driver’s license details, house registration, work permit, tax identification number), signature, voice record, picture, photograph, VDO records, educational backgrounds, work experience, income/salary/bonus, payslip, weight and height, and CCTV records; 

2. Contact details, such as residential address, phone number, mobile phone number, email address, and social media accounts;  

3. Transaction details, such as credit/debit card holder number, credit/debit card information, bank account details, copy of bank account/bank book, purchase order details, legal proceeding information, documents related to such transaction (e.g. contracts, receipts), and contract details; and

4. Sensitive data, such as sensitive data as shown in the government-issued cards (e.g., religion on national identification card), and health data (e.g., health information, COVID vaccination status, and results of COVID testing) (“Sensitive Data“). 

   
   

We will only collect, use, and/or disclose Sensitive Data on the basis of your explicit consent or where permitted by law.

If you provide Personal Data of any person other than yourself to us (e.g., contact details of your preferred contact in the event of an emergency), you represent and warrant that you have the authority to do so by (i) informing such other person about this Privacy Policy; and (ii) obtaining consent where applicable or necessary to permit us to collect, use and disclose the Personal Data in accordance with this Privacy Policy.

We only collect the Personal Data of children, quasi-incompetent persons and incompetent persons where their parent or guardian has given their consent. We do not knowingly collect Personal Data from customers under the age of 20 without their parental consent when it is required, or from quasi-incompetent persons and incompetent persons without their legal guardian’s consent. In the event that we learn that we have unintentionally collected Personal Data from anyone under the age of 20 without parental consent when it is required or from a quasi-incompetent person or incompetent person without their legal guardian’s consent, we will delete it immediately or only collect, use and/or disclose the Personal Data if we can rely on another legal basis other than consent or where permitted by law.

WHY WE COLLECT, USE AND/OR DISCLOSE PERSONAL DATA

We may collect, use and/or disclose Personal Data for the following purposes:

THE PURPOSE FOR WHICH WE RELY ON CONSENT:

We rely on consent for the collection, use, and/or disclosure of Sensitive Data by us and our affiliates and subsidiaries, and for the disclosure of your Sensitive Data to our selected business partners for the following purposes:

1. Sensitive data: as shown in government-issued cards (e.g., religion on national identification card): To authenticate and verify identity; and

2. Sensitive data: health data (e.g., health information, COVID vaccination status, and results of COVID testing): To keep as evidence for contagious disease/epidemic protection and safety purposes. 

Where we rely on consent for the collection, use and/or disclosure of Personal Data, the data subject has the right to withdraw consent by contacting us (as detailed in “Our Contact Details”). The withdrawal of consent will not affect the collection, use and/or disclosure of Personal Data and Sensitive Data that was previously consented before the withdrawal. If you do not give consent or withdraw your consent for this purpose, we may not be able to engage you or hire you in the course of our business.

THE PURPOSE THAT WE MAY RELY ON OTHER LEGAL GROUNDS FOR COLLECTION, USE, AND/OR DISCLOSURE OF PERSONAL DATA

We may also rely on (1) contractual basis, for our initiation or fulfilment of a contract with you; (2) legal obligation, for the fulfilment of our legal obligations; (3) legitimate interest, for the purpose of our legitimate interests and the legitimate interests of third parties (for which we will balance the legitimate interest pursued by us and any relevant third party with your interests and fundamental rights and freedoms in relation to the protection of your Personal Data); (4) vital interest, for preventing or suppressing a danger to a person’s life, body or health; (5) public interest, for the performance of a task carried out in the public interest or for the exercising of official authorities; (6) the reason for an establishment and defense of legal claims in the future; and (7) for the necessity to comply with legal obligations to achieve the purpose relating to substantial public interest; or other legal grounds permitted under applicable data protection laws as the case may be. Depending on the context of the interactions with us, we may collect, use and/ or disclose Personal Data for the following purposes:

1. Work engagement: such as, for engagement decision making, evaluating suitability and qualifications, conducting due diligence or any other form of background checks or risk identification (including screening against publicly available government law enforcement agency and/or official sanctions lists), entering into a contract and managing our relationship with you, on-boarding process, issuing of name badge and staff identification pass and access card, provision of tools and/or equipment in order to carry on the engaged tasks, and issuing requests for quotations and purchase orders;

2. Managing Workforce: such as, managing work activities and personnel generally, including recruitment, performance management, salary, and payment administration and reviews, healthcare, benefits and welfare administration, insurance, training, leave, managing business expenses and reimbursements, planning and monitoring of training requirements, activities and skills, creating and maintaining directories, and termination;

3. Relationship management: such as, to plan, perform, and manage the (contractual) relationship with business partners e.g., by processing payments, performing accounting, auditing, and billing and collection activities;

4. Conducting our business operations: such as, to comply with reasonable business requirements including but not limited to internal management, training, quality control, auditing, reporting, submissions or filings, data processing, control or risk management, statistical, trend analysis and planning or other related or similar activities;

5. Communication: such as, to faciliate communication with you and your nominated contacts in an emergency; to provide references, and to protect the health and safety of individuals;

6. IT system management: such as, for our business management purpose including for our IT administration and operations, management of communication system, operation of IT security and IT security audit; internal business management for internal compliance requirements, policies and procedures; and to update our database;

7. Compliance with regulatory and compliance obligations: such as, to comply with legal obligations, legal proceedings or government authorities’ orders and/or cooperate with court, regulators, government authority and law enforcement bodies. 

8. Protection of our interests: such as, to protect the security and integrity of our business; to exercise our rights or protect our interest where it is necessary and lawful to do so, for example to authenticate and verify identity, to detect, prevent and respond to fraud claims, intellectual property infringement claims or violations of law; to manage and prevent loss of our assets and property; to secure the compliance of our agreements; to detect and prevent misconduct within our premises; to follow up on incidents; to prevent and report criminal offences; and to ensure business continuity;

9. Transfer in the event of merger: such as, sale, transfer, merger, reorganization or similar event, we may transfer Personal Data to one or more third parties as part of that transaction; and/or

10. Protection of person’s life, body or health: such as, to prevent or suppress a danger to a person’s life, body or health; or to prevent a contagious disease/epidemic or to handle an emergency event.

    
    

Where the Personal Data to be collected from you is needed to meet our legal or regulatory obligations or enter into an agreement with you, if you do not provide your Personal Data when requested, we may not be able to engage (or continue to engage) you in the course of our business.

• TO WHOM WE MAY DISCLOSE OR CROSS-BORDER TRANSFER PERSONAL DATA

We may disclose or transfer Personal Data to the following third parties who collect, use, and/or disclose Personal Data in accordance with the purpose under this Privacy Policy. These third parties may be located in Thailand and areas outside Thailand. You can visit their privacy policy to learn more details on how they collect, use and/or disclose Personal Data since you could also be subject to their privacy policies. 

Our affiliates and subsidiaries: We may need to transfer your Personal Data to, or otherwise allow access to such Personal Data to our affiliates and subsidiaries for the purposes set out above. Affiliates and subsidiaries will rely on the consent obtained by us to use your Personal Data. 

Our service providers: We may use other companies, agents or contractors to perform services on behalf of or to assist with the operation of our business, including but not limited to (1) infrastructure, software and website developer and IT service providers; (2) production house, marketing, advertising media and communications agencies; and (3) outsourced administrative service providers. 

In the course of providing such services, the service providers may have access to your Personal Data. However, we will only provide our service providers with the Personal Data that is necessary for them to perform the services, and we require them to not use your Personal Data for any other purposes. We will ensure that all the service providers we work with will keep your Personal Data secure.

Our business partners: We may transfer Personal Data to our business partners to operate our business including, but not limited to, production houses/studios, co-producers, distributors, insurance providers, medical service providers, hospitals, financiers, banks, space owners, suppliers, professional advisors, provided that the receiving business partner agrees to treat Personal Data in a manner consistent with this Privacy Policy. 

Third parties permitted by law: In certain circumstances, we may be required to disclose or share Personal Data in order to comply with legal or regulatory obligations. This includes any law enforcement agency, court, regulator, government authority, embassy, consulate, or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety; or to detect, prevent, or otherwise address fraud, security or safety issues. 

Third parties connected with business transfer: We may disclose or transfer Personal Data to our business partner, investor, significant shareholders, assignee or transferee in the event of a merger or transfer of all or a material part of our business, assets, or stock. If any of the above events occur, the receiving party will comply with this Privacy Policy to respect Personal Data.

INTERNATIONAL TRANSFERS OF PERSONAL DATA

We may disclose or transfer Personal Data to third parties or servers located overseas, in which the destination countries may or may not have the same data protection standards. We take steps and measures to ensure that Personal Data is securely transferred, that the receiving parties have in place suitable data protection standards and that the transfer is lawful by relying on the derogations permitted under the law.

HOW LONG DO WE KEEP PERSONAL DATA

We retain Personal Data for as long as it is reasonably necessary to fulfil the purposes for which it was obtained and to comply with our legal and regulatory obligations. However, we may have to retain Personal Data for a longer duration as required by applicable law.

DATA SECURITY

As a way to protect personal privacy, we maintain appropriate security measures, which include administrative, technical and physical safeguards in relation to access control, to protect the confidentiality, integrity, and availability of Personal Data against any accidental or unlawful or unauthorized loss, alteration, correction, use, disclosure or access, in compliance with the applicable laws.

In particular, we have implemented access control measures which are secured and suitable for our collection, use, and disclosure of Personal Data. We restrict access to Personal Data as well as storage and processing equipment by imposing access rights or permission, access management to limit access to Personal Data to only authorized persons, and implement user responsibilities to prevent unauthorized access, disclosure, perception, unlawful duplication of Personal Data or theft of device used to store and process Personal Data. This also includes methods enabling the re-examination of unauthorized access, alteration, erasure, or transfer of Personal Data which is suitable for the method and means of collecting, using and/or disclosing Personal Data.

RIGHTS AS A DATA SUBJECT

Subject to applicable laws and exceptions thereof, a data subject may have the following rights to:

1. Access: Data subjects may have the right to access or request a copy of their Personal Data we are collecting, using and/or disclosing. For privacy and security, we may require proof of the data subject’s identity before providing the requested Personal Data;

   • Rectification: Data subjects may have the right to have incomplete, inaccurate, misleading, or not up to date Personal Data that we collect, use and/or disclose rectified;

   • Data Portability: Data subjects may have the right to obtain Personal Data we hold about that data subject, in a structured electronic format, and to transmit such data to another data controller, where this is (a) Personal Data which you have provided to us, and (b) if we are collecting, using and/or disclosing that data on the basis of the data subject’s consent or to perform a contract with the data subject;

   • Objection: Data subjects may have the right to object to certain collection, use and/or disclosure of Personal Data such as objecting to direct marketing;

   • Restriction: Data subjects may have the right to restrict our use of Personal Data where the data subject believes such Personal Data to be inaccurate, that our collection, use and/or disclosure is unlawful, or that we no longer need such Personal Data for a particular purpose;

   • Withdraw Consent: For the purposes the data subjects have consented to our collection, use and/or disclosure of Personal Data, data subjects may have the right to withdraw consent at any time;

   • Deletion: Data subjects may have the right to request that we delete, destroy or de-identify Personal Data that we collect, use, and/or disclose, except when we are not obligated to do so if we need to retain such Personal Data in order to comply with a legal obligation or to establish, exercise or defend legal claims; and 

• Lodge a complaint: Data subjects may have the right to lodge a complaint to the competent authority where the data subject believes our collection, use and/or disclosure of Personal Data is unlawful or non-compliance with applicable data protection law.

OUR CONTACT DETAILS 

If you, as a data subject, wish to contact us to exercise your rights relating to your Personal Data or if there are any queries about your Personal Data under this Privacy Policy, please contact us or our Data Protection Officer (DPO) at:

Indochina Productions (Siam) Co.,Ltd.