Privacy Policy

Backyard Co., Ltd. (hereinafter referred to as "the Company") is committed to protecting personal data and complying with the Thailand Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). As the Company's operations involve the collection and processing of personal data, it acts as a personal data controller under the PDPA and has duties and responsibilities to protect personal data in accordance with the law.

To uphold these commitments, the Company has established this privacy policy ("Policy") to outline the guidelines and practices for its personal data protection operations.

This Policy applies to all individuals involved in the management of the Company's data, including directors, employees, staff, working groups, contractors, external agencies or external persons who work on behalf of or in collaboration with the Company.

The Company expects all individuals subject to this policy to understand its principles and guidelines and adhere to them strictly. Any violation of this Policy, including practices contrary to it, will result in disciplinary action.

Personal Data Protection Law refers to the Thailand Personal Data Protection Act B.E. 2562 (2019) and any future amendments thereto, including related subordinate laws and regulations.

Personal Data refers to information relating to an individual that enables the identification of such individual, whether directly or indirectly, such as name, surname, nickname, email address, telephone number, address, vehicle registration number, including biometric data such as facial recognition and fingerprints, but excludes information of deceased persons.

Data Controller refers to a person or juristic person who has the power and duty to make decisions regarding the collection, use, or disclosure of personal data.

Data Processor refers to a person or juristic person who performs operations regarding the collection, use, or disclosure of personal data on behalf of or as instructed by the Data Controller. Such a person or juristic person is not the Data Controller.

Data Subject refers to a natural person who is the owner of the personal data, but it does not include cases where a person has ownership or creates or collects the data themselves.

Processing refers to the collection, use, or disclosure of personal data in accordance with the Personal Data Protection Law.

Employee refers to executives, employees, staff, or those working for or performing duties for the company under a contractual agreement or appointed by law to perform duties.

The company will process personal data based on the following key principles:

• Lawfulness, Fairness, and Transparency: The processing of personal data must be lawful, fair, and transparent to the data subject.
• Purpose Limitation: The processing of personal data will be carried out within the scope of clear and legally binding purposes and will not be incompatible with those purposes.
• Data Minimization: The processing of personal data must be adequate, relevant, and limited to what is necessary for the intended purposes.
• Accuracy: Personal data must be accurate and, where necessary, kept up to date, with appropriate steps taken to correct any inaccuracies.
• Storage Limitation: Personal data must be stored only as long as necessary for the processing purposes unless a law requires the company to retain the data longer.
• Integrity and Confidentiality: Personal data must protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

The company will process personal data based on the following key principles:

• Establish an organizational structure to assign responsibilities for overseeing and guiding the company’s operations in compliance with this policy and the Personal Data Protection Law, provide consultation to employees, and act as the company’s liaison with data subjects and the Personal Data Protection Committee.
• Define practices and employee responsibilities related to personal data protection that align with this Policy, the Personal Data Protection Law, and other related policies.
• Provide training to raise awareness and understanding among the Company’s employees regarding personal data protection.
• Inform service users or individuals interacting with the Company about data processing purposes, including third parties with whom the data may be shared or disclosed, through clear Privacy Notices and Cookie Notices.
• Ensure that consent, when required, is explicit, using clear language, in easily accessible and understandable formats, and written in a simple language.
• Establish methods, channels, and designate responsible persons for handling complaints, requests, and actions regarding the data subject’s rights under the Personal Data Protection Law.
• Establish processes and designate responsible persons for conducting audits, investigations, and internal reporting in the event of a personal data breach
• Maintain records as required by Section 39 of the Personal Data Protection Law for inspection by data subjects and the Personal Data Protection Committee, such as records of collected personal data and data controllers, and reviewing and auditing these records at least once a year.
• Create a retention schedule to ensure that personal data stored by the company is kept only as necessary and for the purposes specified.
• Draft and execute data processing agreements or contracts when the Company hires or assigns external parties to process personal data.
• Set internal measures for transferring or transmitting personal data outside the Company, both domestically and internationally.

Any personal data processing carried out by the company will be lawful and based on the following key principles:

• The data processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into such a contract.
• The data processing is necessary to prevent or suppress danger to a person’s life, body, or health.
• The data processing is necessary for the performance of tasks carried out in the public interest or in the exercise of official authority conferred to the data controller.
• The data processing is necessary for the legitimate interests of the data controller or other persons or juristic persons, except where such interests are overridden by the fundamental rights of the data subject’s personal data.
• The data processing is for achieving purposes related to historical or archival documentation for the public interest or related to research or statistical purposes, with appropriate safeguards to protect the data subject’s rights and freedoms, as prescribed by the Personal Data Protection Law.
• The data processing is to comply with a legal obligation..
• The data subject has given explicit consent.

The company acknowledges that data subjects have rights under the Personal Data Protection Law and places great importance on facilitating the exercise of these rights. The rights are as follows:

• Right to be Informed: The company will provide a “Privacy Notice” with clear details of the purposes of data processing, as well as a “Cookie Policy” outlining the types of cookies used and their purposes. If the company processes data beyond the stated purposes or outside of any given consent, it will notify and/or seek additional consent from the data subject before processing such personal data.
• Right to Withdraw Consent: Data subjects can withdraw their consent at any time.
• Right of Access: Data subjects can request access to their personal data and obtain copies of the personal data processing activities, as well as request the company to disclose how it obtained the data.
• Right to Rectification: Data subjects can request corrections to any inaccurate personal data to ensure that it is accurate, up-to-date, and not misleading.
• Right to Erasure: Data subjects can request deletion, destruction, or anonymization of their personal data.
• Right to Data Portability: If the company’s data system supports it, data subjects can request a copy of their personal data in a commonly used and machine-readable format and can also request the transfer of such data to another data controller automatically.
• Right to Restrict Processing: Data subjects can request the company to restrict the use of their personal data.
• Right to Object: Data subjects can object to the processing of their personal data.

Data subjects can read more about the conditions for exercising these rights in the Privacy Notice. In some cases, the company may refuse such requests if there are lawful grounds to do so, or if the request is for legal compliance or court orders, or if it may impact the rights and freedoms of the data subject or others.

If data subjects would like to exercise the above rights, they can contact info@backyard.in.th. Further details on how to exercise these rights can be found under “Verification and Request for Rights” on the company's website.

The company will review this policy at least once a year or whenever there are necessary changes to ensure that it remains appropriate to the changing circumstances. Updates will be announced on the company’s website and other appropriate communication channels