Data management information
Preamble
The purpose of this Privacy Notice (hereinafter referred to as the Notice) is to provide information about the data management practices of AsiaHabit Digital, hereinafter referred to as the Service Provider. The Service Provider respects the privacy of any person who uses the Services or comes into contact with the Service Provider in any way:
- natural persons (enquirers, registrants, job seekers, employees, partners, etc.)
- natural person clients of legal entities contracting with us
- as well as natural person contact persons of legal persons who have a contractual relationship with us
These persons are hereinafter collectively referred to as Users.
The Service Provider acknowledges that it is bound by the contents of this Policy. The Service Provider shall treat Personal Data confidentially and shall take all security, technical and organisational measures to ensure data security.
If you have any questions, please contact us!
General information
As data controller, the Service Provider undertakes to handle, store and process users' data in compliance with the applicable data protection legislation, in particular with regard to the following legislation:
- Directive 95/46/EC of the European Parliament and of the Council - from 25.05.2018, Regulation 2016/679 of the European Parliament and of the Council (GDPR)
- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Info Act)
- Act CXIX of 1995 on the processing of names and addresses for the purpose of research and direct marketing
- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services
- The Personal Data Protection Act (PDPA) of 2019 (B.E.2562) of the Asian Powers Act
Personal data will be stored electronically, online, and at least in accordance with the ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701 and SSAE 18/ISAE 3402 standards.
The Service Provider shall carry out Data Processing only within the group of companies and only with the external contractor with whom it has concluded a contract for this purpose at the request or with the knowledge of the User.
By concluding a contract (whether in writing, orally, or by implicit conduct), the business partner consents to the collection and processing of data, assumes responsibility for the accuracy of the data provided by him/her and is entitled to provide them to the Service Provider and to consent to their processing.
In case of providing data of contact persons, employees, the business partner is responsible for having made the data subject familiar with this Privacy Policy and for informing him/her of the terms and conditions of data processing.
In order to ensure that the storage of personal data is limited to the necessary period, the Service Provider will, in January of each year, review the stored data and delete any that has expired.
The Service Provider shall not disclose Personal Data to third parties without the consent of the User, unless required to do so by law, public authority or court.
Data and contact details of the Service Provider
Name: AsiaHabit Digital Co.,Ltd.
Location: 76, Sukhumvit 101/2 Alley, Bangkok, Thailand 10260
Public Protection Officer: Dr.Gyula Kizakis
Company registration number: 0105564108581
Address number: 0105564108581
Email: hello@asiahabit.com
Definitions of terms used in this leaflet
Sensitive data: data that can be associated with the data subject, in particular the name, the identification mark and one or more characteristics of the physical, physiological, mental, economic, cultural or social identity of the data subject, and the inference that can be drawn from it concerning the data subject;
Controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and executes decisions regarding the processing (including the means used) or has them executed by a processor on its behalf;
Controlling: any operation or set of operations which is performed on data, irrespective of the process used, in particular the collection, recording, organisation, storage, alteration, use, consultation, retrieval, transmission, disclosure, alignment or combination, blocking, erasure and destruction of data and the prevention of their further use, the taking of photographs, audio or video recordings, and the recording of physical characteristics which can be used to identify a person (e.g. fingerprints, palm prints, DNA samples, iris scans);
Duration of processing: The Service Provider will store the User's Personal Data only for as long as necessary to achieve the purposes for which it was collected or until the User withdraws his/her consent to the processing. In case of legal obligations (e.g. billing), Personal Data will be kept for 5 years.
Transmission: making data available to a specified third party;
Deletion: rendering records unrecognisable in such a way that it is no longer possible to retrieve them;
Data processing: the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;
Processor: a natural or legal person or unincorporated body which, under a contract with a controller, including a contract concluded pursuant to a legal provision, carries out processing of data;
Third party: a natural or legal person or unincorporated body other than the data subject, the controller or the processor;
Cookies: Cookies are temporarily stored on the User's device and can only store data that the User provides and/or authorises.
Purpose, legal basis, time of processing
Users' Personal Data is stored in the Service Provider's central Google Workspace & Cloud database. We use Google Analytics for aggregated, anonymous online traffic analysis, for which Google creates a randomly generated cookie. This cookie is anonymised and does not contain any identifiable information such as email, phone number, name, etc.
Business offer, privacy statement, contract, contact us
personal data processed | purpose of processing | legal basis for processing | duration of processing |
---|---|---|---|
leading name, first name, position, e-mail address, telephone number, billing address, tax number, company registration number, correspondence, communication | for the preparation, delivery and communication of individual business proposals, confidentiality agreements, contracts | Info tv. 5.§ 1/a ▪️ EU 2016/679 regulation. 6.§ 1/a,c ▪️ § 169 (2) | until the withdrawal of the contribution, but for a maximum of 5 years |
Online contact, login, registration
processed personal data | purpose of data processing | legal basis for processing | duration of processing |
---|---|---|---|
e-mail address, password | for the preparation, delivery and communication of individual business proposals, confidentiality agreements, contracts | EU Regulation 2016/679/EU. 6.§ 1/b ▪️ Elker tv. 13/A.§ (3) | until revoked |
session cookies (cookies) | to ensure proper functioning | Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (Elkertv.), Article 13/A (3) | until the end of the session |
Google reCAPTCHA cookie | Security feature functionality | Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (Elkertv.), Article 13/A (3) | 6 months |
Protection of sensitive data
The IT environment used for the processing of Personal Data in the provision of the service is ensured in such a way that:
- Personal Data may only be used for the specified purpose and only be accessed by staff who need to know it for the performance of their duties,
- we use a security incident reporting and alerting system and continuous virus protection,
- stored data can only be accessed using a physical key (YubiKey) with two-factor authentication,
- secure passwords are changed regularly,
- Personal data are irretrievably deleted once the purposes of the processing have been fulfilled or if the time limit for processing has expired or the legal basis for processing has ceased to exist.
Transmission of personal data
Transfers abroad may only be made for the purpose of data processing. The User consents to the transfer of his/her data abroad in accordance with the provisions of applicable law. Please be informed that in order to fully provide our services, we work with partners, including the following entities, which may be involved in the processing of Personal Data. There is no joint processing of data.
processor | service required | purpose of data processing | personal data transferred |
---|---|---|---|
Google Ireland Limited Gordon House Barrow Street Dublin 4, Ireland | Google Workspace | using cloud-based office and collaboration tools | lead name, first name, title, email address, telephone number, tax number, company registration number, correspondence, communications, contract data |
Google Ireland Limited Gordon House Barrow Street Dublin 4, Ireland | Google Cloud Platform | online platforms, services, systems hosting | single customer contracted |
Mailgun Technologies represented by VeraSafe Ireland Ltd. Unit 3D North Point House North Point Business Park New Mallow Road, Cork T23AT2P, Ireland | MailGun | system-wide email message management | a single customer contracted |
Users' rights regarding their Personal Data
Users may, at any time, request information on the processing of their personal data, request the rectification, specification, erasure or restriction of their personal data and exercise any of the rights provided for by Regulation EU 2016/679. Without undue delay, and in any event within 30 days of receipt of the request, we will inform the User of the action taken in response to his/her request. If necessary, this period may be extended by a further 30 days, but in this case the Service Provider will provide information within 30 days of receipt of the request, stating the reasons for the delay.
Compensation
The Service Provider shall be exempted from liability if the damage was caused by a cause beyond its control. The Service Provider shall not be liable for damages caused by the intentional or grossly negligent conduct of the injured party or if the User has provided third party data.
Amendment of the Privacy Policy
The Service Provider reserves the right to amend the Privacy Notice. The amended Privacy Notice shall enter into force on the 3rd working day following the date of the amendment.