Privacy Policy
Introduction
At Regent’s International School Bangkok (“RISB”), we value the rights and freedoms of all people. This includes respecting your privacy and protecting your personal data in compliance with the Personal Data Protection Act B.E. 2562 (“PDPA”), relevant laws and regulations. This privacy notice describes how we collect, use and disclose (or “process”) your information. It also tells you how to contact us as well as outlining what rights you have with regard to your personal data.
- Important Information
Who are we?
Throughout this document, “we”, “us”, “our”, “ours” refer to RISB.
Wherever we have said “you”, “your” or “yours”, this means YOU.
Controller
The RISB is the Data Controller when we collect and process Personal Data about you.
We have appointed a data protection officer (DPO) responsible for overseeing questions concerning this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please get in touch with the external DPO using the details set out below.
Regent’s International School Bangkok
601/99 Pracha Uthit Rd,
Khwaeng Wang Thonglang, Khet Wang Thonglang,
Bangkok 10310, Thailand.
Tel: 02-957-5777
Our Data Protection Officer (DPO)
Mr C.G. Reveley
Location: Regent’s International School Bangkok
601/99 Pracha Uthit Rd,
Khwaeng Wang Thonglang, Khet Wang Thonglang,
Bangkok 10310, Thailand.
Tel: 02-957-5777
Email: dpo@regents.ac.th
You have the right to make a complaint at any time to the Office of Persona Data Protection Committee, the Thailand supervisory authority for data protection issues, by contacting them
The Personal Data Protection Committee (the “PDPC”)
The Government Complex Commemorating His Majesty
Ratthaprasasanabhakti Building 7th Floor,
Chaengwattana Road, Thung Song Hong Sub-District, Lak Si District
Bangkok, Thailand 10210
Tel: 02 141 6993, 02 142 1033
E-mail: pdpc@mdes.go.th
Website: Thailand PDPC
We would, however, appreciate the chance to deal with your concerns before you approach the PDPC, so please get in touch with us in the first instance.
Changes to The Privacy Policy and Your Duty to Inform Us of Changes
This version was last updated on 02/06/2022, and historic versions can be obtained by contacting us.
It is essential that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Third-Party Links
This website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
- The Data We Collect About You
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:
- Identity Data: includes but is not limited to first name, last name, username or similar identifier, title, date of birth, and other details.
- Contact Data: includes billing address, residential address, email address and telephone numbers.
- Financial Data: includes bank account details, bank statements, credit card details and payment details.
- Transaction Data: includes details about payments to and from you and financial information and identification documents (e.g., for KYC verification, for bursary assessment or for fundraising).
- Technical Data: commonly known as online identifiers and includes internet protocol (IP) address, unique mobile device identification numbers (such as your Media Access Control (MAC) address, Identifier For Advertising (IDFA), and/or International Mobile Equipment Identity (IMEI), type of device, your login data, browser type and version, time zone setting and geolocation, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Academic Data: includes your login details, admissions, academic, disciplinary, and other education related records, references, examination scripts and marks.
- Usage Data: includes information about how you use our website, and services, education and employment data; images, audio, and video recordings or CCTV.
- Marketing and Communication Data: includes your preferences in receiving marketing from our third parties and us, news about our products and your communication preferences.
If you decide to make a payment for any of our services, your Financial Data, including your bank account and payment card details, will be collected and processed by our external payment service provider. We will not have access to collect, use, store or transfer your Financial Data
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, suppose we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you. In that case, we treat the combined data as personal data that will be used according to this privacy policy.
Sensitive Personal Data
As a school, from time to time we also need to process personal data which is designated as “sensitive” or “special category personal data” in order to facilitate our school operations and activities. Such data includes personal data regarding a data subject’s concerning:
- health;
- special education needs;
- Information relating to safeguarding and child protection/welfare;
- criminal records;
- ethnicity;
- religion; or
- biometric data (e.g. fingerprint).
- How Is Your Personal Data Collected
We collect the majority of the personal data we process directly from the data subject concerned (or often in the case of students, from their parents or guardians). There are instances where we collect data from third parties (for example, referees/references, and previous schools) or from publicly available resources.
We also collect data about you when:
- you have expressed an interest in having your child/children attend our school;
- you have requested a planned visit to the school;
- you have registered to attend (or have attended) one of our events;
- you visit our website or social media;
- you sign up to receive email our newsletter and/or prospectus;
- you have expressed an interest in working for, or with, us; or
- you are employed by an organisation with whom we have a business relationship.
- How We Use Your Personal Data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- We are about to enter into or have entered into a contract with you for the performance of a contract.
- Where it is necessary for our legitimate interests (or those of a third party), your interests and fundamental rights do not override those interests and
- Where we need to comply with a legal or regulatory obligation.
Purposes For Which We Will Use Your Personal Data.
In a table format below, we have set out a description of how we may use your personal data and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
Marketing
We provide you with choices regarding our use of your personal data for marketing and advertising purposes. We have established the following personal data control mechanisms:
You will receive marketing communications from us if you have subscribed for an account with us or purchased/used services from us and you have consented to receiving that marketing. All of our marketing communications contain an opt-in option, and you can opt out at any time. Please note that the opt-out will not affect the lawfulness of the processing that has taken place before the opt-out.
Third-Party Marketing
We will get your explicit opt-in consent before sharing your personal data with any company outside RISB for marketing purposes.
Change of Purpose
We will only use your personal data for the purposes we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your personal data for an unrelated purpose, we will notify you and obtain your consent to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. Disclosure of Your Personal Data
- We will keep your personal data confidential and does not have policy to sell your personal data to third party. If there is legal necessity to disclose your personal data, we will only disclose your personal data to authorized person or party as necessary. We may share your personal data with third parties as set out below for the purposes specified in the table in section 4 above:
- Our school partners and our authorized representative personnel;
- Service providers such as representative companies, travel agencies, contractors, consultants, financial institutions, cloud service providers, online travel agents (OTA) websites, marketing companies, educational websites, and information technology (IT) development companies. Such parties may locate either domestically or internationally and all party is under agreement with us;
- Government or regulatory agencies, to comply with law or request of authorized departments.
- We may seek to acquire other businesses or merge with them, or our business or part of our business may be sold. If a change happens to our business, then your personal data may be disclosed to our advisers and those of any prospective purchaser or partner. The new owners or partners may use your personal data in the same way as set out in this privacy policy. Your data will only be disclosed for the purposes identified in this privacy policy (as may be updated from time to time) unless a law or regulation allows explicitly or requires otherwise.
- We require all third parties to respect the security of your personal data and treat it according to the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. All our third-party processing partners are vetted under our third-party due diligence process and have signed data processor contracts with us.
6. International Transfers
Some of our external third parties are based outside the Kingdom of Thailand, so their processing of your personal data will involve a transfer of data outside the Kingdom of Thailand.
Whenever we transfer your personal data out of the Kingdom of Thailand, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the Personal Data Protection Committee (PDPC) (as appropriate).
- Appropriate safeguards are in place in accordance with data protection laws. These safeguards include the use of standard contractual clauses/ data protection clauses approved by the Personal Data Protection Commission (as appropriate)
- The transfer is otherwise allowed under data protection laws (including where we have your consent, or the transfer is necessary for the performance of a contract with you).
7. Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, disclosed or being unavailable. In addition, we limit access to your personal data to those employees, agents, professional advisers, contractors, and other third parties who have a business need to know on the principle of least privilege (PoLP). They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. We periodically review all privacy and security policies and update, when necessary, in line with changes in data protection laws or when any new technologies are introduced into our business. Where the introduction of new technologies results in a high risk to your personal data, we will perform a data protection impact assessment. We will only proceed if we are able to mitigate any identified high risks. Our methods of collecting personal data are reviewed by management before they are implemented to confirm that personal data is obtained
- fairly, without intimidation or deception, and
- lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal data.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. You can also see our Data Beach Policy for risk classification of a breach as reference.
8. Data Retention
How Long Will You Use My Data For?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements. A copy of our Data Retention Schedule is available upon request.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law, we have to keep basic information about our service users/staff (including Contact, Identify, Financial and Transaction Data) for ten tax years as part of our legal obligations to do so.
You can ask us to delete your data in some circumstances: please contact the above DPO to Request erasure and for further information.
In some circumstances, we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
9. Your Data Subject Rights
- The right to be informed about the purpose of collecting and processing the data.
- The right to withdraw the given consent.
- The right to access and obtain the data collected from you.
- The right to object the collection, use, and disclosure of your data.
- The right to restrict the use of your data.
- The right to correction of your data.
- The right to transfer your data to another data controller.
- The right to have your data erased, destroyed, or anonymized.
What We May Need from You: We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to anyone who has no right to receive it. We may also contact you to ask you for further information concerning your request to speed up our response.
Time Limit to Respond: We try to respond to all legitimate requests within thirty days. Occasionally it may take us longer than thirty days if your request is particularly complex or you have made a number of requests, in which case we will inform you of the reason and expected time of completing the request.
10. Policy Updates
Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually, and whenever changes to such laws and regulations are made, privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.
If you would like a to request a DSAR (Data Subject Access Request) please send an email to: (dpo@regents.ac.th)