Personal Data Protection Policy
TAT is a legal entity established under the Tourism Authority of Thailand Act, B.E. 2522, with its headquarters located at 1600 New Phetchaburi Road, Makkasan Sub-district, Ratchathewi District, Bangkok 10400, Thailand.
TAT also provides tourist information centers in London, Frankfurt, Paris, Rome, Stockholm, Moscow, Prague, New York, Los Angeles, Toronto, Sydney, Kuala Lumpur, Singapore, Jakarta, Hong Kong, Beijing, Chengdu, Shanghai, Guangzhou, Kunming, Taipei, Tokyo, Osaka, Fukuoka, Seoul, New Delhi, Mumbai, Ho Chi Minh, and Dubai. These services are made available to users of the Tourism Authority of Thailand's website at www.tourismthailand.org/trustedthailand and any other services we provide, including through our website and tourist information centers worldwide ("our services"). This includes information for business operators related to tourism activities. We respect the privacy of everyone who visits our website, contacts our tourist information centers, or uses our services. We are committed to ensuring that everyone has a secure online experience and is aware of the importance of personal data and other related information about you (collectively called “Data”). You can trust that we maintain transparency and responsibility in collecting, using, or disclosing your data in accordance with the Personal Data Protection Act, B.E. 2562 (“Personal Data Protection Law”) and other relevant laws. This Personal Data Protection Policy (“Policy”) has been created to explain in detail how we collect, use, or disclose (collectively “Process”) personal data handled by us, including our staff and representatives operating on our behalf. Our website and services are operated by the Tourism Authority of Thailand ("TAT" or "we"), with TAT acting as the data controller responsible for your personal information. The content is as follows.
Scope of Policy Enforcement
This policy applies to personal data of individuals who have a relationship with usat present and in the future, and whose personal data is processed by us, our officers, contract employees, business units, or other entities operated by us. It also includes contractors or third parties who process personal data on our behalf (“Personal Data Processors”)under various products and services, such as websites, systems, applications, documents, or other services managed by us (collectively called “Services”).
Individuals who have a relationship with us as mentioned above include:
- Individual customers
- Officers or workers, employees
- Partners and service providers who are individuals
- Directors, authorized persons, representatives, agents, shareholders, employees, or others with similar relationships to a legal entity that has a relationship with us
- Users of our products or services
- Visitors or users of our websites, systems, applications, devices, or other communication channels managed by us
- Other individuals whose personal data we collect, such as job applicants, family members of officers, guarantors, or insurance policy beneficiaries
Items 1) to 6) are collectively referred to as “you.”
In addition to this policy, we may provide aPrivacy Notice (“Notice”) for our products or services to inform data subjects who are service users about the personal data being processed, the lawful purposes and reasons for processing, the data retention period, as well as the personal data rights applicable to that specific product or service.
In case of any material conflict between this policy and the Privacy Notice, the Privacy Notice for that particular service shall prevail.
Definitions
Personal Data means any information relating to an identified or identifiable natural person, whether directly or indirectly, but does not include information of deceased persons, minors, incompetent persons, quasi-incompetent persons, or others without legal authority to act on their behalf.
Sensitive Personal Data means personal data as specified under Section 26 of the Personal Data Protection Act B.E. 2562, which includes information on race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health information, disability, trade union membership, genetic data, biometric data, or any other data that may similarly affect the data subject as announced by the Personal Data Protection Committee.
Processing of Personal Data means any operation performed on personal data, including images, such as collecting, recording, copying, organizing, storing, updating, altering, using, retrieving, disclosing, transferring, publishing, combining, deleting, or destroying, etc.
Data Subject means a natural person who is the owner of personal data collected, used, or disclosed by us.
Data Controller means a person or legal entity with the authority and responsibility to make decisions regarding the collection, use, or disclosure of personal data.
Data Processor means a person or legal entity who processes personal data on behalf of or under the instructions of the data controller. Such person or legal entity is not considered the data controller.
Sources of Personal Data
We collect or obtain various types of personal data from the following sources:
- Personal data that we collect directly from the data subject through various service channels, such as during application, registration, job application, signing contracts, documents, completing surveys, or using products, services, or other service channels managed by us. This also includes when the data subject communicates with us at our office or through other contact channels managed by us.
- Data collected from the data subject's use of websites, products, or other services under contracts or missions, such as tracking the use of our websites, products, or services through cookies or software on the data subject's device.
- Personal data collected from sources other than the data subject, where such sources are authorized, have lawful reasons, or have obtained consent from the data subject to disclose data to us. Examples include linking digital services to provide integrated public services to the data subject, receiving data in our role under our mission to operate a central data exchange center to support public services via digital systems, or exchanging data with counterparties to fulfill contractual obligations.
- Visitors to Tourist Information Centers: For additional information, if you visit any of our Tourist Information Centers, we will process the personal data you voluntarily provide in relation to the purpose of your visit or inquiries you may have. For example, you may voluntarily provide your information when you ask us to help you find suitable accommodations and transportation based on your needs.
- Event Participants: For additional information, if you participate in our events, we will process your personal data in connection with your participation. For example, we may request that you complete surveys, feedback forms, or other documents related to the event.
This also includes cases where you provide us with personal data of third parties. You are responsible for informing those individuals of the details of this policy or the privacy notice of the relevant product or service, as applicable, and obtaining their consent if consent is required to disclose their data to us.
If a data subject refuses to provide personal data necessary for us to provide services, we may be unable to provide all or part of the requested services.
Types of Personal Data We Collect
We collect and retain personal data that you provide to us while using our website, tourist information centers, and services offered through our website or at our tourist information centers. We may collect and process your personal data whether you are interacting with us on your own behalf or as a representative of an organization. The personal data we process may include your name and contact details (e.g., email address, mailing address, and phone number) as well as your payment information (if applicable). We process this data to deliver our services as requested, to maintain a user database, and to create service records. If you visit our tourist information centers, we process any personal data you voluntarily provide in relation to your purpose of visit and inquiries. Some services we provide are subject to specific terms and conditions, which apply if you use those services. If you click social media links on our website or interact with our social media accounts (e.g., Facebook or Instagram), we may collect data about such interactions or about your social media account. Additionally, we implement security measures at our tourist information centers, including CCTV cameras and building access control systems, with clear signage indicating camera use. Recorded footage is securely stored and accessed only when necessary (e.g., for incident investigations) and is typically automatically overwritten after a short period unless an investigation is required (e.g., theft incidents). We may also request visitors to sign in when accessing our tourist information centers, and these records are securely stored and accessed only when necessary.
Registration and account access on our main TAT website: Users can register for a membership account to access exclusive services and special offers. Applicants are required to complete a registration form with a username, email address, password, and other personal information, including future travel plans and preferences. We use this information to process your registration. Once registered, we process your username and password to identify you for secure account login and manage your account. Your use of our website, including member-only areas, is subject to our Terms of Use.
Requesting photos from TAT Newsroom: Our TAT Newsroom offers a "Photo Request" service, allowing accredited media members, online journalists, and freelance writers to access a high-resolution image library of Thailand's attractions, activities, and infrastructure. If you request images, you must fill out a request form with your name, job title, organization (if applicable), email address, mailing address, mobile and home/office phone numbers, and other relevant details. We process this data to handle and respond to your request.
Your contributions to the TAT Newsroom: If you write articles or blogs for us, or contribute to other publications we distribute or post on our website or in other media, we may use your personal data (e.g., your name and organization name) to provide attribution for your work. If you include photographs or images, we may publish these alongside your article or blog.
Participation in TAT events: We may organize or host product and service showcases or other events to promote Thailand as a tourist destination. We may process your name and contact details (including email address, mailing address, and phone number) to communicate about these events if you have requested information or if permitted by law.
If you attend our events, we may use your personal data to record your attendance and for record-keeping purposes. We may also collect and process your dietary preferences (if any). Additionally, you may appear in photographs taken during our events, which may be published in member-distributed publications, on our website, or other media.
Email and SMS/MMS marketing: We use your name and email address to send marketing communications via email (to you or your organization) and your mobile phone number to send marketing messages via SMS/MMS. These communications include news updates, tourism promotions, information about our organization, website, tourist information centers, services, events, and occasional promotions. Members can also subscribe to special offer alerts via email. For details about data collection methods, see "Analytics and Data Insights" above.
Legal basis for processing: Using your personal data is necessary for fulfilling contractual obligations between you and us, or it is based on our or a third party's legitimate interest to ensure we can deliver services effectively. If we seek your explicit consent to use photos, statements, testimonials, or other content, we will process this data based on your consent.
We may collect or obtain the following data, which may include your personal data, depending on the services you use or the context of your relationship with us, as well as other considerations that affect data collection. The types of data listed below represent a general framework of our data collection practices. Only data relevant to the products or services you use or are associated with will apply.
| Type of Personal Data | Details and Examples |
|---|---|
| Personal Identification Data | Information identifying you or from official documents that specify your identity, such as title, first name, last name, middle name, nickname, signature, ID card number, nationality, driver’s license number, passport number, household registration details, business registration number, professional license number (for each profession), social security registration number, etc. |
| Personal Attributes | Details about you, such as date of birth, gender, height, weight, age, marital status, military status, photograph, spoken language, behavior information, preferences, bankruptcy record, status as an incompetent or quasi-incompetent person, etc. |
| Contact Information | Data used to contact you, such as home phone number, mobile phone number, fax number, email address, mailing address, social media usernames (Line ID, MS Teams), residence map, etc. |
| Service Usage Information | Details about our products or services, user account name, password, PIN, Single Sign-On (SSO ID), OTP, computer traffic data, location information, photos, videos, voice recordings, usage behavior (websites or applications managed by us), browsing history, cookies or similar technologies, device ID, device type, connection details, browser, language used, operating system, etc. |
| Sensitive Personal Data | Sensitive personal data, such as race, religion, disability, political opinions, criminal records, biometric data (e.g., facial recognition data), health information, etc. |
Cookies
We collect and use cookies and similar technologies on websites under our management or on your devices, depending on the services you use. This is to ensure the security of our services and to provide you, as a user, with convenience and an improved experience. This data is used to enhance our website to better meet your needs. You can configure or delete cookies yourself through your web browser settings.
With your consent (where required by law), we use cookies, log files, and other technologies to collect personal data from the hardware and software of your computer and mobile devices used to access our website. This includes the following data:
IP address: To monitor website traffic and visitor volume.
Session ID: To track website usage statistics and gather information about personal interests, professional interests, demographic segments, user experience with our services, and contact preferences.
Our website [and emails] may use cookies, web beacons, and pixel tags ("tags"). Tags help us track the number of visitors to web pages [or email opens] and collect other aggregate data. When you click on an email containing tags, your contact details may be cross-referenced with [the original email] and/or related tags.
[We use "click-through URLs" in certain email messages to link to websites we manage or that are managed on our behalf. We may track click-through statistics to measure interest in specific topics and assess the effectiveness of these communications.] For more information, please see our Cookie Policy.
This data is used to provide insights into visitor behavior. With your consent, we may also use your location data for analytics and data insights. This allows us to measure content performance and user interactions on our websites and services, identify the most engaging pages, sections, and features visitors prefer.
We use this information to assist in selecting future products and services, designing our website, and remembering your specific preferences.
Additionally, we use this data for marketing purposes (for more information, please see the "Marketing Activities" section below).
Personal Data of Minors, Incompetent Persons, and Quasi-Incompetent Persons
If we are aware that personal data requiring consent belongs to a minor, an incompetent person, or a quasi-incompetent person, we will not collect such personal data until consent is obtained from the legal guardian or authorized representative (parent, guardian, or custodian, as the case may be), in compliance with legal requirements.
If we are not aware beforehand that the data subject is a minor, an incompetent person, or a quasi-incompetent person and later discover that we collected their data without obtaining proper consent from the parent, guardian, or custodian, we will promptly delete or destroy the personal data unless there is another lawful basis for collecting, using, or disclosing such data apart from consent.
Purposes for Collecting Personal Data
We collect your personal data for various purposes, depending on the type of product, service, or activity you use, as well as the nature of your relationship with us or the specific context. The purposes listed below serve as a general framework for how we use personal data. Only the purposes relevant to the products or services you use or are associated with will apply to your data.
- To conduct our business transactions
- To manage, operate, monitor, and administer services to ensure convenience and meet your needs
- To maintain and update information related to you, including documents referring to you
- To create and maintain personal data processing records as required by law
- To analyze data and resolve issues related to our services
- To perform necessary organizational management activities, including recruitment of board members or position holders, and qualification assessments
- To prevent, detect, avoid, and investigate fraud, security breaches, or prohibited/illegal actions that may harm us or data subjects
- To verify identity and confirm information when you register, use services, or exercise legal rights
- To improve and develop product and service quality to be more up-to-date
- To assess and manage risks
- To send notifications, confirmations, communications, and updates to you
- To prepare and deliver relevant and necessary documents or information
- To verify identity, prevent spam, and unauthorized or illegal actions
- To monitor how data subjects access and use our services, both in aggregate and individually, for research and analytical purposes
- To comply with obligations toward regulatory agencies, tax authorities, law enforcement, or other legal obligations
- To act as necessary for our legitimate interests or those of others or entities involved in our operations
- To prevent or mitigate harm to life, body, or health, including epidemic surveillance
- To prepare historical records for public benefit, research, or statistics as assigned to us
- To comply with applicable laws, regulations, enforceable orders, litigation processes, court-issued data requests, and to exercise rights over your data
Categories of Recipients of Your Personal Data
For the purposes stated, we may disclose your personal data to the following recipients. The categories of recipients listed below represent a general framework of our data disclosures. Only the recipients relevant to the products or services you use or are associated with will apply to your data.
| Recipient Category | Details |
|---|---|
| Required disclosure for legal or other important purposes (e.g., for public interest) | Law enforcement agencies or regulatory authorities, or for other important purposes such as Cabinet, relevant Ministers, Department of Provincial Administration, Revenue Department, Royal Thai Police, Courts, Office of the Attorney General, Department of Disease Control, Ministry of Digital Economy and Society, Office of the Prime Minister, Department of Consular Affairs, Tourism Authority of Thailand, etc. |
| Contractors handling employee welfare | External parties contracted to manage welfare, such as insurance companies, hospitals, payroll service providers, banks, telecommunication providers, or relevant government agencies. |
| Business Partners | Contact information shared with business partners, such as home and mobile phone numbers, fax numbers, email addresses, mailing addresses, social media usernames (Line ID, MS Teams), and residence maps, etc. |
| Service Usage Information | We may disclose your information to collaborators to provide services to you, such as service providers you contact through our platform, marketing providers, advertising media, financial institutions, platform providers, telecommunication service providers, etc. |
| Service Providers | We may appoint third parties as service providers or operational support, such as data storage providers (cloud or document warehouses), system/software/application/website developers, document delivery services, payment service providers, internet providers, telecommunication providers, Digital ID providers, social media platforms, risk management providers, external consultants, and logistics services, etc. |
| Other Recipients | We may disclose your data to other recipients for purposes related to our services, such as training, awards, charity activities, donations, etc. |
| Public Disclosure | We may publicly disclose your information when necessary, for example, where legally required to publish it. |
Cross-Border Transfer of Personal Data
In some cases, we may need to send or transfer your personal data to other countries to fulfill service purposes, such as transferring data to cloud systems with platforms or servers located abroad (e.g., Singapore or the United States) to support IT systems based outside Thailand. This depends on the specific service or activity you are involved in.
At the time this policy was created, the Personal Data Protection Committee has not yet published a list of destination countries deemed to have an adequate level of personal data protection. Therefore, when we need to transfer your personal data to a destination country, we will ensure that the transferred data is adequately protected in accordance with international standards or comply with the legal requirements for such data transfers.
Adequacy Decisions: We will transfer your personal data to countries deemed by the European Commission to provide an adequate level of data protection. For more details, see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
Standard Contractual Clauses: For some service providers, we may use model contracts approved by the European Commission that ensure data protection equivalent to that in Europe. For more details, see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
EU-U.S. Privacy Shield Framework: If we work with business partners or contractors in the United States, we may transfer personal data to them if they are certified under the Privacy Shield Framework, which requires them to provide equivalent protection for shared data between the EU and the U.S. For more details, see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en
Please contact us if you would like more information about the specific mechanisms we use to transfer your personal data outside the EEA.
Retention Period of Your Personal Data
We will retain your personal data only for as long as it is necessary to fulfill the purposes for which the data was collected, as specified in this policy, notices, or relevant laws. Once the retention period has ended and the data is no longer required for its stated purposes, we will delete, destroy, or anonymize your personal data, following deletion and destruction standards set by the Committee, the law, or international standards. However, in cases of disputes, rights enforcement, or legal proceedings involving your personal data, we reserve the right to retain that data until a final ruling or resolution is reached.
Personal Data Security Measures
We have measures in place to safeguard personal data by restricting access to it only to authorized personnel or individuals who have been assigned responsibilities and need to use such data for the purposes communicated to the data subject. These individuals are required to strictly comply with our data protection measures and maintain the confidentiality of any personal data they handle. We also maintain security measures, both organizational and technical, that meet international standards and comply with requirements set by the Personal Data Protection Committee.
Additionally, when transferring, disclosing, or sharing personal data with third parties for services, contractual obligations, or other agreements, we enforce appropriate security and confidentiality measures as required by law to ensure the protection of personal data at all times.
External Website or Service Links
Our services may contain links to third-party websites or services, which may have privacy policies differing from this policy. We recommend that you review the privacy policies of those websites or services before use. We have no control over and are not responsible for the data protection measures, content, policies, damages, or actions resulting from third-party websites or services.
Your Rights Under the Personal Data Protection Act B.E. 2562 (2019)
The Personal Data Protection Act B.E. 2562 (2019) grants several rights to data subjects. These rights will take effect when the relevant provisions of the law come into force.
Details of these rights include:
- Right to Access Personal Data: You have the right to access, receive copies of, and request disclosure of the sources of your personal data that we have collected without your consent, except where we have the right to refuse your request under the law, a court order, or where your request may adversely affect the rights and freedoms of others.
- Right to Rectification: If you find that your personal data is incorrect, incomplete, or not up to date, you have the right to request corrections to make the data accurate, current, complete, and not misleading.
- Right to Erasure or Destruction: You have the right to request that we erase or destroy your personal data, or anonymize it so it can no longer identify you. This right is subject to legal conditions.
- Right to Restriction of Processing: You have the right to request that we restrict the use of your personal data in the following cases:
- a) When we are verifying your request to correct, complete, or update personal data
- b) When your personal data has been collected, used, or disclosed unlawfully
- c) When your personal data is no longer necessary for the purposes of collection, but you request that we retain it for legal rights establishment
- d) When we are verifying legitimate grounds for collecting, using, or disclosing personal data, or checking its necessity for public interest due to your objection to data processing
- Right to Object: You have the right to object to the collection, use, or disclosure of your personal data, except where we can demonstrate lawful grounds (e.g., processing is necessary for legal claims, compliance, or public interest).
- Right to Withdraw Consent: If you have previously given consent for us to collect, use, or disclose your personal data (whether before or after this law came into effect), you have the right to withdraw that consent at any time while we retain your data, unless there are legal obligations or contractual arrangements requiring us to retain it.
- Right to Data Portability: You have the right to receive your personal data from us in a structured, commonly used, and machine-readable format and to request that we transmit this data to another data controller. This right is subject to legal conditions.
- Contact Us: If you have questions about this Privacy Policy or wish to exercise your rights under it, you can contact us via the contact channels provided.
- Email:trustedthailand@gmail.com
- LINE Official Account:@trustedthailand
