Privacy Notice for Vendors & Suppliers

ServerToday (Thailand) Co., Ltd.

ServerToday (Thailand) Co., Ltd. ("the Company") places great importance on protecting the personal data of its vendors and is committed to ensuring the security of your personal data in compliance with the Personal Data Protection Act B.E. 2562 and other applicable laws. This Privacy Notice explains the details of how we collect, use, and disclose ("process") your personal data, as well as your legal rights as a data subject.

Effective Date: May 6, 2025
Document ID: ISMS-1PC-007

1. Data Subjects

This Privacy Notice covers the personal data of current vendors, prospective vendors, business partners, and suppliers, both as natural persons and natural persons acting on behalf of juristic persons who are data subjects, such as directors, consultants, executives, employees, agents, and any persons related to the vendor.

"Vendor" means a natural person or juristic person that conducts transactions with the Company and has been approved to enter into purchase/hire/lease agreements with the Company, including current vendors, prospective vendors, business partners, and suppliers who provide goods and services to the Company.

2. Personal Data

"Personal Data" means information about an individual that can identify that person, directly or indirectly, specifically excluding data of deceased persons. Examples include name, surname, nickname, address, phone number, national ID number, passport number, social security number, driver's license number, tax ID, bank account number, credit card number, email address, IP address, cookie ID, log files, etc.

The following is not considered personal data: business contact information that does not identify an individual (e.g., company name, company address, corporate registration number, work phone numbers, work email such as info@servertoday.com), anonymous data, pseudonymous data, and data of deceased persons.

"Sensitive Personal Data" means personal data relating to race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union data, genetic data, biometric data, or other data that affects the data subject in a similar manner as determined by the Personal Data Protection Committee. The Company handles such data with special care and will only collect, use, and/or disclose sensitive data with explicit consent or as permitted by law.

Throughout this Privacy Notice, unless specifically stated otherwise, "personal data" and "sensitive personal data" pertaining to the aforementioned users shall be collectively referred to as "personal data."

Where the Company receives a copy of your national ID card or extracts data electronically for identity verification and legal transactions, the data may include religious information (sensitive data). The Company does not intend to collect such data and requests that you redact or obscure this information. If you do not do so, the Company reserves the right to redact it to protect your sensitive personal data.

3. Sources of Personal Data

3.1 Data provided directly by you

Data from procurement processes, service contracts, lease agreements, purchase agreements, business contracts, forms, surveys, registrations, account creation, claims or rights requests, and any communications with the Company in written, verbal, image, or audio form.

3.2 Data collected automatically

When you use the Company's services or visit the website via electronic devices (mobile phones, computers, laptops, etc.) using technology called "cookies" or similar technologies.

3.3 Data from external sources

Reliable public data sources including the Department of Provincial Administration, Department of Business Development, commercial data sources, websites, applications, social media, data providers, agencies, associations, or organizations related to the vendor's legal transactions and/or business operations.

3.4 Data from your interactions with the Company

Data from interactions with Company employees, agents, partners, or authorized representatives through websites, applications, social media, phone, email, meetings, interviews, SMS, fax, mail, video calls, or other means. Data may be collected in text, image, and audio formats.

4. Types of Personal Data Collected

The Company may collect types of personal data such as the following:

  • Identity Data

    e.g. Name, surname, national ID number, address, phone number, email

  • Company/Organization Data

    e.g. Company name, corporate registration number, tax information, bank account details

  • Technical Data

    e.g. Log files, system access data, platform usage data (if applicable)

  • Other Business Data

    Other data necessary for the business relationship

  • IT System Data

    e.g. Email usage logs, document management system, server access logs

5. Purposes of Collection, Use, and Disclosure

The Company collects, uses, or discloses your personal data under the following legal bases:

  • Contract
  • Legal Obligation
  • Legitimate Interest
  • Consent — The Company will request your consent where required by law, or where none of the above legal bases are applicable to the personal data collected from you.

The purposes for collecting, using, and disclosing vendors' personal data include, for example:

  • For contacting, coordinating, and conducting business operations such as procurement, hiring, payments, and business relationship management
  • For verifying qualifications and background of vendors and suppliers
  • For risk management, internal auditing, and legal compliance checks
  • For complying with applicable laws and regulations
  • For managing, developing, and improving business operations efficiency
  • For protecting the Company's rights and cybersecurity, and complying with orders from legally authorized agencies

6. Disclosure of Your Personal Data

To fulfill the purposes stated in this Privacy Notice, your personal data may be disclosed to:

6.1 Within the Company

Your personal data may be disclosed or transferred to relevant internal departments only as necessary for the stated purposes. The following persons or teams will be granted access to your personal data as appropriate:

  • Procurement staff or other relevant departments, with access rights defined according to their roles and responsibilities.
  • Executives or direct supervisors responsible for management or decision-making, or when procurement-related procedures are involved.
  • Support functions such as IT, accounting, finance, sales, and marketing communications.

6.2 Outside the Company

Your personal data may be disclosed or transferred to the following external organizations:

  • Government agencies and regulators as required by law (e.g., Revenue Department, Consumer Protection Board, Department of Business Development, Ministry of Commerce, Export Promotion Department, Customs Department, Intellectual Property Department, courts, Legal Execution Department)
  • External organizations or persons for transaction verification purposes and to provide products or services matching your needs.

Additionally, where the Company has received your written consent to disclose information to external parties, such as a new employer, the Company may disclose your information to verify your previous employment status, or provide your information to educational institutions you previously attended for the purpose of quality development and graduate research projects.

7. Cross-Border Data Transfers

7.1 The Company may send or transfer your personal data to other persons both domestically and internationally where necessary to fulfill a contract you are party to, or pursuant to a contract between the Company and another person or juristic person for your benefit, or to carry out your pre-contractual request, or to prevent or suppress harm to the life, body, or health of you or others, to comply with law, or as necessary to carry out a mission of significant public interest.

7.2 The Company may store your data on computers, servers, or clouds operated by third parties, and may use software or platform services provided by third parties to process your personal data. The Company will not allow unauthorized persons to access personal data and will require such third parties to maintain appropriate personal data security measures.

7.3 Where it is necessary to send or transfer your personal data internationally, the Company will comply with personal data protection law and implement appropriate measures to ensure your data is protected, that you can exercise your rights as required by law, and that recipients maintain appropriate data protection measures, process the data only as necessary, and take steps to prevent unauthorized use or disclosure.

8. Data Retention

  • 8.1 The Company will retain your personal data for as long as necessary, taking into account the necessity and purposes for which it was collected, used, and processed, including compliance with applicable legal requirements.
  • 8.2 The Company will continue to collect, use, and disclose your personal data even after the termination of your relationship with the Company, to the extent necessary under applicable legal requirements for legitimate interests, or by storing it in a form that does not identify you directly or indirectly, such as "Anonymous Data" or "Pseudonymous Data".
  • 8.3 The Company may retain your personal data for as long as necessary to fulfill the purposes of processing described in this Privacy Notice. The Company will retain your personal data for no more than 10 years after the date your relationship ends or your last contact with the Company, unless the law permits longer retention.
  • 8.4 To align with relevant limitation periods, the Company will store your personal data in appropriate formats according to data type. Where necessary, the Company may continue to retain your personal data beyond the applicable legal limitation period for the legitimate interests of the data controller, unless such interests are outweighed by your fundamental rights in the personal data.
  • 8.5 The Company will review and delete, destroy, or permanently anonymize personal data upon expiry of the retention period, when data is no longer relevant or necessary for the purposes of collection, or when the Company must comply with your valid deletion request.

9. How We Protect Your Personal Data

The Company implements measures in accordance with Section 37 of the PDPA and the ISO/IEC 27701 standard, including appropriate technical, physical, and organizational security measures to prevent the loss of personal data and its unauthorized access, use, alteration, modification, or disclosure. These measures include:

  • Access control with authentication and authorization systems
  • Data encryption for stored and transmitted data
  • Logging and monitoring of data-related activities
  • Data backup and disaster recovery (DR & BCP)
  • PDPA and ISO/IEC 27701 training for employees and stakeholders
  • Regular review, testing, and assessment of security measures
  • Requiring data recipients to maintain confidentiality and process data only as specified by the Company

10. Data Subject Rights

Data subjects have the following rights regarding their personal data:

10.1 Right to Withdraw Consent

You may withdraw consent at any time while the Company retains your data, unless restricted by law or a contract that benefits you. Note: Withdrawal may affect your access to certain services, benefits, or information. For your own benefit, please consider the impact before proceeding.

10.2 Right to Access

You may request access to and copies of your personal data, including information about its sources. Exception: The Company may refuse if disclosure would affect others' rights or is prohibited by law or court order.

10.3 Right to Data Portability

You may request your data in a machine-readable format and request transfer to another controller, where technically feasible. Note: This right applies only to data provided with your consent or necessary for the Company's service delivery.

10.4 Right to Object

You may object to processing based on legitimate interests or public interest. The Company will cease processing unless it can demonstrate compelling legal grounds or the processing is necessary for legal claims. You may also object to the use of your data for marketing or scientific, historical, or statistical research purposes.

10.5 Right to Erasure

You may request deletion, destruction, or anonymization of your data if it was processed unlawfully, is no longer necessary, or you have withdrawn consent or exercised your right to object. Exception: Where the Company has a legal obligation or the data is necessary for legal claims.

10.6 Right to Restrict Processing

You may request temporary suspension of processing, for example while awaiting verification of a correction or objection request, or when the Company should delete data under law but you request restriction instead.

10.7 Right to Rectification

You may request correction of your data to ensure it is accurate, current, complete, and not misleading.

10.8 Right to Complain

If you believe the Company has collected, used, or disclosed your data in violation of law, you may file a complaint with the competent authority.

Additional Note: The exercise of the above rights may be limited by law, such as when the Company has legal obligations or court orders, or when exercising the right would violate others' rights. If a request must be denied, the Company will clearly explain the reasons.

12. Contact Information

If you have questions or wish to exercise your rights, please contact:

Data Controller

ServerToday (Thailand) Co., Ltd.

111/128 Moo 2, Ratchaphruek Rd., Bangraknoi, Mueang Nonthaburi, Nonthaburi 11000

www.servertoday.com

Data Protection Officer

DPO Team

111/128 Moo 2, Ratchaphruek Rd., Bangraknoi, Mueang Nonthaburi, Nonthaburi 11000

13. Governing Law

This Privacy Notice is governed by and interpreted in accordance with Thai law. Thai courts shall have jurisdiction over any dispute that may arise.

14. Changes to This Privacy Notice

The Company regularly reviews this Privacy Notice to ensure consistency with practices and applicable laws. Any significant changes will be communicated through appropriate channels along with the updated version. We recommend checking this notice periodically.

This notice is effective as of May 6, 2025
