Personal Data Processing Policy
Approved by order of the General Director of BABUSHKA.KITCHEN No. 01-03 dated 04/01/2019
1. General Provisions
1.1. This Policy for the processing of personal data (hereinafter referred to as the “Policy”) has been developed and applied by BABUSHKA.KITCHEN (hereinafter also referred to as the “Operator”) in accordance with laws and other regulations in the field of personal data protection in force in the Kingdom of Thailand.
1.2. This Policy is part of the general policy regarding the processing of personal data of BABUSHKA.KITCHEN.
1.3. This Policy applies to all personal data that may be obtained from individuals by the Operator in the process of selling food products, carried out by ordering through the website BABUSHKA.KITCHEN (hereinafter referred to as the “Site”), via the Operator’s call center at +66627255142 (hereinafter - “Call Center”) and through the Operator’s mobile application (hereinafter referred to as the “Application”), and which can be uniquely correlated with a specific individual and his personal data. This Policy does not apply to relationships:
arising in the processing of personal data of the Operator’s employees, since such relations are settled by a separate local act, which is also part of the general policy regarding the processing of personal data of BABUSHKA.KITCHEN;
1.4. The Policy defines the behavior of the Operator in relation to the processing of personal data accepted for processing, the procedure and conditions for processing personal data of individuals who have transferred their personal data for processing to the Operator (hereinafter also the “Personal Data Subject”, “Subject”) with or without automation tools, establishes procedures to prevent violations of the laws of the Kingdom of Thailand, to eliminate the consequences of such violations related to handling cial data.
1.5. The policy is designed to ensure the protection of the rights and freedoms of Personal Data Subjects when processing their personal data, as well as to establish the responsibility of Operator officials with access to personal data of Personal Data Subjects for non-compliance with the requirements and standards governing the processing of personal data.
1.6. The Operator processes the following personal data:
delivery address of the order;
information about the services provided and being provided to the Personal Data Subject, including the history of the Subject's orders;
the history of appeals of the Personal Data Subject, including the documents sent by the Subject when applying to the Operator.
1.7. When using the services of the Site, the Operator also processes other anonymized data that is automatically transmitted during the use of the Site through the software installed on the computer:
information about the browser used (or another program with which the site is accessed);
The Operator guarantees that organizations external to the Operator do not have access to such data that can be used by the Operator, except in cases expressly stipulated by the current legislation of the Kingdom of Thailand and this Policy. Upon receipt of personal data not listed in this section, such data are subject to immediate destruction.
1.8. The Operator processes personal data of personal data subjects by maintaining databases in an automated, mechanical, manual way for the following purposes:
1.8.1. processing orders, requests or other actions of the Personal Data Subject associated with the execution of orders;
1.8.2. notifications about changes in the offer, order of services, menu, list of actions, discounts, etc. held by the Operator;
1.8.3. for other purposes if the relevant actions of the Operator do not contradict the current legislation, the activities of the Operator, and the consent of the Personal Data Subject is obtained for the said processing.
1.8.4. the data specified in clause 1.7 of this Policy are processed in order to implement analytics of the Site and the Application, tracking and understanding the principles of using the Site and the Application by visitors, improving the functioning of the Site, solving technical problems of the Site and Application, developing new products, expanding services, identifying the popularity of events and determining the effectiveness of advertising campaigns; providing security and fraud prevention, providing effective customer support.
1.9. The Operator processes personal data by performing any action (operation) or set of actions (operations), including the following:
clarification (update, change);
transfer (distribution, provision, access);
2. Receipt, use and disclosure of personal data
2.1. The Operator receives and starts processing the personal data of the Subject from the moment of receiving his consent. Consent to the processing of personal data may be given by the Personal Data Subject in any form that allows the fact of receiving consent to be confirmed, unless otherwise established by federal law: in written, oral or other form provided for by the current legislation, including through the performance of concrete actions by the Personal Data Subject (acceptance of the offer placed on the Site and in the Application). In the absence of the consent of the Personal Data Subject to the processing of his personal data, such processing is not carried out.
2.2. Personal data of personal data subjects are obtained by the Operator:
by personal transfer by the Subject of personal data when entering information into accounting forms in electronic form on the Website and in the Operator’s Application;
by personal transfer by the Subject of personal data when contacting the Call Center and communicating them orally by telephone during the ordering process;
in other ways that do not contradict the legislation of the Kingdom of Thailand and the requirements of international legislation on the protection of personal data.
2.3. Consent to the processing of personal data is deemed to be provided when the Personal Data Subject performs any of the following actions or a combination of them:
placing an order on the Website and in the Operator’s Application;
putting on the Site in the appropriate form a mark of consent to the processing of personal data in the amount, for the purposes and in the manner set out in the text offered for review before consent is obtained;
communicating personal data orally, when contacting the Call Center by phone during the order process.
2.4. The consent is deemed received in the prescribed manner and is valid until the submission by the Subject of personal data of the relevant application for termination of the processing of personal data at the location of the Operator.
2.5. The Personal Data Subject may at any time withdraw its consent to the processing of personal data, provided that such a procedure does not violate the requirements of the laws of the Kingdom of Thailand. To revoke consent to the processing of personal data, the Personal Data Subject must send a written notice to the postal address: firstname.lastname@example.org. If the Personal Data Subject revokes consent to the processing of its personal data, the Operator must stop processing them or ensure termination of such processing (if processing is carried out by another person acting on the instructions of the Operator) and, if the storage of personal data is no longer required for the purposes of processing, destroy personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding 30 (thirty) days from the date of receipt of this withdrawal, unless otherwise provided by a contract to which the Personal Data Subject is a party, beneficiary or guarantor, or by any other agreement between the Operator and the Personal Data Subject.
3. Rules and procedures for the processing of personal data
3.1. In order to achieve the objectives of this Policy, only those employees of the Operator who are entrusted with this duty in accordance with their official (labor) duties are allowed to process personal data. The Operator requires its employees to maintain confidentiality and ensure the security of personal data during their processing.
3.2. In accordance with this Policy, the Operator may process personal data on its own, as well as with the involvement of third parties, who are involved by the Operator and carry out processing to fulfill the objectives specified in this Policy.
3.3. When the processing of personal data is entrusted to a third party, the amount of personal data transferred to the third party for processing and the number of processing methods used by that party should be the minimum necessary for it to fulfill its duties to the Operator. In relation to the processing of personal data by a third party, it is the duty of such a party to respect the confidentiality of personal data and to ensure the security of personal data during their processing.
3.4. In the process of providing services and carrying out its internal business activities, the Operator uses both automated processing of personal data (using computer technology) and non-automated processing (using paper workflow). Decisions that give rise to legal consequences in relation to the Personal Data Subject or otherwise affect his rights and legitimate interests are not made by the Operator on the basis of exclusively automated processing of personal data. The Operator stores personal information of personal data subjects in accordance with the internal regulations.
3.5. With respect to the personal information of the Personal Data Subject, confidentiality is maintained, except in cases where the Subject voluntarily provides information about himself for general access to the general public. In this case, the Personal Data Subject agrees that a certain part of its personal information becomes publicly available.
4. Information about the implemented requirements for the protection of personal data
4.1. The Operator’s personal data processing activities are inextricably linked to the protection of confidentiality of the information received by the Operator.
4.2. The Operator requires other persons who have received access to personal data not to disclose to third parties and not to distribute personal data without the consent of the Personal Data Subject, unless otherwise provided by federal law.
4.3. All employees of the Operator are obliged to ensure the confidentiality of personal data, as well as other information established by the Operator, if this does not contradict the current legislation of the Kingdom of Thailand.
4.4. In order to ensure the security of personal data during their processing, the Operator takes the necessary and sufficient legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other misconduct against them. The Operator ensures that all ongoing measures for the organizational and technical protection of personal data are carried out on a legal basis, including in accordance with the requirements of the legislation of the Kingdom of Thailand on the processing of personal data.
4.5. The Operator applies the necessary and sufficient legal, organizational and technical measures to ensure the security of personal data, including:
identification of threats to the security of personal data during their processing in personal data information systems;
application of organizational and technical measures to ensure the security of personal data when processing them in personal data information systems necessary to meet the requirements for the protection of personal data, the performance of which ensures the levels of personal data protection established by laws of the Kingdom of Thailand;
the use of the information security protection measures passed in the prescribed manner;
assessment of the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
accounting of personal data carriers;
detection of unauthorized access to personal data and taking action;
restoration of personal data modified or destroyed due to unauthorized access to them;
carrying out activities aimed at preventing unauthorized access to personal data and (or) transferring them to persons who do not have the right to access such information;
timely detection of facts of unauthorized access to personal data and taking the necessary measures;
avoidance of impact on technical means of automated processing of personal data, as a result of which their functioning may be impaired;
establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and recording of all actions performed with personal data in the personal data information system;
control over measures taken to ensure the security of personal data and the level of security of personal data information systems.
The measures to ensure the security of personal data implemented by the Operator within the framework of the personal data protection system, taking into account the current threats to the security of personal data and the information technologies used, include:
identification and authentication of access subjects and access objects;
access control for access subjects to access objects;
restriction of the software environment;
protection of computer-readable media on which personal data is stored and (or) processed;
security event logging;
detection (prevention) of intrusions;
ensuring the integrity of the information system and personal data;
protection of the virtualization environment;
protection of technical equipment;
protection of the information system, its facilities, communication and data transmission systems;
identifying incidents (one event or group of events) that may lead to failures or disruption of the information system and / or to the emergence of threats to the security of personal data, and responding to them;
configuration management of the information system and the personal data protection system.
4.7. The Operator undertakes not to disclose the information received from the Personal Data Subject. The provision by the Operator of information to agents and third parties acting on the basis of an agreement with the Operator to fulfill obligations to the Personal Data Subject is not considered a violation. Disclosure of information in accordance with the reasonable and applicable requirements of the law is not considered a violation of these obligations.
5. Consent to receive advertising information on telecommunication networks
5.1. Consent to receive newsletters / a subscription to receive advertising information, obtained by:
placing an order on the Website and in the Operator’s Application,
putting on the Site in the appropriate form a mark of consent to the processing of personal data in the amount, for the purposes and in the manner set out in the text offered for review before consent is obtained,
communicating personal data orally, when contacting the Call Center by phone during the ordering process,
means the Personal Data Subject’s consent to receive from the Operator and third parties engaged by the Operator via telecommunication networks (by the provided mobile phone number and email address) messages, including information of a commercial advertising nature (advertising) referred to in paragraph 1.8.2 of this Policy.
5.2. By giving the consent specified in paragraph 5.1 of this Policy, the Personal Data Subject confirms that it acts on its own will and in its interest, as well as the fact that the specified personal data are reliable.
6. Final provisions
6.1. This Policy is approved by order of the Director General of BABUSHKA.KITCHEN and enters into force on the date of its signing.
6.2. Changes and additions may be made to this Policy, which are approved by order of the General Director of BABUSHKA.KITCHEN.
6.3. The current version of the Policy is publicly available on the Internet at: BABUSHKA.KITCHEN and in the mobile application of the Operator.