Privacy Policy
Personal Data Protection Notice
Orico Auto Leasing (Thailand) Ltd.
Orico Auto Leasing (Thailand) Ltd. (the “Company”) is committed to operating in compliance with the Personal Data Protection Act B.E. 2562 (2019) and other related laws. Therefore, the Company has established this Personal Data Protection Policy (“Policy”) to inform data subjects about the purposes and details of the collection, use, and/or disclosure of personal data, as well as their various legal rights and effective and appropriate personal data management measures.
Article 1 Scope of Data Subjects
This Policy applies to all levels of employees of the Company. It aims to establish clear measures and practices for Personal Data protection. All employees are required to strictly adhere to this Policy within the framework of the law, as well as contracts, terms, and various products or services such as websites, applications, documents, or other services under the Company’s control (collectively, “Services”). This is to ensure that the Company’s management and processing of personal data is lawful, transparent, and secure.
Personal Data that may be processed or handled by the Company includes the Personal Data of the following “Data Subjects”:
1) Customers, lessees, loan applicants, other service applicants, guarantors, security providers who are natural persons, as well as inquirers and individuals who receive information about the Company’s products and/or services.
2) Permanent employees, probationary employees, temporary employees, expatriate employees, interns, and/or officers, staff, or employees of the Company, or job applicants who may be hired by the Company in the future.
3) Contacts, business partners, service providers, and individuals who build relationships with the Company, and sellers of goods to the Company who are natural persons.
4) Directors, authorized persons, representatives, agents, shareholders, partners, employees, personnel, or other individuals with similar relationships to legal entities associated with the Company, such as corporate clients, guarantors, security providers, partners, service providers, or users of the Company’s products or Services, including government agencies, state enterprises, or various organizations, etc.
5) Participants in the Company’s activities or projects, or users of the Company’s products or Services.
6) Visitors or users of websites, software, systems, applications, devices, platforms, social media accounts, or other communication channels controlled by the Company.
7) Other individuals related to the above Data Subjects, such as beneficiaries of insurance policies, spouses and/or domestic partners, children, parents, and siblings.
8) Other individuals from whom the Company collects Personal Data, such as contacts, payers, or vehicle occupants.
For Personal Data collected before the Personal Data Protection Act B.E. 2562 came into effect, the Company may continue to collect and use such data for its original purposes. However, disclosure and other actions beyond collection and use must comply with the Personal Data Protection Act B.E. 2562 and related laws.
Article 2 Collection of Personal Data
The Company collects Personal Data, such as personal details, information about personal life or interests, financial data, and Sensitive Data, as necessary and under lawful purposes. The sources and principles for collecting Personal Data are as follows:
2.1 Sources of Personal Data
The Company may obtain Personal Data from the following channels:
1) Directly from the Data Subject: Such as collecting Personal Data from application forms (both paper and online), questionnaires, job applications, signed contracts or documents, or when the Data Subject communicates with the Company through designated channels.
2) From the Data Subject’s use of websites, software, systems, applications, or platforms under a service agreement, such as tracking usage behavior on the Company’s websites, products, or Services using cookies or software on the Data Subject’s device.
3) From social media accounts or external user account providers with which the Data Subject has agreed or consented to disclose their Personal Data to the Company to link their external account with the Company’s Services. In this case, the Personal Data disclosed to the Company will be in accordance with the necessity and/or settings of the Data Subject under the privacy policy of that external service provider.
4) From sources other than the Data Subject directly, where the Company can lawfully collect from such sources or has obtained the Data Subject’s consent for disclosure to the Company. This includes searching public sources, government agency data, inquiring with third parties, or disclosures by affiliated companies, business partners, recruitment agencies, previous employers, and references, or third parties for the purposes specified in this Policy.
Examples of types of Personal Data that the Company may collect include:
| Type of Personal Data | Details and Examples |
|---|---|
| Data about Personal Identity | Prefix, first name, middle name, last name, alias, national identification card number or passport number or personal identification number, nationality, country of residence, house registration data, driver’s license data, visa data, signature, social security number, financial and health data, or other government document data that can identify an individual, application username and password, copy of national identification card including copies of other identification cards, copy of house registration, and including conversation records between the Data Subject and the Company, etc. |
| Data about Personal Characteristics | Date of birth, gender, height, weight, age, marital status, military conscription status, photograph, spoken language, behavioral data, preferences, data on bankruptcy status, data on status as an incapacitated or quasi-incapacitated person, etc. |
| Contact Information | Home phone number, mobile phone number, fax number, email, address according to important documents, current residential address, and address in the country of nationality, workplace, postal address, social media username (website/application accounts for Line, Facebook, Apple, Google, or Microsoft), map location of residence, proof of residency in Thailand, etc. |
| Employment, Education, and Business Ownership Data | Employment details, including work history, education, training, and participation in activities such as employment type, occupation, rank, position, duties, expertise, scope of responsibility, workplace, job tenure, organizational tenure, job function, job nature, work permit status, various professional licenses, reference person data, emergency contact person data, tax identification number, history of holding positions, work history, salary data, salary certificates, remuneration, length of service, start date, resignation date, work performance evaluation results, competence, skills, understanding of characteristics, aptitude, and potential, welfare and benefits, property in the possession of employees, work results, employee discipline (e.g., list of offending employees, employee disciplinary records, records of complaints from third parties), bank account number, educational institution, educational qualification, academic results, graduation date, learning and training history (e.g., certificates, training courses attended, training results, evaluation results of teaching), brief qualification history, language proficiency, computer skills, abilities, workplace entry/exit data, work time entry/exit data, shareholding proportion, and/or any other data on documents to confirm business operation (e.g., business premises lease agreement), commercial registration certificate, etc. |
| Insurance Policy Data | Details about insurance policies, such as insurer, insured, beneficiary, policy number, policy type, coverage limit, claim information, etc. |
| Social Relationship Data | Data Subject’s social relationship data, such as political status, holding political office, data on being a stakeholder in business conducted with the Company, family relationship data (e.g., parents, children, beneficiaries of various welfare benefits, emergency contacts, references). |
| Service Usage Data | Details about products or Services, such as username, password, PIN number, OTP code, computer traffic data, location data, photographs, videos, audio recordings, usage behavior data, search history, cookies or similar technologies, device number, device type, connection details, browser data, visited website history, access duration, language used, operating system used, etc. |
| Financial and Transactional Data | Data related to finances, financial status, or financial history, such as credit card number, bank account number, transaction history, loan repayment history, loan application data, supporting loan application data, approved credit limit, outstanding debt, transaction details and purpose of transaction, transaction reference number, transaction channels, payment history, income data, sources of income and expenses, data on salary certificates, payslips/bonus slips, or other proof of income, bank account statements, tax identification number, tax payment data, income tax returns, income statements, utility payment data, asset data, asset appraisal value, collateral data and documents proving collateral ownership, subscription data for channels, products, and/or Services, credit score data, credit bureau check results, provident fund data, power of attorney, etc. |
| Vehicle Data | Detailed information about vehicles and registration, such as vehicle registration number, engine number, vehicle registration data, GPS system data, etc. |
| Technical Data, Devices, or Tools | Application usage data, computer identification number, mobile phone identification number, cookies, device ID, machine identification number, universally unique identifier, tokens, symbols used in information technology systems for identification or access to various systems, model and type of device, network, connection data, access data, single sign-on (SSO) login data, logs, login data, access duration, usage and duration of application and website usage, search history, browsing data, time zone values, and location, browser plugin types and versions, operating systems and platforms, including other technologies on devices used by the Data Subject to access the platform, other technical data from platform and system usage. |
| Sensitive Data | Sensitive Data such as race, religious data, disability data, political opinion data, criminal records, biometric data (e.g., facial recognition data, fingerprint data), health data, etc. |
| Other Personal Data | Such as opinions, preferences, hobbies, marketing statistical analysis data of the Data Subject, requests for various rights, survey evaluation results, audio recordings, photographs, CCTV video data, telephone or electronic device conversations and communication data, registration data for bank activities, police reports, incident scene photos, etc. |
2.2 Principles for Personal Data Collection
1) The Company will only collect Personal Data that is necessary for its operations. The Company may have different purposes for Processing Personal Data depending on the case, such as:
| No. | Purpose | Details | Legal Basis |
|---|---|---|---|
| 1 | To act on the Data Subject’s request prior to entering into a contract and for the performance of a contract between the Company and the Data Subject | The use of Personal Data for the necessity of accessing Services or entering into a contract between the Data Subject and the Company, such as: |
| 2 | To verify identity or investigate to ascertain facts about an individual | Verifying the Data Subject’s identity before providing Services or entering into a contract by methods prescribed by the Company, or verifying identity for transactions, checking qualifications, status, accuracy of related data or documents, proving and confirming identity, including the Know Your Customer (KYC) process and fact-checking about customers and related individuals, as well as verifying that a signature belongs to the actual Data Subject, checking credit information, and/or requesting correction of credit information, checking for receivership or bankruptcy status, customer risk classification. |
| 3 | To respond to customer inquiries and provide assistance | Providing assistance to customers related to Services, such as providing information about updating customer data, service payments, debt payment history, or submitting requests for rights or various complaints. |
| 4 | To provide information about products, services, or marketing promotions | Offering or presenting products or Services, organizing marketing activities, sales promotions, special offers, recommendations, news, promotions, special privileges, benefits, and promotions by the Company to customers, including offering or presenting products or Services by group companies, affiliated companies, as well as business partners through contact channels received from customers, such as direct contact, contact via email, sending messages, and/or contact via telephone. |
| 5 | To develop and improve products and Services | Researching, analyzing, testing, developing, and improving products or Services, service channels such as systems, portals/websites, etc., communications, public relations, sales promotion activities, and marketing activities of the Company, including affiliated companies and group companies, to be better and more suitable for customer needs. |
| 6 | To contact, communicate, and deliver documents | Contacting, communicating, sending news, organizing meetings, organizing activities, delivering various documents or letters, managing responses to communications where the Data Subject contacts the Company, preparing media and advertising materials such as invitation letters to meetings, business operation reports, and others such as to answer questions, respond to the exercise of rights, or provide various opinions. |
| 7 | For data analysis | Analyzing data and preparing statistical data for various benefits under lawful purposes, such as internal organizational risk management, fraud prevention. |
| 8 | To inspect and improve information technology systems | Inspecting and improving the organization’s information technology systems to comply with international standards and related regulations, such as system security maintenance, information technology system audits, penetration testing. |
| 9 | To investigate and prevent unlawful acts | Investigating and taking any actions to prevent offenses under relevant laws, including security breaches affecting the Company and the Data Subject. |
| 10 | To comply with laws related to the Company | Complying with laws applicable to the Company’s business operations, such as complying with regulatory requirements, data storage for withholding tax purposes, customer due diligence as part of anti-money laundering law compliance, operations under credit information business law, debt collection law, consumer protection law. |
| 11 | To comply with court orders, regulatory agencies, or government agencies, or upon request by government agencies | Complying with laws and orders from courts, regulatory agencies, government agencies that the Company is required to comply with both in Thailand and abroad, including announcements and regulations issued under such laws, whether currently in force, to be amended, or to arise in the future, and/or for public benefit, including submitting and explaining data to law enforcement agencies or authorized government officials, or state organizations that may be involved in business operations, such as the National Anti-Corruption Commission, Royal Thai Police, Anti-Money Laundering Office, Bank of Thailand. |
| 12 | For the purpose of internal organizational administration | Various aspects of internal organizational administration, such as recruitment and appointment of directors, board meetings, payment of director remuneration, shareholder meetings, ensuring compliance with the Company’s good corporate governance principles and business ethics of affiliated and group companies, organizational risk management, internal supervision and audit of the Company, creation, storage, and review of customer systems or databases, prevention of internal fraud and anti-bribery, handling complaints, or managing legal violations or suspicious incidents. |
| 13 | For the purpose of human resource management | Human resource management and administration of the Company, including affiliated and group companies, such as personnel recruitment, employee hiring, facilitating employment work, assigning tasks, paying salaries, remuneration, and bonuses to employees and trainees, providing welfare benefits, evaluating work performance, competence, skills, understanding of characteristics, aptitude, or potential of employees, monitoring employee performance, timekeeping, leave requests, appointments, transfers, position changes, organizational restructuring, providing insurance for employees, operations related to the Social Security Office, personal income tax payments, withholding tax, skill development, labor relations, prevention of contagious diseases and epidemics, compliance with occupational safety, health, and environment laws, operations under partnership and company laws. |
| 14 | For the purpose of the Company’s transactions | The Company’s transactions related to business operations, such as asset buying and selling, procurement, sourcing funding for business operations both domestically and internationally, securitization, issuing legal debt instruments, business transfer. |
| 15 | For the purpose of establishing legal rights and litigation | Dispute resolution and legal proceedings, lawsuits, as well as acting on court summons, court orders, or arbitral awards. |
| 16 | For the purpose of debt collection | Contacting for debt collection, debt restructuring, asset tracing and seizure, tracking assets obtained by customers from the Company’s Services and regaining possession of the Company’s assets, debt sale and transfer of customer history to debt buyers, including reclaiming money, and conducting auction processes. |
| 17 | To protect the health and safety of life, body, and property | To protect the health and safety of life, body, and property of the Data Subject, the Company, or other individuals, such as installing CCTV cameras to prevent intrusion, property damage, committing crimes in the area, as well as supporting law enforcement agencies in investigating crimes, processes related to whistleblowing, collecting relevant evidence, and supporting the establishment of rights or raising defenses in legal proceedings. |
| 18 | For the purpose of Processing Sensitive Data | To collect, use, and/or disclose Sensitive Data for which the Company cannot rely on other legal bases, such as considering job applications for employment, checking qualifications, checking personnel criminal records, considering approval of leave for religious ceremonies, managing welfare for disabled persons, managing health welfare, identity verification, timekeeping, attending meetings, or accessing work areas. |
2) The Company will collect Personal Data only as necessary for the lawful purposes that have been informed to the Data Subject before or at the time of collecting Personal Data. The Company will explicitly request consent from the Data Subject before or at the time of collecting Personal Data, except in cases where the law allows the Company to collect Personal Data without requiring consent.
3) In cases where the Data Subject must provide Personal Data to comply with laws or contracts, or it is necessary to provide Personal Data to enter into a contract, or must provide data for any other reason, if the Data Subject does not provide such data, it may result in transactions or other activities related to the Data Subject being suspended or temporarily halted until the Company receives the Data Subject’s information. This is because the Company cannot process such data, or the law prohibits the continuation of such transactions or activities.
4) For Processing based on the Data Subject’s consent, if the Data Subject has not given consent, the Company will not process any Personal Data for which consent is required. The refusal to give consent by the Data Subject will not affect the entering into or performance of a contract between the Data Subject and the Company, or impact the Data Subject, except in cases where the law explicitly requires consent for Processing. Furthermore, the Data Subject can withdraw consent at any time and as easily as giving consent. However, such withdrawal of consent will not affect the legality of Processing carried out prior to the withdrawal.
5) For the collection of Sensitive Data, if it does not fall under legal exemptions, the Company will explicitly request consent from the Data Subject before or at the time of collecting such Sensitive Data, in accordance with the Company’s criteria and without violating the law. The Data Subject’s refusal to give consent may result in the inability to access certain Services for which no other legal basis can be used apart from explicit consent for Processing Sensitive Data.
In cases where the Company needs to use photographs and/or copies of the Data Subject’s national identification card for identity verification, and the national identification card may contain Sensitive Data such as religion, and as the Company does not intend to collect Sensitive Data from the Data Subject, the Company requests the Data Subject to redact that part of the information before submitting photographs and/or copies of the national identification card to the Company. If the Data Subject does not redact that part, the Company reserves the right to redact such Sensitive Data itself, which shall not be deemed as an alteration or amendment of the document in a manner likely to cause damage to any person, but it is not obligatory for the Company to do so.
6) Personal Data of minors, incapacitated persons, and quasi-incapacitated persons: In cases where the Company knows that Personal Data requiring consent for collection belongs to a Data Subject who is a minor, an incapacitated person, or a quasi-incapacitated person, the Company will not collect such Personal Data until consent is obtained from the parental authority authorized to act on behalf of the minor, or the guardian, or the curator, as the case may be, in accordance with the conditions prescribed by law.
In cases where the Company did not previously know that the Data Subject was a minor, an incapacitated person, or a quasi-incapacitated person, and later discovered that the Company had collected such Data Subject’s Personal Data without the consent of the parental authority authorized to act on behalf of the minor, or the guardian, or the curator, as the case may be, the Company will proceed to delete or destroy that Personal Data promptly if there are no other lawful grounds, apart from consent, for collecting, using, or disclosing such data.
Article 3 Use and Disclosure of Personal Data
3.1 Basic Principles
The Company’s use and disclosure of Personal Data are for purposes and operational principles consistent with Article 2.2 Principles for Personal Data Collection. The Company may disclose Personal Data as necessary to external entities or individuals with the Data Subject’s consent, unless done within the framework authorized by law. Personal Data may be disclosed to the following third parties, organizations, or government agencies:
1) Affiliated companies or group companies: Affiliated companies or group companies may collect, use, or disclose the Personal Data received for purposes related to their operations or services, subject to the privacy policy of such affiliated companies or group companies.
2) Contractors and service providers, such as developers of the Company’s infrastructure technology and/or systems, information technology service providers, technology support and security providers, digital identity verification providers, cloud computing and/or server providers, asset appraisal service providers, marketing service providers, document storage service providers, social media service providers, payment gateway providers, debt collection and asset tracking service providers, legal and litigation service providers, enforcement service providers, printing presses or printing service providers, document or parcel delivery service providers, vehicle registration service providers, telephone network signal and SMS delivery service providers, payroll service providers, employee welfare benefits providers, employee training service providers, survey service providers, residential accommodation providers, lecturers, event organizers, sponsors, owners of venues for meetings, training seminars, or various activities, online registration system providers.
3) The Company’s business partners, such as used car dealers, car distributors, companies in the automotive manufacturing group, companies in the banking and financial business group, companies in the insurance business group, companies in the e-commerce business group, companies in the car rental service group.
4) Credit information agencies.
5) Banks, financial institutions, financial service providers.
6) Government agencies with legal authority, such as the Anti-Money Laundering Office, National Anti-Corruption Commission, Office of the Narcotics Control Board, Office of the Consumer Protection Board, Office of Insurance Commission, Personal Data Protection Committee Office, Social Security Office, Department of Provincial Administration, Revenue Department, Legal Execution Department, courts, Department of Land Transport.
7) Councils, associations, agencies, or other organizations that are related or may be related to the Company’s business operations, such as the Bank of Thailand, Thai Hire-Purchase Business Association.
8) Consultants/experts, such as auditors, external auditors, legal advisors, tax advisors, data analysis consultants, or other consultants or experts as appropriate.
9) Prospective transferees of rights and/or transferees of rights in various transactions or mergers of the Company.
10) Any other third parties to achieve the purposes stated in this Policy.
For the list of affiliated companies, group companies, and business partners to whom the Company may disclose Personal Data for the marketing purposes of those affiliated companies, group companies, or business partners, Data Subjects can view the Company’s List of Business Partners to assist in deciding whether to give consent. In this regard, affiliated companies, group companies, or business partners can rely on the consent obtained by the Company.
3.2 Cookies
The Company collects and uses cookies and other similar technologies on websites under the Company’s supervision or on the Data Subject’s devices. This is for the purpose of ensuring security in the Company’s Services and providing users with convenience and a good experience when using the Company’s Services. These data will be used to improve the Company’s website to better meet the Data Subject’s needs. Data Subjects can configure or delete cookie usage themselves from their web browser settings. Further details are set out in the Cookies Policy.
Article 4 Retention Period of Personal Data
The Company will retain Personal Data for the following periods:
4.1 In accordance with the specific retention period or statute of limitations prescribed by law for Personal Data, such as the Accounting Act B.E. 2543 (2000), Anti-Money Laundering Act B.E. 2542 (1999), Computer-Related Crime Act B.E. 2550 (2007), Revenue Code.
4.2 In cases where the law does not specifically prescribe a retention period for Personal Data, the Company will determine the retention period based on the appropriate necessity for the Company’s operations.
Upon expiry of the retention period or when there is no longer a necessity for Processing, the Company will delete, destroy, or anonymize the Personal Data so that it cannot identify the Data Subject.
Article 5 Sending or Transferring Personal Data Abroad
The Company may send or transfer Personal Data collected from the Data Subject to affiliated companies, group companies, or any other service providers located outside Thailand, such as cloud computing service providers with platforms or servers located abroad (e.g., Singapore or Japan), Data Processors, Platform as a Service (PaaS) providers, etc., for the purposes defined in this Policy. The Company will take steps to ensure that such destination countries have adequate Personal Data protection standards and that the Data Subject’s rights can be enforced. The Company will also provide adequate data security measures for such sending or transferring of Personal Data.
However, in cases where the destination country does not have adequate Personal Data protection standards, the Company will take steps to ensure that such sending or transferring of Personal Data will have sufficient and appropriate Personal Data protection measures, consistent with the Personal Data Protection Act B.E. 2562 (2019) and related laws.
Article 6 Rights of the Data Subject
This Policy has been prepared to assure Data Subjects that they can exercise the following rights available under the Personal Data Protection Act B.E. 2562 (2019) and related laws.
6.1 Right to withdraw consent: The Data Subject has the right to withdraw consent for the Processing of Personal Data that the Data Subject has given to the Company, throughout the period that the Data Subject’s Personal Data is with the Company. The Company wishes to inform the Data Subject that, if the Data Subject withdraws consent, the Data Subject may lose certain benefits from the Company, affiliated companies, group companies, or business partners, and/or other individuals. Therefore, the Data Subject should study and inquire about the effects before withdrawing consent.
6.2 Right to access Personal Data: The Data Subject has the right to access their Personal Data and request the Company to make a copy of such Personal Data, including requesting the Company to disclose the acquisition of Personal Data for which the Data Subject did not give consent to the Company.
6.3 Right to rectification of Personal Data: The Data Subject has the right to request the Company to correct inaccurate or outdated data, or to complete incomplete data.
6.4 Right to erasure of Personal Data: The Data Subject has the right to request the Company to erase, destroy, or anonymize the Data Subject’s data for certain reasons.
6.5 Right to restriction of Personal Data Processing: The Data Subject has the right to restrict the use of their Personal Data for certain reasons.
6.6 Right to data portability: The Data Subject has the right to transfer their Personal Data held by the Company to another Data Controller or to themselves for certain reasons.
6.7 Right to object to Personal Data Processing: The Data Subject has the right to object to the Processing of their Personal Data for certain reasons.
However, the Company may refuse the exercise of the aforementioned rights by the Data Subject in accordance with the Company’s criteria, without violating the law.
Data Subjects can exercise the above rights by submitting a request to the Company through the Company’s contact channels. The Company will process the Data Subject’s request within 30 (thirty) days from the date the Company receives the request. In cases where the Company rejects the request, the Company will inform the Data Subject of the reasons for the refusal.
Data Subjects have the right to lodge a complaint with the Personal Data Protection Committee or a legally authorized government official if the Company, its Data Processor, employees, or contractors violate or fail to comply with the Personal Data Protection Act B.E. 2562 (2019) or related laws.
Article 7 Security Measures for Personal Data
The Company mandates appropriate Personal Data security measures, within the framework of system and data confidentiality, system and data integrity, and information technology availability, including system and data security, to prevent loss, unauthorized access, use, alteration, modification, or disclosure of Personal Data without authority or in violation of law. These measures are consistent with the Company’s information security policies, practices, and systems, which have considered the following issues:
7.1 Designing, developing, testing, and maintaining business support systems, service-related systems, and other systems to be flexible and secure for use, capable of preventing risks that may arise from intrusion or threats.
7.2 Defining the roles and responsibilities of stakeholders at all levels according to the principles of control, oversight, and auditing (3 Lines of Defense) to facilitate the maintenance of Personal Data security.
7.3 Controlling the storage of and access to Personal Data, with user rights management that is kept up to date and based on risk levels and necessity of use, including separating departments according to the Chinese wall principle to allow access to data only as necessary.
7.4 Testing, detecting, and resolving issues of abnormal access to Personal Data or inappropriate use of Personal Data, including reporting to management in cases where abnormal access or inappropriate use of Personal Data is detected.
7.5 Defining, retaining, destroying, and encrypting data according to its classification level to maintain the security of Personal Data.
7.6 Supervising and managing external service providers, agents, business support service providers, including affiliated companies, group companies, or business partners, in accessing, using, modifying, and changing Personal Data efficiently and securely.
7.7 Creating and promoting awareness among employees at all levels to understand the importance of Personal Data security.
In cases where the Company engages external entities or individuals to collect, use, or disclose Personal Data of the Data Subject, the Company will require such external entities or individuals to keep Personal Data confidential and maintain the security of such Personal Data, including preventing the collection, use, or disclosure of Personal Data for any other purpose that is not within the scope of engagement or violates the law.
Article 8 Links to External Websites or Services
The Company’s Services may include links to third-party websites or services, which may have Personal Data protection policies with content different from this Policy of the Company. Therefore, Data Subjects should study the Personal Data protection policies of such websites or services before using them. The Company is not affiliated with and has no control over the Personal Data protection measures of such websites or services and cannot be held responsible for the content, policies, damages, or actions arising from third-party websites or services.
Article 9 Services by Third Parties or Sub-processors
The Company may assign or procure third parties (Data Processors) to process Personal Data on behalf of or in the name of the Company. Such third parties may offer various services, such as hosting, outsourcing, cloud computing service providers, information technology system providers, artificial intelligence (AI) technology providers, or support services for the Company’s Services or internal management (e.g., vehicle registration operations, debt collection, providing data services to customers, preparing payslips, conducting surveys, analyzing customer data, etc.).
When assigning a third party to process Personal Data on behalf of the Company as a Data Processor, the Company will establish an agreement specifying the rights and duties between the Company and the assigned party. Such party, as a Data Processor, is obligated to process Personal Data only within the scope specified in the agreement and according to the Company’s instructions, and cannot process it for other purposes.
In cases where the Data Processor assigns a sub-service provider (sub-processor) to process Personal Data on behalf of or in the name of the Data Processor, the Company will instruct the Data Processor to arrange an agreement between the Data Processor and the sub-processor, in a format and standard no less than the agreement between the Company and the Data Processor.
Article 10 Policy Review and Update
The Company will review and update this Policy at least once a year or when significant changes occur that impact this Policy. In the event of any amendments, improvements, or changes to this Policy, the Company will publish the current version of this Policy on the Company’s website to inform Data Subjects.
Article 11 Contact Channels
| Details of the Data Controller | |
|---|---|
| Name: | Orico Auto Leasing (Thailand) Ltd. |
| Contact Address: | Head Office: 689 Bhiraj Tower at EmQuartier, 17th-18th Floor, Room No. 1702–1708, 1814 Sukhumvit Road, Klongton Nuea Subdistrict, Wattana District, Bangkok 10110. |
| Contact Channels: | Telephone: 02–026–5844 (Monday – Friday, 08:30 – 17:30 hrs.) Website: https://www.oalt.co.th/contactus/ |
| Information Channels: | LINE Official Account: @oalt Facebook: Orico Auto Leasing – Thailand Ltd. |
| Details of the Data Protection Officer | |
| Name: | Data Protection Officer Committee |
| Contact Address: | Head Office: 689 Bhiraj Tower at EmQuartier, 17th-18th Floor, Room No. 1702–1708, 1814 Sukhumvit Road, Klongton Nuea Subdistrict, Wattana District, Bangkok 10110. |
| Contact Channels: | Telephone: 02-026-5844 ext. 2500 Email: DPO@oalt.co.th |
This Personal Data Protection Notice was updated on 1 December 2025.