1. Principles and Rationale
With the advancement of information technology and the rapid development of communication systems, access to the collection, use, and disclosure of personal data has become easy, convenient, and fast, which may lead to damage to data owners. Additionally, following the Personal Data Protection Act B.E. 2562, published in the Royal Gazette on May 27, 2019, Hotel Once Bangkok announced the implementation of a Data Privacy Policy for use in the hotel and its affiliated businesses.
The hotel recognizes the importance of personal data protection, which is a fundamental right to privacy that must be protected under the Constitution of the Kingdom of Thailand and the Universal Declaration of Human Rights. No one shall be subjected to arbitrary interference with their privacy, family, home, or communications, nor to attacks upon their honor and reputation. Everyone has the right to legal protection against such interference or attacks, and to support and respect the protection of human rights as declared internationally, in accordance with the principles of the United Nations Global Compact. Senior Management Team (SMT). A personal data protection working group has been established, and policies and guidelines for the protection of personal data for the hotel have been proposed and developed. Therefore, the following policy has been announced as a basis for personal data protection.
2. Objective
This personal data protection policy is established to protect the personal data of data subjects who conduct transactions, use services, have an interest in, or are involved with the hotel, with the following objectives:
2.1 To define the roles and responsibilities of agencies, executives, and personnel involved with personal data.
2.2 To determine the procedures or security measures for the protection of personal data.
2.3 To establish guidelines for personnel's handling of personal data.
2.4 To build confidence in the security of personal data for hotel guests, hotel staff, and other individuals who have a vested interest in or are involved with personal data.
3. Scope of application
3.1 This announcement shall be effective for all levels of management and personnel, as well as hotel partners, service providers, and stakeholders.
3.2 Operations of Institutions Related to Personal Data
4. Definition
“Hotel” means Hotel Once Bangkok.
“Personal data” means information about an individual that allows for their identification, whether directly or indirectly, but does not include information about deceased persons.
“Sensitive personal data” means personal data that, if misused, could lead to unfair discrimination. This includes race, religion, sexual behavior, criminal history, health information, disabilities, genetic data, biometric data, or other information as defined by law.
“Personal data owner” means the individual who owns personal data, such as customers, network users, and hotel staff at Hotel Once Bangkok.
“Data controller” means the natural or legal person who has the authority to decide on the collection, use, or disclosure of personal data. In this case, it refers to the hotel, the responsible agency, and the personnel in charge of that personal data.
“Personal data processor” means a person or legal entity that processes the collection, use, or disclosure of personal data according to the instructions or on behalf of the personal data controller. In this case, it refers to external individuals or legal entities hired by the institution.
“Person” means a natural person.
“Incompetent person” means a person who is a minor, an incompetent person, or a quasi-incompetent person under the Civil and Commercial Code.
“Data Protection Officer (DPO)” means the person appointed by Hotel Once Bangkok to act as the Data Protection Officer in accordance with the Personal Data Protection Act B.E. 2562, and includes any other person appointed by the institution to perform the duties of a personal data protection officer under the said law.
“Data Protection Coordinator (DPC)” means the hotel manager or any other person designated by the hotel management to perform the duties.
“Personal Data Protection Working Group” means the working group established by the hotel management's appointment announcement/order, comprising representatives from management, information technology, human resources, and relevant departments, responsible for considering and issuing guidelines, requirements, or regulations regarding personal data protection within the hotel, in accordance with the Personal Data Protection Act B.E. 2562.
5. Personal Data Protection
5.1 Collection of Personal Data
The collection of personal data shall be carried out for purposes and to the extent necessary within the framework of the purpose or for benefits directly related to the purpose of collection, and the data controller shall inform the personal data owner before or at the time of collection of the following details:
1) Purpose of Collection
2) Retention period
3) Types of individuals or entities to whom personal data may be disclosed
4) Information or contact channels for the hotel
5) Rights of Personal Data Subjects
6) Inform about the consequences of not providing personal data, in cases where the data subject does not provide personal data as required by law or for the purpose of entering into or performing a contract.
However, consent from the data subject is not required in the following cases:
a) For public benefit, research, statistics, or legal compliance.
b) It is an action taken to prevent or mitigate harm to the life, body, or health of the personal data subject.
c) It is necessary to perform a contract or to take steps at the request of the data subject prior to entering into that contract.
d) It is necessary for the performance of a task carried out in the public interest or for the performance of a task assigned by the public sector, or for the legitimate interests of the data controller or of a person or entity other than the data controller, where such legitimate interests outweigh the fundamental rights of the data subject.
5.2 Collection of Personal Data of Persons with Disabilities
The collection of personal data from a minor for any purpose that the minor cannot perform alone as stipulated by the Civil and Commercial Code must be obtained with the consent of the person with parental authority or the minor's representative, except in cases where the minor is under 10 years of age, in which case only the consent of the person with parental authority or the minor's representative is required.
The collection of personal data from data subjects who are incompetent or quasi-incompetent requires consent from their guardian, conservator, or representative only.
5.3 Collection of Sensitive Personal Data
The hotel will not collect sensitive personal data unless it is necessary to do so, and explicit consent must be obtained from the data subject. This is accepted in cases where the law permits collection without consent.
5.4 Use or Disclosure of Personal Data
The use or disclosure of personal data must be for the purposes stated to the data subject before or at the time of collection, or is necessary for a purpose directly related to the purpose of collecting the personal data, and must be obtained with the consent of the data subject, except where the law does not require consent from the data subject or where it is in compliance with the law.
Any other natural or legal person who receives personal data from the data subject's consent to disclosure or who processes personal data must use the personal data only for the purpose agreed upon by the data subject with the hotel and as notified by that person or legal entity to the hotel.
6. Quality of personal data
The personal data collected must be accurate, up-to-date, complete, and not misleading. Channels must be provided for data subjects to request or correct their own personal data.
7. Roles, duties, and responsibilities
The hotel requires personnel or entities related to personal data to prioritize and be responsible for collecting, using, or disclosing personal data strictly in accordance with the hotel's personal data protection policies and practices. The following individuals or entities are designated to oversee and ensure that the hotel's operations are correct and comply with personal data protection policies and laws:
7.1 Personal Data Controller
7.1.1 Implement appropriate measures for the security and safety of personal data and review these measures regularly to ensure their effectiveness and keep pace with changing technology.
7.1.2 Define the scope of personal data management disclosed to other individuals or legal entities.
7.1.3 Establish a system to audit the handling of personal data in accordance with legal requirements.
7.1.4 Record personal data entries as required by law.
7.1.5 Enter into an agreement with personal data processors, legal entities, or any other third parties, if personal data is disclosed to hired data processors, legal entities, or any other third parties. The data processors, legal entities, or third parties must have security measures in place, and the collection, use, and disclosure of personal data must comply with this policy and the Personal Data Protection Act B.E. 2562 (2019).
7.2 Processing of Personal Data
7.2.1 Process the collection, use, or disclosure of personal data in accordance with instructions received from the data controller.
7.2.2 Implement appropriate measures to ensure the security of personal data.
7.2.3 Maintain and store records of personal data processing activities.
7.3 Data Protection Officer
7.3.1 Provide guidance on various aspects related to personal data protection to hotel management, employees, and the hotel network.
7.3.2 Monitor the operations of personal data controllers and personal data processors.
7.3.3 Coordinate and cooperate with the Office of the Personal Data Protection Committee in case of issues related to the collection, use, or disclosure of personal data of the institution and hotel network.
7.4 "Data Protection Coordinator" (DPC)
7.4.1 Coordinate and cooperate with the Data Protection Officer (DPO) in case of issues related to the collection, use, or disclosure of personal data of the institution and the hotel network.
7.4.2 Report personal data breaches that occur at the hotel to the Data Protection Officer (DPO).
7.5 Governance and Sustainability Units
7.5.1 Develop and review the personal data protection policy to ensure it is complete and accurate as required by law.
7.5.2 Provide legal advice on personal data protection.
7.5.3 Report on the operations of various institute units, network units, and hotel personnel to the Senior Management Committee (SMC).
7.6 Risk Management Unit
7.6.1 Evaluate the risks and risk management plans in the hotel's personal data management process.
7.6.2 Oversee the various departments of the hotel, network entities, and institutional personnel to ensure they operate in accordance with the institution's personal data protection policies and practices.
7.6.3 Report risks to Senior Management (SMT).
7.7 Internal Audit Department
7.7.1 Check the work of those involved with personal data.
7.7.2 Review and evaluate the effectiveness of the personal data protection system.
7.7.3 Report the audit results to the hotel's audit committee.
8. Personal Data Management in Public Relations
In any public relations work involving the use of personal and sensitive personal data, hotel staff must be aware of this personal data protection policy and follow appropriate personal data request practices. Researchers must ensure that the principles of fairness, transparency, and accuracy are adhered to in accordance with the Personal Data Protection Act B.E. 2562 (2019).
9. Security
For the purpose of maintaining the confidentiality and security of personal data, the institution has implemented the following measures:
9.1 Define the rights to access, use, disclose, and process personal data. Users must be aware of and exercise caution when using data, protecting, maintaining, and preserving its confidentiality and accuracy, whether the data comes from the hotel's information systems or external sources. This includes the display or verification of personal identities by those accessing or using personal data. Security measures must be implemented, and users are prohibited from secretly copying, altering, or deleting data, text, documents, or any other property belonging to others or internal hotel departments without authorization. This also includes the process of reviewing and evaluating the effectiveness of such security measures. If a user violates these terms, they will be subject to disciplinary action. If the violation constitutes an offense under the Computer-Related Crimes Act B.E. 2560, users will be prosecuted according to the law. This is strictly in accordance with the hotel's information policy.
9.2 When sending or transferring personal data abroad, including storing personal data in any other database not managed by the hotel, the data recipient or service provider must implement data protection measures equivalent to or better than those outlined in this policy.
9.3 In the event of a violation of the hotel's security measures or the use of information systems not under the hotel's responsibility, resulting in the unauthorized disclosure of personal data by any individual, the head of the unit who becomes aware of the incident must immediately notify the personal data coordinator to inform the personal data protection officer within 48 hours of becoming aware of the incident, as far as possible. If the violation poses a risk to the rights and freedoms of the personal data owner, the hotel will promptly notify the data owner of the violation and the proposed remedies. However, the hotel will not be liable for any damages resulting from the intentional, negligent, or reckless disregard of security measures by the personal data owner or any other individual with the owner's consent, leading to the use or disclosure of personal data to third parties or any other individuals.
10. Rights of Personal Data Subjects
Data subjects have the right to request access to their personal data, obtain copies, withdraw consent, object to the collection, use, or disclosure, request deletion, destruction, or suspension of use, correct data to be up-to-date, complain, or request the transfer of their personal data to another data controller, unless this affects the rights and freedoms of others, is performed for public benefit or in accordance with the law, or is for market promotion. This is in accordance with the Personal Data Protection Act B.E. 2562 (2019).
11. Complaints, Reporting
In the event of suspected or believed personal data breaches, complaints, or the exercise of personal data subjects' rights under this policy or the Personal Data Protection Act B.E. 2562, the hotel can be contacted at 2074/99 Charoenkrung RD Soi 72/2, Wat Phrayakrai, Bangkorlaem, Bangkok 10120, Thailand, +66 (0) 2-688-2596.
12. Education
The hotel provides education and assessment on personal data protection laws to managers and staff at all levels. In this regard, employees are required to participate in training, and employees in departments handling personal data are strictly required to attend training.
13. Policy Review
The hotel will review this policy at least once a year or if the law changes or is amended.
14. Penalties
Where the data controller, data processor, or person responsible for any specific operation within their duties neglects or fails to issue instructions, take action, or acts in any way within their duties that violates personal data policies and practices and/or the Personal Data Protection Act B.E. 2562, resulting in legal violations and/or damage, the person responsible shall be subject to disciplinary action under the hotel's regulations and legal penalties based on the nature of the offense. Furthermore, if such offense causes damage to the hotel and/or any other party, the institution may consider pursuing further legal action.