Privacy statement

Privacy statement

Last updated: 1 May 2022

Introduction

We value your privacy and rights to personal data protection and we are strongly committed to protecting your personal information.

As used in this privacy statement, ‘PwC’, ‘us’, and ‘we’ refer to the PricewaterhouseCoopers member firms in Thailand of the PricewaterhouseCoopers (PwC) global network of member firms. Each PricewaterhouseCoopers member firm is a separate legal entity which is explained further here www.pwc.com/structure.

This privacy statement is prepared primarily in line with the Personal Data Protection Act 2019 (PDPA). Personal data refers to any information relating to an identified or identifiable living person. When ‘you’ or ‘your’ are used in this privacy statement, we are referring to the relevant individual who is the subject of the personal data. This privacy statement describes what personal data we collect and use, and why and how we collect and use personal data. It also provides information about your rights in relation to personal data.

This privacy statement applies to personal data provided to us, both by individuals themselves or by others.

PwC’s clients Non clients  
  • Individual clients are any client who is an individual person
  • Corporate clients, include any authorised person, such as directors, legal representatives or staff/officers who act on behalf of a company.
  • Any person who isn’t classified under PwC’s clients, including but not limited to:
    • our vendors and sub-contractors, as individuals
    • job applicants
    • PwC employment alumni or trainees
    • business partners, as individuals
    • advisors, vendors, sub-contractors, customers, employees of our clients
    • any person authorised or has a business relationship with our client whose personal data is related to our services
  • Visitors of our websites and premises
  • Participants in our events, seminars or conferences including any corporate social responsibility activities
 

We may collect and use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.

 

1. Lawful basis we use for collecting and using personal data

We collect, use, store and disclose (collectively referred to as ‘use’) your personal data only on a necessary basis or with any of the following lawful bases.

Lawful basis Example of Description of use  
1.1 Contractual obligations
  • To perform our obligations either as data controller or data processor, by providing advice, services and deliverables in a wide range of professional services, such as audit, advisory, tax and legal services – e.g., we use payroll data as part of an audit or to provide tax and pensions services
  • To perform billing and collection of payments relating to our agreement with you
 
1.2 Compliance with laws, regulations and regulatory orders
  • To use your personal data to comply with PDPA
  • To comply with any applicable laws as well as those relating to PwC’s business operations, e.g., accounting professions, securities and exchange, anti-money laundering law and labour laws and orders imposed by government and regulators
 
1.3 Legitimate interest
  • To use your personal data where it’s necessary for the effective delivery of services, including information provided to you, and the lawful operation of our businesses, so long as it doesn’t interfere with your rights, freedom, and interest according to PDPA
  • To attract and secure the best talent to work with us
  • To use your personal data in developing and improving our businesses, services and offerings and in developing new PwC technologies and offers including performing client feedback and surveys
  • To use your personal data for client relationship management
  • To conduct risk and quality management, including any internal operations (e.g., client risk assessments, internal audits) including handling complaints and managing disputes
  • To monitor and prevent crime and misconduct, e.g., fraud, money laundering, insider trading, corruption or bribery
  • To use closed-circuit television (CCTV) to support crime and safety prevention
  • To record visuals and sound of all parts of events during the events, seminars, or conferences
 
1.4 Vital interest
  • To use your personal data on a lawful basis if it’s to prevent or suppress the danger to your life, body or health, or in the event where you are incapable of giving consent by whatever reason
 
1.5 Consent
  • To use your feedback to improve our services provided to you
  • To use your personal data for registration of events, seminars and conferences, and social corporate responsibility
  • To use your personal data providing you with information about us and our services, products, newsletters, industry updates and insights or any communications that promote our services and facilitate our business relationship with you
  • To transfer or cross-border transfer your sensitive personal data to affiliates, other PwC firms and to third parties who support our operations and data management system
  • To use the personal data of your immediate family members or children and incompetent person’s personal data for regulatory and policy compliance, and the registration of events, seminars and conferences, and social corporate responsibility

Remarks:

  • When no other lawful basis is available, we rely on your permission to allow us to collect and use your personal data in line with the PDPA
  • The explicit consent will be accepted by PwC if you allow us to collect and use your sensitive personal data
  • You as a data subject may withdraw your consent at any time
 

2. Types of personal data we may process

The personal data we may collect and use personal data, as the case may require, includes the following:

Type of personal data Examples of personal data  
Identification and authentication details Identification card, identification card photo, passport, driving licence and signatures  
Personal  Name, age, date of birth, gender, marital status, country of residence and nationality  
Contact  Email address, phone number, postal address  
Financial  Salary, payroll details, other income, banking details, investment, benefits, tax status, other financial interests  
Job  Role, grade, job title, experience, performance information, education, references and details of workplace  
Security CCTV, video recordings or photos  
Sensitive personal data Religion, health-related data such as COVID-19 screening results, biometric data or criminal records  
Devices and software information IP addresses and your device information (e.g., model and operating system)  
Other information Exchanges or communications between you and PwC in whatever form, including any information you have provided to PwC by different channels  

3. How we process personal data

We process personal data from the below sources for the purposes identified in this section.

  • 3.1    Provision of professional services
  • 3.2    Business contact information
  • 3.3    Marketing activities
  • 3.4    Job applications
  • 3.5    Vendors/subcontractors
  • 3.6    Closed-circuit television (CCTV) operations
  • 3.7    Visitor records
  • 3.8    Visitor to our website

3.1 Provision of professional services

We collect and use personal data only on a necessary basis from our clients, or with a lawful basis relating to the services provided to the clients (both corporate and individual clients), or from a third party to provide services under contract or as instructed by clients, or to use the personal data for the purposes of the services.

We also collect personal data from our clients or from third parties as instructed by the client for the provision of specific services, which may include personal data of individuals who don’t have a direct contractual relationship with us – e.g., staff or customers of the clients. For example, in a due diligence review for the acquisition of a target on behalf of a client, we may obtain personal data from the target’s management and employees or from a third party. When we do this, we ask our clients to provide the relevant information to the data subjects regarding its use.

As the case may require, we process personal data:

  • to provide a range of professional services
  • to administer, manage and develop our business and services, such as business development, client relationship management and IT system management
  • to carry out security monitoring, quality and risk management activities, such as carry out a public search to identify risks in connection with sanctions, anti-money laundering, criminal convictions or reputational issues
  • to comply with legal requirements, regulations or a professional body of which we are a member, such as keeping certain records or documentation of our service provision that may contain personal data
  • to improve and develop our services, such as using the personal data for analysis to improve services and develop technologies and service offerings, and
  • to provide our clients and prospective clients with information about us and our range of services.

We may collect and process sensitive personal data including biometric data, race and ethnicity for our client acceptance procedures, monitoring IT security, providing training, performing regulatory compliances, to ensure compliance to our independence policy and including for providing immigration and tax services, or an audit of a business organisation.

3.2 Business contact information

We collect, either directly or indirectly, and use business contact information obtained from existing and prospective clients, publicly available sources (e.g., social media websites), media/press contacts or participants in our events, seminars or conferences, and contractors and/or individuals associated with them. We also process personal data about business contacts using a customer relationship management system (the PwC CRM). In addition, the PwC CRM system may collect data from PwC emails and calendars about interactions between PwC users, contractors and third parties.

The personal data stated above includes the name, employer’s name, job title or other business contact details, such as phone numbers and email addresses.

We use this personal data to:

  • host and facilitate registration for participation in any events, seminars or conferences
  • develop and improve our business and services, including events, seminars or conferences
  • perform analytics such as relationship maps, sales intelligence and analysing and evaluating the strength of interactions between PwC and a contact
  • administer and manage IT systems, websites and applications
  • manage relationships with clients, media/press contacts or participants in our events, seminars or conferences, and
  • provide information about PwC and its services as permitted by law, such as offering services, sharing updates and insights, and invitations to events, seminars or conferences.

During events, seminars or conferences, we may record the visuals and sound from any part of the event in public areas on a lawful basis.

3.3 Marketing activities

Marketing includes any communications about PwC’s products and services such as newsletters or insights. This includes other marketing activities involved with third parties such as corporate social responsibility. In cases where we’re legally required to obtain your explicit consent, we’ll only provide you with marketing materials if you’ve provided your consent for us to do so.

We retain contact information, including the name and email address, on our mailing lists until an individual unsubscribes from our mailing lists. If you unsubscribe from our mailing list, we may retain enough limited information to identify you so that we can honour your opt-out request. If you want to unsubscribe from one of our mailing lists, you can follow the instructions in the relevant material sent to you.

You can, at any time, contact us to request we stop sending you marketing materials. If you choose to no longer receive certain communications, please identify which one in your request.

PwC doesn’t sell personal data to any party for the purposes of marketing their products and services. We may only be allowed to do so if we have received the explicit consent from the data subject.

3.4 Job applications

This section describes why and how we collect and use personal data in connection with our recruitment activities. We may obtain personal data from sources such as job applicants, recruiters, agencies or public websites with information provided by the job applicants.

We collect personal data, which may include sensitive personal data, in connection with our recruitment activities, including:

  • contact details – name, ID card, email address and phone number.
  • areas of employment interest.
  • username and password for the PwC Workday platform to apply for a role.
  • CV information, including experiences, work history, education and academic and professional qualifications.
  • information provided as part of interviews and assessments, including interview recordings and results.
  • assessment results and feedback from on-line assessment tests.
  • information about your financial interests, and
  • information from and about third-party sources, such as references from your named referees and information about them, and information received from previous employers for verification purposes.

If your application is successful, we perform pre-employment screening checks as part of our onboarding process. During these checks, we may collect:

  • pre-employment screening information, such as medical examination results
  • bank account details
  • your immediate family’s financial relationships, and
  • information about your criminal record, depending on your role.

We collect sensitive personal data, such as your criminal record, to comply with legal and contractual obligations to ensure that an individual is eligible to work for us and to check whether an applicant has committed unlawful acts or been involved in dishonesty, malpractice or other serious improper conduct.

We use your personal data to:

  • evaluate the suitability for a job role
  • process and manage applications for roles at PwC, evaluate you for open positions that match your interests and experience throughout the PwC network, manage your profiles, send email notifications and other announcements, request additional information including marketing and advertising opportunities, or otherwise to contact you about your candidacy
  • promote opportunities at PwC including when arranging, hosting and participating in events, for marketing and advertising opportunities and when using recruiters to help us find talent
  • hire and onboard talent by making an offer to successful applicants and carry out pre-employment screening checks
  • conduct statistical analyses and create reports
  • administer and manage our careers websites and communicate with you about careers at PwC, and
  • promote our events, seminars or conferences in which you may be interested.

3.5 Vendors or subcontractors

We collect and use personal data of vendors or subcontractors relating to contractual relationships or in relation to goods or services we obtain from vendors or sub-contractors. So, we may process the personal data of vendors or subcontractors based on business relationships we have with these people which may include personal data of any involved individuals. Also, we process the personal data of vendors or subcontractors as a part of our vendors or sub-contractors’ acceptance process. This includes background checks for crime prevention purposes and to ensure all of the parties involved will comply with the law and regulations regarding the goods or service provided to us. The personal data in this case may include their name, ID card, email address, telephone number, title, role or payment information.

3.6 Closed-circuit television (CCTV) operations

We use closed-circuit television (CCTV) to record the images or motions of visitors or staff in the common and office areas, or other necessary areas in the PwC offices. This includes collecting the personal data of individuals as part of these monitoring activities based on lawful and legitimate reasons around safety measures and crime prevention. The CCTV data are securely stored and only accessed on a need-to-know basis such as for inspections or investigating an incident.

We may disclose CCTV data to law enforcement agencies as requested and permitted by laws.

3.7 Visitor records

We collect and use personal data of our visitors to facilitate security practices, for building access or to use facilities in our office, including for COVID-19 screening. The personal information we collect includes the name, ID card, email address and telephone number of the visitor. Visiting our offices, your images and motions will be recorded by CCTV in common and office areas on a lawful and legitimate basis for security purposes.

3.8 Visitor to our website

We collect and use your personal data or information that you registered or provided through our website on a lawful basis in line with the PDPA. By using or accessing www.pwc.com/th, you agree to the terms of this privacy statement and our terms of use. If you don’t agree, please don’t continue accessing www.pwc.com/th. This privacy statement may change from time to time and your continued use of www.pwc.com/th is deemed as acceptance of those changes.

3.8.1 Data collection

For visitors to our website, we only collect personally identifiable information that’s specifically and voluntarily provided by visitors to PwC’s website. PwC receives limited identifiable information, such as name, title, company address, email address, IP addresses, telephone and fax numbers, from website visitors. Typically, this information may be collected when users:

  • register for certain areas of the site, e.g., newsletter subscriptions or information regarding marketing our products and services
  • register to request further information
  • distribute requested reference materials, and
  • submit resumes.

We don’t actively seek demographic information, including gender and occupation, but it may be recorded when a visitor responds to an online job application. It’s PwC’s policy to limit the information we collect to the minimum required by law and on a necessity basis to complete a visitor’s request.

Although most publications are offered as downloads, visitors may purchase PwC publications through other channels. In these cases, we collect the order information and personal data which includes the customer’s credit card information, email and addresses, where applicable. We do this to facilitate the payment and shipment of the publication.

Visitors can contact us by email through the site. Their message will contain the user’s screen name and email address, as well as any additional information which the user includes in the message. As we use the website as a recruiting tool, a visit to the website may be a channel for the visitor to send a resume to an individual in PwC.

PwC’s intention isn’t to seek any sensitive personal data through our website unless legally required for recruitment purposes. Sensitive personal data includes any data relating to, for example race or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, sexual orientation, or criminal records. You aren’t required to provide sensitive personal data of this nature unless it’s a requirement for the purpose for processing personal data. If you do choose to provide sensitive personal data for any reason, PwC accepts your explicit consent to use that sensitive personal data in the ways described in this privacy statement or as described at the point where you choose to disclose that information.

3.8.2 Use of data

A website visitor may choose to provide personal information to:

  • order publications
  • submit resumes or work history information
  • participate in ‘join our mailing list’ initiatives
  • participate in bulletin boards, discussions, or message forums
  • contact us for further information
  • enter quick surveys, quizzes, or benchmarking surveys
  • register for events, seminars, and conferences, and
  • register for premium online services.

If you’d like to find out more about the different categories of information collected, please find the data collection section above.

Information attained by the website is used only for the intended purpose stated at the time that the information is collected. This data isn’t shared with other entities in the network for secondary or unrelated purposes. Also, it isn’t shared with a third party unless otherwise disclosed at the point of collection, or as provided in the letter of engagement or terms of business, or documents of a similar nature. If there’s an instance where information may be shared, the visitor will be asked for permission beforehand.

Except for described in section 3.3 Marketing activities, above, where visitors are able to explicitly choose to receive specific PwC marketing materials, PwC won’t use personal data collected from our websites to facilitate unsolicited marketing activities.

3.8.3 Cookies and log files

We may use cookies on some pages of our site. For more information about cookies and log files, please click here.

3.8.4 Choices

Visitors aren’t required to register to gain access to areas of the PwC websites. In certain cases, in the future, as your PwC website experience expands, we may require visitors to register to obtain a username and password for authentication. This will secure access to a transaction or certain confidential business or proprietary information services on premium websites.

Personal data provided to PwC through its website is provided voluntarily by visitors. Should visitors subsequently choose to unsubscribe from a mailing list or any registrations, we’ll provide instructions in the appropriate website area or in communications to our visitors. Otherwise, a visitor may contact the webmaster of the site at th_dpo@pwc.com.

3.8.5 Access

Each visitor has the right of access to personal data they have submitted to PwC through the websites.

Visitors can update their information by going back through the registration process. Enquiries about the accuracy of identifying information previously submitted to PwC through its website, or requests to have outdated information removed, should be directed to th_dpo@pwc.com. PwC provides reasonable and practical access to visitors to allow them the opportunity to identify and correct any inaccuracies, which is in line with the PDPA. If requested, and if it’s practical to do so, PwC will delete identifying information from the current operating systems, as permitted by the PDPA.

When personal data is retained, PwC assumes responsibility for keeping an accurate record of the information once a visitor has submitted and verified the data. PwC won’t assume responsibility for verifying the ongoing accuracy of the personal information. When practically possible, if PwC is informed that any personal data collected through a website is no longer accurate, PwC will make appropriate corrections based on the updated information provided by the authenticated visitor.

3.8.6 Third-party’s website

PwC’s policy is to disclose information about third parties when visitors submit their requests. For example, when ordering a publication, we display the party fulfilling the order.

PwC websites don’t collect or compile personally identifying information for dissemination or sale to outside parties for consumer marketing purposes, or host mailings on behalf of third parties.

Our website, www.pwc.com/th, may link to other websites that don’t operate under PwC’s privacy practices. When you navigate to other websites, a third party’s privacy statement may apply. We encourage visitors to review each site’s privacy statement before disclosing any personally identifiable information.

4. Information security

PwC has implemented generally accepted standards of technology and operational security to protect personal data from loss, misuse, alteration or destruction. All PwC personnel follow a networkwide information security policy. Only authorised PwC personnel are provided with access to personally identifiable information. These personnel have agreed to ensure strict confidentiality of this information. PwC’s policy is to use secure sockets layer technology to protect credit card information submitted through web forms.

For the transfer of personal data, we use a range of measures to keep your personal data safe and secure which may include encryption and other forms of security. We require our staff and any third parties who carry out work on our behalf to comply with appropriate privacy standards. This includes obligations to protect any personal data and applying appropriate measures for the use and transfer of personal data.

5. Data retention

We retain the personal data that we process for as long as it’s considered necessary for the purposes for which it was collected and in line with PwC’s data retention policy and the applicable laws which include the PDPA. We won’t keep personal data for a period longer than we have a lawful basis to do so pursuant with any agreement, specified purposes or the PDPA on the necessity basis. However, the data retention period is aligned with the statute of limitations according to Thai law applied for the circumstance in which we may collect, use, store and disclose your personal data. Examples include the Civil and Commercial Code, and laws relating to securities and exchange, accounting, tax, labour, computer crime, anti-money laundering and anti-corruption. We have a policy that sets a standard for data retention. If we aren’t required to retain personal data, we’ll delete or destroy, or anonymise these data in line with the PDPA.

6. Children

PwC understands the importance of protecting children’s privacy, especially in an online environment. The PwC sites covered by this privacy statement aren’t intentionally designed for or directed at children. In practice, we don’t intentionally collect or use personal data of children under Thai Laws. In certain circumstances, we may collect the personal data of children for conducting activities having purposes related to regulatory and policy compliance, and the registration of events, seminars and conferences, and social corporate responsibility. If we do so, we’ll obtain consent in line with the PDPA.

7. Your legal rights about personal data

We only collect and use personal data to the extent permitted by applicable laws. You have a legal right to:

  • withdraw your consent for the collection and use of your personal data as permitted by law , at any time
  • access and request a copy of the personal data that we collect as a data controller, except if required by law, court orders or if the request will result in adverse effect on the rights and freedoms of others. In these cases, we may reject your request
  • request to receive information about your personal data that we collect and use as a data controller provided that the personal data is available in a readable format or in a format used by automatic devices. You may also request to transfer the personal data to another controller unless it isn’t technically possible to do so
  • object to the collection, use and disclosure of your personal data as permitted by law where we process your personal data on a basis of legitimate interest or for the purpose of direct marketing, unless we have a legal ground to reject your request
  • request we delete, destroy or anonymise your personal data as permitted by law. However, if legal grounds to reject your request have been established, we may reject your request
  • restrict personal data processing in circumstances permitted by law, such as when we assess your suitability as our client and you wish to rectify your personal data
  • request your personal data be amended or rectified where it’s inaccurate, e.g., if you change your address, and to have incomplete personal data completed.

To comply with the PDPA, when we obtain information to complete your request, we will fulfil the request from you without undue delay, not exceeding 30 days from the date of receiving the request.

8. Transfer of personal data

8.1 Cross-border transfers

Where necessary, the personal data PwC collects may be transferred to other individual PwC member firms in our worldwide network, government, regulatory agencies and/or professional bodies of which we are a member. We will only do this to:

(i)    achieve the purpose for which you have submitted the information including for services provided by other PwC member firms

(ii)    provide you with information at a later date that may be of relevance and interest to you based on the nature and purpose of your requests

(iii)    maintain our operations or client relationship management systems

(iv)    conduct quality and risk management reviews

(v)    support marketing activities, or

(vi)    comply with any legal requirements, regulations or a professional body of which we are a member.

Your personal information may also be transferred to third-party service providers who process information on PwC's behalf, including providers of IT, identity management, website hosting and management, data analysis, data back-up, and security and storage services. As a result, your personal information may be transferred outside Thailand.

If we transfer your personal data to other countries or to the destination countries that don’t have adequate data protection standards, we’ll proceed to transfer personal data by taking appropriate measures to ensure adequate data protection standards in line with the PDPA. We’ll also apply protection measures to these personal data where necessary and appropriate. 

Each firm in the PwC network is a separate legal entity. For a list of PwC firms, see:

www.pwc.com/gx/en/about/corporate-governance/legal-entities.html

For countries and regions in which PwC firms operate, see: www.pwc.com/gx/en/about/office-locations.html

8.2 Third-party providers’ transfer

We may transfer or disclose the personal data we collect to third-party contractors, subcontractors and/or their subsidiaries and affiliates if we have a lawful basis to do so in line with agreements or the PDPA. Third parties include those who support the PwC network to provide its services and help provide, run and manage IT systems. These include contractors who are providers of identity management, website hosting and management, data analysis, data backup, and security and cloud storage services. The servers powering and facilitating our IT infrastructure are located at secure data centres around the world, and personal data may be stored in any one of them.

The third-party providers may use their own third-party subcontractors that have access to personal data (sub-processors). It’s our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by PwC, and to flow those same obligations down to their sub-processors.

9. Other disclosure

We may also disclose personal data:

  • to advisers or business partners in connection with the services they have been engaged to provide
  • when explicitly requested by you
  • when required to deliver publications or reference materials requested by you
  • when required to facilitate conferences or events hosted by a third party, or
  • to law enforcement, regulatory and other government agencies and professional bodies in line with applicable laws or regulations. PwC may also review and use your personal information to determine whether disclosure is required or permitted.

10. Changes to this privacy statement

This privacy statement was last updated in May 2022.

We may update this privacy statement at any time by publishing an updated version here. For ease of identification, we’ll show the revision date at the top of this document whenever we make changes to this privacy statement. The amended privacy statement will apply from that revision date. So, we encourage you to review this privacy statement periodically to be accurately informed about how we are protecting your information. We reserve the right to update this privacy statement from time to time, at our discretion. We may use any appropriate means to inform you of any update as required by law, however we deem appropriate.

11. Contact us

Please submit a request to exercise your legal rights in relation to your personal data, or an enquiry if you have a question or complaint about the handling of your personal data. Fulfilling the request may take up to 30 days from the date of receipt of request based on the fact that the necessary information we ask from the data subject has been provided.

You may also contact us at:

The Data Protection Office

Email:th_dpo@pwc.com
Address: PwC Thailand: 15th Floor, Bangkok City Tower 179/74-80 South Sathorn Road, Thung Maha Mek, Sathon, Bangkok 10120 Thailand