
Privacy and Personal Data Protection Policy

 

Privacy and Personal Data Protection Policy (Updated: 27 September 2021)

7 key principles used in the Yves Rocher Personal Data Protection program

Yves Rocher (Thailand), as Data Controller under the Personal Data Protection Act B.E. 2562, is willing to take part in creating a society that is respectful of privacy. Given that, we have set up policies and internal control measures to ensure that the personal data of customers, employees and related persons is treated properly under the regulations, in accordance with the following principles:

1) Transparency, Fairness and Lawfulness: Personal data shall be processed with due care, in line with regulations

2) Purpose limitation: The data processing shall be limited to the given purpose only

3) Minimization principle: The data processing shall be based on necessity

4) Accuracy principle: The personal data must be accurate and updated

5) Retention principle: The personal data shall not be retained beyond the specified retention period

6) Integrity and Confidentiality principle: The personal data shall be kept under secure safeguarding measures

7) Accountability: Privacy and related measures shall be in place

Although your personal data has been well protected under our protection program, we will continue developing the program with utmost priority.

You can read the full Personal Data Protection policy here: https://www.yves-rocher.co.th/pws/homeoffice/tabs/privacy-policy

If you have any questions pertaining to the personal data protection policy or management, please contact our DPO (thinnavut.phoombanchoed@yrnet.com).


This privacy and personal data protection policy (the “Policy”) indicates how Yves Rocher (Thailand) Co., Ltd. (“Yves Rocher”) manages the Personal Data it collects from you, and also sets out your rights concerning your Personal Data.

In cases where a version of the Policy written in any other language is in conflict with the Thai version, the Thai version shall prevail. Yves Rocher reserves the right to amend, change, or add to the Policy. Any amendment shall take effect once you have been notified by Yves Rocher.

1. Collection of Personal Data

Personal Data means data concerning a person, which could identify the person, either directly or indirectly, but does not include data of deceased persons.

Yves Rocher will collect your Personal Data when you agree to accept this Policy by clicking “I agree to accept this Policy” when you are applying to be a member. If you are less than 20 years of age and have not become sui juris in other legal respects, you confirm that consent from your legal representative has been obtained.

For the purposes of the business operation, you are required to provide your Personal Data to Yves Rocher. If you do not provide your Personal Data, Yves Rocher will not be able to proceed with its obligations as set out in the contract entered into between you and Yves Rocher, and you will not be able to receive benefits in accordance with any contracts you entered into with Yves Rocher.

Your Personal Data which will be collected by Yves Rocher is as follows:

  • Full name;
  • Address;
  • Date of birth;
  • Sex;
  • Identification card number;
  • Passport number;
  • Photo(s);
  • Email;
  • Telephone number;
  • Bank account number;
  • Social Network Account details; and
  • Technical information on your computer, e.g., IP Address, log-in information, web browser, period of time spent on website, search engine results on website, other statistical information, cookies and web beacons.

Apart from the Personal Data collected directly from you, your Personal Data is collected by Yves Rocher from your usage of services as follows:

1. Registration application process

2. Voluntary surveys

3. Email correspondence or any other methods of communication between you and Yves Rocher

4. Your usage of Yves Rocher’s website through your browser’s cookies

5. Any communications between you and Yves Rocher’s Customer Service division

In addition, Yves Rocher may collect your Personal Data from other sources as follows:

1. Third party event organizers

2. Social media platforms, e.g., Facebook, Instagram, Twitter

3. Parent company and Yves Rocher’s affiliates

4. Yves Rocher’s business partners

5. Third parties who disclose data

Yves Rocher receives your Personal Data from other sources by way of:

1. Log-in information

2. Information entered in forms with respect to products and services   

3. Information gathered from third party event organizers that you have registered with

4. Information obtained from the Social media platforms as aforementioned

5. Information gathered from purchase orders

6. Information gathered from co-promotions

If your consent is required to be obtained at the time of collecting data or before collecting data, Yves Rocher will notify you of the collection of such Personal Data from such sources and ask for your consent within 30 days from the date of Personal Data collection.

In the case that you provide Yves Rocher with a third party’s Personal Data, you confirm that such third party has read this Policy and agrees to the collection, use, and disclosure of the Personal Data under this Policy.

2. Objectives and basis of processing Personal Data

Yves Rocher collects your Personal Data as aforementioned for the purpose of processing and using your Personal Data on the following basis:

2.1 Performance of contract

    • To process the information for the registration to be a member of Yves Rocher Social.
    • For communication and sending notifications between you and Yves Rocher.
    • To facilitate the Yves Rocher Social business operation, e.g., making compensation payments, determining the line (a network of associated consultants), using the services, providing after-sales services, or returning products.
    • To process payments for products and track the payment status thereof.
    • To deliver the products and process delivery status.

2.2 Consent

For the improvement of products, services and marketing, and for research, analysis, surveys and statisticalization thereof;

    • To publicize marketing information, sales promotions, details of Yves Rocher’s products, and activities, such as meetings, seminars and trainings;
    • To promote sales through social networks;
    • To conduct loyalty programs;
    • To organize trips for participants;
    • To improve Yves Rocher’s website and activities; and
    • To offer benefits, Yves Rocher’s products and services via telephone, messages, emails, or social media platforms for direct marketing purposes.

If you wish to withdraw your consent, you can do so by taking actions as per the details that appear in Clause 11 hereunder (Contact Yves Rocher). In this regard, the withdrawal of consent shall not affect the processing of Personal Data for which you have already given lawful consent. The consequences of withdrawing consent may include, but are not limited to, no longer receiving any related product campaigns or marketing promotions.

2.3 Necessity for legitimate interests of Yves Rocher

Yves Rocher collects your Personal Data to facilitate the risk management of Yves Rocher's operations, fraud prevention, arrangement of security measures for your property and Yves Rocher’s which is necessary to protect the legitimate interests of Yves Rocher, provided that such benefits are more essential than the basic rights of the data subject.

2.4 Compliance with the law

To comply with applicable laws or court orders, such as the Revenue Department, the Office of the Consumer Protection Board, the Royal Thai Police, Office of the Attorney General, Courts, etc., which may request Yves Rocher to share your Personal Data retained by Yves Rocher. Yves Rocher may be obliged to send your Personal Data to such government authorities.

3. Processing of Personal Data

Upon receipt of your Personal Data, Yves Rocher shall use your Personal Data as follows:

3.1 Collection of Personal Data

Yves Rocher shall collect and record the Personal Data, whether or not by automated means, in the form of electronic data on a server and/or on printed paper.

3.2 Use of Personal Data

Yves Rocher shall use the Personal Data by organization, structuring, storage, adaptation or alteration, retrieval, consultation, analysis, placement, restriction, deletion or destruction.

3.3 Disclosure or transfer of Personal Data

Yves Rocher may disclose, send, or transfer your Personal Data to third parties situated in Thailand and in a foreign country, which may have personal data protection standards lower than the standards set out under Thai laws, for the purposes set forth in this Policy. Yves Rocher shall request your consent before disclosing your Personal Data if personal data protection laws require that your consent must be obtained for the disclosure of such Personal Data. Details of third parties that Yves Rocher may disclose or transfer your Personal Data to are as follows:

3.3.1 Parent company and Yves Rocher’s affiliates

Yves Rocher may disclose your Personal Data to its parent company and affiliates.

3.3.2 Personal Data processors employed by Yves Rocher

Yves Rocher may hire other persons or companies to assist in the processing of Personal Data and/or process Personal Data on behalf of Yves Rocher for the purposes as informed to you by Yves Rocher. Yves Rocher shall disclose your Personal Data only as necessary for its operations as aforementioned. Yves Rocher shall enter into a data processing agreement with the data processor to ensure that the operation of the data processor is in compliance with personal data protection laws, that the data processor shall not process the Personal Data beyond the scope assigned by Yves Rocher, and that your Personal Data is secured in accordance with the standards put in place by Yves Rocher prior to the disclosure. The personal data processors may include the following: (1) technical and information technology service providers, including website developers and application developers which provide services to Yves Rocher; (2) warehouse and freight service providers; (3) survey, research or data analytics service providers; (4) advertising and marketing service providers; (5) telecommunications and communications service providers; (6) cloud storage and data center service providers; (7) storage, collection, and processing of personal data service providers; (8) statistical service providers; (9) maintenance and update of data and database service providers; and (10) personal data verification service providers, etc.

3.3.3 Business partners

Yves Rocher may disclose your Personal Data to Yves Rocher's business partners. Such business partners may be those that offer you products or services jointly with Yves Rocher, or Yves Rocher's business partners in various sectors that Yves Rocher did not jointly offer any products or services with; for example, finance and banking, payment systems, marketing, offline and online wholesaling and retailing, transportation of goods, survey, research and data analytics, and loyalty programs for members. In this regard, Yves Rocher shall request your consent before disclosing your Personal Data if personal data protection laws require that your consent must be obtained for the disclosure of such Personal Data.

3.3.4 Advisors and professionals in various fields

Yves Rocher may disclose your Personal Data to business consultants, including professionals in various fields for Yves Rocher's operations; such as lawyers and auditors, etc.

3.3.5 Individuals or entities as required by law

Yves Rocher may need to disclose your Personal Data to agencies that have legitimate authority to request data from Yves Rocher; such as, courts, legal officials who have authority over Yves Rocher, as well as disclose your Personal Data in order for Yves Rocher to be in compliance with the laws.

3.3.6 Transfer of your Personal Data overseas

Yves Rocher may disclose or transfer your Personal Data to companies or service providers abroad. In this regard, Yves Rocher shall proceed with caution and ensure that the companies or service providers abroad or the countries they are located in have sufficient personal data protection standards in place as required by the personal data protection law. If Yves Rocher discovers that the companies or service providers abroad or the countries they are located in have insufficient personal data protection standards, Yves Rocher shall take any actions as required by the personal data protection law before disclosing or transferring your Personal Data.

4. Processing period for Personal Data

Yves Rocher will retain your Personal Data for a period not exceeding 10 years from the date the legal relationship between you and Yves Rocher ends. Yves Rocher will only retain your Personal Data for the period that it is necessary to do so.

For the purposes of establishment of legal claims, compliance with or exercise of legal claims, defense of legal claims, or compliance with the law, Yves Rocher shall be entitled to retain your Personal Data as necessary.

Yves Rocher shall delete your Personal Data at the end of the retention periods as aforementioned, or within 30 days from the date on which you have requested the cancellation of your membership and the deletion of your Personal Data, or you have withdrawn your consent, or when the retention period based on the necessity ends, as the case may be. Yves Rocher shall delete your Personal Data from the server and destroy printed files that contain your Personal Data.

5. Retention of Personal Data

You acknowledge and agree that your Personal Data will be transferred in the form of electronic data for storage in a server located in a foreign country, which may have personal data protection standards lower than the standards set out under Thai laws and/or stored in the form of printed files at Yves Rocher.

6. Protection of Personal Data

6.1 Yves Rocher recognizes the importance of the protection of your Personal Data; therefore, Yves Rocher has put in place appropriate security measures to protect the Personal Data which are in line with confidentiality obligations concerning Personal Data in order to prevent data loss, or unauthorized or unlawful access, use, alteration, amendment or disclosure of Personal Data. Yves Rocher shall review such measures when necessary, or when the technology has changed, in order to ensure that these security measures remain applicable and sufficient. Yves Rocher shall comply with Yves Rocher’s policies and guidelines in relation to the protection of information technology which are in line with the standards set out by the Personal Data Protection Committee.
 

6.2 You should keep your User ID and Password confidential and not write down or record such information on any media or disclose the same to any person in order to ensure that you are the only person who is aware of such information. Yves Rocher does not have and will not introduce any policies that will ask for your User ID and Password. If you suspect that your User ID and/or Password may have been disclosed to third parties, lost or stolen or used to make an unauthorized transaction, please inform Yves Rocher immediately.

7. Cookies and how they are used

Cookies are information or small messages contained in your computer that are used to store details of your internet usage and website visiting behavior. Cookies are used on all websites of Yves Rocher for the following purposes:

7.1 Essential cookies are essential for the functionality and performance of the website. If you deactivate the essential cookies, you may not be able to use Yves Rocher’s website.

7.2 Preference cookies are cookies that recognize user settings; such as, language settings, locations, visiting history, etc.

7.3 Analytics cookies are cookies for tracking movements of the user on the website in order to improve the functionality of the website.

7.4 Advertising cookies are cookies which are used to present relevant products, services or advertising media so that Yves Rocher can present products, services or advertising media that match the user's interests.

You can set up the browser that you are using to block cookies that Yves Rocher has installed. However, each browser will have different settings for doing this.

8. Marketing activities and marketing campaigns

During the service period, Yves Rocher may send you information regarding marketing activities and marketing campaigns, and services which Yves Rocher considers you may be interested in, to benefit and complement the services provided to you. Once you have agreed to receive such information from Yves Rocher, you can withdraw your consent at any time by taking actions as per the details that appear in Clause 11 hereunder (Contact Yves Rocher).

9. Data subject’s rights

You, as the data subject, have the rights as set out in Attachment 1 attached hereto.

In exercising any rights of the data subject as stated in paragraph 1 above, Yves Rocher shall use its best endeavors to respond to the exercising of the right within a reasonable period, provided that it shall be no longer than the period specified by law. In this regard, Yves Rocher shall comply with the provisions of the law with respect to the rights of the data subject, and Yves Rocher reserves the right to charge any service fee that is necessary in connection with the exercising of the right (if any).

10. Data protection policies of other websites

This Policy is only applicable to Yves Rocher’s services and the use of Yves Rocher’s website. If you have clicked on a link to another website, even though the link to such other website is linked to Yves Rocher's website, you must examine and comply with the data protection policies of those websites separately.

11. Contact Yves Rocher

If you wish to submit a request to Yves Rocher in order to exercise any of your rights as stated in Clause 9, or you have any queries in relation to this Policy, please contact:


Yves Rocher (Thailand) Co., Ltd.

No. 539/2, Gypsum Metropolitan Tower, Floor 10, Si Ayutthaya Road, Phaya Thai Sub-district, Ratchathewi District, Bangkok Metropolis 10400

Telephone no.: 02 642 5210

Data Protection Officer (DPO)

No. 539/2, Gypsum Metropolitan Tower, Floor 10, Si Ayutthaya Road, Phaya Thai Sub-district, Ratchathewi District, Bangkok Metropolis 10400

Telephone no.: 064 552 2998

Email: Thinnavut.phoombanchoed@yrnet.com 

Attachment 1

Rights of the Data Subject

The data subject is entitled to:

1. Withdraw his or her consent for Yves Rocher to collect, use and disclose his or her Personal Data at any time, unless there is a restriction of the withdrawal of consent by law, or the contract which gives benefits to the data subject. However, the withdrawal of consent shall not affect the collection, use, or disclosure of Personal Data that the data subject has already given its consent for.

2. Request access to and obtain a copy of the Personal Data related to it, which is the responsibility of Yves Rocher, or request the disclosure of how its Personal Data was obtained without its consent.

3. Receive the Personal Data concerning him or her from Yves Rocher in the event that Yves Rocher arranges such Personal Data to be in a format that is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means. The data subject is also entitled to:

a) request Yves Rocher to send or transfer the Personal Data in such formats to other Data Controllers if it can be done by automatic means;

b) request to directly obtain the Personal Data in such formats that Yves Rocher sends or transfers to other Data Controllers, unless it is impossible to do so because of technical issues.

4. Object to the collection, use, or disclosure of the Personal Data concerning him or her, at any time, in the following circumstances:

a) where the Personal Data is collected with the exemption to consent requirements under the Personal Data Protection Act B.E. 2562 (2019) (including any amendment thereto), unless Yves Rocher can prove that:

(1) there are compelling legitimate grounds for the collection, use, or disclosure of such Personal Data;

(2) the collection, use, or disclosure of such Personal Data is carried out for the establishment, compliance or exercise of legal claims, or defense of legal claims;

b) the collection, use, or disclosure of such Personal Data is for the purpose of direct marketing;

c) the collection, use, or disclosure of the Personal Data is for the purpose of scientific, historical or statistical research, unless it is necessary for the performance of a task carried out in the public interest by Yves Rocher.

5. Request Yves Rocher to erase or destroy the Personal Data, or anonymize the Personal Data to become anonymous data which cannot identify the data subject, in the following circumstances:

a) The Personal Data is no longer necessary in relation to the purposes for which it was collected, used or disclosed;

b) The data subject withdraws its consent for the collection, use, or disclosure thereof, and thus Yves Rocher has no legal grounds for such collection, use, or disclosure;

c) The data subject objects to the collection, use, or disclosure of the Personal Data referred to in Clause 4 a) of the Attachment 1, and Yves Rocher cannot refuse such request as referred to in Clauses 4 a) (1) or 4 a) (2) of the Attachment 1, or where the data subject exercises his or her right to object as referred to in Clause 4 b) of the Attachment 1;

d) The Personal Data has been unlawfully collected, used, or disclosed in accordance with Chapter 3 of the Personal Data Protection Act B.E. 2562 (2019) (including any amendment thereto).

6. Request Yves Rocher to restrict the use of the Personal Data, where the following apply:

a) When Yves Rocher is under the examination process in accordance with the data subject's request pursuant to Clause 7 of Attachment 1;

b) When it is Personal Data that shall be erased or destroyed pursuant to Clause 5 d) of Attachment 1, but the data subject requests the restriction of the use of such Personal Data instead;

c) When it is no longer necessary to retain such Personal Data for the purposes of such collection, but the data subject requests the retention thereof for the purposes of the establishment, compliance, or exercise of legal claims, or the defense of legal claims;

d) When Yves Rocher is pending verification with regard to Clause 4 d) of Attachment 1, or pending examination with regard to Clause 4 c) of Attachment 1 in order to reject the objection request made by the data subject in accordance with the Personal Data Protection Act B.E. 2562 (2019) (including any amendment thereto).

7. Request Yves Rocher to ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading. If Yves Rocher does not take action regarding the request, Yves Rocher shall record such request of the data subject together with the reasons therefor, in accordance with Section 39 of the Personal Data Protection Act B.E. 2562 (2019) (including any amendment thereto).

8. File a complaint in the event that Yves Rocher or the Data Processor, including the employees or the service providers of Yves Rocher or the Data Processor violates or does not comply with the Personal Data Protection Act B.E. 2562 (2019) (including any amendment thereto) or notifications issued in accordance with this Act.