Personal Data Processing Notice

(For Customers)

1. General

Yves Rocher (Thailand) Co., Ltd. (“Yves Rocher” or “the company”) acknowledges and respects that personal data is important to the data subjects (“customers” or “you”) and should be protected according to international standards and applicable laws. The company has implemented the protection of personal data as part of its social responsibility, ensuring that any personal data you provide will be managed with clarity, transparency, accuracy, and fairness.

As a data controller, the company has developed this notice to explain its management and processing of personal data in compliance with the Personal Data Protection Act B.E. 2562 (“the Act”). This notice will help you understand the principles, legal basis, purposes, details, and your rights as a data subject.

2. Scope

This notice shall apply to the processing of personal data for customers at the company’s retail stores.

3. Data and Types of Personal Data Collected by the Company

3.1) Personal Data Collected by the Company

The company may collect the following personal data from you:

(1) Personal Data means any information about a person that can directly identify you, or a combination of information that can indirectly identify you, but it does not include information about deceased individuals.

(2) Sensitive Personal Data means personal data that is classified as sensitive by the Act.

3.2) Types of Personal Data Collected by the Company

(1) General Personal Details: This includes your title, full name, gender, date of birth, information from your ID card (e.g., ID number, photo of the card, laser code on the back of the ID card; however, if the company receives a copy of your ID card for verification, it will not collect information about your race, nationality, or religion), survey feedback, complaints, suggestions, photos, video footage, telephone conversations, and data from CCTV.

(2) Membership Details: This includes your membership number, join date, termination or cancellation date of membership, accumulated points, points expiration date, and details about points redemption.

(3) General Contact Information: This includes your mailing address, address from your ID card, current address, address for product delivery or returns, email address, phone number, location data, and social media accounts like LINE ID, Facebook ID, or TikTok ID.

(4) Financial Information related to transactions with the company: This includes the date and time of the transaction, the store where the transaction occurred, the transaction amount, payment method (e.g., bank account name and number, partial credit/debit card information, PromptPay details), payment receipts, financial transaction slips, refund details, and other related financial information.

(5) Information about products or services you selected: This includes your treatment appointment date and time, rescheduling or cancellation of a service, the type and quantity of products, or the treatment services you purchased.

(6) Marketing Information: This includes your preference to receive or not receive marketing information, such as new products, promotions, discounts, or marketing activities from the company.

(7) Digital Data and data when connecting to the Yves Rocher website: This includes internet activity data, IP address, information about the device you use (e.g., computer, mobile phone, operating system), domain name, connection time, settings, or other device information, social media comments, and other information you have made public.

(8) Sensitive Personal Data: This includes information about your health, skin, hair, or facial condition, medical certificates, or medical history.

(9) Analytical Data: This includes data or statistics derived from processing or analyzing one or more data sets from points (1) to (8), which can identify you.

4. Collection and Processing of Personal Data

The company will collect personal data directly from you and/or indirectly from information you have provided to the company or to reliable third parties. The company will collect and process your personal data carefully, only as relevant and necessary under a legal basis that is appropriate for the context of your service usage. The company will obtain your explicit consent when required by law before collecting and processing your personal data.

5. Legal Basis and Purposes for Processing Personal Data

The company may collect, use, disclose, transfer, or process any personal data using the following lawful bases: (1) to prevent or suppress harm to a person’s life, body, or health, (2) when it is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract, (3) when it is necessary for the legitimate interests of the data controller or a third party, except where such interests are overridden by your fundamental rights to personal data, (4) to comply with a legal obligation of the data controller, and (5) with your consent.

The company may collect, use, disclose, or process your personal data as necessary using legal bases (1) to (4) for the following purposes:

  • To register you as a member, verify your identity, contact you about member benefits, and manage the membership system.
  • To communicate with you for treatment appointments, product delivery, or product returns, to process and update your information, provide after-sales service, consultations, advice, and assistance with product and service usage, and to handle complaints, feedback, and technical issues.
  • To prepare tax documents or other official documents for submission to government agencies as required by law.
  • To verify and prevent the loss of company and customer assets within the company’s retail stores.
  • To create statistical data and perform data analytics based on your interests and purchasing behavior, using either non-directly identifiable or directly identifiable information that does not overly infringe upon your rights and freedoms.
  • To survey feedback on service or product purchases, and to inspect, develop, or improve existing products or services to enhance their quality and efficiency, without overly infringing upon your rights and freedoms.
  • To allow participation in promotional events held at the company’s retail stores or other locations, including the use of photos, video recordings, and audio recordings from such events.
  • To assess and manage business risks and prevent fraud.
  • To prevent or suppress harm to a person’s life, body, or health.
  • To perform duties under a contract, agreement, or as required by law.
  • To use or disclose personal data to third parties as necessary to fulfill various purposes.
  • To use or transfer personal data to a foreign country with adequate personal data protection standards.
  • To improve the website to suit your interests.

If you are unable to provide the personal data that the company collects for any of the purposes above, it may prevent the company from performing the relevant service or activity. In some cases, your failure to provide personal data may also affect the company’s ability to comply with legal obligations and could result in penalties.

The company may collect, use, or disclose your personal data using legal basis (5) for the following purposes:

  • To offer products and services, promote marketing activities, and provide personalized marketing based on your interests or purchasing behavior. This includes special offers, discounts, and news about new products and services via SMS, phone calls, or the company’s official Line account. By adding the company’s official Line account, you agree to receive such messages. You can withdraw your consent at any time by unfriending the company in your friends list.
  • To collect, use, and disclose sensitive personal data, such as information about your health, skin, hair, or facial characteristics, medical certificates, or medical history.
  • To recommend products suitable for your skin, hair, or facial condition using medical analysis tools.
  • To transfer your personal data outside of Thailand to a destination country that does not have sufficient personal data protection standards.
  • The company will only collect, use, disclose, or transfer sensitive personal data abroad with your explicit consent.

If you have given consent for a specific purpose and later withdraw the consent, the withdrawal will not affect the collection, use, disclosure, and/or transfer of personal data and sensitive personal data that was processed with your consent before the withdrawal. You have the right to withdraw your consent at any time by contacting the email address in section 11.

However, the consequences of not providing or withdrawing consent may prevent you from using certain services, or you may not receive information, special offers, or discounts from the company.

6. Parties to whom the company may disclose or transfer your personal data

The company may disclose or transfer your personal data to third parties both within and outside of Thailand to achieve the purposes set by the company or required by law. The company will review and assess the data protection processes of the destination country and the external recipients to ensure adequate protection standards. You can read the privacy policies of these third parties for more information on their data processing methods. If the destination country does not have an equivalent level of protection, the company will implement measures to ensure the transfer is secure and that the recipient has an appropriate level of data protection, or as otherwise required by law. The company will also seek your consent if required by law before the transfer. Details of the parties to whom the company may disclose or transfer your personal data are in the Personal Data Disclosure Table at the end of this document.

7. Personal Data Retention Period

The company will retain your personal data with appropriate security measures for as long as necessary to achieve the stated purposes, such as throughout the duration of a contract with you. However, the company may need to retain your data for a longer period if required by law. For example, the company is legally obligated to retain tax documents, which contain some personal data, for 5 years from the date the accounts are closed or until the accounts are submitted.

8. Data Security Measures

The company will protect your personal data using appropriate technical and organizational measures to ensure the security of the data processing and prevent data breaches. These measures include restricting access to personal data to authorized staff and setting up procedures to prevent recipients from using or disclosing data for purposes other than what was specified, or without authority. The company also installs security software on all company computers, such as Forcepoint, CrowdStrike, E-mail filtering, PhishAlarm, and VIP O365 Protection.

Despite the company’s efforts to secure data with technical and human management tools, errors caused by the data subject themselves may still occur. Therefore, you should also stay informed about data theft prevention measures for your own smartphones or computers.

9. Review and Amendments

The company’s Data Protection Officer (DPO) will review this notice at least once a year, or whenever there are significant legal changes or additions, whichever comes first. This is to ensure the notice remains up-to-date. The company will announce any changes through appropriate channels before they take effect.

10. Your Rights Regarding Personal Data

The company respects the rights of data subjects as specified by the Personal Data Protection Act. These rights are as follows:

10.1) Right to Withdraw Consent

If you have provided consent for the company to process your personal data for any purpose, you have the right to withdraw that consent at any time while the company holds your data, unless there are legal restrictions on this right.

Note: Withdrawing your consent may prevent you from receiving certain benefits or prevent the company from performing activities for the stated purposes. For example, if you withdraw consent to receive marketing information, you may not receive news, promotions, discounts, or special benefits. The withdrawal of consent will not affect the collection, use, disclosure, or transfer of personal data and sensitive personal data that was already processed with your consent before the withdrawal.

10.2) Right to Access Personal Data

You have the right to request a copy of your personal data held by the company and to request an explanation of how that data was obtained.

10.3) Right to Data Portability

You have the right to request that the company transfer your personal data in a commonly used electronic format, unless it is technically unfeasible. This right is subject to legal conditions.

10.4) Right to Object to the Collection, Use, or Disclosure of Personal Data

You have the right to object to the processing of your personal data at any time by submitting an objection request. If you object, the company will review your request to determine if it is a valid legal right. However, the company will continue to process your data if it can demonstrate a legitimate reason that outweighs your fundamental rights, or if it is necessary to establish, exercise, or defend legal claims.

10.5) Right to Erasure or Destruction of Personal Data

You have the right to request the deletion or destruction of your personal data, or to make it non-identifiable, if you believe your data has been unlawfully processed, if the company no longer needs to retain it for the purposes of this notice, or if you have withdrawn your consent or objected to the processing as mentioned above.

10.6) Right to Restrict the Use of Personal Data

You have the right to request a temporary restriction on the use of your personal data while the company is verifying a request to rectify or object to the data. This right also applies if the company is no longer required to retain your data but you request a restriction on its use instead of deletion.

10.7) Right to Rectification

You have the right to request that your personal data be corrected to be accurate, current, complete, and not misleading.

10.8) Right to Lodge a Complaint

You have the right to lodge a complaint with the relevant legal authority if you believe the collection, use, and/or disclosure of your personal data violates or fails to comply with the relevant laws.

The company will make its best effort to fulfill your rights as a data subject within a reasonable time. The company will comply with all legal requirements related to data subject rights and reserves the right to charge any necessary and related fees for the exercise of these rights (if any).

11. Managing Your Rights or Inquiries Regarding Your Personal Data

If you wish to submit a request for the company to act on your rights or if you have any questions about the processing of your personal data under this notice, please contact:

Data Protection Officer (DPO)

Email: yrdpo-asia@yrnet.com; or

Address: Yves Rocher (Thailand) Co., Ltd.

188 Spring Tower, Rooms 1-3, 19th Floor, Phayathai Road, Thung Phayathai Subdistrict, Ratchathewi District, Bangkok 10400.

Process for Submitting a Request:

1. Send an email or registered letter with the subject line “Request for Data Subject Rights” or “Inquiry about Personal Data Processing Notice” and include your name, surname, and contact information.

2. For inquiries about the notice, the DPO will respond within 7 business days. For a rights request, the request will be forwarded to the data controller to verify your identity. The company may require you to send documents such as a copy of a government-issued ID (e.g., ID card, driver’s license) and other relevant documents to process the request.

3. The DPO will consider whether the request can be fulfilled, such as by assessing its reasonableness or any potential negative impact on others, or if there are legal grounds for refusal.

4. If the request meets the criteria, the DPO will proceed and notify you through the contact information provided in your request form.

5. If the request does not meet the criteria, the DPO will inform you through the provided contact information and state the reason for the refusal. You have the right to file a complaint with the regulator, and this will be noted in the letter informing you of the decision.

6. The process for fulfilling a rights request will not exceed 30 days from the date of receiving the complete request and supporting documents.

Appendix 1

Personal Data Disclosure Table

The company may disclose personal data to internal and external parties as necessary and in accordance with the stated purposes.

Internal Parties

(A) Different departments within the company and employees whose duties are related to personal data processing.

(B) The parent company located in France or affiliated companies.

External Parties

(A) Government agencies, regulators, or other entities required by law.

(B) Consulting firms, or companies providing legal, IT, banking, human resources, marketing, advertising, event organization, printing, logistics, warehousing, or external auditing services.

(C) Companies providing IT systems, cloud computing, or networking services, and external data processors.

(D) External auditors.

(E) The company’s business partners, such as marketplace platforms and hospitals.

(F) Other third parties.