Last updated: 1 May 2022
We value your privacy and rights to personal data protection and we are strongly committed to protecting your personal information.
As used in this privacy statement, ‘PwC’, ‘us’, and ‘we’ refer to the PricewaterhouseCoopers member firms in Thailand of the PricewaterhouseCoopers (PwC) global network of member firms. Each PricewaterhouseCoopers member firm is a separate legal entity which is explained further here www.pwc.com/structure.
This privacy statement is prepared primarily in line with the Personal Data Protection Act 2019 (PDPA). Personal data refers to any information relating to an identified or identifiable living person. When ‘you’ or ‘your’ are used in this privacy statement, we are referring to the relevant individual who is the subject of the personal data. This privacy statement describes what personal data we collect and use, and why and how we collect and use personal data. It also provides information about your rights in relation to personal data.
This privacy statement applies to personal data provided to us, both by individuals themselves or by others.
|PwC’s clients||Non clients|
We may collect and use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.
1. Lawful basis we use for collecting and using personal data
We collect, use, store and disclose (collectively referred to as ‘use’) your personal data only on a necessary basis or with any of the following lawful bases.
|Lawful basis||Example of Description of use|
|1.1 Contractual obligations||
|1.2 Compliance with laws, regulations and regulatory orders||
|1.3 Legitimate interest||
|1.4 Vital interest||
2. Types of personal data we may process
The personal data we may collect and use personal data, as the case may require, includes the following:
|Type of personal data||Examples of personal data|
|Identification and authentication details||Identification card, identification card photo, passport, driving licence and signatures|
|Personal||Name, age, date of birth, gender, marital status, country of residence and nationality|
|Contact||Email address, phone number, postal address|
|Financial||Salary, payroll details, other income, banking details, investment, benefits, tax status, other financial interests|
|Job||Role, grade, job title, experience, performance information, education, references and details of workplace|
|Security||CCTV, video recordings or photos|
|Sensitive personal data||Religion, health-related data such as COVID-19 screening results, biometric data or criminal records|
|Devices and software information||IP addresses and your device information (e.g., model and operating system)|
|Other information||Exchanges or communications between you and PwC in whatever form, including any information you have provided to PwC by different channels|
3. How we process personal data
We process personal data from the below sources for the purposes identified in this section.
3.1 Provision of professional services
We collect and use personal data only on a necessary basis from our clients, or with a lawful basis relating to the services provided to the clients (both corporate and individual clients), or from a third party to provide services under contract or as instructed by clients, or to use the personal data for the purposes of the services.
We also collect personal data from our clients or from third parties as instructed by the client for the provision of specific services, which may include personal data of individuals who don’t have a direct contractual relationship with us – e.g., staff or customers of the clients. For example, in a due diligence review for the acquisition of a target on behalf of a client, we may obtain personal data from the target’s management and employees or from a third party. When we do this, we ask our clients to provide the relevant information to the data subjects regarding its use.
As the case may require, we process personal data:
We may collect and process sensitive personal data including biometric data, race and ethnicity for our client acceptance procedures, monitoring IT security, providing training, performing regulatory compliances, to ensure compliance to our independence policy and including for providing immigration and tax services, or an audit of a business organisation.
3.2 Business contact information
We collect, either directly or indirectly, and use business contact information obtained from existing and prospective clients, publicly available sources (e.g., social media websites), media/press contacts or participants in our events, seminars or conferences, and contractors and/or individuals associated with them. We also process personal data about business contacts using a customer relationship management system (the PwC CRM). In addition, the PwC CRM system may collect data from PwC emails and calendars about interactions between PwC users, contractors and third parties.
The personal data stated above includes the name, employer’s name, job title or other business contact details, such as phone numbers and email addresses.
We use this personal data to:
During events, seminars or conferences, we may record the visuals and sound from any part of the event in public areas on a lawful basis.
3.3 Marketing activities
Marketing includes any communications about PwC’s products and services such as newsletters or insights. This includes other marketing activities involved with third parties such as corporate social responsibility. In cases where we’re legally required to obtain your explicit consent, we’ll only provide you with marketing materials if you’ve provided your consent for us to do so.
We retain contact information, including the name and email address, on our mailing lists until an individual unsubscribes from our mailing lists. If you unsubscribe from our mailing list, we may retain enough limited information to identify you so that we can honour your opt-out request. If you want to unsubscribe from one of our mailing lists, you can follow the instructions in the relevant material sent to you.
You can, at any time, contact us to request we stop sending you marketing materials. If you choose to no longer receive certain communications, please identify which one in your request.
PwC doesn’t sell personal data to any party for the purposes of marketing their products and services. We may only be allowed to do so if we have received the explicit consent from the data subject.
3.4 Job applications
This section describes why and how we collect and use personal data in connection with our recruitment activities. We may obtain personal data from sources such as job applicants, recruiters, agencies or public websites with information provided by the job applicants.
We collect personal data, which may include sensitive personal data, in connection with our recruitment activities, including:
If your application is successful, we perform pre-employment screening checks as part of our onboarding process. During these checks, we may collect:
We collect sensitive personal data, such as your criminal record, to comply with legal and contractual obligations to ensure that an individual is eligible to work for us and to check whether an applicant has committed unlawful acts or been involved in dishonesty, malpractice or other serious improper conduct.
We use your personal data to:
3.5 Vendors or subcontractors
We collect and use personal data of vendors or subcontractors relating to contractual relationships or in relation to goods or services we obtain from vendors or sub-contractors. So, we may process the personal data of vendors or subcontractors based on business relationships we have with these people which may include personal data of any involved individuals. Also, we process the personal data of vendors or subcontractors as a part of our vendors or sub-contractors’ acceptance process. This includes background checks for crime prevention purposes and to ensure all of the parties involved will comply with the law and regulations regarding the goods or service provided to us. The personal data in this case may include their name, ID card, email address, telephone number, title, role or payment information.
3.6 Closed-circuit television (CCTV) operations
We use closed-circuit television (CCTV) to record the images or motions of visitors or staff in the common and office areas, or other necessary areas in the PwC offices. This includes collecting the personal data of individuals as part of these monitoring activities based on lawful and legitimate reasons around safety measures and crime prevention. The CCTV data are securely stored and only accessed on a need-to-know basis such as for inspections or investigating an incident.
We may disclose CCTV data to law enforcement agencies as requested and permitted by laws.
3.7 Visitor records
We collect and use personal data of our visitors to facilitate security practices, for building access or to use facilities in our office, including for COVID-19 screening. The personal information we collect includes the name, ID card, email address and telephone number of the visitor. Visiting our offices, your images and motions will be recorded by CCTV in common and office areas on a lawful and legitimate basis for security purposes.
3.8 Visitor to our website
3.8.1 Data collection
For visitors to our website, we only collect personally identifiable information that’s specifically and voluntarily provided by visitors to PwC’s website. PwC receives limited identifiable information, such as name, title, company address, email address, IP addresses, telephone and fax numbers, from website visitors. Typically, this information may be collected when users:
We don’t actively seek demographic information, including gender and occupation, but it may be recorded when a visitor responds to an online job application. It’s PwC’s policy to limit the information we collect to the minimum required by law and on a necessity basis to complete a visitor’s request.
Although most publications are offered as downloads, visitors may purchase PwC publications through other channels. In these cases, we collect the order information and personal data which includes the customer’s credit card information, email and addresses, where applicable. We do this to facilitate the payment and shipment of the publication.
Visitors can contact us by email through the site. Their message will contain the user’s screen name and email address, as well as any additional information which the user includes in the message. As we use the website as a recruiting tool, a visit to the website may be a channel for the visitor to send a resume to an individual in PwC.
PwC’s intention isn’t to seek any sensitive personal data through our website unless legally required for recruitment purposes. Sensitive personal data includes any data relating to, for example race or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, sexual orientation, or criminal records. You aren’t required to provide sensitive personal data of this nature unless it’s a requirement for the purpose for processing personal data. If you do choose to provide sensitive personal data for any reason, PwC accepts your explicit consent to use that sensitive personal data in the ways described in this privacy statement or as described at the point where you choose to disclose that information.
3.8.2 Use of data
A website visitor may choose to provide personal information to:
If you’d like to find out more about the different categories of information collected, please find the data collection section above.
Information attained by the website is used only for the intended purpose stated at the time that the information is collected. This data isn’t shared with other entities in the network for secondary or unrelated purposes. Also, it isn’t shared with a third party unless otherwise disclosed at the point of collection, or as provided in the letter of engagement or terms of business, or documents of a similar nature. If there’s an instance where information may be shared, the visitor will be asked for permission beforehand.
Except for described in section 3.3 Marketing activities, above, where visitors are able to explicitly choose to receive specific PwC marketing materials, PwC won’t use personal data collected from our websites to facilitate unsolicited marketing activities.
3.8.3 Cookies and log files
Visitors aren’t required to register to gain access to areas of the PwC websites. In certain cases, in the future, as your PwC website experience expands, we may require visitors to register to obtain a username and password for authentication. This will secure access to a transaction or certain confidential business or proprietary information services on premium websites.
Personal data provided to PwC through its website is provided voluntarily by visitors. Should visitors subsequently choose to unsubscribe from a mailing list or any registrations, we’ll provide instructions in the appropriate website area or in communications to our visitors. Otherwise, a visitor may contact the webmaster of the site at firstname.lastname@example.org.
Each visitor has the right of access to personal data they have submitted to PwC through the websites.
Visitors can update their information by going back through the registration process. Enquiries about the accuracy of identifying information previously submitted to PwC through its website, or requests to have outdated information removed, should be directed to email@example.com. PwC provides reasonable and practical access to visitors to allow them the opportunity to identify and correct any inaccuracies, which is in line with the PDPA. If requested, and if it’s practical to do so, PwC will delete identifying information from the current operating systems, as permitted by the PDPA.
When personal data is retained, PwC assumes responsibility for keeping an accurate record of the information once a visitor has submitted and verified the data. PwC won’t assume responsibility for verifying the ongoing accuracy of the personal information. When practically possible, if PwC is informed that any personal data collected through a website is no longer accurate, PwC will make appropriate corrections based on the updated information provided by the authenticated visitor.
3.8.6 Third-party’s website
PwC’s policy is to disclose information about third parties when visitors submit their requests. For example, when ordering a publication, we display the party fulfilling the order.
PwC websites don’t collect or compile personally identifying information for dissemination or sale to outside parties for consumer marketing purposes, or host mailings on behalf of third parties.
Our website, www.pwc.com/th, may link to other websites that don’t operate under PwC’s privacy practices. When you navigate to other websites, a third party’s privacy statement may apply. We encourage visitors to review each site’s privacy statement before disclosing any personally identifiable information.
4. Information security
PwC has implemented generally accepted standards of technology and operational security to protect personal data from loss, misuse, alteration or destruction. All PwC personnel follow a networkwide information security policy. Only authorised PwC personnel are provided with access to personally identifiable information. These personnel have agreed to ensure strict confidentiality of this information. PwC’s policy is to use secure sockets layer technology to protect credit card information submitted through web forms.
For the transfer of personal data, we use a range of measures to keep your personal data safe and secure which may include encryption and other forms of security. We require our staff and any third parties who carry out work on our behalf to comply with appropriate privacy standards. This includes obligations to protect any personal data and applying appropriate measures for the use and transfer of personal data.
5. Data retention
We retain the personal data that we process for as long as it’s considered necessary for the purposes for which it was collected and in line with PwC’s data retention policy and the applicable laws which include the PDPA. We won’t keep personal data for a period longer than we have a lawful basis to do so pursuant with any agreement, specified purposes or the PDPA on the necessity basis. However, the data retention period is aligned with the statute of limitations according to Thai law applied for the circumstance in which we may collect, use, store and disclose your personal data. Examples include the Civil and Commercial Code, and laws relating to securities and exchange, accounting, tax, labour, computer crime, anti-money laundering and anti-corruption. We have a policy that sets a standard for data retention. If we aren’t required to retain personal data, we’ll delete or destroy, or anonymise these data in line with the PDPA.
PwC understands the importance of protecting children’s privacy, especially in an online environment. The PwC sites covered by this privacy statement aren’t intentionally designed for or directed at children. In practice, we don’t intentionally collect or use personal data of children under Thai Laws. In certain circumstances, we may collect the personal data of children for conducting activities having purposes related to regulatory and policy compliance, and the registration of events, seminars and conferences, and social corporate responsibility. If we do so, we’ll obtain consent in line with the PDPA.
7. Your legal rights about personal data
We only collect and use personal data to the extent permitted by applicable laws. You have a legal right to:
To comply with the PDPA, when we obtain information to complete your request, we will fulfil the request from you without undue delay, not exceeding 30 days from the date of receiving the request.
8. Transfer of personal data
8.1 Cross-border transfers
Where necessary, the personal data PwC collects may be transferred to other individual PwC member firms in our worldwide network, government, regulatory agencies and/or professional bodies of which we are a member. We will only do this to:
(i) achieve the purpose for which you have submitted the information including for services provided by other PwC member firms
(ii) provide you with information at a later date that may be of relevance and interest to you based on the nature and purpose of your requests
(iii) maintain our operations or client relationship management systems
(iv) conduct quality and risk management reviews
(v) support marketing activities, or
(vi) comply with any legal requirements, regulations or a professional body of which we are a member.
Your personal information may also be transferred to third-party service providers who process information on PwC's behalf, including providers of IT, identity management, website hosting and management, data analysis, data back-up, and security and storage services. As a result, your personal information may be transferred outside Thailand.
If we transfer your personal data to other countries or to the destination countries that don’t have adequate data protection standards, we’ll proceed to transfer personal data by taking appropriate measures to ensure adequate data protection standards in line with the PDPA. We’ll also apply protection measures to these personal data where necessary and appropriate.
Each firm in the PwC network is a separate legal entity. For a list of PwC firms, see:
For countries and regions in which PwC firms operate, see: www.pwc.com/gx/en/about/office-locations.html
8.2 Third-party providers’ transfer
We may transfer or disclose the personal data we collect to third-party contractors, subcontractors and/or their subsidiaries and affiliates if we have a lawful basis to do so in line with agreements or the PDPA. Third parties include those who support the PwC network to provide its services and help provide, run and manage IT systems. These include contractors who are providers of identity management, website hosting and management, data analysis, data backup, and security and cloud storage services. The servers powering and facilitating our IT infrastructure are located at secure data centres around the world, and personal data may be stored in any one of them.
The third-party providers may use their own third-party subcontractors that have access to personal data (sub-processors). It’s our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by PwC, and to flow those same obligations down to their sub-processors.
9. Other disclosure
We may also disclose personal data:
10. Changes to this privacy statement
This privacy statement was last updated in May 2022.
We may update this privacy statement at any time by publishing an updated version here. For ease of identification, we’ll show the revision date at the top of this document whenever we make changes to this privacy statement. The amended privacy statement will apply from that revision date. So, we encourage you to review this privacy statement periodically to be accurately informed about how we are protecting your information. We reserve the right to update this privacy statement from time to time, at our discretion. We may use any appropriate means to inform you of any update as required by law, however we deem appropriate.
11. Contact us
Please submit a request to exercise your legal rights in relation to your personal data, or an enquiry if you have a question or complaint about the handling of your personal data. Fulfilling the request may take up to 30 days from the date of receipt of request based on the fact that the necessary information we ask from the data subject has been provided.
You may also contact us at:
The Data Protection Office
Address: PwC Thailand: 15th Floor, Bangkok City Tower 179/74-80 South Sathorn Road, Thung Maha Mek, Sathon, Bangkok 10120 Thailand