GIT Information Center

 Customer Privacy Policy

The Gem and Jewelry Institute of Thailand (Public Organization) respects the importance of the protection of personal data of individuals. The Privacy Policy has been composed to explain methods employed in collecting, using, disclosing, or transferring personal data outside of Thailand as well as notifying of legal rights related to personal data. The Gem and Jewelry Institute of Thailand (Public Organization) is, hereinafter, referred to as “the Institute”. Personal data collected, used, disclosed, or transferred to foreign countries according to the Privacy Policy shall be personal data of the following types of customers.

- Individual customers of the Institute.

- Individual customers of business partners or individuals who are provided with services by the Institute or have business or legal relationship with the Institute.

- Individuals who are related to juristic persons, namely, juristic person representatives, shareholders, individuals, contact persons, individual representatives, attorneys, employees, officials, personnel, and other individuals of similar nature of juristic person customers or juristic person customers of users of the Institute.

- Other individuals having relationship, interaction, contact in other ways or providing personal date with the Institute in any means.

The Privacy Policy applies to collection, usage, disclosure or transfer to other countries. The Institute may collect such personal data through the following channels.

1. LabSys System: to collect data of customers who have submitted specimens of gemstones and precious metals for testing to produce work receipts for gem and precious metal testing services.

2. E-service System: to collect data of users/ membership applicants/ training course applicants/ jewelry trade channel expansion for entrepreneurs.

3. Customer Relationship Management (CRM): to use for application of individual and corporate memberships.

4. ERP System: to issue receipts and tax invoices.

5. Carat Application: to collect data of users.

6. Access to library services and museum visits.

7. Arrangement of training courses, seminars, and knowledge dissemination.

8. Cookies management of the website.

Please read the Privacy Policy, Terms and Conditions, Agreements, Contracts, or other documents related to the services which may contain separate details related to collection, usage, and disclosure of personal data related to data subjects.

1. Personal Data Collection of the Institute

1.1 Personal Data Collected by the Institute

“Personal Data” refers to any data related to an individual person which can directly or indirectly identify that person but does not include data of a deceased person.

“Sensitive Personal Data” refers to Personal Data which is classified as Sensitive Personal Data according to laws. The Institute shall collect, use, disclose, or transfer the Sensitive Personal Data outside of Thailand, only if the Institute has obtained a clear consent or is permitted by laws.

1.2 Types of Personal Data Collected by the Institute

The institute shall collect Personal Data of a data subject, depending on contexts of interaction between the Institute and data subjects, types of products or services requested from the Institute. Details are as follows.

(1) Personal Data of customers and/or individuals who are related to corporate customers and persons who have contacted with companies of which data may be collected by the Institute

1.1) Personal details: name, last name, age, date of birth, occupation, identification card number, education, work experience, social network ID, religion, passport number

1.2) Contact details: telephone number, fax number, postal address, business address, e-mail address, social network ID

1.3) Financial transaction details: front page of bank passbook, credit card number, copy of identification card

(2) Sensitive Personal Data which may be collected by the Institute: Sensitive Personal Data, namely, Sensitive Personal Data stated in identification document, e.g., religion 

The institute may collect, use, or disclose the Sensitive Personal Data only after granted clear consent from the data subject or as permitted by laws

(3) Personal Data of third parties: name, last name, address details, and telephone number for emergency contact. The data subject must inform of the Privacy Policy to the third party or request for consent, if necessary.

(4) Personal Data from any other sources which are not obtained directly from the data subject shall be proceeded as follows.

4.1) Personal Data which are exempted for consent according to Section 24 or Section 26, the Institute shall notify of data collection from other sources, in accordance with the Privacy Policy, to the data subject within 30 days from the collection date.

4.2) Personal Data which require consent: The Institute shall inform of data collection from other sources, in accordance with the Privacy Policy, to the data subject within 30 days from the collection date and the date the consent obtained.

(5) If a data subject is a minor who has not obtained legal age by marriage or any legal age according to Section 27 of the Civil and Commercial Code. The Institute shall proceed the followings to request for consent from the data subject.

5.1) If the minor is not allowed to consent on his/her own as stipulated in Section 22, Section 23, or Section 24 of the Civil and Commercial Code, consent must be obtained from a guardian who can act on behalf of the minor.

5.2) If the minor is under 10 years old, consent must be requested from a guardian who can act on behalf of the minor.

- If the data subject is an incompetent person, consent must be requested from a guardian who can act on behalf of the data subject.

- In case of a quasi-incompetent data subject, consent must be obtained from a curator with the power to act on behalf of the quasi-incompetent person.

2. Purpose of the Institute in Collection, Usage, or Disclosure of Personal Data

The Institute may collect, use, disclose or transfer the Personal Data, based on lawful basis for processing Personal Data for the following purposes.

2.1 Consent must be obtained from the data subject related to the followings.

(1) Marketing, sales promotion, and communication: To proceed in marketing and communication, marketing advertisement, sales, special offers, news, public relations, promotion and presentation of products and services of financial business groups, business partners, and other juristic persons as the data subject has specified or had previously used the service as well as information of products and services similar to the interest, and the directly and indirectly receipt history of products and services; To participate in sales offers, special offers and privileges, activities, seminars, contests, lucky draws, sweepstakes, booths and events, as well as other sales promotions, and all related advertisement services; To accommodate the data subject in joining activities of the Institute, business partners, and other juristic persons, which is unable to consider to be based on any other applicable legal basis.

(2) Sensitive Personal Data stated in identification documents: such as religion, to verify and authenticate the identity of the data subject.

2.2. Based on Legal Basis

Legitimate interests; contract performance; legal obligation; public task/state authority; history, research, statistics; suppressing danger to the data subject’s life/body, as permitted by laws regarding personal data protection, provided that it shall be considered individually for the following purposes.

(1) To achieve the missions of the Institute: data of customers of gem and precious metal testing for functioning of the LabSys system; data of users/ membership applicants/ training course applicants for the e-service system; data of users of the Carat Application; data of library users and museum visitors; jewelry trade channel expansion for entrepreneurs; arrangement of academic seminars; dissemination of marketing knowledge; production of work receipts and orders for gem and precious metal testing; issuance of receipts and tax invoices

(2) To verify and authenticate identity: verification and authentication of identity of the partner of contract or authorized representative of the juristic person, authentication of the person with bargaining power, verification of documents received for the contract, fact inspection

(3) To operate business: compliance with the regulations on storage of internal records, internal management, auditing, reporting, data submission or filing, data processing, or other related or similar activities.

(4) To provide security: security, risk prevention, conflict resolution, dispute recording and handling, crime or fraud prevention

(5) To comply with applicable laws: including but not limited to effective laws on data protection and other applicable laws in Thailand and other countries, compliance with orders from legal authorities, legal obligations, rights and duties under laws applicable to the Institute, policies, and/or internal fraud audit, other inspections according to other laws or regulations.

(6) To provide risk management and protect rights, properties, security, or operation of the Institute: remedies or limitation of the damages the Institute may sustain can be requested, agreement violation investigation, establish, exercise, or defend legal rights, claims or other similar cases. The Institute may need to transfer the Personal Data to the third party.

(7) To prevent, handle, and reduce possible risks of frauds, cyber threats, default/breach of contract, other legal violations, e.g., money laundering, financing of terrorism and proliferation of weapons of mass destruction, offences regarding property/life/body/freedom/reputation, including disclosure of Personal Data to elevate standards of the operations of the Institute in preventing, handling, reducing, or executing other implementations of similar nature to eliminate the aforementioned risks.

(8) Prevention or suppression of danger to life, body, or health of the individual

If the data subject does not wish to provide the Personal Data to the Institute, this may affect the data subject in not being able to obtain products/services, convenience, or performance as promised by the contract and may experience damages/ loss of opportunities. Not providing the data may affect compliance with any laws imposed on the Institute or the data subject and there may be related penalties. If consent from the data subject must be obtained, the Institute shall strictly request for the consent in compliance with laws.

3. Disclosure or Transfer of Personal Data of Data Subjects to Third Parties

The Institute may disclose or transfer the Personal Data to the following third parties in order to achieve the purposes under the Privacy Policy. These third parties may be located in Thailand or other countries. The Privacy Policy for Individuals explains details regarding collection, usage, and disclosure of Personal Data.

3.1 Service Provider of the Institute

The Institute may use services, agencies, or other contractors to provide other services on behalf of the Institute or to help supplying products and services to the data subject. The Institute may share the Personal Data with external service providers or suppliers as follows.

(1) Providers of the Internet and software, website and digital media developers, providers of information technology and companies which provide information technology support

(2) Logistics and shipping service providers

(3) Payment and payment system service providers

(4) Research service companies

(5) Analytical companies

(6) Surveying companies

(7) Auditors

(8) Customer information centers

(9) Service providing companies regarding marketing, advertising media, design, creativity, and communication

(10) Companies providing services on campaigns, activities, marketing events, and customer relation management

(11) Companies providing services of telecommunication and communication

(12) Providers of data storage and cloud storage

(13) Lawyers, legal counselors for interests of the Institute as well as exercise of rights according to laws and legal defend to support business operation of the Institute.

(14) Providers of services regarding document storage and/or destruction

During the process of providing the service, the service provider may have the right to access the Personal Data of the data subject. However, the Institute shall only allow access to data which are necessary for providing of the service. The Institute shall request the service provider not to use the Personal Data for other purposes. The Institute shall ensure that the service provider, working with the Institute, shall protect the Personal Data security in compliance with laws.

3.2. Business Partner of the Institute

The Institute may transfer Personal Data of the data subject to business partners of the Institute, namely, service providers of the Institute which have the data subject as a customer to operate business and provide services. The Institute shall ensure that the business partner which obtain the Personal Data agree to treat the Personal Data in compliance with the Privacy Policy.

3.3. Third Party as Stipulated by Laws

The Institute may need to disclose the Personal Data in compliance with laws. This includes law enforcement agencies, namely, courts, Legal Execution Department, government agencies, Anti-Money Laundering Office and/or other agencies, or other persons, if the Institute believes that there is necessity to comply with laws or to protect the rights of the Institute, rights of third parties, or for security of individuals, or to inspect, prevent, or solve fraud, security and other risks.

3.4. Assignee of Rights and/or Duties

In case of rehabilitation, merging, partially or entirely transferring of business, selling, buying, joint venture, entrusting, or partially or entirely transferring of business, properties, or shares, or other similar transactions, the Institute is required to disclose the Personal Data to the third party who is the receiving party or wish to obtain the transfer of the rights of the Institute. The Institute shall ensure that the third party comply with the Privacy Policy in personal data processing.

4. Transferring of Personal Data of Data Subjects to Other Countries

The Institute may transfer the Personal Data to other countries of which personal data protection standards may be different from that of Thailand, namely, transmitting Personal Data of training course participants to other countries to record and produce certificates of training courses. If it is required to transfer the Personal Data to other countries of which personal data protection standards are less adequate than that of Thailand, the Institute shall ensure that related laws regarding personal data protection allow such data transferring, provided that the Institute may need to receive confirmation, according to contract, from the third party who has the right to access the Personal Data that the data shall be protected under personal data protection standard equivalent to that of Thailand.

5. Retention Period of Personal Data Stored by the Institute

The Institute shall retain the Personal Data as long as it is necessary for implementation according to the purpose of obtaining the Personal Data. In order to comply with laws, the Institute may have to retain the Personal Data for a longer period of time, if it is stipulated by laws.

6. Rights of Data Subjects

The rights refer to legal rights related to Personal Data. The rights may be requested from persons stipulated by laws. Under conditions of applicable laws and right management procedures of the Institute, the rights may include the followings.

(1) Rights to access: Rights to access or request for a copy of the Personal Data which the Institute has collected, used, and disclosed related to the data subject. For privacy and security, the Institute may ask the data subject to authenticate identity before providing the requested data.

(2) Rights to modify data: Rights to request for modification of the Personal Data which the Institute has collected, used, and disclosed, if the data is incomplete, inaccurate, misleading, or outdated.

(3) Rights of data transferring: Rights to ask for the Personal Data related to the data subject, obtained by the Institute, in an electronic format with clear structure, and rights to ask for the Personal Data to be transferred to other personal data controllers. The data are:

 (a) Personal Data given by the data subject to the Institute

 (b) If the Institute processes the Personal Data with consent of the data subject or to comply with the contract made with the data subject.

(4) Rights to oppose: Rights to oppose collection, usage, and disclosure of some Personal Data of the data subject

(5) Rights to limit usage of Personal Data: Rights to limit usage of the Personal Data of the data subject in some cases

(6) Rights to revoke consent: Rights to revoke, at any time, consent given to the Institute to collect, use, and disclose the Personal Data of the data subject.

(7) Rights to delete Personal Data: Rights to request the Institute to delete the Personal Data or making the data become unable to identify individuals, unless the Institute is not required to exercise the process if the Institute has to store the data to comply with laws or to establish rights to make legal claims, compliance or exercise of legal rights, or raise to defend legal claim rights

(8) Rights to make a complaint: Rights to make a complaint to related agencies if the data subject believes that collection, usage, and disclosure of the data is unlawful or not compliance with the Personal Data Protection law. If the data subject wish to exercise any rights as specifies, they can contact the Institute. A request to exercise any aforementioned rights may be limited by related laws. There may be some cases which the Institute can duly and lawfully decline the request of the data subject, namely, when the Institute has to comply with laws or a court order. If the data subject believes that collection, usage, or disclosure of the Personal Data by the Institute has violated related laws on personal data protection, the data subject has the rights to make a complaint to agencies related to personal data protection. However, in order to resolve concerns of the data subject, please contact the Institute before contacting related agencies.

7. Modification of the Privacy Policy

The Institute may modify the Privacy Policy occasionally when there is a change in guidelines regarding personal data protection of the Institute due to various reasons, namely, technological changes and legal adjustments. Modification in the Privacy Policy shall be effective when the Institute publishes it on the website of the Institute (www.git.or.th). However, if such modifications have significant effects on the data subject, the Institute shall notify the data subject in advance before the modification becomes effective.

8. Contact Information of the Institute

If the data subjects have any questions concerning guidelines and activities of the Institute related to their Personal Data, they can contact the Institute or the personal data protection officer of the Institute as the details below.

1. The Gem and Jewelry Institute of Thailand (Public Organization)

140, 140/1-3, 140/5 ITF-Tower Building, 1st-4th, 6th Floor, Silom Road, Suriyawong

Bang Rak, Bangkok 10500

Tel: 0 2634 4999   Fax: 0 2634 4970    

E-mail: jewelry@git.or.th

2. Personal Data Protection Officer

Ms. Thidarat Jirachusakul, Risk Management and Internal Control Officer

140, 140/1-3, 140/5 ITF-Tower, 1st-4th, 6th Floor, Silom Road, Suriyawong

Bang Rak, Bangkok 10500

Tel: 0 2634 4999 ext. 611 Fax: 0 2634 4970

E-mail: dpo@git.or.th