Airports of Thailand Public Company Limited

AOT Personal Data Protection Policy

Airports of Thailand Public Company Limited (AOT) is an airport operator providing airport services according to the law and the standards of the International Civil Aviation Organization (ICAO). The provision of airport services and other work processes involves the use of information and communication technology which gives easy access to personal data.

In protecting and legally collecting, using, disclosing, and managing the personal data of its users, employees, outsource staff, people concerned, and external service provider associated with AOT & airport operation, AOT established this personal data protection policy according to the Personal Data Protection Act B.E. 2562 (2019) as follows:

  1. Scope

This policy shall be applied to the personal data processing of AOT and contract parties or third parties who process personal data for or on behalf of AOT through products or services such as websites, platforms, applications, documents, or other services under the control of AOT. The purposes of this policy is to inform data subjects about how their personal data are handled and assure them that AOT shall maintain the confidentiality, integrity, and availability of their personal data to prevent from loss, illegal access, use, modifications, or disclosure.

  1. Definitions

2.1 “Personal Data” shall mean personal information that may be used to identify a person whether directly or indirectly, but not including information of a deceased person in particular, such as:

(1) Name and surname

(2) Identification number and taxpayer identification number

(3) Address, e-mail, and telephone number

(4) Travel information and employment information

2.2 “Sensitive Personal Data” shall mean particular personal information concerning the racial or ethnic origin, political opinion, cult, religion, philosophy, sexual behavior, criminal records, health data, disabilities, trade union information, genetic data, or bio metric data or any data which may affect the Data Subject in the same manner as prescribed by the Personal Data Protection Committee.

2.3 “Data Subject” shall mean a person who can be identified by the data.

2.4 “Data Controller” shall mean a person or legal entity who has the authority to make decisions concerning the collection, use, or disclosure of personal data.

2.5 “Data Processor” shall mean a person or legal entity who collects, uses, or discloses personal data as instructed by or on behalf of a Data Controller, provided that such person or legal entity is not a Data Controller.

2.6 “Personal Data processing” shall mean any processing of to personal data such as collection, use, or disclosure of personal data.

2.7 “Committee” shall mean the Personal Data Protection Committee.

2.8 “Office” shall mean the Office of Personal Data Protection Committee.

  1. Personal Data Collection

            AOT shall collect the personal data of its users, employees, outsource staff, people concerned, and external service providers associated with AOT’s airport operation as much as necessary according to the objectives of collecting the personal data of which Data Subjects are informed prior to or upon.:

3.1 AOT shall collect or obtain personal data from the following sources:

(1) Personal data collected directly by AOT through service channels such as subscription, registration, job application, contracts, documents, surveys, use of products or services, or other service channels controlled by AOT, or other communication between the data subjects and AOT through channels controlled by AOT.

(2) Personal data collected by AOT from the data subjects when they use the websites, products, or other services according to contracts or missions such as observing behavior of using the websites, products or services of AOT (via the use of cookies) or software on devices of data subjects.

(3) Personal data collected by AOT from sources other than Data Subjects, provided that such sources are authorized by the law or given consent from the data subjects to disclose the personal data to AOT such as when using a digital service hub provided by the government for convenience of the public and the data subjects, when AOT receives the personal data from other government units as part of the mission of AOT to provide a central data exchange hub to support government units in providing digital services for the public, and when AOT is required by an agreement to exchange personal data with its contractual parties.

3.2 AOT shall obtain consent from Data Subjects to collect their personal data except being able to collect personal data without consent as follow:

(1) To maintain historical manuscripts or archives for the public, research, or statistical data, with proper security measures to protect the rights and freedom of the data subjects.

(2) To prevent or stop fatal danger from threatening life, body, or health of a person.

(3) To necessitate fulfilling the obligations of an agreement made between a data subject and AOT, or upon the request of a data subject prior to signing an agreement with AOT.

(4) To necessitate performing its duty in serving the public, or to exercise its official authority.

(5) To necessitate reserving its legal rights.

(6) To follow the law.

3.3 AOT shall not collect sensitive personal data except explicitly receiving consent from Data Subjects or according to exception established by law.

  1. Rights of Data Subjects

            Data subjects may request AOT to do as follows:

4.1 Right to Access Personal Data

Data subjects have the right to request AOT to grant access to their personal data, request AOT to provide a copy thereof, and request AOT to reveal the source of their personal data collected by AOT without their consent. However, AOT has the right to refuse such requests to the extent permitted by the law or court order, or when granting the access may harm the rights and freedom of other persons.

4.2 Right to Correct Personal Data

Data subjects have the right to request AOT to correct, update, or complete their personal data to prevent misunderstandings.

4.3 Right to Delete or Destroy Personal Data

Data subjects have the right to request AOT to delete, destroy their personal data, or make it anonymous. However, AOT may refuse such requests to the extent permitted by the law.

4.4 Right to Suspend the Use of Personal Data

Data subjects have the right to request AOT to suspend the use of their personal data in the following cases.

(1) Pending AOT’s investigation as in 4.2.

(2) The personal data is collected, used, or disclosed illegally and the data subject does not exercise their right provided in 4.3. However, AOT may refuse the request if the collection, use, or disclosure is justified by another law.

(3) It is no longer necessary to store the personal data but the data subject requests AOT to retain it for a legal purpose.

(4) Pending AOT’s investigation to prove its justification to refuse the data subject’s objection provided in 4.5.

4.5 Right to Object

Data subjects may submit a request to object to the collection, use, or disclosure of their personal data. However, AOT may refuse the request if it is justified by a superior law, AOT is exercising its legal right, or AOT is required to perform a duty according to its mission for the public, perform its duties under the law, is protecting its legal interest as provided in 3.2 (4) and (5), and fulfilling the purpose of scientific, historical, and statistical research.

4.6 Right to Revoke the Consent

Data subjects may submit a request to revoke their consent for AOT to collect, use, or disclose their personal data at any time. However, it shall not be applied to actions that have already been committed prior to such revocation, and AOT may refuse the request to the extent permitted by the law.

4.7 Right to Receive or Transfer Personal Data

Data subjects have the right to request AOT to provide a copy of their personal data or transfer it to another data controller in a readable electronic format compatible with common devices and have the right to review such data transfers under the following conditions:

(1) The personal data is collected, used, or disclosed with the data subject’s consent.

(2) The personal data is collected, used, or disclosed as necessary to provide a service or fulfill a contractual obligation made between the data subject and AOT as in 3.2 (3).

 

  1. Personal Data Storage Duration

AOT shall store personal data for a duration specifically required by the law or as long as necessary to fulfill the purpose of the collection. After such duration has passed, and it is no longer necessary to store the personal data for the purpose, AOT shall delete, destroy it or make it anonymous.

 

  1. Third-Party Services or Subcontractors

AOT may assign or hire third parties (data processors) to process personal data for or on behalf of AOT. The third parties may include services such as hosting, outsourcing, cloud computing, or other forms of services.

AOT shall provide agreements that contain the rights and obligations of AOT as the data controller and the assigned persons as the data processors, including the types of personal data assigned, purpose, scope of the data processing, and other relevant conditions. The data processors may not process the personal data for other purposes outside the agreed scope and instructions of AOT.

If the data processors wish to assign a subcontractor (sub-data processor) to process the personal data for or on behalf of them, AOT shall ensure that the data processors provide an agreement between them and the sub-data processor with a standard and model not inferior to the agreement made between AOT and the data processors.

  1. Personal Data Protection

AOT provides personal data protection measures by restricting access to personal data. Only specific or authorized personnel are allowed to use the personal data as necessary to fulfill the purpose as informed to the data subject. The personnel shall strictly adhere to the personal data protection measures of AOT and are obliged to maintain the confidentiality of the personal data obtained through the course of duty. The personal data protection measures of AOT cover both the organizational and technical aspects and meet the international standards and requirements of the Personal Data Protection Committee.

If AOT transfers, sends, or discloses personal data to a third party whether to provide a service, fulfill a contractual obligation, or other forms of agreements, AOT shall provide proper personal data protection confidentiality measures according to the law to ensure that personal data collected by AOT are secured at all times.

  1. External Website Connections or Services

Services provided by AOT may be linked to third-party websites or services which may have a personal data protection policy that is different from this policy. AOT is not involved in and does not have control over the personal data protection measures of such websites or services, and shall not be responsible for the contents, policy, damage, or action done by such third-party websites or services. 

  1. Personal Data Protection Policy Revisions

AOT shall revise this personal data protection policy to ensure that it is suitable and that it is in compliance with changes in the law and AOT’s operation.

  1. Communication Channels

Data subjects may express their opinions, inquire for more information regarding this personal data protection policy or its implementation, and exercise their rights under the personal data protection law by contacting AOT through the following channels:

            Airports of Thailand Public Company Limited

            333 Cherdwutagard Road, Srikan Subdistrict, Don Mueang, Bangkok 10210

            Telephone 0 2535 1192 Fax 0 2535 3864, 0 2535 5685

            AOT Contact Center 1722

            Website: www.airportthai.co.th E-mail Address: aotpr@airportthai.co.th