This Business Partner Privacy Notice (herein also referred to as "Privacy Notice" or "Notice") explains how Baker & McKenzie Limited (herein also referred to as "Baker McKenzie", "we", "us" or "our") handles any identified or identifiable information ("Personal Data") we collect from employees, personnel, authorized persons, directors, shareholders and other related persons ("you" or "your", or "yours") working under or in relation to our business partners (such as suppliers, vendors, business contacts) (each a "Business Partner" and collectively, “Business Partners”), and your rights in relation to your Personal Data.
We are the data controller for the Personal Data we collect from you in connection with your business relationship, meaning that we are responsible for deciding how we hold and use Personal Data about you. We are required under applicable data protection laws to notify you of the information contained in this Privacy Notice.
1. Personal Data collected
1.1 General Personal Data
Subject to this Notice, Baker McKenzie will treat as confidential the Personal Data that Baker McKenzie collects, either directly or indirectly, from you, other sources, or through our affiliates, subsidiaries, suppliers, other business partners, and/or other applicable channels of communication. The specific type of data collected by Baker McKenzie will depend on the communication and interaction between you and Baker McKenzie, business relation between you and Baker McKenzie, your scope of work or the service to be provided, including but not limited to:
(1) General information: such as, name, surname and nickname, signature, government issued documents or information (e.g., national identification card, passport), work related information (e.g. title, position, company you work for);
(2) Contact information: such as, personal and business address, personal and business telephone number, email address;
(3) Financial data: such as, fee quotation and proposal, bank account information, bills and invoices, billing amount, pay requisite information, tax ID number, withholding tax information and type of income, purchase order;
(4) Corporate information: such as, supporting documents for payment (e.g. affidavit with a list of directors, Por Por 20), shareholder information, fixed asset code, supplier information (e.g. contract/agreement);
(5) Other information collected, used or disclosed in connection with the past, existing, or potential relationship between us and the Business Partner, such as, stills or moving footage from CCTV on Baker McKenzie premises; information you give us in correspondences, contracts, forms or surveys, and information from the translation assignment received from the clients.
1.2 Sensitive Personal Data
For Personal Data which is classified by law as sensitive personal data ("Sensitive Data"), we will only collect, use, or disclose it on the basis of your explicit consent, or other legal basis permitted by law where it is applicable. Sensitive Data which we may collect includes:
(1) Religious Belief included in official identification document(s) or their copy(ies) if necessary; and
(2) Health Data, including screening information for COVID-19.
Personal Data of third party
If you have provided Personal Data of any third party to us, you confirm that (i) such third party individual is notified of the information from this Notice, including how we may collect, use, disclose, and/or transfer across border their Personal Data; (ii) you have obtained any required consent from such third party individual (if required) or other legal basis is relied on; and (iii) you have the permission to provide such Personal Data which permits us to lawfully collect, use, and/or disclose such Personal Data in accordance to this Notice.
Personal Data of Minors, Incompetent Persons and Quasi-Incompetent Persons
We only collect the Personal Data of minors, incompetent persons, or quasi-incompetent persons where the persons exercising parental power, curators, or guardians, as applicable, have given their consent or where we can rely on other legal basis permitted by law. We do not knowingly collect Personal Data from minors without the consent of the persons exercising parental power when it is required, or from incompetent persons or quasi-incompetent persons without the consent from their curators or guardians, as applicable.
In the event we learn that we have unintentionally collected Personal Data from any minors without the consent of the persons exercising parental power when it is required, or from incompetent persons or quasi-incompetent persons without their curator's or guardian's consent when it is required, we will delete it in a timely manner or collect, use, and disclose only if we can rely on other legal bases apart from consent.
2. Purposes of use of Personal Data
2.1 Purposes for which Baker McKenzie relies on consent
(1) Baker McKenzie collects, uses, and/or discloses your Sensitive Data for the following purposes:
- Religious Belief included in official identification document(s) or their copies, for identity verification processes (if necessary).
Consent refusal or withdrawal of consent may result in us not being able to perform certain contractual obligations we may have with you.
2.2 Purposes for which Baker McKenzie relies on other legal grounds
Apart from the purposes where we may seek your consent, Baker McKenzie may rely on the following legal bases for the processing of your Personal Data:
(1) contractual basis, for our initiation and fulfilment of our employment contract/work relationship with you;
(2) legal obligation, for the fulfilment of our legal obligations;
(3) legitimate interest, for the purpose of our legitimate interests, and the legitimate interests of third parties;
(4) vital interest, for preventing or suppressing a danger to a person's life, body or health;
(5) public interest, for the performance of a task carried out in the public interest or for the exercising of official authorities; and/or
(6) for the purpose of establishment, compliance, and exercise of legal claims.
We may collect, use and disclose your Personal Data for the following purposes:
- Business Partner selection: such as, to verify your identity and Business Partner status; to perform Business Partner's due diligence and/or any other form of background check; to create vendor code; to create, maintain and update lists/directories/database of Business Partners; to determine vendor's qualification; to issue request for quotation; to enter into a contract/agreement;
- Verification and authentication: to verify, identify, and authenticate you or your identity;
- COVID-19 screening: to check and screen for COVID-19 for onsite visit;
- Business relationship management: such as, to contact and communicate; to deliver relevant documents; to manage contractual relationship with you and the Business Partner; to proceed with vendor payment/refund related purposes; to manage trust funds; to maintain receivable record in system/database; to create, register and maintain fixed asset codes; to receive and store assets; to sell fixed asset; to issue invoice, tax withholding certificate and/or other related documents;
- Complying with applicable government reporting and other legal requirements, obligations and/or order: such as, to comply with legal obligations (e.g. tax filing), legal proceedings, or government authorities' orders; to cooperate with courts and government authorities and law enforcement bodies when we reasonably believe we are legally required to do so, and when the disclosure of your Personal Data is strictly necessary to comply with said legal obligations, proceedings, or government orders;
- Internal management purposes: such as, to prepare financial-related report (e.g. office operating budget report and budget commentary report); to refer vendors to our affiliates; to perform internal accounting and auditing tasks; to perform internal investigation, interrogation;
- Security and system monitoring, such as to authenticate and implement access controls where applicable; to monitor our system, device and internet; to ensure IT security, and risk prevention; and
- Health and Life: such as, to ensure security and safety to a person or property in the office area; to prevent or suppress danger to a person's life, body, or health.
If you fail to provide us with your Personal Data that is necessary for us, we may not be able to perform certain processing activities (e.g. perform certain contractual obligation) described in this Notice. In some instances, we may not be able to continue your business relationship with us.
3. Disclosure of Personal Data
For the purposes as described in the previous section, Baker McKenzie may disclose or transfer your Personal Data to the following third parties.
(1) Baker McKenzie group companies: Baker McKenzie may disclose your Personal Data to our regional and global Baker McKenzie International team/network.
(2) Service Provider: Baker McKenzie uses other companies and outsourcing service providers to provide service, perform on behalf of or to assist with Baker McKenzie's business operation. Baker McKenzie may share your Personal Data to service providers including, but not limited to, the following: (1) banks and financial institutions; (2) data storage and cloud service providers; and (3) telecommunications or IT system service providers or software vendors.
Where the processing of Personal Data is delegated to a third party data processor, such as those listed above, Baker McKenzie will ensure that the processor acts on our behalf and under our instructions.
(3) Other Business partners: Baker McKenzie may disclose your Personal Data to business partners for purposes as listed under this Notice.
(4) Third parties, as required by law or performance of work: under certain circumstances, we may be required to disclose your Personal Data in order to comply with legal or regulatory obligations or performance of work. This includes law enforcement agencies, courts, regulators, government authorities or other third parties where we believe it is necessary to comply with a legal or regulatory obligation; or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security, or safety issues.
(5) Assignee of rights and/or obligations: third parties as our assignee, in the event of any reorganization, merger, business transfer, whether in whole or in part, will comply with this Notice to respect your Personal Data.
4. International transfer of your Personal Data
We may disclose or transfer your Personal Data to other member offices/network of Baker McKenzie International or to other third parties, or servers, in connection with provision of services located in the United States, Hong Kong or other jurisdictions. Those destination countries may or may not have been announced by the competent authority as having the required data protection standards as Thailand. We take steps and measures to ensure that your Personal Data is securely transferred and that the receiving parties have in place suitable data protection standards or other derogations as allowed by law. We will request your consent where consent to cross-border transfer is required by law.
5. Our retention period
Baker McKenzie will retain your Personal Data for as long as it is reasonably necessary to fulfil the purposes for which we obtained it, and to comply with our legal and regulatory obligations. However, Baker McKenzie may have to retain your Personal Data for a longer duration, as required by applicable law.
6. Your rights as a data subject
Subject to applicable laws and exceptions thereof, you may have the following rights to:
1) Access: You may have the right to access or request a copy of the Personal Data Baker McKenzie collects, uses, and discloses about you. For your own privacy and security, Baker McKenzie may request a proof of your identity before providing the requested information to you;
2) Rectification: You may have the right to have incomplete, inaccurate, misleading, or not up-to-date Personal Data that Baker McKenzie collects, uses, and discloses about you rectified;
3) Data Portability: You may have the right to obtain Personal Data Baker McKenzie holds about you, in a structured, electronic format, and to send or transfer such data to another data controller, where this is (a) Personal Data which you have provided to Baker McKenzie, and (b) if Baker McKenzie processes such data on the basis of your consent or to perform a contract with you;
4) Objection: You may have the right to object to certain collection, use, and disclosure of your Personal Data;
5) Restriction: You may have the right to restrict the use of your Personal Data in certain circumstances;
6) Withdraw Consent: For the purposes you have consented to the collection, usage, and disclosure of your Personal Data, you have the right to withdraw your consent at any time;
7) Deletion: You may have the right to request that Baker McKenzie delete or de-identify Personal Data that we collect, use, and disclose about you. However, Baker McKenzie is not obliged to do so if we need to retain such data in order to comply with legal obligations or to establish, exercise, or defend legal claims; and
8) Lodge a complaint: You may have the right to lodge a complaint to the competent authority where you believe the collection, use, and disclosure of your Personal Data is unlawful or non-compliant with applicable data protection laws. We would, however, appreciate the chance to deal with your concerns before you approach the competent authority, so please contact us in the first instance.
7. About this Privacy Notice
This Notice does not form part of any contract you might enter into and does not create contractual rights or obligations.
We may amend/update this Notice from time to time in accordance with our processing activities. We may also make significant changes to this Privacy Notice as required by applicable laws. On some occasions, we may provide an additional Privacy Notice to inform you of our specific data processing activities.
Updates to this Notice will be posted on our website and/or notified to you as appropriate.
8. Security measures standard
Baker McKenzie has arranged for appropriate security measures, which cover administrative, technical and physical safeguards in relation to access control, to protect Personal Data against any unauthorized or unlawful loss, alteration, correction, use, disclosure, or access, for example: restricting access to Personal Data as well as storage and processing equipment; imposing access rights or permission; implementing user access management to limit access to Personal Data to only authorized persons; implementing user responsibilities to prevent unauthorized access, disclosure, knowledge acquisition or unlawful duplication of Personal Data or theft of device used to store and process Personal Data; and enabling the re-examination of unauthorized, alteration, erasure, or transfer of Personal Data. These measures are in place to protect the confidentiality, integrity, and availability of Personal Data as required by law.
9. Contact details
For any questions about this Notice, or if you wish to contact us in relation to your Personal Data processing and/or related rights, please contact our Data Privacy Team or our office at the contact details set forth below:
Data Privacy Team at Baker & McKenzie Limited
Address: Baker & McKenzie Limited
5th, 10th and 21st - 25th Floors
990 Abdulrahim Place
Rama IV Road, Silom, Bangrak
Bangkok 10500, Thailand