Privacy Policy

Siam Ocean World Bangkok Co., Ltd. (the Company), operator of the aquarium Sealife Bangkok, is committed to protecting personal data, respecting and complying with the Personal Data Protection Act B.E. 2562 (2019) as well as other additional laws that arise in the future related to personal data protection. The Company has therefore created this Privacy Policy to explain details on collecting, using, disclosing (collectively known as ‘processing’) your personal data. It also covers the types of personal data the Company collects, the purposes of processing this data, disclosing your personal data to third parties, details on how to maintain security and the retention period of your personal data, including your rights in accordance with applicable personal data protection laws. Details are as follows:

Types of persons about whom the Company collects personal data

1.1 Types of persons about whom the Company collects personal data

	Type	Details	Source
(a)	Clients	- Individuals who use services and/or purchase products from the Company and/or who may have purchased a ticket to enter the Company's aquarium through partners or agents of the Company’s service operator, individuals who sign up for annual memberships or who purchase tickets online in advance through the Company's website. - Persons making inquiries about purchases and/or receiving services from the Company. - Respondents giving information about the Company's products and/or services. - Persons who give opinions and recommendations on visits to the Company's aquarium. - Persons related to or representing customers who are legal entities, organizations, schools and/or persons whose personal data appears in documents for sales, such as directors, employees, agents, contact persons, purchasers, etc.	- When individuals express their intent and desire to use services or buy products from the Company and enter into a contract with the Company. - When individuals inquire about using Company services and/or products by telephone, through a website, by email, direct chat or by any other means. - When individuals use the visitation services of the Company’s aquarium. - When individuals participate in marketing activities, events or other related activities. - Data collection from public relations service providers and when recommendations of services/products are made, or when individuals have commented on the use of the Company's aquarium services. - When sales transactions are conducted with corporate customers, and they are the person whose personal data appears in relevant documents.
(b)	Trading partners/ business partners/ expected partners	- Persons/entities who bid to sell products and/or offer services to the Company. - Persons/entities who are contractually related to the Company, including sellers, suppliers, service providers, contractors, consultants, experts and other similar persons/entities. - Persons/entities related to or representing partners or business partners who are legal entities, or people whose personal data appears in various documents for various related processes.	- When person/entities express their intention to enter into a contract and/or will register as a partner or business partner of the Company. - When persons/entities enter into a contract with the Company and send information or documents containing personal information to the Company. - When persons/entities make inquiries about information or provide comments to the Company via email, telephone or by any other means. - The Company may collect a person’s or entity’s personal data from public sources. It may collect commercial information that the person or entity has disclosed themselves or given consent to others to disclose.
(c)	Job applicants	- Individuals who have directly sent information related to an application for a job with the Company or individuals who allow others to disclose personal information related to their application for a job with the Company. - Persons linked to individuals being considered for roles in the Company. This includes persons related to job applicants, those whose personal information appears in documents related to job applications, such as referees, family members, emergency contact persons, etc.	- When submitting a job application and accompanying information via email to the Company, or applying for a job through the Company's websites: § www.merlincareers.com/th § www.visitsealife.com/bangkok/information/work-for-us/ - When submitting an application to the Company in person. - When applying at events or Company recruitment booths. - When attending a job interview with the Company. - The Company may receive applicants’ personal information from employment agencies or job websites. - The Company may receive applicants’ personal information from referees given in the job application process, or from educational institutions or government agencies. This includes getting information from social media platforms that the applicant has provided access to themselves or has given consent to others to disclose on their behalf.
(d)	Personnel	- Individuals who are employees, workers or any other persons who work or perform duties for the Company and receive a salary, wages, welfare or other remuneration from the Company, such as directors, executives, employees, personnel, trainees, or similar.	- When individuals are considered Company personnel and/or have entered into a contract to become Company personnel following the Company's human resource management process.
(e)	Persons related to job applicants and personnel	- Persons related to job applicants and personnel, including those whose personal data appears in relevant documents such as referees, family members, emergency contact persons, life insurance beneficiaries, work guarantors, etc.	- The Company may collect personal data of related third parties during the job application process or when the candidate is considered Company personnel, and they provide such personal data on the basis of having obtained consent from such persons to disclose this personal information to the Company.
(f)	Guests	- Any individual other than those considered in the above categories for whom the Company processes personal data both when the Company receives it directly or collects it automatically through the use of cookies, or other technology such as general contacts, as well as people who are recorded through CCTV, visit the Company's website, etc.	- When contacting the Company, whether in person or through various channels. - When entering the Company’s website, whether intentionally or not. - When CCTV is recording or a photo is taken under the Company’s control.

Personal data collected by the Company

Personal information that the Company collects, uses and/or discloses. For example:

Personal data such as a title, first name, last name, nickname, date of birth, marital status, gender, ID number, passport number, nationality, signature, photograph, military status, family information (e.g., father, mother, spouse, children, etc.), health data, biological data (e.g., fingerprints, face shots, etc.).
Contact information such as a home address, house registration address, workplace, delivery address, phone number, email, LINE application ID, emergency contact information, etc.
Information about commercial transactions such as a customer code, partner code, order reference number, etc.
Payment information such as a bank account number, credit limit receipt, personal data appearing in documents related to a payment, etc.
Information used as evidence in transactions or juristic acts, such as personal data that appears in a copy of: an ID card, passport, house registration, name change certificate, professional license, application to open a customer account, company certificate, power of attorney, sales contract or any other contract related to legal acts, military conscription certificate, bank application to open a partner account, work history, work delivery slip, job application, medical certificate for an insurer’s registration form, letter of consent for personal history examination, background check, employment contract, work guarantee and related documents, etc.
Information about education and training, such as educational transcripts, certificates for language skills, computer skills and typing skills, training and testing information, information on activities undertaken during studies, etc.
Information about applying for a job such as a resume and work history that appears on your resume/CV, cover letter, a criminal record check, bankruptcy history, health history, psychological analysis, ability to work provincially/overseas, job position, expected salary, referee information, job interview information, evidence or references, information that appears in the interview evaluation form, etc.
Information about work and evaluations, such as an employee’s code, position, affiliation, chain of command, performance appraisal, work behavior, previous achievements or awards, photos of participation in various Company activities, training information, disciplinary information, employee transfer information, resignation documents after being a Company employee, etc.
Information about compensation and benefits, such as salary, wages, compensation, bonuses, benefits, information about the beneficiary, social security, provident funds, tax, personal tax deductions, employee health benefits, including family members’ information in a medical certificate, annual health check results, claims for life and accident insurance, etc.

2.10 Information about work registration, such as the date of commencing work, trial period end date, workdays and times, shifts, attendance, number of hours worked, leave, as well as records of entering and exiting the Company’s premises and the work area, borrowing equipment, etc.

2.11 Digital data such as log-in data for the Company's various systems, including data from computer traffic, automatic logins (e.g., computer number and IP address) and information that the Company collects through cookies or other similar technology, etc.

2.12 Other information such as photos and video recordings through CCTV, etc.

2.13 In the event that the Company collects your personal data, the Company will continue to process your personal data for its original purpose in accordance with the Personal Data Protection Act for collection, use or disclosure before the effective date. You will be notified of the collection of your personal data, from which you have the right to withdraw your consent as detailed in Article 6 of this Policy.

Purposes and lawful basis for processing personal data

The Company processes your personal data based on the following purposes and lawful basis (collectively referred to as the ‘designated purposes’).

	Purpose	Lawful basis for data processing
(a) Providing services and selling products to customers, and other related activities
(1)	Registering to buy tickets to the aquarium, advance bookings for the Company's aquarium tickets or opening a customer account.	- Contractual basis: it is necessary when processing customer requests to register and visit the aquarium for a specified period of time, make advance bookings for the Company’s aquarium tickets and purchase different ticket types to visit the Company’s aquarium. - Legitimate interest basis: to open new corporate client accounts, it is necessary to process personal data of corporate client representatives, persons related to corporate customers or the person whose name appears in documents used to open a customer account as part of the Company’s business operations.
(2)	Executing contracts, agreements, sales of goods and services.	- Contractual basis: it is necessary when entering into a contract, sales agreement and for other related contract processes. - Legitimate interest basis: to enter into a contract or agreement with corporate customers, it is necessary to process personal data of corporate client representatives, persons related to corporate customers or the person whose name appears in documents used to open a customer account as part of the Company’s business operations.
(3)	Managing orders from customers, providing services, preparing products, and any other related activities.	- Contractual basis: It is necessary when fulfilling service and purchase contracts where customers are contracting parties (such as with accommodation arrangements if a group of customers wishes to visit the aquarium and stay overnight), billing, payments and receipts, etc. - Consent basis: · It is necessary when assessing a customer's physical health for certain activities in the Company's aquarium – in the event that the customer expresses their intention to participate in such activities. · It is necessary when obtaining consent from parents, as required by law. This is for cases where the customers visiting the Company's aquarium are minors (under the age of 20) and wish to enter the aquarium alone. - Legitimate interest basis: In the case of juristic persons, it is necessary to process personal data of corporate client representatives, persons related to corporate customers or the person whose name appears in documents used to open a customer account as part of the Company’s business operations.
(4)	Making changes to a customer’s details and receiving complaints.	- Legitimate interest basis: It is necessary when enabling the customer to amend their details so that they are accurate, current, complete and do not cause misunderstandings. And to improve the Company's service quality in the event of receiving complaints or suggestions from customers.
(b) Procurement and transactions with partners, and other related activities
(1)	Purchasing and procuring, and selecting trading and business partners, or any other similar entities.	- Contractual basis: It is necessary when fulfilling a bidding partner’s request, or with any other similar entity before entering into a purchase agreement, service contract or any other contract related to Company procurement. - Legitimate interest basis: In the case of juristic business partners, it is necessary to process personal data of corporate partner representatives, persons related to business partners or whose names appear in relevant documents as part of the Company’s business operations.
(2)	Opening a new partner account or an account for any other similar entities.	- Contractual basis: It is necessary when fulfilling requests of prospective partners, business partners or any other similar entities, to open a new partner account and any other related activities. - Legitimate interest basis: In the case of juristic business partners, it is necessary to the process personal data of corporate partner representatives, persons related to business partners or whose names appear in relevant documents as part of the Company’s business operations.
(3)	Preparing and managing contracts between the Company and any contracting party.	- Contractual basis: It is necessary when fulfilling the request of any party that has expressed their intention to enter into a contract with the Company. - Legitimate interest basis: In the case of juristic business partners, it is necessary to the process personal data of corporate partner representatives, persons related to business partners or whose names appear in relevant documents as part of the Company’s business operations.
(4)	Performing duties specified in a contract that partners or any other similar entities have entered into.	- Contractual basis: This is necessary when performing contractual duties with partners or any other similar entities, such as communicating, ordering goods or services, receiving products, inspecting services, collecting debts, paying for goods or services, etc.
(c) Communication and marketing activities
(1)	Communication	- Legitimate interest basis: It is necessary when communicating, providing services or selling products.
(2)	Public relations and marketing activities of the Company	- Consent basis: With consent, the Company carries out any marketing activities, such as sending marketing communications messages, disseminating marketing publicity through various media channels, etc.
(d) Data analysis and developing the quality of Company services and products
(1)	Conducting data analysis and customer behavior surveys or assessing any other similar persons.	- Consent basis: In the event that the Company is the party requesting the collection of personal data, such as from interview requests and questionnaires to analyze data and survey customer behavior, the Company will only proceed after obtaining consent.
(2)	Analyzing website and various application usage.	- Consent basis: In the event that the Company processes personal data of users of its website and various applications to analyze and improve the quality of its services, the Company will only proceed after obtaining consent.
(e) Human resource management
(1)	Recruiting, selecting job applicants, interviewing and any actions related to the job application process.	- Contractual basis: This is necessary when considering the applicant's expressed intention to apply for a job and be part of the Company's recruitment process. - Consent basis: · Processing the personal data of a family member or a job applicant's referee will be done with prior consent. · In the event that the Company collects personal data of a prospective employee from other sources at its own discretion, such as job application websites, the prospective employee is considered as not having expressed their intention to apply for a job with the Company yet.
(2)	Carrying out employment-related operations and staffing, entering into an employment contract, or any other activity related to employment, such as the checking criminal record, medical history, etc. of a candidate.	- Contractual basis: It is necessary when entering into an employment contract and other related contracts, as well as when taking any necessary actions before entering into such contracts. - Consent basis: Processing an employee’s sensitive personal data such as their criminal record, health data and biometrics, will be done after obtaining the employee’s consent.
(3)	Managing employee welfare and benefits, including but not limited to medical expense reimbursements, welfare discounts for employees’ annual health check-ups and group insurance.	- Contractual basis: It is necessary for the Company to comply with employment contracts and other contracts to which personnel are parties. - Consent basis: Processing an employee’s sensitive personal data, including of those related to the employee, such as health information to manage group insurance or other benefits, will be done after obtaining consent from the employee and persons related to them. - Legitimate interest basis: Processing personal data of an employee and related persons is necessary for the Company's human resource management when allocating welfare, including various employee and related persons’ benefits. - Legal obligation basis: it is necessary when fulfilling labor protection and social security requirements. Processing employee’s personal data is necessary to act in accordance with the law, fulfill labor protection and social security requirements, and provide welfare in the form of medical treatment for persons according to the Protection for Motor Vehicle Victims Act or social protection provisions.
(4)	Performing employee duties described in the employment contract or agreement, an appointment letter or any other contract entered into with the Company.	- Contractual basis: It is necessary to perform duties or work that is within the scope specified in the employment contract or agreement, appointment letter or any other contract the employee has entered into with the Company.
(5)	Recording working hours, the payment of salaries, wages, bonuses, compensation or any benefits.	- Contractual basis: it is necessary when paying salaries, wages, bonuses, compensation or any benefits specified in the employment contract and any other contract the employee is a party to. - Legal obligation basis: It is necessary to comply with the law, such as the withholding tax requirements specified by the tax law, social security deductions, etc. - Consent basis: It is necessary to process sensitive personal data of the employee, such as biodata and fingerprints. This will be done after obtaining consent from the employee.
(6)	Managing employee training and related procedures.	- Legitimate interest basis: It is necessary when managing employee training arrangements, such as registration for training courses, providing employee training plans, as well as allocating various facilities to organize trainings, etc. - Legal basis: It is necessary to process the personal data of the employee to comply with the law, such as submitting a contribution form to the Skill Development Fund under the Skill Development Promotion Act, 2002, etc.
(7)	Complying with laws related to human resource management or that are applicable to the Company.	- Legal obligation basis: processing personal data of employees and related persons is in compliance with corporate laws. This includes, but is not limited to, labor laws, social security laws, tax laws, securities and exchange laws, laws on personal data protection, for example, employee’s personal data for relevant government agencies such as the Revenue Department, Social Security Office, Department of Skill Development, etc.
(8)	Evaluating employee performance.	- Legitimate interest basis: It is necessary when assessing the performance of employees, human resource management or for any other purposes related to the Company's business operations.
(9)	Transferring employees.	- Contractual basis: It is necessary to fulfill the terms of an employment contract or an employee transfer contract to which the employee is a contracting party, or any other contract of a similar nature. - Consent basis: In some cases, the Company may request the consent of its employees to disclose or transfer employees’ personal information to foreign countries following the rules prescribed by the personal data protection laws.
(10)	Managing other human resource matters such as disciplinary actions, dismissals, resignations, retirements, etc.	- Contractual basis: It is necessary to execute duties under an employment contract or other agreement to which an employee is a contracting party, such as a termination of employment if the employee resigns or retires from their work, disciplinary records for an employee who violates work rules or regulations, etc. - Legal obligation basis: It is necessary to comply with corporate laws, such as when implementing the employment termination process and the resignation or retirement of an employee following the laws on labor protection, provident funds, etc. - Legal obligation basis: It is necessary to comply with corporate laws to fulfill labor protection requirements, such as taking disciplinary action, terminating employment, etc.
(11)	Communicating with job applicants, employees and those related to employees or job applicants.	- Legitimate interest basis: It is necessary when communicating with job applicants, employees and related persons.
(f) Performance of duties in accordance with laws that are relevant or applicable to the Company, and the establishment of legal claims
(1)	Complying with laws that are relevant or applicable to the Company.	- Legal obligation basis: It is necessary to comply with laws applicable to the Company, such as the Personal Data Protection Act, tax laws, labor laws, social security laws, civil and commercial laws, etc.
(2)	Establishing legal claims and taking other related actions.	- Legitimate interest basis: It is necessary to establish a legal claim, or defend Company claims within various legal processes – litigations, court battles, etc.
(g) Security
(1)	Inspecting and supervising to maintain order and ensure the security of individuals, Company assets and property of the general public.	- Legitimate interest basis: It is necessary to maintain order and ensure the security of individuals, Company assets and property of the general public, such as through the use of CCTV video recording to prevent Company losses or damages to property or to the general public, and control access to Company premises, etc. - It is necessary to prevent or suppress any threats to a person's life, body or health, to monitor, prevent or suppress any incident that may endanger the life, body or health of a person.

In the event that the Company processes personal data for purposes not listed above, the Company will provide additional policies or notices regarding personal data protection, and/or will provide written notices to describe the data processing for such purposes. Please study any additional policies or announcements related to this announcement and/or notices provided to you.

Disclosure of personal data

The Company may disclose personal data under the specified purposes and in accordance with the rules prescribed by law to the following individuals and entities:
Merlin Entertainments Group, both domestically and internationally. This includes executives, directors, employees, relevant personnel within the company (as necessary) to process your personal data.
Service providers that the Company appoints or hires to manage personal data for its services, such as for employee health check-ups, IT services, parcel delivery services, insurance, including life insurance, or data related to the Company's business operations such as for financial institutions, hospitals, insurance companies, life insurance companies, training providers, etc.
The Company's advisors such as auditors, legal advisors, lawyers, any other internal or external specialists, etc.
Government agencies that have legal oversight or that request the disclosure of personal data by virtue of the law, for legal proceedings or as permitted by relevant laws. These include the Department of Labor Protection and Welfare, Department of Skill Development, Revenue Department, Social Security Office, Department of Provincial Administration, Department of Business Development, Department of Intellectual Property, Personal Data Protection Commission, Royal Thai Police, Court, Legal Execution Department, etc.
Customers, trading partners, business partners, contractual parties of the Company or any other similar persons/entities for which you are the contact person or that are related to duties you perform in your position.
Any other person or entity to whom you have given your consent to disclose your personal data, such as sharing photos of participating in Company activities through various Company media channels or via social media, etc.
Disclosure of your personal data to other parties will be done in accordance with the specified purposes or other legal requirements. It will only be in the event that your consent is required by law that the Company will seek your consent before disclosure.
In disclosing your personal data to other parties, the Company will take appropriate measures to protect your personal data to comply with personal data protection standards and duties as required by the personal data protection laws. When sending or transferring your personal information abroad, the Company will take steps to ensure that the country of destination, international organization or the recipient abroad has adequate personal data protection standards, or ensure that the transmission or transfer of your personal data abroad is in accordance with rules specified in the personal data protection laws. This would be applicable in the event that the Company requests your consent for the transmission or transfer of your personal data abroad.

Personal data retention period

The Company will retain your personal data for the period necessary to fulfill the processing purposes specified for it. The personal data retention period will change depending on the intended personal data processing purpose.
The Company will keep personal data for the period specified by relevant laws, and take into account the Company's guidelines and those of relevant business sectors for each type of personal data. After this period, the Company will delete or destroy the personal data from its storage and/or its system. This includes the data of persons who provide services to the Company (if any), except in the case where the Company is required to continue keeping such personal data according to the personal data protection laws or other relevant laws.

Your rights under the Personal Data Protection Act, 2019

As the data subject, you have various rights regarding your personal data based on rules, procedures and conditions that are in accordance with the Personal Data Protection Act. They are as follows:

Right of access:

You have the right to access your personal data and ask the Company to make a copy of such personal data for you as stipulated by the personal data protection laws.

Right to data portability:

You have the right to obtain personal data about you, including the right to request the transmission or transfer of your personal data to another data controller or to yourself, except if unable to do so, as stipulated by the personal data protection laws.

Right to object:

You have the right to object to the processing of your personal data as stipulated by the data protection laws.

Right to erasure / Right to be forgotten:

You may request that the Company deletes, destroys, or makes your personal information non-personally identifiable as stipulated by the personal data protection laws.

Right to restrict processing:

You have the right to ask the Company to restrict the processing of your personal data as stipulated by the personal data protection laws.

Right to rectification:

You have the right to request that your personal data be corrected if your personal information is inaccurate, not current, non-exhaustive or causes misunderstandings.

Right to withdraw consent:

In the event that the Company processes your personal data based on your consent, you have the right to withdraw your consent to this processing that you had previously given.

Right to lodge a complaint:

If you have any concerns or questions about the Company's guidelines or your personal data, please contact the Company by using the contact details under Clause 7 of this Policy. If there has been a violation of personal data protection laws, you have the right to lodge a complaint with a panel of experts appointed by the Personal Data Protection Committee following the rules and procedures prescribed by the personal data protection laws.

The data subject exercises the above rights by submitting a request to exercise these rights to the Company in writing or via email, using the request form to exercise rights that the Company has specified. The Company will consider and notify the data subject of the result within 30 days from the date the Company receives the request. The Company may deny these rights requested by the data subject as stipulated by the law.

Contacting the Company

Data Protection Officer

Siam Ocean World Bangkok Co., Ltd.

Email: DPO.Bangkok@merlinentertainments.biz

Tel: +66 956644647

Address: B1-B2 Floor, Siam Paragon, 991 Rama 1 Road, Pathum Wan, Bangkok 10330, Thailand

Changes to this Privacy Policy

The Company may change this Policy from time to time to comply with any changes related to the processing of your personal data, and as required by the personal data protection laws or other relevant laws. The Company will notify you of any important policy changes together with an announcement of the revised policy through appropriate channels. Please check the announced changes to this Policy periodically.

This Policy is effective from 1 July 2021.

Link : Data Subject Access Request Form

Privacy Policy

Please download 'Data Subject Access Request Form'