Privacy Notice

Personal Data Protection | Privacy Notice

The Creative Economy Agency (Public Organization) or CEA (“Agency”) recognizes and values the protection of personal data of its visitors and users (“You”). The Agency manages and takes care of your personal data in a transparent and fair manner and in compliance with the regulatory requirements of the Personal Data Protection Act and other applicable laws. This Privacy Notice is to inform you about how the Agency collects, uses, discloses (“processes”), and safeguards your personal data.

The Agency requests that you read and understand this Notice before sharing any personal data with the Agency itself. If you have any concerns, questions, or need more information about this Notice or other applicable notices and policies, please contact the Agency via contact information at the end of this Notice.


1. Your Personal Data

Personal data is any information that can be used to identify a person, directly or indirectly, such as name, surname, national ID number, phone number, date of birth, personal code, photo, or video recorded from closed-circuit television (CCTV), including biometric data such as face and fingerprint, but excluding data of a deceased person.

Generally, the Agency will collect personal data directly from you, such as when you fill out a form, provide information over the telephone, or use the Agency’s websites or applications. In some cases, the Agency may receive your personal data from third parties and reasonably believes that such third parties have the right to collect and disclose your personal data to the Agency. The Agency will collect personal data only as necessary and use it for the specified purposes, which are lawful or in compliance with regulatory requirements that require the Agency to collect such data.

In addition, if you contact or use the Agency’s websites or applications, the Agency is required by law to collect your data from such uses in order to improve your experience using such websites or applications. The Agency may use automation to collect your usage data, which may include cookies and other similar tracking technologies. The Agency collectively refers to these technologies as ‘cookies.’

Using Cookies: Cookies are small files that are stored on your computers or mobile devices—laptops, tablets, or smartphones—when you visit a website through a web browser. They are used to store data about your visit, such as the date and time you visited, the links you clicked, the pages you viewed, and your preferences. Here are some cases where cookies will not harm your computer or mobile device:

  • Your personal data may be stored to improve your online service experience. This includes remembering your language preferences and customizing your usage data to meet your needs.
  • Cookies are used to confirm your identity, security information, and the services in which you are interested. They are also used to measure the volume of online service usage.
  • The content on our website may be customized based on your previous and current usage behaviors. This may include advertisements and other technologies of similar nature on our websites or on your devices, depending on the service you use. This is done to ensure the safety of our services and to provide you with a convenient and enjoyable experience when using our website.

These data will be used to improve the Agency's websites to better meet your needs. You can set or delete cookie usage manually from the settings in your web browser.

Sensitive Data: The Personal Data Protection Act defines certain types of data as sensitive data, such as race, religion, sexual orientation, political view, disability, genetic data, biometric data, and health data. The collection of these data is thus permitted only if it is in accordance with the law, which may include obtaining consent from the data subject. The Agency will collect sensitive data only when necessary and will clearly inform you of the reason for the collection. In some cases, the Agency may request your consent to collect such sensitive data.

  • The Agency will process personal data of minors, quasi-incompetent persons, and incompetent persons (collectively referred to as “Persons with Limited Legal Capacity to Transact”) only in cases where necessary and in accordance with the guidelines set forth in the Personal Data Protection Act. In cases where the Agency is required to process the personal data of a person with limited legal capacity to transact for any activities, we will also seek consent from their parent, guardian, curator, or custodian, who has the authority to act on their behalf, depending on the case. However, if the person is a minor who is over 10 years old and the processing of their personal data is specific to them, suitable to their conditions in life, or actually required for their reasonable needs, they can give consent on their own.

The following is personal data that the Agency may collect from you:

1)  When you contact, participate in activities, or request any services from the Agency, or when the Agency is carrying out research and survey tasks, we may collect personal data from you, such as:

  • Personal information such as name, surname, national ID number, etc.
  • Contact information such as email, phone number, address, social media, workplace, etc.
  • Information about your work, such as your occupation, position, affiliated organization, etc.
  • Technical data and data usage such as IP address, e.g., when you use the Agency's online services.
  • Other personal data that you voluntarily provide to the Agency.

2)  When you enter the Agency premises, we may record your image through CCTV. The Agency will post a sign to inform you that CCTV is being used on the premises.
3)  If you enter an area where the Agency is holding a meeting, seminar, public hearing, or any other event, you may be recorded in our photographs or videos. We use these recordings to record the event or to produce our public relations materials. We will post a sign to inform you that photographs or videos are being taken in the area.


2. Why We Have to Collect Your Personal Data

The Agency needs to collect, use, or disclose (“process”) your personal data for the following purposes:

  • To operate the Agency, conduct research, resolve problems, analyze data, test, and compile statistics in accordance with the Agency’s purposes.
  • To improve the quality of our services.
  • To verify or identify individuals, recruit employees, procure goods and services, accept and make payments, or perform any financial and accounting activities of the Agency.
  • To protect user accounts.
  • To share activities, news, and newsletters with users.
  • To notify users of upcoming changes.
  • To provide information for accessing and using our websites or services.
  • To investigate fraud, ensure safety, and manage user accounts.

3. How the Law Permit the Agency to Collect, Use, and Disclose Your Personal Data

The Agency will collect, use, and disclose (“process”) your personal data only as necessary and in compliance with the Personal Data Protection Act. This is because the Personal Data Protection Act sets out a number of legal grounds, depending on the situation, that allow the Agency, as the personal data controller under this Act, to collect, use, and disclose (“process”) your personal data.

In general, the Agency will collect, use, and disclose (“process”) your personal data only when there is a legal basis for doing so. These legal bases include:

  • Consent: your consent, or the consent of your legal representative.
  • Contract: to comply with a contract that you have entered into with the Agency, or to carry out your requests before entering into a contract with the Agency.
  • Vital Interest: to protect or prevent harm to the life, body, or health of a person.
  • Public Task/Official Authority: to perform the Agency's duties in carrying out its public tasks, or to exercise its public authority.
  • Legitimate Interest: for the legitimate interests of the Agency, or of another person or legal entity, unless such interests are less important than your fundamental rights to personal data.
  • Scientific or Research: to process your personal data for historical, scientific, or research purposes, such as preparing historical documents or archives, conducting educational or statistical activities, or serving the public interest, under appropriate protective measures to protect your rights and freedoms, in accordance with the declarations by the Personal Data Protection Committee.
  • Legal Obligation: to comply with applicable laws.

This Notice establishes the main principles and practices of the Agency. We carry out a variety of activities and services, both for external services and for internal operations, as part of the Agency's legal obligations. Each of these activities and services requires the collection, use, and disclosure (“processing”) of your data.


4. Summary of the Collection, Use, and Disclosure (“Processing”) of Your Personal Information in Each Activity and Service

4.1 External service-related activities

Data Collection Details    

1. Services for members and visitors. The Agency may collect some or all of the following personal data:

  • Name and surname
  • National ID number and information on the ID card
  • Contact information, e.g. address, phone number, or email
  • Work information, e.g. position or entity
  • IP address (in case of using the service through websites)
  • ขContact information through social media, e.g. Facebook account or Line ID

2. Training, seminar, and meeting activities. The Agency may collect some or all of the following personal data:

  • Name and surname
  • Contact information, e.g. address, phone number, or email
  • Work information, e.g. position or entity
  • Contact information through social media, e.g. Facebook account or Line ID
  • Photographs and/or videos
  • Other personal data that you voluntarily provide to the Agency

3. Information services, public relations, consultancy services, and complaint handling through websites. The Agency may collect some or all of the following personal data:

  • Name and surname
  • Contact information, e.g. address, phone number, or email
  • National ID number and information on the ID card (in case of complaints)
  • IP address and cookies
  • Other personal data that you voluntarily provide to the Agency

*Once the data retention period has lapsed, the Agency will cease using your personal data. Furthermore, when the scheduled cycle for data and document destruction is reached, we will also de-identify, erase, or shred your personal data.

4.2 Internal service-related activities

Data Collection Details    

1. Recruitment of employees and interns. The Agency may collect some or all of the following personal data:

  • Name and surname 
  • Photographs
  • National ID number and information on the ID card 
  • Contact information, e.g. address, phone number, or email
  • Education information, e.g. academic results, major, or educational institution
  • Work information, e.g. position or entity

2. Procurement and Asset Management. The Agency may collect some or all of the following personal data:

  • Name and surname 
  • National ID number and information on the ID card; passport number and information on the passport (only if you use a passport instead of a national ID card as a document for submitting a proposal)
  • Contact information, e.g. address, phone number, or email
  • Education information, e.g. major and educational institution (only if you need to use education information as a document for submitting a proposal)
  • Work information, e.g. position, entity, or professional background (only if you need to use professional background as a document for submitting a proposal)
  • Other personal data that you voluntarily provide to the Agency as a document for submitting a proposal

Once the data retention period has lapsed, the Agency will cease using your personal data. Furthermore, when the scheduled cycle for data and document destruction is reached, we will also de-identify, erase, or shred your personal data. If you have any concerns or need more information about this Notice, please feel free to contact us via dpo@cea.or.th


5. Your Rights to Personal Data

The Agency recognizes the rights of personal data owners under the Personal Data Protection Act and places significant emphasis on assisting and facilitating data owners in exercising the following rights:

  • Right to be informed: The Agency will provide a “Personal Data Notice” that clearly states the purpose(s) of collecting, using, and disclosing personal data.
  • Right to withdraw consent: You can withdraw your consent to the Agency at any time.
  • Right to access data: You have the right to request access to your personal data, including a copy of the data. You can also request that the Agency disclose how the data was obtained.
  • Right to rectify data: You can request that the Agency rectify any inaccurate personal data to make the data accurate, up-to-date, and not misleading.
  • Right to erase data: You can request that the Agency erase, shred, or de-identify your personal data.
  • Right to data portability: If the Agency’s information system supports automated tools or equipment and can use or disclose personal data through automatic means, you can request a copy of your personal data, including requesting that such data be automatically transferred to another data controller, and obtain personal data that has been sent or transferred.
  • Right to restrict data use: You can request that the Agency restrict the use of your personal data.
  • Right to object to data processing: You can object to the processing of your personal data.

In some cases, the Agency may refuse to grant the above rights if there is a legal ground, if it is a matter of compliance with a law or a court order, or if it may affect and cause damage to the rights or freedoms of the data subject or other persons.


6. How the Agency Shares Your Data

The Agency will not publish, sell, distribute, share, exchange, transfer, or disclose any of your personal data that we have collected to any third party, except as stipulated in this Notice, upon your request or consent, or under certain circumstances as follows:

  • In cases where the Agency believes in good faith that it is required to do so by law, or to comply with a court order, judicial process, or order of a legitimate government authority.
  • In cases where the Agency may share your personal data with other reliable organizations that work on behalf of or for the Agency under an agreement or contract that ensures that such organizations will also comply with the applicable data protection law(s). Purposes of sharing your personal data may include storage, delivery of services to you, and carrying out projects or activities related to surveys, data analysis, public relations, etc.
  • In cases where the Agency believes in good faith and has reasonable purpose(s) to disclose your personal data, these are situations where the Agency considers the disclosure to be more important than protecting your privacy, and they rarely happen. These situations may include:
    - To investigate, interrogate, and suspend criminal offenses, corruptions, and frauds;
    - To prevent or deal with threats and actions that may cause damage to the rights, property, or safety of the public, including the Agency’s and the relevant parties;
  • - To prevent or deal with actions that violate the Agency’s terms of service or the law.

If the Agency is concerned about your physical safety or if we believe that we need to take some actions to protect you from any threats or actions that may harm you, the Agency will discuss this with you. If possible, the agency will ask for your permission to inform other people of the situation you are experiencing of what you need to know before taking any action.

If such cases occur, the Agency will keep records as evidence of which data has been disclosed under what reasons and circumstances. This is done so that you can be informed about any actions the Agency has taken regarding your personal data.


7. How the Agency Protects Your Personal Data

The Agency values your trust in providing important data to us. According to the Personal Data Protection Act, the Agency, as the data controller, must have security measures and management practices in place to ensure that the data will be protected and accessible to the data owners.

Examples of security measures and management practices used by the Agency to protect and care for personal data include:

  • Implement physical security measures and restrict access to personal data only to Agency personnel who have a legitimate need(s) to access such information.
  • Implement measures to protect access to systems and data, such as the use of passwords to log into systems, in order to prevent unauthorized individuals from accessing your personal data.
  • Encrypt data with multiple layers of confidentiality to prevent unauthorized access.
  • Establish data protection procedures and handle suspected or potential personal data breaches. In the event of such incidents, the Agency will promptly inform you and, if required by law, report the matter to the relevant government authorities responsible for overseeing these issues.
  • Conduct training for Agency staff to raise awareness and understanding of the procedures for handling and protecting personal data, as well as how to respond to suspected or potential personal data breaches.
  • Review the processes for protecting personal data within the specified timeframes to ensure that they are appropriate and aligned with the current situation.
  • Inspect and test systems that store or process personal data to ensure that the systems or technologies used are secure and that the latest security management software version (update patches) has been updated and installed.

However, please be aware that sending data through a public network, using a public computer, or even using your personal computer or communication device that is infected with malware, is risky. The Agency is not able to guarantee the security of your data, which may be accessed, disclosed, or transferred without authorization and may cause you harm.


8. Data Storage and Transfer

The Agency stores, uses, and processes your personal data on a system located in Thailand. However, in some cases, data may be transferred to another location or country. The Agency will always perform inspections to ensure that the data transfer is safe and that the recipient of the data has measures to protect the data in compliance with applicable laws. In addition, the Agency will enter into a contract with third parties involved in data transfer, storage, or processing to ensure compliance with the personal data protection and protecting measures set by the Agency.


9. Retention Period for Your Personal Data

The Agency will retain your personal data for as long as it is necessary for the purposes for which it was collected and as required by law. Once the period has lapsed and your personal data is no longer necessary for the purposes of the law, we will erase, destroy, or de-identify your personal data. However, in case of a dispute, exercise of rights, or litigation involving your personal data, we reserve the right to retain such data until the dispute has been resolved by a final order or judgment.

Nevertheless, the Agency may need to retain your personal data beyond the period specified above, if we are notified or reasonably believe that there may be a breach of the Agency’s terms of service, a violation of law(s), or a dispute, and an investigation, inquiry, and collection of evidence are necessary to take legal action. The Agency will retain your personal data for as long as necessary until the process is completed, or for the period of time specified by the applicable laws.


10. Link(s) to Third-party Services

Some of the Agency’s services may contain links to third-party websites, applications, or services. These links are provided for your convenience only. If you use any of these links, you will leave the Agency’s service(s). We are not affiliated with and do not control, verify, or endorse the accuracy or reliability of these websites, applications, or services.

This Privacy Notice applies only to the Agency’s services. If you use any of the links to third-party services that are outside the scope of this Notice, the Agency recommends that you read and understand the privacy policies or notices of those services before using them.


11. Notice Review and Update

The Agency may update this Notice from time to time to ensure that the content is appropriate, up-to-date, and in compliance with the Personal Data Protection Act and other applicable laws. If any amendments are made to this Notice, the Agency will display the latest version of the Notice on cea.or.th, and may notify you through different channels as appropriate.

By continuing to use the Agency’s services after the Notice has been amended and displayed, you agree to be bound by the amended Notice.


12. Contact Us

If you have any questions, suggestions, or would like to learn more about this Notice, please contact the Agency via: Data Protection Officer (DPO) Team

Data Protection Officer : DPO
Contact: Creative Economy Agency (Public Organization)
Address: The Grand Postal Building, 1160 Charoenkrung Road, Bang Rak, Bangkok 10500
Email: dpo@cea.or.th
Telephone: 02 105 7400 ext. 207