Personal Data Protection Policy cover

Personal Data Protection Policy

Privacy Policy

Department of Physical Education

Ministry of Tourism and Sports

1. Introduction

The Department of Physical Education (hereinafter referred to as "DPE") recognizes the importance of personal data and other data concerning you (collectively referred to as "Data"). To ensure that you can be confident that DPE maintains transparency and accountability in the collection, use, or disclosure of your data in accordance with the Personal Data Protection Act B.E. 2562 (2019) ("Personal Data Protection Law") and other relevant laws, this Personal Data Protection Policy ("Policy") has been established to clarify the details regarding the collection, use, or disclosure (collectively referred to as "Processing") of personal data executed by DPE, including its officers, relevant persons, and those acting for or on behalf of DPE, with the essential substance as follows.

2. Scope of Policy Application

This Policy applies to the personal data of individuals who currently have or may have a relationship with DPE in the future, whose personal data is processed by DPE, its officers, contractual employees, business units, or other organizational forms operated by DPE, including contractors or third parties who process personal data for or on behalf of DPE ("Data Processors") under various services such as websites, systems, applications, documents, or other service formats supervised by DPE (collectively referred to as "Services").

Individuals who have a relationship with DPE under the first paragraph include:

  1. Service recipients

  2. Employees, officers, or staff members

  3. Trading partners and service providers who are natural persons

  4. Directors, attorneys, representatives, agents, shareholders, employees, or other persons with similar relationships to juristic persons that have a relationship with DPE

  5. Users of DPE's products or services

  6. Visitors or users of the website www.dpe.go.th, as well as other systems, applications, devices, or communication channels supervised by DPE

  7. Other individuals whose personal data is collected by DPE, such as service recipients, officers, guarantors, or insurance policy beneficiaries, etc.

Clauses 1) through 6) are collectively referred to as "You."

In addition to this Policy, DPE may establish specific Privacy Notices ("Notices") for particular DPE products or services to clarify to the Data Subjects who use those services about the specific personal data processed, the purposes and lawful bases for processing, the data retention periods, and the rights that the Data Subjects are entitled to in relation to those specific products or services.

In the event of any material conflict between the provisions of a specific Privacy Notice and this Policy, the provisions of the Privacy Notice of that specific service shall prevail.

3. Definitions

  • DPE means the Department of Physical Education.

  • Person means a natural person, including a juristic person.

  • Personal Data means any information relating to a natural person, which enables the identification of such person, whether directly or indirectly, such as name, surname, email, telephone number, IP Address, etc., but excluding the information of deceased persons in particular.

  • Sensitive Personal Data means personal data as provided under Section 26 of the Personal Data Protection Act B.E. 2562 (2019), which includes data regarding racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data which affects the Data Subject in a similar manner, as specified and announced by the Personal Data Protection Committee.

  • Processing of Personal Data means any operation performed upon personal data, such as collection, recording, copying, organization, storage, adaptation, alteration, use, recovery, disclosure, transmission, dissemination, transfer, combination, erasure, destruction, or modification.

  • Data Subject means a natural person who owns the personal data that DPE collects, uses, or discloses.

  • Data Controller means a person having the power and duties to make decisions regarding the collection, use, or disclosure of personal data.

  • Data Processor means a person who operates in relation to the collection, use, or disclosure of personal data according to the orders or on behalf of the Data Controller, provided that the person executing such operations is not the Data Controller.

  • Data Protection Officer (DPO) means a person assigned to perform the duty of providing advice and auditing the personal data processing operations of the agency to ensure compliance with the Personal Data Protection Act B.E. 2562 (2019).

4. Sources of Personal Data Collected by DPE

DPE collects or obtains various types of personal data from the following sources:

  1. Personal data that DPE collects directly from the Data Subject through various service channels, such as during application, registration, job application, signing contracts, documents, completing surveys, or using products, services, or other service channels supervised by DPE, or when the Data Subject contacts DPE at its office or through other communication channels supervised by DPE, etc.

  2. Data that DPE collects from the Data Subject's utilization of websites, products, or other services under contracts or operational missions, such as tracking website, product, or service usage behavior through the deployment of cookies or from software installed on the Data Subject's device, etc.

  3. Personal data that DPE collects from sources other than the Data Subject, provided that such sources have the authority, legitimate grounds, or have obtained consent from the Data Subject to disclose the data to DPE, such as the integration of digital services from government agencies to provide comprehensive public interest services directly to the Data Subject; the receipt of personal data from other government agencies wherein DPE has an operational mission to establish a central data exchange center to support government agency operations in serving the public through digital systems; as well as out of necessity to fulfill contractual services where personal data may be exchanged with contracting agencies.

Furthermore, this includes instances where you provide the personal data of third parties to DPE. In such cases, you are responsible for notifying those individuals of the details contained within this Policy or the specific service Notices, as applicable, and obtaining their consent if consent is legally required for the disclosure of data to DPE.

Should a Data Subject decline to provide personal data that is necessary for DPE's service provision, it may result in DPE being completely or partially unable to provide those services to the Data Subject.

5. Lawful Bases for Personal Data Collection

DPE determines the lawful bases for collecting your personal data appropriately and in accordance with the context of the services provided. The lawful bases utilized by DPE consist of:

Public Task / Exercise of Official Authority

To enable DPE to exercise state authority and execute missions for the public interest in accordance with DPE's mandates, which are defined under:

  • The Administration of Government Agencies Act B.E. 2545 (2002)

  • The Digital Administration and Government Services Provision Act B.E. 2562 (2019)

  • The Ministerial Regulation on the Organizational Division of the Department of Physical Education, Ministry of Tourism and Sports B.E. 2553 (2010), including its amendments, as well as relevant laws, regulations, orders, and Cabinet resolutions.

Legal Obligation

To enable DPE to comply with statutory duties governing DPE under:

  • The Ministerial Regulation on the Organizational Division of the Department of Physical Education, Ministry of Tourism and Sports B.E. 2553 (2010) and its amendments

  • The Official Information Act B.E. 2540 (1997)

  • Including relevant laws, regulations, orders, and Cabinet resolutions.

Legitimate Interests

Out of necessity for the legitimate interests of DPE and other persons, provided that such interests are not overridden by the fundamental rights and freedoms regarding the personal data of the Data Subject, such as maintaining the physical security of DPE's buildings and facilities, or processing personal data for DPE's internal administrative tasks.

Vital Interests

Out of necessity to prevent or suppress a danger to a person's life, body, or health, or for public interest, such as epidemic prevention, accident prevention, or medical service provision.

Contractual Necessity

To enable DPE to perform duties under a contract or to take necessary steps at your request prior to entering into a contract to which you are a party with DPE, such as employment, hire-of-work, entering into Memorandums of Understanding (MOU), or other contractual forms.

Historical Documents, Research, or Statistics

To enable DPE to compile or support the compilation of historical documents, research, or statistics as assigned to DPE, such as establishing a directory of directors or committee members, compiling statistics on public digital service utilization, and tracking the implementation of digital government policies.

Consent

To collect, use, or disclose personal data in cases where DPE is required to obtain your consent, provided that the purposes of the collection, use, or disclosure have been notified prior to requesting consent, such as the collection of Sensitive Personal Data for purposes that do not fall under the exemptions of Section 24 or Section 26 of the Personal Data Protection Act B.E. 2562 (2019), or presenting public relations and marketing materials of contractors or business partners to you.

6. Types of Personal Data Collected by DPE

In cases where DPE needs to collect your personal data to comply with a contract, perform a legal obligation, or take steps to enter into a contract, if you decline to provide such personal data or object to the processing activities, it may result in DPE being completely or partially unable to execute or provide the services you have requested.

Personal Identification Data

Data identifying your name or data from official government documents that specify your unique identity, such as title, first name, surname, middle name, nickname, signature, National Identification Number, nationality, driver's license number, passport number, house registration data, business registration number, professional license number (for respective professions), insured person identification number, or social security number, etc.

Personal Characteristic Data

Detailed data regarding yourself, such as date of birth, gender, height, weight, age, marital status, military enlistment status, photographs, spoken language, behavioral data, personal preferences, bankruptcy status, or data regarding being an incompetent or quasi-incompetent person, etc.

Contact Data

Data used to contact you, such as home telephone number, mobile phone number, fax number, email address, postal mailing address, social media username (e.g., Line ID), or residential location maps, etc.

Employment and Educational Data

Employment details, including work history and educational background, such as employment type, occupation, rank, position, duties, expertise, work permit status, reference person data, Tax Identification Number, position history, employment records, salary data, employment commencement date, termination date, performance evaluation results, welfare and benefits, government property in possession of the personnel, achievements, bank account numbers, educational institutions, degrees, academic transcripts, or graduation dates, etc.

Insurance Policy Data

Details regarding personnel insurance policies, such as the insurer, the insured, the beneficiary, policy number, policy type, coverage limit, insurance claim data, or athlete insurance policies for overseas competitions, etc.

Social Relationship Data

Your social relationship data, such as holding directorships, relationships with DPE personnel, data regarding being an employment contractor with DPE, or data regarding being a stakeholder in businesses/activities conducted with DPE, etc.

DPE Service Utilization Data

Details regarding DPE products or services, such as account username, password, Single Sign-on data (SSO ID), OTP codes, computer traffic data (log files), location data, photographs, videos, voice recordings, usage behavior data (on websites under DPE supervision such as www.dpe.go.th or various applications), search history, cookies or similar tracking technologies, device identifier (Device ID), device type, connection details, browser type, language used, or operating system type, etc.

Sensitive Personal Data

Your sensitive personal data, such as racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, biometric data (such as facial recognition maps), or medical history, etc.

Records Identifying the Data Subject

Various logged data used to track or audit an individual's activities, and data that can be used to search for other personal data on the internet under personal data categories.

7. Cookies

DPE collects and uses cookies and other similar tracking technologies on websites under its supervision, namely www.dpe.go.th, or on your device depending on the services you utilize. This is implemented to ensure security in DPE's service provision and to provide users with convenience and an optimized user experience. This data will be used to further improve DPE's websites to better meet your needs. You can manually configure or delete cookie settings through your own web browser configuration.

8. Personal Data of Minors, Incompetent Persons, and Quasi-Incompetent Persons

In the event that DPE becomes aware that personal data requiring consent for collection belongs to a Data Subject who is a minor, an incompetent person, or a quasi-incompetent person, DPE will not collect such personal data until consent is obtained from the person exercising parental power authorized to act on behalf of the minor, the guardian, or the curator, as the case may be, in accordance with the conditions stipulated by law.

In cases where DPE was not previously aware that the Data Subject was a minor, an incompetent person, or a quasi-incompetent person, and subsequently discovers that it has collected such personal data without the necessary consent from the authorized person exercising parental power, guardian, or curator, DPE will promptly delete or destroy that personal data, unless DPE can rely on a lawful basis other than consent to collect, use, or disclose such data.

9. Purposes of Personal Data Collection

DPE collects your personal data for multiple purposes, depending on the type of product, service, or activity you utilize, as well as the nature of your relationship with DPE or contextual considerations in each instance. The purposes stated below serve as a general framework for DPE's data utilization. Only the purposes relevant to the products, services, or relationships you are involved with shall apply to your data:

  1. To execute tasks necessary to fulfill public interests assigned to DPE, or out of necessity to exercise legal authority vested in DPE according to its mandates under the Administration of Government Agencies Act B.E. 2545 (2002) and its amendments, the Ministerial Regulation on the Organizational Division of the Department of Physical Education, Ministry of Tourism and Sports B.E. 2553 (2010) and its amendments, and relevant laws, regulations, orders, and Cabinet resolutions.

  2. To provide and manage DPE services, encompassing both services under a contract made with you or in alignment with DPE's core missions.

  3. To process financial and operational transactions of DPE.

  4. To supervise, operate, track, audit, and manage services to facilitate and correspond with your needs.

  5. To maintain and update data concerning you, including official documents referencing you.

  6. To compile records of personal data processing activities as mandated by law.

  7. To analyze data and resolve issues relating to DPE's services.

  8. To execute operations necessary for internal organizational administration, including job recruitment, selection of committee members or position holders, and qualification assessments.

  9. To prevent, detect, avoid, and investigate fraud, security breaches, or prohibited or illegal activities that could cause damage to both DPE and the Data Subject.

  10. To verify, authenticate, and check data when you apply for DPE services, contact DPE for services, or exercise your legal rights.

  11. To improve, upgrade, and develop products and services to ensure they remain modern and up to date.

  12. To assess and manage operational and organizational risks.

  13. To send notifications, transaction confirmations, communicate, and distribute news updates to you.

  14. To compile and deliver relevant and necessary documents or information.

  15. To verify identity, prevent spam, or counter unauthorized or unlawful actions.

  16. To monitor how Data Subjects access and use DPE services, both in aggregate and on an individual basis, for research and analytical purposes.

  17. To take steps necessary to perform duties that DPE owes to regulatory authorities, tax authorities, law enforcement agencies, or to comply with DPE's statutory obligations.

  18. To take steps necessary for the legitimate interests of DPE, other individuals, or other juristic persons involved in DPE's operations.

  19. To prevent or suppress dangers to a person's life, body, or health, including public health surveillance against epidemics.

  20. To compile historical documents for public interest, academic research, or statistical processing as assigned to DPE.

  21. To comply with applicable laws, notices, enforceable orders, or to manage legal cases, process data under court subpoenas, and handle the exercise of your data protection rights.

10. Categories of Persons to Whom DPE Discloses Your Personal Data

Under the purposes specified in Clause 9 above, DPE may disclose your personal data to the following categories of persons. The categories of recipients listed below serve as a general framework for data disclosure, and only the recipients relevant to the products, services, or relationships you are involved with shall apply:

Government Agencies or Authorized Entities

Entities to which DPE must disclose data to comply with legal obligations or key public interest purposes, such as name details or official government identification documents (e.g., titles, first names, surnames, signatures, National ID numbers, nationality, driver's license numbers, passport numbers, house registration records, or social security details, etc.).

Relevant Committees and Boards

Committees established to execute legal and administrative duties of DPE, such as the Royal Decoration Screening Committee, the Sub-Committee on Civil Service Personnel of the Ministry of Tourism and Sports, the Sub-Committee on Civil Service Personnel of the Department of Physical Education, and performance evaluation committees, etc.

Welfare and Benefit Contractors

Third parties contracted by DPE to administer personnel welfare and benefits, such as insurance companies, hospitals, payment processing firms, commercial banks, telecommunication service providers, and the Social Security Office, etc.

Service Providers and Vendors

Third parties assigned to act on behalf of or support DPE's operations, such as cloud storage providers (Government Data Center and Cloud Services - GDCC), software/application developers, website hosts, Internet Service Providers (ISP), Digital ID service providers (Certification Authorities - CA), telecommunication firms, social media platform providers, risk management consultants, document delivery services, banking institutions, external consultants, or logistics providers, etc.

Other Data Recipients

Other categories of recipients involved in DPE operations, such as individuals contacting DPE, family members, non-profit foundations, temples, hospitals, educational institutions, or other entities, for purposes such as service coordination, training, award presentations, merit-making, or charitable donations, etc.

Public Disclosures

DPE may disclose your data to the public when legally mandated or structurally necessary, such as publishing announcements in the Royal Gazette or processing Cabinet resolutions; publishing name lists of activity participants, procurement winners, athletic competitors, job recruitment selections, or official position appointments on the Department of Physical Education website (www.dpe.go.th) and official social media channels, including Facebook and DPE's Line Official account, etc.

11. International Transfer of Personal Data

In certain instances, DPE may need to transmit or transfer your personal data to foreign countries to fulfill its service objectives, such as transmitting data to a cloud computing system with platforms or servers located abroad to support information technology infrastructure situated outside of Thailand, depending on the specific DPE services you utilize.

When DPE transfers your personal data to a destination country, DPE will ensure that the destination country maintains adequate personal data protection standards in accordance with international criteria, or proceed in accordance with the conditions allowing lawful cross-border transfer, which include:

  1. Compliance with a law that mandates DPE to transmit or transfer personal data abroad.

  2. Notifying you and obtaining your explicit consent in cases where the destination country lacks adequate data protection standards as determined by the Personal Data Protection Committee.

  3. Contractual necessity to perform obligations under a contract to which you are a party with DPE, or to take steps at your request prior to entering into that contract.

  4. Compliance with a contract concluded between DPE and other natural or juristic persons for your benefit.

  5. To prevent or suppress a danger to your life, body, or health, or that of other persons, when you are incapable of giving consent at that time.

  6. Out of necessity to execute a mission for substantial public interest.

12. Retention Period of Personal Data

DPE will retain your personal data only for as long as it remains necessary for the purposes for which it was collected, as specified in this Policy, specific Notices, or applicable laws. Once the retention period expires and the personal data is no longer necessary for the stated purposes, DPE will erase, destroy, or completely anonymize your personal data so that it can no longer identify you, in accordance with the erasure and destruction standards prescribed by the Committee, applicable laws, or international standards.

However, in the event of legal disputes, the exercise of data protection rights, or lawsuits relating to your personal data, DPE reserves the right to retain that data until the dispute has been conclusively resolved by a final order or court judgment.

13. Third-Party Services and Sub-Contractors

DPE may assign or procure third parties (Data Processors) to process personal data for or on behalf of DPE. These third parties may offer various service formats, such as hosting providers, outsourcing vendors, cloud computing service providers, or other forms of hire-of-work agreements.

In assigning third parties to process personal data as a Data Processor, DPE will establish a Data Processing Agreement specifying the rights and duties of DPE as the Data Controller and the assigned party as the Data Processor. This agreement will outline the categories of personal data assigned for processing, the purposes, the scope of processing, and other relevant terms. The Data Processor is strictly obligated to process personal data within the scope defined in the agreement and according to the instructions of DPE, and cannot process the data for any other purposes.

In the event that the Data Processor engages a sub-contractor (Sub-processor) to process personal data for or on its behalf, DPE will supervise the Data Processor to ensure that a written agreement is executed between the Data Processor and the Sub-processor containing terms and standards that are no less stringent than those established between DPE and the Data Processor.

14. Personal Data Security Measures

DPE implements robust personal data protection measures by restricting access to personal data solely to authorized officers or assigned personnel who strictly require such data to fulfill the purposes notified to the Data Subject. Authorized personnel must strictly adhere to and comply with DPE's data protection measures and maintain the confidentiality of the personal data they become aware of during their duties. DPE deploys both organizational and technical security measures that align with international standards and comply with the announcements of the Personal Data Protection Committee.

Furthermore, when DPE transmits, transfers, or discloses personal data to third parties—whether to fulfill operational missions, contractual duties, or other forms of agreement—DPE will define appropriate security and confidentiality measures as mandated by law to guarantee that the personal data collected by DPE remains securely protected at all times.

15. Links to External Websites or Services

DPE's services may contain links to third-party websites or services, which may maintain privacy policies that differ from this Policy. DPE highly recommends that you thoroughly study the privacy policies of those respective websites or services to understand their details prior to utilization. DPE is not affiliated with and has no control over the data protection measures of those external websites or services, and cannot accept responsibility for the content, policies, damages, or actions originating from third-party websites or services.

16. Your Rights Under the Personal Data Protection Act B.E. 2562 (2019)

The Personal Data Protection Act B.E. 2562 (2019) establishes multiple rights for Data Subjects, which comprise:

  1. Right of Access: You have the right to request access to, obtain a copy of, and request disclosure of the source of your personal data collected by DPE without your consent, unless DPE has a legal right or a court order to deny your request, or if exercising your right would cause adverse effects to the rights and freedoms of other persons.

  2. Right to Rectification: If you find that your personal data is inaccurate, incomplete, or out-of-date, you have the right to request rectification to ensure the data is accurate, up-to-date, complete, and does not cause any misunderstandings.

  3. Right to Erasure: You have the right to request DPE to erase, destroy, or completely anonymize your personal data so that it can no longer identify the Data Subject, provided that the request falls under the specific conditions stipulated by law.

  4. Right to Restriction of Processing: You have the right to request the restriction of the use of your personal data under the following circumstances:

    • A) During the period where DPE is auditing data pursuant to your request to rectify your personal data to ensure accuracy, completeness, and currency.

    • B) When the personal data of the Data Subject has been unlawfully collected, used, or disclosed.

    • C) When the personal data is no longer necessary for the retention purposes notified by DPE, but the Data Subject requests DPE to retain the data to support the establishment, compliance, exercise, or defense of legal claims.

    • D) During the period where DPE is proving compelling legitimate grounds for collecting the personal data, or verifying the necessity of processing the personal data for public interest following the Data Subject's exercise of their right to object.

  5. Right to Object: You have the right to object to the collection, use, or disclosure of your personal data, unless DPE demonstrates compelling legitimate grounds to deny your request (e.g., demonstrating that the collection, use, or disclosure of your personal data relies on legitimate grounds that override your interests, or is executed for the establishment, compliance, exercise, or defense of legal claims, or for DPE's public interest tasks).

  6. Right to Withdraw Consent: In cases where you have granted consent to DPE to collect, use, or disclose your personal data (whether granted prior to or after the enforcement of the Personal Data Protection Act B.E. 2562), you have the right to withdraw your consent at any time throughout the duration that your personal data is retained by DPE, unless restricted by law or by an existing contract between you and DPE that provides you with benefits.

  7. Right to Data Portability: You have the right to obtain your personal data from DPE in a format that is readable or commonly usable by an automated device or equipment, and can be used or disclosed by automated means. You may also request DPE to directly transmit or transfer the data in such format to another Data Controller, provided that the request falls under the conditions stipulated by law.

17. Penalty for Non-Compliance with the Privacy Policy

Failure to comply with laws, regulations, or rules may constitute an offense and result in disciplinary action in accordance with DPE's regulations (for DPE officers or staff members) or according to the terms of the Data Processing Agreement (for Data Processors), depending on the case and the nature of your relationship with DPE. Non-compliance may also lead to statutory penalties as prescribed by the Personal Data Protection Act B.E. 2562 (2019), including its relevant subordinate laws, rules, regulations, and orders.

18. Amendments and Review of the Privacy Policy

DPE may consider updating, amending, or changing this Policy as it deems appropriate, and will notify you of such modifications through the following channels:

  1. DPE's operational website: www.dpe.go.th

  2. Line Official account: @dpe.mots

Each updated version will have an effective date attached. DPE highly recommends that you regularly check for updated policy versions through applications or specific activity channels managed by DPE, particularly prior to disclosing personal data to DPE.

Accessing or utilizing DPE products or services following the enforcement of a updated policy version constitutes acknowledgement of the updated terms. Please immediately cease utilization if you do not agree with the details contained within this Policy, and contact DPE to clarify the facts accordingly.

Inquiries and Exercise of Rights

If you have questions, suggestions, or concerns regarding DPE's collection, use, and disclosure of personal data, or regarding this Policy, or if you wish to exercise your statutory data protection rights, you can contact:

Data Controller

  • Name: Department of Physical Education

  • Address: No. 154 National Stadium, Rama 1 Road, Wang Mai Subdistrict, Pathum Wan District, Bangkok 10330

  • Contact Channel: dpecontact@dpe.go.th or Call Center: 0 2214 0120

Data Protection Officer (DPO)

  • Name: Personal Data Protection Officer Committee, Department of Physical Education

  • Address: No. 154 National Stadium, Rama 1 Road, Wang Mai Subdistrict, Pathum Wan District, Bangkok 10330

  • Contact Channel: dpo@dpe.go.th