Privacy Policy

At Sala Hospitality, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy outlines how we collect, use, and safeguard the information you provide to us when you visit our website or interact with our services. By using our website or providing us with your information, you consent to the terms outlined in this Privacy Policy.

Information on processing of personal data

By way of introduction, we would like to draw your attention to our extensive information on creating transparency according to Articles 13 and 14 GDPR.

  1. Controller for data processing
    The controller for data processing on this website pursuant to Article 4 No 7 GDPR and the provider of the website (service provider) is SALA Hospitality Group
    10 Soi Vibhavadi Rangsit 32 Yaek 7,
    Khwaeng Chatuchak, Khet Chatuchak,
    Bangkok 10900 Thailand
    E-mail: dataprotection@salahospitality.com
  2. Contact details of the Data Protection Officer
    You can reach our Data Protection Officer at SALA Hospitality Group
    10 Soi Vibhavadi Rangsit 32 Yaek 7,
    Khwaeng Chatuchak, Khet Chatuchak,
    Bangkok 10900 Thailand
    E-mail: dataprotection@salahospitality.com
  3. Purposes and legal basis for processing personal data
    We process your personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR)
    (a)  For processing and managing reservation inquiries and reservations as well as for providing our services under the accommodation agreement, including execution of your hotel stay and payment processing (in particular also for tracking your use of our services (telephone, bar, spa, pay TV programmes, etc.)) – the legal basis for this is the first sentence of Article 6(1)(b) GDPR.
    (b)  For fulfilling a legal obligation to which our company is subject as controller (e.g. by reason of reporting legislation, tax laws, accounting obligations, etc.) – the legal basis for this is the first sentence of Article 6(1)(c) GDPR.
    (c)  For sending our e-mail newsletter including managing your subscription to the newsletter – the legal basis for this is your consent pursuant to the first sentence of Article 6(1)(a) GDPR.
    (d)  For maintaining, safeguarding and improving the quality of our products and services, in particular by performing and analysing satisfaction surveys and guest comments, by processing your personal data in our centralised guest database enabling us to recognise you as a returning guest, to better appreciate your expectations and wishes, to improve the quality and individual character of our communication with you and to create offerings tailored to you – the legal basis for this is the first sentence of Article 6(1)(f) GDPR. Our overriding legitimate interests arise from the accommodation agreement entered into with you representing a relevant and appropriate relationship within the meaning of Recital 47 of the GDPR, as well as from the fact that this type of data processing is standard industry practice with international hotel groups and is in keeping with the reasonable expectations of the majority of guests. As part of the group of undertakings to which the companies operating hotels under the umbrella brand SALA Hospitality belong (in this regard cf. also item 4 below – Categories of recipients), our company moreover has a legitimate interest, pursuant to Recital 48 of the GDPR, in transmitting personal data of the guests within the group of undertakings for internal administrative purposes.
    (e)  For direct advertising of our offerings and services – the legal basis for this is the first sentence of Article 6(1)(f) GDPR. Our overriding legitimate interest follows from Recital 47 of the GDPR.
    (f)  For ensuring compliance with house rules, for preventing and clarifying criminal acts (in particular also by video monitoring), for establishing and defending against legal claims and for safeguarding interests in legal disputes, for ensuring IT security and IT operation, for identifying credit risks – the legal basis for this is the first sentence of Article 6(1)(f) GDPR. Our overriding legitimate interests follow from our obligation to ensure that our guests have a safe stay in the hotel as well as from our interest in enforcing our tangible and intangible claims and safeguarding our rights as well as defending against unjustified claims. Furthermore, the processing of personal data in the scope which is absolutely required to prevent fraud pursuant to Recital 47 of the GDPR likewise constitutes a legitimate interest of our company.
    Minors
    Minors may not send any personal data to us without the consent of their parents or guardians. Through our website, we do not process any personal data knowingly acquired from minors.
  4. Categories of personal data recipients
    If and to the extent required for the purposes as set out above under item 3, we also disclose your personal information to the following recipients or categories of recipients pursuant to Article 4 No 9 GDPR:
    Within our company only those persons or entities are permitted to view or access your data (to the extent required in each case) who need such data for performance of our contractual and statutory duties.
    Furthermore, a disclosure of data may be made to public bodies and institutions if a statutory obligation to do so exists (e.g. financial authorities, criminal prosecution authorities).
    Further data recipients may be those entities for which you have given us your consent to data transfer.
  5. Transfer of personal data to a third country
    A transfer of personal data to entities in countries outside the European Union (third countries) takes place if
    (a)  it is required to carry out your reservations or execute your hotel stay,
    (b)  it is prescribed by law, or
    (c)  you have given us your consent.
    Our company for certain tasks uses service providers which have their corporate seat in a third country or which belong to an international group with companies in third countries or which for their part work together with service providers having their seat in a third country. A transfer of personal data to such service providers is permissible if the European Commission has decided that the third country in question ensures an adequate level of protection (pursuant to Article 45 GDPR). If the Commission has not made such decision, our company or the service provider may transfer personal data to a third country or an international organisation only if appropriate safeguards are provided for and enforceable data rights and effective legal remedies are available (Article 46(1) GDPR).
    Beyond the cases mentioned above, our company does not transfer personal data to entities in third countries or to international organisations.
  6. Period of storage of personal data and criteria for defining such period
    We process and store your personal data for as long as required for us to fulfil our contractual and legal duties. If the data are no longer required for fulfilment of contractual duties, they are normally deleted unless their further processing for a limited term is required by retention periods prescribed by commercial or tax legislation. The periods prescribed for their storage and/or documentation purposes range from two to ten years.
  7. Your rights as a data subject
    Every data subject whose personal data are processed has the right to obtain information from the controller about the personal data in question pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object to the processing pursuant to Article 21 GDPR as well as the right to data portability pursuant to Article 20 GDPR. The right to obtain information and the right to erasure are further subject to the restrictions pursuant to sections 34 and 35 BDSG-new.
    Further information on your right to object to processing pursuant to Article 21 GDPR.
    If the processing of your personal data is based on a consent granted to us, you have the right to revoke your consent at any time without the legality of the processing performed on the basis of such consent up to revocation being affected thereby.
    You also have the right to lodge a complaint with the competent data protection supervisory authority pursuant to Article 77 GDPR in conjunction with section 19 BDSG-new.
  8. Obligation to provide data
    As part of our contractual relationship, you are required to provide such personal data which are required to establish and perform the accommodation agreement or which we are legally required to collect. Without such data, we will generally not be able to conclude the agreement with you or to execute the same. We are particularly required by local law to record certain personal data about you on the registration card. In the event you should not provide us with the necessary information, we might not be able to provide you with the requested services or might not be able to do so completely.
  9. Automated decision-making and profiling
    When establishing and executing our contractual relationship, you will not be subjected to a decision based solely on automated processing, including profiling, pursuant to Article 22 GDPR, which produces legal effects concerning you or similarly affects you in a serious way.
  10. Additional information on your right to object pursuant to Article 21 GDPR
    You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning yourself which are based on the first sentence of Article 6(1)(e) GDPR (data processing in the public interest) or the first sentence of Article 6(1)(f) GDPR (data processing based on a balancing of interests), including profiling based on those provisions pursuant to Article 4(4) GDPR.
    If you make an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
    If your personal data are processed by us for direct marketing purposes, you have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing.
    The objection may be made without any particular form and should be directed to our Data Protection Officer under the contact details specified in item 2 above.

II. Additional information on data processing on this website

    1.  E-mail newsletter
      With the e-mail newsletter we keep you regularly informed about the offerings and services of the hotels belonging to SALA Hospitality. If you wish to receive the e-mail newsletter, we will need a valid email address for you. For those registering for our newsletter, we use what is known as the double-opt-in procedure. That means that after your registration we send you an e-mail to the e-mail address specified in which we ask you to confirm that you wish to be sent the newsletter. If you do not confirm your registration within 2 weeks, your information is blocked and after one month automatically deleted. Moreover, we store in each case your IP addresses used and times of log-on and confirmation. The purpose of the procedure is to be able to prove your registration and where necessary to clarify any potential misuse of your personal data.
      As a subscriber to the e-mail newsletter, you may at any time revoke your consent to the processing of your e-mail address for sending the newsletter. Consent may be revoked via the link provided for this purpose in each e-mail newsletter or by sending an e-mail with the subject “unsubscribe” to: dataprotection@salahospitality.com
    2. Analysis tools
      The tracking measures used by us as specified below are performed on the basis of the first sentence of Article 6(1)(f) GDPR. With the tracking measures used we want to ensure that our website is designed to meet the needs of users and optimised on a continuous basis. We moreover use the tracking measures to statistically record the use of our website and to evaluate such use to optimise our offering for you. Such interests are to be deemed legitimate within the meaning of the aforementioned provision. The respective data processing purposes and data categories can be found in the relevant statements on such tracking tools.
      Web tracking
      This website also uses Google Analytics, a web analysis service of Google Inc. based in Mountain View, USA (“Google”). Google Analytics uses “cookies”. These are text files that are saved to your computer that allow your usage of the website to be analysed. The information generated by the cookie about your use of this website will generally be transmitted to and stored by Google on a server in the United States.

      Google provides IP anonymisation (so-called IP masking) and this is activated on this website (by extending Google Analytics by the code “gat._anonymizeIp();”); Google will therefore shorten and therefore anonymise your IP address within the European Union or in another member state of the European Economic Area. Only in exceptional cases will a full IP address be transmitted to a Google server in the USA and be shortened there.

      On behalf of the operator of this website, Google will use the information collected through Google Analytics to analyse your use of the website, to compile reports on website activities and to render other services related to the use of the website and of the Internet in general to the website operator. The IP address transmitted by your browser in the context of Google Analytics will not be mixed with other Google data.

      You may prevent the setting of cookies by Google Analytics by configuring your browser software accordingly; however, please note that in this case you may not be able to make full use of all functions of this website. In addition, you may prevent collection of the data generated by the cookie and related to your use of the website (including your IP address) by Google and processing of these data by Google by downloading and installing the browser plug-in available under the following link (http://tools.google.com/dlpage/gaoptout?hl=com).

      Furthermore, you can prevent Google Analytics from recording your use of the website by setting an “opt-out cookie” that will prevent your data from being collected during any future visits to this website.

      The operator of this website also uses Google Analytics to analyse data from AdWords and the DoubleClick cookie for statistical purposes. If you wish to opt out, please deactivate this function via the ads settings manager http://www.google.com/settings/ads?hl=de

      You will find more information on the terms and conditions of usage and data protection of Google Analytics at http://www.google.com/analytics/terms/de.html and https://www.google.de/intl/de/policies/.

    3. Inclusion of third-party services and content (e.g. YouTube and Google Maps)
      Third-party content such as videos from YouTube or maps from Google Maps (hereafter referred to as “Third Party Providers”) are included in this website. To use such content, the user’s IP address for technical reasons must be sent to the respective Third Party Provider, since without the IP address the Third Party Providers would not be able to send the content included in the Website to the browser of the respective user. We do not have any control over whether a Third Party Provider stores the IP address e.g. for statistical purposes or otherwise.
    4. Social media plug-ins
      The plug-in provider stores the data collected about you in the form of a user profile and uses the data for advertising and market research and/or to make any required changes in the design of its website. Such evaluation is performed particularly (also for users not logged in) to enable ads tailored to user demand and to inform other users of the social network about your activities on our website. You have a right to object to the creation of such user profiles. To exercise such right, you must contact the plug-in provider by following the procedure as set out below. Through plug-ins we offer you the possibility of interacting with social networks and other users. In that way we can improve our offering and make it more attractive for you as a user. The legal basis for the use of plug-ins is the first sentence of Article 6(1)(f) GDPR.

      Data are disclosed regardless of whether you have an account with the plug-in provider and have logged in there. If you are logged in to the plug-in provider, your data collected from us are allocated directly to the account you hold with the plug-in provider. If you click on the activated button and e.g. link the page, the plug-in provider also stores this information in your user account and publicly discloses it to your contacts. As a rule, we recommend logging off after using a social network, especially, though, before activating the button, since that allows you to avoid your data being allocated with your profile with the plug-in provider.

      Facebook
      The website uses social plug-ins (hereafter referred to as “plug-ins”) for the social network facebook.com, which is run by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (hereafter referred to as “Facebook”). The plug-ins display one of the Facebook logos (white “f” on blue tile or “thumbs up” symbol) or are designated with the comment “Facebook social plug-in”. A list and display of Facebook social plug-ins is available here: https://developers.facebook.com/docs/plugins/.

      When a user accesses a page of our website that contains such a plug-in, his/her browser establishes a direct link to the servers of Facebook. The content of the plug-in will be transmitted from Facebook directly to the user’s browser, which will integrate it into the web page. The provider therefore has no control over the extent of data which Facebook collects through this plug-in. Based on the provider’s most recent knowledge, Facebook proceeds as follows:

      By embedding the plug-ins, Facebook receives the information that a user has accessed the respective web page of the provider’s website. If the user is logged in to Facebook, Facebook may allocate the visit to the user’s Facebook account. If users interact with the plug-ins, for instance by clicking the “Like” button or leaving a comment, this information will be sent from the user’s browser directly to Facebook where it will be stored. If a user is not a Facebook member, there is still a possibility that Facebook will register and store this user’s IP address.

      For details on the purpose and scope of the data collection and further processing and use of the data by Facebook and users’ rights and configuration options to protect their privacy, users are advised to refer to the privacy information of Facebook at https://www.facebook.com/about/privacy/.

      If a user is a Facebook member and does not wish Facebook to collect data about him/her via the provider’s website and to link this to the user’s member data stored at Facebook, the user must log out of Facebook before visiting the provider’s website.

      Likewise, it is possible to block the Facebook social plug-in with add-ons for the user’s browser, e.g. the “Facebook blocker”.

      Instagram
      The website uses plug-ins of Instagram, which is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA (“Instagram”). The plug-ins are designated with an Instagram logo, e.g. in form of an Instagram camera.

      When you access a page of this website which contains such a plug-in, your browser will establish a direct connection to the servers of Instagram. The content of the plug-in will be transmitted from Instagram directly to your browser, which will integrate it in the web page. Through this embedding, Instagram is provided with the information that your browser has accessed the respective page of our website, even if you do not have an Instagram profile or are not logged in to Instagram at the time. This information (including your IP address) will be transmitted directly to an Instagram server in the USA by your browser, and will be stored there.

      If you are logged in to Instagram, Instagram may directly allocate the visit to our website to your Instagram account. If you interact with the plug-ins, e.g. click the “Instagram” button, this information will likewise be transmitted directly to an Instagram server and be stored there. This information will also be published in your Instagram account and be displayed alongside your contacts.

      For details on the purpose and scope of the data collection and further processing and use of the data by Instagram and your rights as a user and configuration options to protect your privacy, please refer to the privacy information of Instagram: https://help.instagram.com/155833707900388/

      If you do not wish Instagram to allocate the data collected through our website directly to your Instagram account you must log out of Instagram before you access our website. You may also completely prevent the loading of Instagram plug-ins by using add-ons for your browser, e.g. the script blocker “NoScript” (http://noscript.net/).

      Current version and updating of this Privacy Policy

      This Privacy Policy shall apply with effect from May 2018.

      We will update this Privacy Policy from time to time to reflect relevant changes to our website, changes in the processing of personal data or amendments to legislation. The revised version shall apply as of the published effective date. In the event of any material amendments to this Privacy Policy, we will inform you in good time prior to the effective date of such amendments by posting a notice on our website. Where applicable, we will also inform our guests of the amendments by e-mail or other means.

We use cookies on our website. These are small files which are created by your browser automatically and which are stored on your terminal device (laptop, tablet, smartphone, or similar) when you visit our website. Cookies do not damage your terminal device, do not contain any viruses, Trojans or other malware. A cookie stores information resulting in each case in connection with the specifically used terminal device. However, that does not mean that we thereby directly obtain knowledge of your identity. Use of cookies serves, on the one hand, to make the use of our offering more convenient for you, and on the other to allow us to statistically record the use of our website and to evaluate such use for the purpose of optimising our offering for you. Specifically, we use the following types of cookies:

 

  1. Necessary cookies: These cookies are essential when it comes to helping improve your navigating and booking experience on our website. With them, fundamental functionalities and applications such as shopping carts or electronic invoicing processes are optimised and made easier to use. These cookies do not collect any information on you that can be used for marketing campaigns or statistical analyses.
  2. Performance cookies: Performance cookies are used to collect anonymous statistical data on how Internet sites are used and at what places errors occur. They are supplemented by anonymised general data, such as information on visitor demographics or coverage. These cookies are essential when it comes to keeping Internet sites as performance-oriented as possible and make it possible to discover any errors or weaknesses.
  3. Advertising cookies: With the help of these cookies, advertisements with content of relevant interest are supported. They are normally used by marketing networks with the operator’s consent and recognise users on different Internet sites of the participating organisations. These cookies are also used for services of third parties and make data available. We use targeted or advertising cookies for the link e.g. to Facebook in order to measure the effectiveness of our online and offline advertising.
  4. Re-targeting cookies: Here, our website pages use what are called re-targeting technologies. We use these technologies to make our Internet offering more attractive for you. This technology makes it possible to address users having already taken an interest in our shop and our products through advertising on our partners’ websites. We are convinced that the insertion of a personalised ad of relevant interest as a general rule is more attractive for Internet users than advertising not having such personal reference. Such ads on the sites of our partners are inserted on the basis of a cookie technology and an analysis of a user’s usage history. This form of advertising takes place completely anonymously. No user profiles are combined with your personal data. By using our website, you consent to the use of cookies and thus to your usage data being collected, stored and used. Furthermore, your data in cookies are stored beyond the end of the browser session and, for example, can be accessed once again the next time you visit the websites. You may revoke this consent at any time with effect for the future by refusing acceptance of cookies in your browser settings.

The data processed by cookies are required for the aforementioned purposes of safeguarding our legitimate interests as well as those of third parties pursuant to the first sentence of Article 6(1)(f) GDPR.

In your browser settings you may allow cookies to be stored only if you give your consent. Most browsers accept cookies automatically. However, you may configure your browser in such a way that no cookies are stored on your computer or that a notice is always displayed before a new cookie is created. But completely deactivating cookies may mean that you cannot use all functions of our website. If you wish to use only SALA Hospitality cookies but do not wish to accept cookies of partners, please select the option “Block cookies of third-party providers” in your browser. The help function in your web browser's menu shows you how to reject cookies and how to disable cookies already received. In the case of shared-use computers that accept cookies and flash cookies, we recommend always logging off completely after the end of the session.

PDPA Policy 

Introduction

At SALA Hospitality Group (hereinafter “SALA”) we value the rights and freedoms of all people. This includes respecting your privacy and protecting your data in compliance with the Personal Data Protection Act B.E. 2562 (“PDPA”), relevant laws, and regulations. SALA has formulated this personal data protection policy (this “Policy”) to inform you, as a data subject, of the objectives and details for collection, use and/or disclosure of personal data, including your legal rights.

Purpose of Policy

This privacy notice describes how we collect, use, and disclose (or “process”) your information. It explains how to contact us and outlines what rights you have concerning your personal data.

Scope of Policy

This policy applies to all employees, contractors, and third-party vendors who collect, use, or disclose (“Processing”) SALA’s data, regardless of the format (electronic, hard copy, or verbal).

Important Information

Who are we?

Throughout this document, “we”, “us”, “our”, and “ours” refer to the SALA Hospitality Group.
Wherever we have said “you”, “your” or “yours”, this means you (Data Subject).

Controller

SALA Hospitality Group is the Data Controller when we collect and process Personal Data about you.

We have appointed an external group Data Protection Officer (DPO) responsible for overseeing questions concerning this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please get in touch with the external DPO using the address below.

SALA Hospitality Group
10 Soi Vibhavadi Rangsit 32 Yaek 7,
Khwaeng Chatuchak, Khet Chatuchak,
Bangkok 10900 Thailand
Phone: +66 (0) 2231 2588
Email: info@salahospitality.com

Our Data Protection Officer (DPO)
VinarcoPDPA (Thailand) Ltd
1168/111, 37th Floor, Lumpini Tower
Rama 4 Road, Thungmahamek,
Sathorn, Bangkok 10120, Thailand
Email: dpo@salahospitality.com

You have the right to lodge a complaint at any time with the Office of the Personal Data Protection Committee (PDPC), which serves as the supervisory authority for data protection issues in Thailand. You can contact them using the information provided below.

The Personal Data Protection Committee (“PDPC”)

The Government Complex Commemorating His Majesty
Ratthaprasasanabhakti Building 7th Floor,
Chaengwattana Road, Thung Song Hong Sub-District, Lak Si District
Bangkok, Thailand 10210
Tel:  02 141 6993, 02 142 1033
E-mail: Saraban@pdpc.or.th

Website: www.PDPC.or.th

We would, however, appreciate the opportunity to address your concerns before you approach the PDPC. Therefore, we kindly request that you first contact us directly.

 

The Data We Collect About You

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store, and transfer different kinds of personal data about you, which we have grouped as follows:

  • Identity Data: includes but is not limited to first name, last name, username or similar identifier, title, date of birth, and other details.
  • Contact Data: includes billing address, residential address, email address and telephone numbers.
  • Financial Data: includes bank account details, bank statements, credit card details and payment details.
  • Transaction Data: includes details about payments to and from you and financial information and identification documents (e.g., for KYC verification, for bursary assessment or for fundraising).
  • Technical Data: commonly known as online identifiers and includes internet protocol (IP) address, unique mobile device identification numbers (such as your Media Access Control (MAC) address, Identifier For Advertising (IDFA), and/or International Mobile Equipment Identity (IMEI)), type of device, your login data, browser type and version, time zone setting and geolocation, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the website.
  • Academic Data: includes your login details, recruitment, disciplinary, and other training-related records, references, and training examination results.
  • Usage Data: includes information about how you use our website, and services, products, and employment data; images, audio, and video recordings or CCTV.
  • Marketing and Communication Data: includes your preferences in receiving marketing communication from us and/or our third parties, news about our products/services and your communication preferences.
  • Aggregated Data: such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.

If you decide to make a payment for any of our products/services, your Financial Data, including your bank account and payment card details, will be collected and processed by our external payment service provider. We will not have access to collect, use, store, or transfer your Financial Data.

We collect, use, and share Aggregated Data. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data that will be used according to this privacy policy.

 

Sensitive Personal Data

When necessary, we need to process personal data which is designated as “sensitive” or “special category personal data” in order to facilitate our company operations and activities. Such data includes personal data concerning a data subject’s:

  1. Health;
  2. Accessibility;
  3. Information relating to securing;
  4. Criminal records;
  5. Ethnicity;
  6. Religious or Philosophical beliefs;
  7. Biometric data (e.g. fingerprint, facial recognition, etc.)
  8. Sexual behaviour; or
  9. Political opinion.
     

How Is Your Personal Data Collected

We collect the majority of the personal data we process directly from the data subject concerned. There are instances where we collect data from third parties (for example, referees/references, and previous companies) or from publicly available resources.

We collect data about you when:

  • you have expressed an interest in applying to our company;
  • you have registered to attend (or have attended) one of our events;
  • you visit our website or social media;
  • you sign up to receive email from our newsletter;
  • you have expressed an interest in working for, or with, us; or
  • you are employed by an organization with whom we have a business relationship.

How We Use Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we are about to enter or have entered into a contract with you, for the performance of that contract;
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and
  • Where we need to comply with a legal or regulatory obligation.

 

Purposes For Which We Will Use Your Personal Data.

In the table below, we describe how we may use your personal data and which of the legal bases we rely on to do so. We have identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. In addition, processing of your data is not limited solely to the purpose/activity contained within this table.

| Purpose/Activity | Type of Data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| The recruitment, selection, and onboarding of employees | a) Identity; b) Contact; c) Technical; d) Academic; e) Usage; f) Financial; g) Sensitive | a) Performance of a contract with you; b) Explicit consent |
| The protection of employee welfare and provision of welfare, health care services and support | a) Identity; b) Contact; c) Academic; d) Sensitive; e) Technical | a) Performance of a contract with you; b) Explicit consent |
| Compliance with legal and regulatory requirements | a) Identity; b) Contact; c) Technical; d) Academic; e) Usage; f) Sensitive; g) Financial; h) Transaction | a) Legal obligation |
| Operational management including the compilation of customer records, employee records; the management of invoices, fees and accounts; the management of Company property; the management of security and safety arrangements (including the use of CCTV and monitoring of the Company’s IT and communications systems in accordance with our Acceptable use of the Company’s ICT facilities and the internet agreement); the management and implementation of our Company’s rules and policies for employees; health and safety management; and the maintenance of historic archives | a) Identity; b) Contact; c) Technical; d) Academic; e) Usage; f) Sensitive; g) Financial; h) Transaction | a) Performance of a contract with you; b) Explicit consent; c) Necessary for our legitimate interests; d) Vital interests |
| Employee management including the recruitment of employees/engagement of contractors; management of payroll, pensions, and sick leave; review and appraisal of employee performance; conduct of any grievance, capability, or disciplinary procedures; the maintenance of appropriate human resources records for current and former employees; and providing references | a) Identity; b) Contact; c) Technical; d) Academic; e) Usage; f) Sensitive; g) Financial; h) Transaction | a) Performance of a contract with you; b) Explicit consent; c) Necessary for our legitimate interests |
| Maintaining relationships with our former employees and customers | a) Identity; b) Contact | a) Necessary for our legitimate interests |
| For keeping a record of historical and memorable events relevant to the maintenance of a historical record | a) Identity; b) Contact; c) Academic | a) Necessary for our legitimate interests |
| To manage our relationship with employees and customers, which will include, but is not limited to: a) Notifying you about changes to our terms or privacy policy; b) Asking you to leave a review or take a survey | a) Identity; b) Contact; c) Marketing and Communications | a) Performance of a contract with you; b) Necessary to comply with a legal obligation; c) Necessary for our legitimate interests; d) Explicit consent |
| To manage and protect our company and the website (including cookies, troubleshooting, testing, system maintenance, support, reporting and hosting of data) | a) Identity; b) Contact; c) Technical; d) Transaction; e) Usage | a) Performance of contract; b) Necessary for our legitimate interests; c) Necessary to comply with a legal obligation; d) Explicit consent |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | a) Technical; b) Usage; c) Marketing and Communications; d) Aggregated data | a) Necessary for our legitimate interests; b) Explicit consent |

 

Change of Purpose

We will only use your personal data for the purposes we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and obtain your consent to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

 

Marketing

We provide you with choices regarding our use of your personal data for marketing and advertising purposes. We have established the following personal data control mechanisms:

  • You will receive marketing communications from us if you have subscribed for an account with us or purchased/used services from us and you have consented to receive that marketing. All our marketing communications contain an opt-in option, and you can opt out at any time. Please note that the opt-out will not affect the lawfulness of the processing that has taken place before the opt-out.

 

Third-Party Links

Our website may contain links to third-party websites, plug-ins, and applications. Clicking on these links or enabling connections may result in third parties collecting or sharing data about you. We do not control those third-party websites and are not responsible for their privacy policies. We recommend that you review the privacy policy of every website you visit when leaving our site.

Third-Party Marketing

We will get your explicit opt-in consent before sharing your personal data with any third-party company for marketing purposes.

Disclosure of Your Personal Data

  • We will keep your personal data confidential and do not have a policy to sell your personal data to a third party. If there is a legal necessity to disclose your personal data, we will only disclose your personal data to authorized persons or parties as necessary. We may share your personal data with third parties as set out below for the purposes specified in the table in section 4 above:
    • Our company partners and our authorized representative personnel;
    • Service providers such as representative companies, travel agencies, contractors, consultants, financial institutions, healthcare providers, cloud service providers, online travel agents (OTA) websites, marketing companies, and information technology (IT) development companies. Such parties may be located either domestically or internationally, and all such parties are under agreement with us;
    • Government or regulatory agencies, to comply with the law or with requests from authorized departments.
  • We may seek to acquire other businesses or merge with them, or our business or part of our business may be sold. If a change happens to our business, we will notify you of such changes as they relate to your personal data. Your personal data may be disclosed to our advisers and those of any prospective purchaser or partner. The new owners or partners may use your personal data in the same way as set out in this privacy policy. Your data will only be disclosed for the purposes identified in this privacy policy (as may be updated periodically) unless a law or regulation allows it explicitly or requires otherwise.

We require all third parties to respect the security of your personal data and treat it according to the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our agreement. All our third-party processing partners are vetted under our third-party due diligence process and have signed a Data Processor Agreement with us.

International Transfers

Some of our external third parties are based outside the Kingdom of Thailand, so their processing of your personal data will involve a transfer of data outside the Kingdom of Thailand.

Whenever we transfer your personal data out of the Kingdom of Thailand, we ensure an adequate level of personal data protection is offered to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the Personal Data Protection Committee (PDPC) (as appropriate).
  • Appropriate safeguards are in place in accordance with data protection laws. These safeguards include the use of standard contractual clauses and/or data protection clauses approved by the Personal Data Protection Commission (as appropriate).
  • The transfer is otherwise allowed under data protection laws (including where we have your consent, or the transfer is necessary for the performance of a contract with you).

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, disclosed, or made unavailable. In addition, we limit access to your personal data to those employees, agents, professional advisers, contractors, and other third parties who have a business need to know, following the principle of least privilege (PoLP). They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. We periodically review all privacy and security policies and update them, when necessary, in line with changes in data protection laws or when any new technologies are introduced into our business. Where the introduction of new technologies results in a high risk to your personal data, we will perform a Data Protection Impact Assessment (DPIA). We will only proceed if we are able to mitigate any identified high risks. Our methods of collecting personal data are reviewed by management before they are implemented to confirm that personal data is obtained fairly, without intimidation or deception, and lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal data.

In the unlikely case of a data breach incident, we have implemented procedures to address any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. You can see our “Data Breach Policy” for risk classification of a breach as a reference.

Data Retention

We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including meeting legal, accounting, or reporting requirements. Our “Data Retention Policy” is available upon request.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law, we must keep basic information about our service users/employees (including Contact, Identity, Financial, and Transaction Data) for ten tax years as part of our legal obligations.

You can request the deletion of your data under certain circumstances. Please contact the above Data Protection Officer (DPO) to request erasure and for more information.

Additionally, in some cases, we may anonymize your personal data for research or statistical purposes, making it no longer associated with you. In such instances, we may use this information indefinitely without further notice to you.

 

Your Data Subject Rights

We value your rights under the Personal Data Protection Act (PDPA) and recognize the importance of protecting your personal data. As such, you have the following rights:

  • The right to be informed about the purpose of collecting and processing the data.
  • The right to withdraw the given consent.
  • The right to access and obtain the data collected from you.
  • The right to object to the collection, use, and disclosure of your data.
  • The right to restrict the use of your data.
  • The right to correction of your data.
  • The right to transfer your data to another data controller.
  • The right to have your data erased, destroyed, or anonymized. 

What We May Need from You: To prevent unauthorized access to your personal data, we may need to request specific information from you to confirm your identity and ensure your right to access your personal data or exercise any other rights. We may contact you to ask you for further information concerning your request to speed up our response.

Time Limit to Respond: We try to respond to all legitimate requests within 30 days. Occasionally it may take us longer than thirty days if your request is particularly complex or you have made several requests, in which case we will inform you of the reason and expected time of completing the request.

DSAR Submission: If you wish to exercise any of your PDPA rights, please email dpo@salahospitality.com to submit your request.

Policy Updates

Our policies and procedures are regularly reviewed and adjusted to align with the requirements of applicable laws and regulations, ensuring compliance and protection of your privacy rights. This review occurs at least annually and whenever changes are made to relevant laws and regulations.

This Policy is dated 1st July 2025 and will be reviewed by SALA Hospitality Group periodically as necessary or upon developments in the relevant technology to ensure effective and appropriate security measures in line with minimum legal requirements as prescribed by the relevant legal authorities.

 

CCTV Policy


Introduction

A CCTV policy includes a set of guidelines, rules, and regulations governing the use of closed-circuit television (CCTV) systems. These policies outline the permissible purposes for CCTV deployment, surveillance scope, data retention protocols, privacy safeguards, and procedures for accessing and disclosing footage.

Purpose

This policy establishes the guidelines for the use of closed-circuit television (“CCTV”) within the SALA Hospitality Group (hereinafter “SALA”).

The CCTV equipment is in use for the following purposes:

  • Prevention, investigation, and detection of crimes against person and/or property.
  • Apprehension and prosecution of offenders (including use of images as evidence in criminal proceedings).
  • Safety of visitors, contractors, and employees.
  • Monitoring the security of premises and assets.

 

Scope

This CCTV Policy applies to all areas controlled by SALA.

This CCTV Policy applies to all SALA customers, employees, contractors, and visitors.

This CCTV Policy is guided by and supports the relevant requirements of the Thailand Personal Data Protection Act, B.E.2562 (“PDPA”).

All CCTV footage disclosure must be approved by the Data Protection Officer and the Hotel Manager/IT Manager.

 

Principles of CCTV Usage

CCTV data shall only be used for the purposes stated above. CCTV cameras are strategically installed and positioned to monitor specific areas, with exceptions such as changing rooms, toilets, and shower rooms. Warning signs, as required by legislation, are placed in company areas covered by CCTV cameras. The movement of cameras shall be limited to their intended coverage zones to prevent manipulation. CCTV operators shall be mindful of the privacy implications associated with CCTV usage.

 

Records Storage and Retention

  • CCTV data shall be retained for a maximum period of 28 days, after which it must be deleted in line with the data retention policy. Each property within the group is required to determine and specify its CCTV retention period in the CCTV Notice, which may be shorter than 28 days but must not exceed this maximum period. A longer retention period may only be applied if there is a justified and documented reason.
  • Specifically, if data is in use for investigation or evidential purposes then the data shall be retained for as long as required by the investigation.
  • If the data is retained for evidential purposes, it shall be retained in a secure place to which access is controlled.
  • Monitors displaying images from areas in which individuals have an expectation of privacy shall not be viewed by anyone other than authorized operators of the equipment.
  • Access to and viewing of the recorded images is restricted to the Hotel Manager or a designated employee, who will decide whether to allow requests for access by third parties in accordance with our documented disclosure procedure.
  • The removal and return of CCTV footage/images for viewing purposes shall be documented.
  • All operators and employees with access to CCTV footage/images shall be aware of the procedure for accessing the CCTV footage/images.
  • The removal and return of CCTV footage/images for use in legal proceedings shall be documented.
  • All relevant employees or CCTV equipment operators shall be familiar with and shall follow our policies and procedures on records retention and storage.

 

Access and disclosure of CCTV footage/images to third parties

  • Access to recorded CCTV footage/images is restricted to accredited employees.
  • All access to stored CCTV footage/images shall be documented.
  • Disclosures shall be governed by a disclosure agreement unless such disclosure is required by law.
  • All requests for access or for disclosure shall be documented. If access or disclosure is denied, the reason shall be documented.
  • Disclosure to third parties is limited to the following circumstances:
    • Law enforcement agencies where the images recorded would assist in a specific criminal enquiry.
    • Prosecution agencies
    • Relevant legal representatives
    • People whose CCTV footage/images have been recorded and retained (unless disclosure to the individual would prejudice criminal enquiries or criminal proceedings)
    • No disclosures shall be made to the CCTV footage/images unless under direction of our communications policy and in accordance with the requirements of the relevant agency.
    • CCTV footage/images are NOT to be made widely available - such as on the Internet or public domains.

Data subject access

All relevant employees or CCTV equipment operators must be able to recognize a request for access and shall be familiar with and follow our data subject access request procedure.

 

Data subject rights

Subject to the conditions and exceptions outlined in applicable laws, you may have rights regarding the CCTV data held by SALA. These rights may include access, obtaining a copy, transferring, rectifying, deleting, destroying, or anonymizing your data.

Additionally, you may have the right to restrict or object to certain activities involving your personal data. If your data is processed with your consent, you have the right to withdraw it, although this may affect our ability to provide products or services to you.

Furthermore, you may have the right to request disclosure of how your personal data is obtained without consent and to lodge a complaint with the Personal Data Protection Committee (PDPC).

We would, however, appreciate the opportunity to address your concerns before you approach the PDPC. Therefore, we kindly request that you first contact us directly.

 

DSAR Submission: If you wish to exercise any of your PDPA rights, please email dpo@salahospitality.com to submit your request.

 

Contact

If you have any questions, concerns, or would like to exercise your rights regarding your CCTV data, please feel free to contact us or our Data Protection Officer at the following address:

SALA Hospitality Group
10 Soi Vibhavadi Rangsit 32 Yaek 7,
Khwaeng Chatuchak, Khet Chatuchak,
Bangkok 10900 Thailand
Phone: +66 (0) 2231 2588
Email: info@salahospitality.com

Our Data Protection Officer (DPO)
VinarcoPDPA (Thailand) Ltd
1168/111, 37th Floor, Lumpini Tower
Rama 4 Road, Thungmahamek,
Sathorn, Bangkok 10120, Thailand
Email: dpo@salahospitality.com

 

Policy updates

This CCTV Policy is dated 1st July 2025 and will be reviewed by SALA Hospitality Group periodically as necessary or upon developments in the relevant technology to ensure effective and appropriate security measures in line with minimum legal requirements as prescribed by the relevant legal authorities.
