Privacy Policy for Employees
Big C Supercenter Public Company Limited (“the Company”), including its affiliates, acknowledges and recognizes the importance of individuals’ rights to privacy and personal data protection. These rights are fundamental and protected by law. Since certain information that the Company is required to obtain from you for the purpose of providing services and conducting the Company’s business constitutes personal data protected by law, the Company is committed to establishing high standards in its operations and in safeguarding personal data.
To ensure that the collection, use, or disclosure of such data complies with the Personal Data Protection Act B.E. 2562 (2019), the Company has issued this Notice to inform you of the details regarding your personal data that the Company collects, uses, or discloses, the retention period of such data, as well as the necessity and purposes for collecting your personal data, including your legal rights. Please read this Notice carefully and make sure you understand it in order to fully exercise your rights with the Company.
If you have any questions regarding the information in this Notice, you may contact the Company through any of the channels provided below at your convenience.
How does the Company collect your personal data?
The Company primarily collects your personal data directly from you through various communication and transaction channels. These include completing application forms, documents, contracts, or through any other means of communication, as well as via electronic systems such as websites, applications, cookies, or the Company’s online platforms. The Company may also collect data through other communication channels, such as telephone systems, where call recordings may be made as permitted by law.
In some cases, the Company may collect your personal data from sources other than directly from you. These sources may include the Company’s affiliates or related group companies, business partners, or public sources or legally accessible public databases. In such instances, the Company will inform you of the collection of such data without delay and obtain your consent when required by applicable law.
What Personal Data Does the Company Collect from You?
The Company places great importance on the protection of your personal data and is committed to collecting, using, and disclosing such data in a transparent, fair, and lawful manner in accordance with applicable personal data protection laws. The Company will collect and use your personal data only as necessary, under lawful purposes and in alignment with its business operations, service provision, and legal compliance obligations.
The types of personal data that the Company may collect from you depend on the nature of your use of the Company’s services, your contractual relationship with the Company, and relevant legal requirements. Such personal data may be categorized as follows:
Identity Data refers to any data that can be used to identify or verify your identity, either directly or indirectly. This includes, but is not limited to, your title, first and last name, date of birth, national identification number, passport number, customer ID or membership number, occupation, gender, and age.
Identification Document Data refers to information contained in official documents issued by government authorities. This includes, but is not limited to, copies of national ID cards, passports, visas, work permits, household registration documents, name change certificates, driver’s licenses, or military documents.
Contact Data refers to information that enables the Company to communicate with you, such as your mailing address, telephone number, email address, and communication channels linked to the Company’s online platforms.
User Profile Data refers to information related to your account registration, identity verification, and account management. This includes your username, encrypted password, account settings, and system access permissions.
Transaction Data refers to information related to your transactions or use of services. This includes, for example, order or service history, transaction dates and times, selected products or services, and transaction reference numbers.
Financial Data refers to information related to your financial activities or financial status, including your income information, bank account details, payment methods, invoices, receipts, and other financial documents.
Technical Data refers to information automatically collected when you use the Company’s website, systems, or applications. This includes your IP address, device type, operating system, browser type, and log files.
Usage Data refers to information about how you interact with the Company’s services, such as pages you visit, time spent using the service, interactions with features, and general usage patterns.
Location Data refers to information indicating your geographical location, whether precise or approximate. This includes country or province, location derived from your IP address, or GPS based location data where consent is required.
Communication Data refers to information generated through your interactions with the Company, such as messages, emails, documents you submit, chat logs, and call recordings.
Sensitive Personal Data refers to data that requires special protection under the Personal Data Protection Act. The Company collects this type of data only when necessary and supported by a valid legal basis. This includes, but not limited to data related to health, religious or belief information, labor union information, and biometric data such as fingerprints or facial recognition data.
Aggregated Data refers to data that has been combined, analyzed, or processed in a way that does not directly identify you, such as overall usage statistics, analytical reports, or anonymized data.
Purposes for Collection, Use, and Disclosure of Personal Data
To ensure that you receive the full benefits of our services, and to enable the Company to provide services to you effectively and efficiently, the Company intends to process your personal data as described below.
| Purposes | Types of Personal Data | Lawful Basis |
| To conduct recruitment, assess qualifications, perform background checks, and prepare employment contracts. | - Identity Data - Contact Data |
- Necessary for the Performance of Contract - Legitimate Interest |
| To maintain and administer employee records, personnel information, and human resources operations in accordance with the company’s policies. | - Identity Data - Identification Document - Contact Data - Sensitive Data - Financial Data |
- Compliance with Legal Obligations - Necessary for the Performance of Contract - Legitimate Interest |
| To manage work administration, including time attendance recording, scheduling, leave approval, performance evaluation, and employee development. | - Identity Data - Usage Data |
- Necessary for the Performance of Contract - Legitimate Interest |
| To administer payroll, compensation, bonuses, overtime payments, withholding tax, and related accounting processes. | - Identity Data - Financial Data |
- Necessary for the Performance of Contract - Legitimate Interest |
| To manage employee welfare and benefits such as social security, health insurance, provident fund, and other benefits in accordance with rights and company policy. | - Identity Data - Identification Document - Contact Data - Transaction Data - Financial Data |
- Compliance with Legal Obligations - Legitimate Interest |
| To ensure the security of employees and company assets, including access control, employee identification systems, CCTV monitoring, and information security systems. | - Identity Data | - Legitimate Interest |
| To prevent, investigate, and manage potential incidents related to fraud, policy violations, or workplace irregularities. | - Identity Data - Contact Data - Usage Data - Transaction Data |
- Legitimate Interest |
| For internal audit purposes, risk assessments, and reporting to management or affiliated companies as necessary. | - Aggregated Data - Usage Data - Transaction Data - Financial Data |
- Legitimate Interest |
| To manage company equipment, tools, and assets, including issuance, asset tracking, and return of equipment upon termination of employment. | - Identity Data - Contact Data - Technical Data |
- Legitimate Interest |
| To manage IT operations and information security, including system access authorization, user account management, log recording, incident monitoring, and cybersecurity protection. | - Identity Data - Technical Data - Usage Data - Contact Data |
- Compliance with Legal Obligations - Legitimate Interest |
| For internal communication and corporate announcements, including contact list preparation, management communications, and internal organizational activities such as organizing corporate activities, build corporate culture, enhance employee engagement, and record photos or videos of internal events as appropriate. | - Identity Data - Contact Data |
- Legitimate Interest |
| To create statistics, analyze human resources data, and support the company’s strategic planning. | - Aggregated Data | - Legitimate Interest |
| To process employment termination matters, including issuance of employment certificates, settlement of outstanding benefits, asset return, and retention of records for legally required periods. | - Identity Data - Contact Data |
- Compliance with Legal Obligations - Necessary for the Performance of Contract - Legitimate Interest |
In general, the Company does not intend to collect or use information relating to your religion and/or blood type that may appear on a copy of your national identification card. If you submit a copy of your identification card to the Company, please ensure that these details are redacted in advance. However, if you do not redact such information, it will be deemed that you allow to the Company redacting it on your behalf, and the document will remain valid and legally effective even after redaction. In the event that the Company is unable to redact such information due to technical limitations, the Company will collect and use this specific portion of the data solely for the purpose of verifying your identity.
Security Measures
The Company recognizes and understands the importance of your personal data. Accordingly, we continuously enhance and strengthen our personal data security systems to ensure full compliance with applicable laws, while maintaining security standards that are modern, reliable, and aligned with international best practices. The Company is committed to implementing all necessary measures to uphold our Personal Data Protection Policy, taking into consideration technical measures, organizational measures, and physical measures to ensure the highest level of protection for your personal data.
The Company also emphasizes to all personnel who are authorized to process your personal data, or any individuals who have legal obligations concerning such data, the importance of maintaining confidentiality, integrity, and availability of personal data. These principles ensure that your information is protected appropriately, securely, and in accordance with relevant regulations.
In cases where you or the Company need to send or transfer any personal data to another country, the Company will comply with all legal requirements regarding cross-border data transfer. The Company will not transfer personal data to a destination country that does not have adequate data protection standards, unless explicit consent has been obtained from you or an applicable legal exception applies.
Period for Retention of Your Personal Data
The Company retains your job application and any supporting documents for a maximum period of one (1) calendar year from your application date to assess your suitability for other potential roles, unless you request that your data be deleted earlier.
The Company retains and processes your personal data for the entire duration of your employment. Upon the termination of your employment, the Company continues to retain your personal data for as long as necessary to comply with relevant labor, tax, and accounting regulations, as well as to support audits, internal reviews, or the establishment, exercise, or defense of potential legal claims. Your personal data will be retained for a minimum of two (2) years and up to ten (10) years from the date of employment termination, unless specific categories of data are legally required to be retained for a longer period.
After the applicable retention period expires, the Company will retain only the data strictly necessary for employment reference purposes or essential administrative documentation. If you request the deletion or destruction of your personal data, the Company will consider such request in accordance with applicable data protection laws, provided that the requested deletion does not conflict with mandatory legal retention requirements.
Where your personal data is subject to an ongoing investigation, factâfinding procedure, litigation process, regulatory inquiry, or court order, the Company may be required to retain your information beyond the standard retention period until the relevant legal or internal proceedings have been fully concluded.
Disclosure of Personal Data to Third Parties
The Company may disclose your personal data to external individuals or entities to the extent necessary for employment administration, the performance of your employment contract, compliance with applicable laws and regulations, and the Company’s business operations. The Company will disclose only the data required for legitimate and relevant purposes.
The Company may disclose your personal data to banks or financial institutions for the processing of payroll, compensation, and employee benefits, as well as to employee benefits providers such as life insurance companies, health insurance providers, or other service providers engaged under the Company’s benefits programs.
The Company may disclose your personal data to governmental authorities and regulatory bodies, including tax authorities, social security offices, or other agencies with lawful authority. Such disclosures may be required for tax purposes, social security matters, labor law obligations, or compliance with official requests, subpoenas, court orders, or legal procedures.
The Company may disclose your personal data to cloud service providers or information technology service providers responsible for data storage, backup, system security, or data processing in accordance with the Company’s IT policies. The Company will ensure that these service providers implement appropriate data protection and security measures.
In addition, the Company may disclose your personal data to contractual partners or external service providers involved in business operations, including security service providers, office equipment providers, external specialists or consultants, and workplace safety service providers. Disclosures will be limited to the personal data necessary for the relevant operational purpose and will be subject to confidentiality and security requirements as mandated by applicable laws.
Cross Border Transfer of Personal Data
In general, the Company does not transfer or disclose your personal data to recipients located outside the country, unless such transfer is necessary for business operations, such as the use of cloud service providers located overseas, or where the transfer is required to fulfil the purposes of personal data processing previously communicated to you.
Where a cross border transfer of personal data is required, the Company will ensure that the recipient has appropriate and adequate data protection measures in place. Such transfers will be carried out only for lawful purposes and may involve transferring data to:
- Countries or jurisdictions that have been recognized as providing an adequate level of data protection under applicable laws, or
- Recipients who are bound by legally enforceable data protection agreements, such as a Data Processing Agreement (DPA) or other legally required standard contractual terms.
In certain situations where the Company needs to transfer personal data overseas but the transfer does not fall under a legal exception, or where such transfer may carry a higherâthanâusual level of risk, the Company may request your explicit consent as appropriate. Prior to obtaining your consent, the Company will inform you of the purpose, relevant details, and potential risks associated with the transfer.
The Company will transfer only the personal data that is necessary and will strictly comply with the Personal Data Protection Act B.E. 2562, other applicable laws, and relevant international standards.
Data Subject Rights
As the owner of your personal data, you are entitled to the rights provided under the Personal Data Protection Act B.E. 2562 (PDPA), including the following:
(1) Right to Withdraw Consent
If the Company has requested and obtained your consent to collect, use, or disclose your personal data, you have the right to withdraw your consent at any time. Once withdrawn, the Company will stop processing your personal data that relied on such consent.
(2) Right to Access and Obtain a Copy of Your Personal Data
You have the right to request access to and obtain a copy of your personal data that the Company maintains. Once the Company receives your request, we will review and process it appropriately within 30 (thirty) days from the date of receipt. However, the Company reserves the right to deny your request if such denial is permitted by law or ordered by a court, or if granting access to that data may adversely affect the rights and freedoms of another individual.
(3) Right to Request Disclosure of the Source of Personal Data
If the Company receives your personal data from a source other than directly from you, and intends to use such data, the Company will notify you within 30 (thirty) days from the date the data is obtained (unless an exemption under the law applies). In such cases, you have the right to inquire about and request the Company to disclose the source from which your personal data was collected.
(4) Right to Data Portability
You have the right to request a copy of your personal data from the Company in a format that is structured, commonly used, and machine readable, where the Company has prepared such data in a format that can be processed automatically and transferred through automated means. You also have the right to request that the Company transfer or transmit such personal data to another data controller, where technically feasible and where the transfer can be done through automated means. In addition, you have the right to request that the Company send or transfer your personal data directly to another data controller, unless this is not technically possible.
(5) Right to Object to the Collection, Use, or Disclosure of Personal Data
You have the right to object to the Company’s collection, use, or disclosure of your personal data in the following circumstances:
- Where the collection of your personal data is carried out without requiring consent, based on the Company’s legitimate interests or those of a third party, unless such interests are overridden by your fundamental rights and freedoms relating to your personal data.
- Where the collection, use, or disclosure of your personal data is for direct marketing purposes. Once the Company receives your objection request, we will immediately segregate your personal data from other data sets. However, the Company reserves the right to deny your request if we can demonstrate that the processing based on legitimate interests is supported by compelling legal grounds, or the processing is necessary for the establishment, exercise, or defense of legal claims.
(6) Right to Request Erasure or Anonymization of Personal Data
You have the right to request that the Company delete and/or anonymize your personal data in the following circumstances:
- When the personal data is no longer necessary for the purposes for which it was collected, used, or retained.
- When you withdraw your consent and the Company no longer has a legal basis to continue collecting, using, or disclosing such personal data.
- When you exercise your right to object, and the Company does not have grounds to deny your request.
- When your personal data has been collected, used, or disclosed unlawfully. Once the Company receives your request, we will review and take appropriate action within 90 (ninety) days from the date of receipt. However, the Company reserves the right to deny your request where we have a necessary and lawful basis to do so.
(7) Right to Request the Restriction of Personal Data Processing
You have the right to request that the Company temporarily suspend the use of your personal data in the following circumstances:
- When the Company is verifying the accuracy, completeness, or updating of your personal data in accordance with your request.
- When your personal data could be deleted or destroyed, but you request that the Company restrict its use instead of deleting or destroying it.
- When your personal data is no longer necessary for the purposes for which it was collected, but you require the data to be retained for the establishment, exercise, or defense of legal claims.
- When the Company is in the process of reviewing your objection request regarding the collection, use, or disclosure of your personal data.
Once the Company receives your request, we will review and take appropriate action within 30 (thirty) days from the date of receipt. However, the Company reserves the right to deny your request if we have a necessary and lawful basis to do so.
(8) Right to Request Correction of Personal Data
You have the right to request that the Company update, correct, or complete your personal data to ensure that it is accurate, up to date, and complete. If there are any changes to the personal data you have provided, or to the data the Company has collected and retained within the applicable retention period specified in this Privacy Notice, you may notify the Company at any time to request a correction or update.
(9) Right to Lodge a Complaint in Case of Non Compliance with the PDPA
If you believe that the Company and/or its employees have acted in violation of, or have failed to comply with, the Personal Data Protection Act B.E. 2562, you have the right to file a complaint. You may raise the issue with the Company via our Call Center at 1756, or contact the Company’s Data Protection Officer (DPO) at [email protected]. You may also file a complaint with the Office of the Personal Data Protection Committee (PDPC) at [email protected].
Channels for Exercising Your Rights under the Personal Data Protection Act B.E. 2562
If you wish to update or correct your employmentârelated personal data, you may do so directly through the Employee SelfâService (ESS) system, in accordance with the functionalities and permissions provided within the system. For other rights under the Personal Data Protection Act B.E. 2562, including the right to request deletion of data, the right to restrict processing, the right to object to processing, or the right to request data portability, you may contact your HR Business Partner (HRBP) to proceed in accordance with the Company’s established procedures.
Contact Channels for the Company and the Data Protection Officer
Big C Supercenter Public Company Limited
Head Office: No. 88/9 , Soi Samanchan-Barbos ,
Prakanong Sub-district , Klongtoey District, Bangkok, 10110
Tel. 0-21465959 or Call Center: 1756
Data Protection Officer
Head Office: No. 88/9 , Soi Samanchan-Barbos ,
Prakanong Sub-district , Klongtoey District, Bangkok, 10110
Email: [email protected]
Changes to This Privacy Policy
This Privacy Policy was reviewed and last updated on 1 March 2026. It may be revised from time to time to ensure alignment with the Company’s practices relating to the collection, use, and disclosure of personal data, as well as to maintain fairness and transparency for data subjects. Should any updates be made to this Policy, the Company will inform employees through its website, mobile application, and official social media channels.