Privacy Policy for Vendor Supplier and Contractor
Big C Supercenter Public Company Limited (“the Company”), including its affiliates, acknowledges and recognizes the importance of individuals’ rights to privacy and personal data protection. These rights are fundamental and protected by law. Since certain information that the Company is required to obtain from you for the purpose of providing services and conducting the Company’s business constitutes personal data protected by law, the Company is committed to establishing high standards in its operations and in safeguarding personal data.
To ensure that the collection, use, or disclosure of such data complies with the Personal Data Protection Act B.E. 2562 (2019), the Company has issued this Notice to inform you of the details regarding your personal data that the Company collects, uses, or discloses, the retention period of such data, as well as the necessity and purposes for collecting your personal data, including your legal rights. Please read this Notice carefully and make sure you understand it in order to fully exercise your rights with the Company.
If you have any questions regarding the information in this Notice, you may contact the Company through any of the channels provided below at your convenience.
How does the Company collect your personal data?
The Company primarily collects your personal data directly from you through various communication and transaction channels. These include completing application forms, documents, contracts, or through any other means of communication, as well as via electronic systems such as websites, applications, cookies, or the Company’s online platforms. The Company may also collect data through other communication channels, such as telephone systems, where call recordings may be made as permitted by law.
In some cases, the Company may collect your personal data from sources other than directly from you. These sources may include the Company’s affiliates or related group companies, business partners, or public sources or legally accessible public databases. In such instances, the Company will inform you of the collection of such data without delay and obtain your consent when required by applicable law.
What Personal Data Does the Company Collect from You?
The Company places great importance on the protection of your personal data and is committed to collecting, using, and disclosing such data in a transparent, fair, and lawful manner in accordance with applicable personal data protection laws. The Company will collect and use your personal data only as necessary, under lawful purposes and in alignment with its business operations, service provision, and legal compliance obligations.
The types of personal data that the Company may collect from you depend on the nature of your use of the Company’s services, your contractual relationship with the Company, and relevant legal requirements. Such personal data may be categorized as follows:
Identity Data refers to any data that can be used to identify or verify your identity, either directly or indirectly. This includes, but is not limited to, your title, first and last name, date of birth, national identification number, passport number, customer ID or membership number, occupation, gender, and age.
Identification Document Data refers to information contained in official documents issued by government authorities. This includes, but is not limited to, copies of national ID cards, passports, visas, work permits, household registration documents, name change certificates, driver’s licenses, or military documents.
Contact Data refers to information that enables the Company to communicate with you, such as your mailing address, telephone number, email address, and communication channels linked to the Company’s online platforms.
Transaction Data refers to information related to your transactions or use of services. This includes, for example, order or service history, transaction dates and times, selected products or services, and transaction reference numbers.
Financial Data refers to information related to your financial activities or financial status, including your income information, bank account details, payment methods, invoices, receipts, and other financial documents.
Communication Data refers to information generated through your interactions with the Company, such as messages, emails, documents you submit, chat logs, and call recordings.
Aggregated Data refers to data that has been combined, analyzed, or processed in a way that does not directly identify you, such as overall usage statistics, analytical reports, or anonymized data.
Purposes for Collection, Use, and Disclosure of Personal Data
| Purposes | Types of Personal Data | Lawful Basis |
| --- | --- | --- |
| To contact, coordinate, verify vendor/service provider qualifications, and conduct preliminary assessments, such as product inquiries, requesting quotations, proposing terms, or participating in vendor selection processes. | Identity Data, Contact Data | Necessary for the Performance of Contract, Legitimate Interest |
| To prepare contracts and register vendors in the Company's system, including verifying information for accuracy prior to contract execution and completing supplier onboarding for procurement processes. | Identity Data, Identification Document, Contact Data | Necessary for the Performance of Contract, Legitimate Interest |
| To perform obligations under the contract, including making payments and receiving payments in accordance with contractual terms. | Identity Data, Identification Document, Contact Data, Transaction Data, Financial Data | Necessary for the Performance of Contract, Legitimate Interest |
| To improve and enhance the efficiency and quality of the Company’s products and services. | Aggregated Data | Legitimate Interest |
| To support internal audit, internal control, and corporate reporting requirements, including accounting and procurement audits. | Identity Data, Transaction Data, Financial Data, Communication Data | Legitimate Interest |
| To exercise legal rights and comply with legal obligations related to products and services. | Identity Data, Identification Document, Contact Data, Transaction Data, Financial Data | Compliance with Legal Obligations, Legitimate Interest |
| To ensure security, monitor, detect, and prevent fraud, misconduct, or criminal activities. | Identity Data, Identification Document, Contact Data | Legitimate Interest |
In general, the Company does not intend to collect or use information relating to your religion and/or blood type that may appear on a copy of your national identification card. If you submit a copy of your identification card to the Company, please ensure that these details are redacted in advance. However, if you do not redact such information, it will be deemed that you allow the Company to redact it on your behalf, and the document will remain valid and legally effective even after redaction. In the event that the Company is unable to redact such information due to technical limitations, the Company will collect and use this specific portion of the data solely for the purpose of verifying your identity.
Security Measures
The Company recognizes and understands the importance of your personal data. Accordingly, we continuously enhance and strengthen our personal data security systems to ensure full compliance with applicable laws, while maintaining security standards that are modern, reliable, and aligned with international best practices. The Company is committed to implementing all necessary measures to uphold our Personal Data Protection Policy, taking into consideration technical measures, organizational measures, and physical measures to ensure the highest level of protection for your personal data.
The Company also emphasizes to all personnel who are authorized to process your personal data, or any individuals who have legal obligations concerning such data, the importance of maintaining confidentiality, integrity, and availability of personal data. These principles ensure that your information is protected appropriately, securely, and in accordance with relevant regulations.
In cases where you or the Company need to send or transfer any personal data to another country, the Company will comply with all legal requirements regarding cross-border data transfer. The Company will not transfer personal data to a destination country that does not have adequate data protection standards, unless explicit consent has been obtained from you or an applicable legal exception applies.
Period for Retention of Your Personal Data
The Company will retain and process your personal data for as long as the contract or business relationship between the Company and the vendor remains in effect, including for purposes of communication, coordination, procurement activities, contract administration, and compliance with applicable laws. After the contract or business relationship has ended, the Company will continue to retain your personal data for a period of ten (10) years from the contract termination date. This retention is necessary to support retrospective audits, the exercise or defense of potential legal claims, and compliance with accounting, tax, or other relevant legal obligations, and will be limited only to the data required for such purposes.
After the ten-year retention period, the Company will retain only the personal data that remains necessary for business reference or for verifying the accuracy of past transactions. All other personal data—particularly sensitive personal data (if any) and identity verification documents such as copies of identification cards, passports, or other identification documents—will be deleted, destroyed, or anonymized. Such actions will be carried out in accordance with the Company's security measures and the retention requirements set out under data protection laws.
However, if the data is subject to lawful orders, requests from law enforcement authorities, or ongoing investigations, audits, or judicial proceedings, the Company may be required to retain your personal data beyond the standard retention period until the relevant processes have been fully completed.
Disclosure of Personal Data to Third Parties
The Company will keep your personal data confidential and will not disclose it to any external parties or to the public, except where such disclosure is necessary to fulfill the services you have requested, required by applicable laws, or ordered by a competent governmental authority. The Company may also disclose your personal data when your explicit consent has been obtained in accordance with legal requirements.
Cross Border Transfer of Personal Data
In general, the Company does not transfer or disclose your personal data to recipients located outside the country, unless such transfer is necessary for business operations, such as the use of cloud service providers located overseas, or where the transfer is required to fulfil the purposes of personal data processing previously communicated to you.
Where a cross border transfer of personal data is required, the Company will ensure that the recipient has appropriate and adequate data protection measures in place. Such transfers will be carried out only for lawful purposes and may involve transferring data to:
- Countries or jurisdictions that have been recognized as providing an adequate level of data protection under applicable laws, or
- Recipients who are bound by legally enforceable data protection agreements, such as a Data Processing Agreement (DPA) or other legally required standard contractual terms.
In certain situations where the Company needs to transfer personal data overseas but the transfer does not fall under a legal exception, or where such transfer may carry a higher-than-usual level of risk, the Company may request your explicit consent as appropriate. Prior to obtaining your consent, the Company will inform you of the purpose, relevant details, and potential risks associated with the transfer.
The Company will transfer only the personal data that is necessary and will strictly comply with the Personal Data Protection Act B.E. 2562, other applicable laws, and relevant international standards.
Data Subject Rights
As the owner of your personal data, you are entitled to the rights provided under the Personal Data Protection Act B.E. 2562 (PDPA), including the following:
(1) Right to Withdraw Consent
If the Company has requested and obtained your consent to collect, use, or disclose your personal data, you have the right to withdraw your consent at any time. Once withdrawn, the Company will stop processing your personal data that relied on such consent.
(2) Right to Access and Obtain a Copy of Your Personal Data
You have the right to request access to and obtain a copy of your personal data that the Company maintains. Once the Company receives your request, we will review and process it appropriately within 30 (thirty) days from the date of receipt. However, the Company reserves the right to deny your request if such denial is permitted by law or ordered by a court, or if granting access to that data may adversely affect the rights and freedoms of another individual.
(3) Right to Request Disclosure of the Source of Personal Data
If the Company receives your personal data from a source other than directly from you, and intends to use such data, the Company will notify you within 30 (thirty) days from the date the data is obtained (unless an exemption under the law applies). In such cases, you have the right to inquire about and request the Company to disclose the source from which your personal data was collected.
(4) Right to Data Portability
You have the right to request a copy of your personal data from the Company in a format that is structured, commonly used, and machine readable, where the Company has prepared such data in a format that can be processed automatically and transferred through automated means. You also have the right to request that the Company transfer or transmit such personal data to another data controller, where technically feasible and where the transfer can be done through automated means. In addition, you have the right to request that the Company send or transfer your personal data directly to another data controller, unless this is not technically possible.
(5) Right to Object to the Collection, Use, or Disclosure of Personal Data
You have the right to object to the Company’s collection, use, or disclosure of your personal data in the following circumstances:
- Where the collection of your personal data is carried out without requiring consent, based on the Company’s legitimate interests or those of a third party, unless such interests are overridden by your fundamental rights and freedoms relating to your personal data.
- Where the collection, use, or disclosure of your personal data is for direct marketing purposes. Once the Company receives your objection request, we will immediately segregate your personal data from other data sets. However, the Company reserves the right to deny your request if we can demonstrate that the processing based on legitimate interests is supported by compelling legal grounds, or the processing is necessary for the establishment, exercise, or defense of legal claims.
(6) Right to Request Erasure or Anonymization of Personal Data
You have the right to request that the Company delete and/or anonymize your personal data in the following circumstances:
- When the personal data is no longer necessary for the purposes for which it was collected, used, or retained.
- When you withdraw your consent and the Company no longer has a legal basis to continue collecting, using, or disclosing such personal data.
- When you exercise your right to object, and the Company does not have grounds to deny your request.
- When your personal data has been collected, used, or disclosed unlawfully.
Once the Company receives your request, we will review and take appropriate action within 90 (ninety) days from the date of receipt. However, the Company reserves the right to deny your request where we have a necessary and lawful basis to do so.
(7) Right to Request the Restriction of Personal Data Processing
You have the right to request that the Company temporarily suspend the use of your personal data in the following circumstances:
- When the Company is verifying the accuracy, completeness, or updating of your personal data in accordance with your request.
- When your personal data could be deleted or destroyed, but you request that the Company restrict its use instead of deleting or destroying it.
- When your personal data is no longer necessary for the purposes for which it was collected, but you require the data to be retained for the establishment, exercise, or defense of legal claims.
- When the Company is in the process of reviewing your objection request regarding the collection, use, or disclosure of your personal data.
Once the Company receives your request, we will review and take appropriate action within 30 (thirty) days from the date of receipt. However, the Company reserves the right to deny your request if we have a necessary and lawful basis to do so.
(8) Right to Request Correction of Personal Data
You have the right to request that the Company update, correct, or complete your personal data to ensure that it is accurate, up to date, and complete. If there are any changes to the personal data you have provided, or to the data the Company has collected and retained within the applicable retention period specified in this Privacy Notice, you may notify the Company at any time to request a correction or update.
(9) Right to Lodge a Complaint in Case of Non-Compliance with the PDPA
If you believe that the Company and/or its employees have acted in violation of, or have failed to comply with, the Personal Data Protection Act B.E. 2562, you have the right to file a complaint. You may raise the issue with the Company via our Call Center at 1756, or contact the Company’s Data Protection Officer (DPO) at [email protected]. You may also file a complaint with the Office of the Personal Data Protection Committee (PDPC) at [email protected].
Channels for Exercising Your Rights under the Personal Data Protection Act B.E. 2562
You may exercise any of your rights described above by contacting the Company through our Call Center at 1756. Please note that once the Company receives your request, we will review and proceed with appropriate actions within 30 days from the date of receipt. However, the Company reserves the right to deny your request if it is not compliant with applicable laws, relevant regulations, or the Company’s internal policies, or if fulfilling the request would affect the rights and freedoms of others. The Company may also deny your request where we have a necessary and lawful basis to do so.
Contact Channels for the Company and the Data Protection Officer
Big C Supercenter Public Company Limited
Head Office: No. 88/9, Soi Samanchan-Barbos,
Prakanong Sub-district, Klongtoey District, Bangkok, 10110
Tel. 0-21465959 or Call Center: 1756
Data Protection Officer
Head Office: No. 88/9, Soi Samanchan-Barbos,
Prakanong Sub-district, Klongtoey District, Bangkok, 10110
Email: [email protected]
Other Websites
This website may contain links to third party websites. Once you click on a link that directs you to another website, third parties may be able to collect and process your personal data. The Company does not control these external websites and is not responsible for their privacy notices or practices. When you leave the Company’s website, we encourage you to read the privacy notice of every website you visit.
Changes to This Privacy Policy
This Privacy Policy was reviewed and last updated on 1 March 2026. It may be revised from time to time to ensure alignment with the Company’s practices relating to the collection, use, and disclosure of personal data, as well as to maintain fairness and transparency for data subjects. Should any updates be made to this Policy, the Company will inform employees through its website, mobile application, and official social media channels.