Privacy Policy

The Application “ThailandPlus” (hereinafter referred to as the “App”) is the application that enables user to self-observe and evaluate a risk of COVID-19 infection based on locations. The App is a part of COVID-19 monitoring project (hereinafter referred to as the “Project”), which is developed and set up with the cooperation of the Ministry of Digital Economy and Society, the Department of Consular Affairs, the Department of Disease Control and the Tourism Authority of Thailand. The App is operated by the Digital Government Development Agency (Public Organization) (hereinafter referred to as “We”), a Data Processor under the instruction, control and supervision of the Department of Disease Control ,the Ministry of Public Health and the Data Governance Council, Data Controllers in compliance with the provisions of the Personal Data Protection Act B.E.2562 and the Order of the Centre for the Administration of the Situation due to the Outbreak of the Communicable Disease Coronavirus 2019 (COVID-19) No. 8/2563

The Project concerning the development of a monitoring system for handling the country’s emergency situations to support doctors, nurses, medical personnel, government authorities handling the COVID-19 pandemic, and private agencies, as well as the App users in looking after and preventing potential COVID-19 infection.

In order to be fully operated, the App collects, uses, and discloses personal data (hereinafter referred to as “Processing”) as necessary to protect the vital interests of App users, those in their immediate vicinity, and the public in general. It tracks infection and potential risk and monitors the spread of the COVID-19 virus through information provided by App users.

Before using the App, we request that you (the user) carefully read this Data Protection Policy and its amendments (hereinafter referred to as the “Policy”), including any terms and agreements referred in the App. You will be legally bound by these terms and agreements if you begin to use the App.

If you have questions regarding this Policy, please contact us through the channels mentioned below.

1. How does the App help ?

1.1 It Provides self-observation information to determine whether you have entered a potential COVID-19 risk area to protect yourself and those around you.

1.2 It assists doctors, nurses, and hospital personnel during the patient admission procedure and expedites the medical history interview and patient treatment processes.

1.3 It provides an infection risk alert when it detects a nearby infected person and issues recommendations such as seeking immediate medical attention.

 2. How do we collect your personal data?

We collect your personal data directly from you via the registration process of the App. The collection commences on the day you use the App and continues throughout the usage period. We will not collect your personal data from other sources except the information of infected provide by the Ministry of Public Health and other relevant authorities in accordance with the Policy and missions imposed by laws.

 3. What personal data do we collect ?

Personal data we gather from you is necessary for the App to monitor and prevent the spread of COVID-19. The following information will be collected from you.

3.1 Certificate of Entry Number.

3.2 Reference ID (only for CoE Number proofing)

3.3 Selfie photograph from your camera or select from your  image, audio, video, download and files. This data will be kept local. We will not transfer any image from your mobile phone.

3.4 Check-in or location , bluetooth and physical activity information.

3.5 Contact tracing information which is determined and collected by the App

Besides, the app uses RSA-2048 and SHA-256 techniques for data encryption.

 4. Purpose of processing personal data

The Processing of your personal data is in accordance with the Personal Data Protection Act B.E. 2562 (2019). Your personal data, in 3.1 and 3.2 will be used in the registration and authentication processes of the App.   The Personal Data in 3.3 which has access to camera or image, audio, video, download and files. will be used to create engagement feeling in the App and to be self-proven that the app is really yours. And your personal data in 3.4 and 3.5 which has access to location, bluetooth and physical activity will be used to analyze, process, and display your behavioral information, e.g. likely risk exposure to COVID-19 areas, activities or persons, to allow you to exercise avoidance measures such as refraining from entering an area where an infected individual has been recently found.

 5. Legal Basis of personal data processing

We process your personal data and disclose with other relevant authorities under legal bases as following :

– It is necessary for compliance with laws which we are subjected

– It is necessary to prevent or suppress a threat to a person’s life, physical well-being or health.

– It is necessary to carry out a task in the public interest or the exercise of official authority vested in the Project. This includes disclosing to the relevant public authorities for their use of personal data to provide proper preventive measures and self-care suggestions, for example, a hospital visit, self-quarantine procedures, or self-monitoring (see relevant public authorities list at www.dga.or.th). Moreover, your information concerning a visit to a place which is at risk of potential exposure to COVID-19, including those individuals with suspected symptoms of COVID-19, may be disclosed to doctors, nurses and other medical personnel (see relevant public health authorities list at www.dga.or.th).

– When it is necessary for the legitimate interests of the Project, person or juristic persons, providing that your fundamental rights remain protected.

We have implemented information security measures to protect your personal data from misuse and unauthorized disclosure. In order for the App to be more efficient and to affirm our transparency in collecting and processing your personal data, we assess all personal data which is collected, shared or processed whether it is in compliance with the purpose of collection announced and to improve those activities to ensure its compliance with the purpose. We will voluntarily send report of data collection, processing and disclosure to be audited by empowered agencies including the Office of the Personal Data Protection Committee and Office of the Official Information Commission at least every three months. The report will be including at least types of personal data collected, number of collected data, types of data disclosed, purposes of disclose, recipients of shared data, means of sharing data (one-time or continuous sharing), date and time of sharing, reason of stop sharing, report of processing activities of data which recipient obtain from us, record of data breach, misuse and complaint. Furthermore, we will reveal the report to public via our website and the App including other online social channels under our control that will have hyperlink to the report.

6. Sharing of information

We will not publish, sell, distribute, exchange, or transfer your personal data (eg. location, bluetooth, physical activity, camera image, audio, video, download and files) to a third party in addition to other relevant authorities, which such sharing is extremely required in order to fulfil the purpose of the Project, therefore, we will also keep all record of such disclosure.

We will record every time the data is disclosed by covering the matter type and number of data, purpose, relevant organization, date time and the way of how data is shared.

 7. Process and transfer information internationally

The Project utilizes cloud services from Amazon Web Services (AWS) (see the AWS Privacy Policy at https://aws.amazon.com/privacy/?nc1=f_pr) without sending or transferring personal data abroad (refer to Guideline on Cross-border Data Transfer (Section F), Thailand Data Protection Guidelines 2.0). In addition, we have appropriate information security measures to protect your personal data from misuse and unauthorized disclosure.

8. Data retention period

We will retain your personal data only for 60 days as this will be necessary for lawful purposes and as needed to provide you with an effective App service. Your personal data includes

o Certificate of Entry Number.

o Check-in or location and bluetooth information.

o Contact tracing information which is determined and collected by the App

The following personal data will not be saved in our storage:

o Reference ID (since it only serves for your authentication)

o Selfie photograph(s) from your camera or select from your image, audio, video, download and files  (since it only records in user’s mobile phone)

Physical Activity (since it only serves to trigger your location and bluetooth transmission.

Moreover, upon your request, we will erase, destroy or anonymize your personal data, unless if retention of such data is necessary for legal purposes. In such circumstance, we will ensure that throughout the retention period personal data will be protected under strict security measures.

9. Your rights on your personal data

The Personal Data Protection Act B.E. 2562 (2019) entitles you the right to access your personal data which is collected and processed by us and request a copy, including the right to rectification, the right to erasure, the right to restrict and the right to object to the processing of your personal data.

  To exercise any of the rights mentioned, please contact us through the channel mentioned below. We will act on your request within 30 days from the date of receiving the notice from the Data Governance Council.

  According to the decision of the Data Governance Council, where user cancels of registration and uninstalls the App, we will stop processing and automatically erase your personal data within 60 days from the cancelation or uninstalling the App. Moreover, in case of user’s device has no connection or logon for more than 75 days, such situation will be also considered as a implicitly cancelation of registration, and the registration data as mentioned in section 3 will be immediately deleted.

10. Changes to the Policy

We may occasionally make updates to the Policy. You are recommended to this policy read as usual basis to make sure that you have updated the newest information of the latest privacy policy. For each modification, we will have record of detail changed, date and time of effective and reference number of the policy for convenient of referable.

In announcement of updated Policy, we will set effective date of the new Policy to be in 7 days after the announcement, this is for you to acknowledge the change and decide whether to continue using the App. Where you continue use the App after the effective date, we will assume that you have agreed with all the terms of our Policy including all subsequent changes. However, in the state of emergency and the revised sections of the Policy will have obvious more coverage to you, such revised sections will have immediate effect while others will be in force at the effective date imposed.

For personal data collected prior to the revision, if the coverages of the previous and the revised Policy are different, the one with more coverage will have effect. On the other hand, personal data collected after the effective date of the revision can have coverage only under of the revised Policy.

We will inform users of the App and recipients who obtain data from us (under section 5.) about the policy revision via 1. Our website 2. Website of the App 3. App store platform of the App 4. Online social in control of the App controller or our own and 5. The App. Therefore, we encourage you to periodically access to any informing channel and review the latest update on our Policy.

In case of persons being informed are the recipients of personal data on section 5, they will be obligated to give us a notification of acknowledgement of the revised Policy within 3 days before the effective date of the revision policy imposed, we will record such acknowledgement notifications for auditing purpose. Where there is no response from the recipient within the period mentioned, it will be considered as the recipients disagree on the revised Policy, therefore, the previous one will be still effective for them.

The recipients of personal data on section 5 who disagree with the revised Policy (giving disagreement response or having no response) will be immediately restricted from access and process personal data in connection with the Project, and will have obligated to delete all personal data obtained from us as part of the Project within 24 hours (whether such personal data obtained under any policy versions), inform us about means of deleting, give record of data deleted, date and time of deleting and keep the record for auditing purpose.

In case of sharing personal data via API, we will immediately cut off the connection where we acknowledged that the recipients in section 5 disagree to be bound on the revision of the Policy.

11. Contact Us

If you have any concerns or queries regarding personal data protechtion, please contact:
Digital Government Development Agency (Public Organization) (DGA)
17th Floor, Bangkok Thai Tower Building 108 Rangnam Rd. Phayathai, Ratchatewi, Bangkok 10400
Contact Center : (+66) 0 2612 6060

E-mail : contact@dga.or.th

If you have any problems with the App, please call: Tourist Police Center 1155 We will try our best to help or resolve your problems.

This Data Protection Policy became effective in December 2020
Version 2020.03