Privacy Policy

Introduction

At Stamford International University (“University”), we value the rights and freedoms of all people. This includes respecting your privacy and protecting your personal data in compliance with the Personal Data Protection Act B.E. 2562 (“PDPA”) and relevant laws and regulations. This privacy notice describes how we collect, use, and disclose (“Process”) your information. It also tells you how to contact us and outlines the rights you have regarding your personal data.

1.  Important Information

Who are we?
Throughout this document, “we”, “us”, “our”, “ours” refer to Stamford International University.

Wherever we have said “you”, “your” or “yours”, this means YOU.

Controller
Stamford International University is the Data Controller when we collect and process Personal Data about you.

We have appointed an external group data protection officer (DPO) responsible for overseeing questions concerning this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please get in touch with the external DPO using the details set out below.

Stamford International University (Rama9 campus)
16, Motorway Road – Km2, Prawet, Bangkok 10250 Thailand.
Tel: (+66)0 2-769-4000
Email: pdpa@stamford.edu

Our Data Protection Officer (DPO)
Personal Data Policy Department
16, Motorway Road – Km2, Prawet, Bangkok 10250 Thailand.
Email: pdpa@stamford.edu

You have the right to make a complaint at any time to the Office of the Personal Data Protection Committee, the Thailand supervisory authority for data protection issues, by contacting them:

The Personal Data Protection Committee (the “PDPC”)
The Government Complex Commemorating His Majesty
Ratthaprasasanabhakti Building 7th Floor,
Chaengwattana Road, Thung Song Hong Sub-District, Lak Si District
Bangkok, Thailand 10210
Tel:  02 141 6993, 02 142 1033
E-mail: pdpc@mdes.go.th
Website: Thailand PDPC

We would, however, appreciate the chance to deal with your concerns before you approach the PDPC, so please get in touch with us in the first instance.

Changes to The Privacy Policy and Your Duty to Inform Us of Changes
This version was last updated on 03 February B.E. 2563, and historic versions can be obtained by contacting us.

It is essential that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Third-Party Links
This website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

2. The Data We Collect About You

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:

  • Identity Data: includes but is not limited to first name, last name, username or similar identifier, title, date of birth, and other details.
  • Contact Data: includes billing address, residential address, email address and telephone numbers.
  • Financial Data: includes bank account details, bank statements, credit card details and payment details.
  • Transaction Data: includes details about payments to and from you and financial information and identification documents (e.g., for KYC verification, for bursary assessment or for fundraising).
  • Technical Data: commonly known as online identifiers and includes internet protocol (IP) address, unique mobile device identification numbers (such as your Media Access Control (MAC) address, Identifier For Advertising (IDFA), and/or International Mobile Equipment Identity (IMEI)), type of device, your login data, browser type and version, time zone setting and geolocation, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  • Academic Data: includes your login details, admissions, academic, disciplinary, and other education related records, references, examination scripts and marks.
  • Usage Data: includes information about how you use our website, and services, education, and employment data; images, audio, and video recordings or CCTV.
  • Marketing and Communication Data: includes your preferences in receiving marketing from our third parties and us, news about our products and your communication preferences.

If you decide to make a payment for any of our services, your Financial Data, including your bank account and payment card details, will be collected and processed by our external payment service provider. We will not have access to collect, use, store or transfer your Financial Data.

We collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data that will be used according to this privacy policy.

Sensitive Personal Data

As a University, from time to time we need to process personal data which is designated as “sensitive” or “special category personal data” to facilitate our university operations and activities. Such data includes personal data concerning a data subject’s:

  1. health;
  2. special education needs;
  3. information relating to safeguarding;
  4. criminal records;
  5. ethnicity;
  6. religion; or
  7. biometric data (e.g. fingerprint).

3. How Is Your Personal Data Collected

We collect most of the personal data we process directly from the data subject concerned. There are instances where we collect data from third parties (for example, referees/references, and previous Company) or from publicly available resources.

We collect data about you when:

  • you have expressed an interest in attending our University;
  • you have requested a planned visit to the University;
  • you have registered to attend (or have attended) one of our events;
  • you visit our website or social media;
  • you sign up to receive our email newsletter and/or prospectus;
  • you have expressed an interest in working for, or with, us; or
  • you are employed by an organization with whom we have a business relationship.

4. How We Use Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we are about to enter into, or have entered into, a contract with you, for the performance of that contract.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and/or
  • Where we need to comply with a legal or regulatory obligation.

Purposes For Which We Will Use Your Personal Data

In the table below, we have set out a description of how we may use your personal data and which of the legal bases we rely on to do so. We must identify what our legitimate interests are where appropriate.

Note that we may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data.

| Purpose/Activity | Type of Data | Lawful basis for processing, including basis of legitimate interest |
|---|---|---|
| The enquiry, selection, and admission of Staff | a) Identity; b) Contact; c) Technical; d) Academic; e) Usage | a) Performance of a contract with you; b) Explicit consent |
| The provision and delivery of the education curriculum | a) Identity; b) Contact; c) Technical; d) Academic; e) Usage | a) Performance of a contract with you; b) Explicit consent |
| The safeguarding of staff’s welfare and provision of pastoral care, welfare, health care services and support | a) Identity; b) Contact; c) Academic; d) Sensitive | a) Performance of a contract with you; b) Explicit consent |
| Compliance with legal and regulatory requirements | a) Identity; b) Contact; c) Technical; d) Academic; e) Usage; f) Sensitive; g) Financial; h) Transaction | a) Legal obligation |
| Operational management including the compilation of staff records; the administration of invoices, fees and accounts; the management of University property; the management of security and safety arrangements (including the use of CCTV and monitoring of the University’s IT and communications systems in accordance with our Acceptable use of the University’s ICT facilities and the internet agreement); the administration and implementation of our University’s rules and policies for staff; health and safety management; and the maintenance of historic archives | a) Identity; b) Contact; c) Technical; d) Academic; e) Usage; f) Sensitive; g) Financial; h) Transaction | a) Performance of a contract with you; b) Explicit consent; c) Necessary for our legitimate interests to maintain security of University; d) Vital Interests |
| Staff administration including the recruitment of staff/engagement of contractors; administration of payroll, pensions, and sick leave; review and appraisal of staff performance; conduct of any grievance, capability, or disciplinary procedures; the maintenance of appropriate human resources records for current and former staff; and providing references | a) Identity; b) Contact; c) Technical; d) Academic; e) Usage; f) Sensitive; g) Financial; h) Transaction | a) Performance of a contract with you; b) Explicit consent |
| Maintaining relationships with our alumni and former employees | a) Identity; b) Contact | a) Necessary for our legitimate interests to maintain our University historic records |
| For keeping a record of historical and memorable events relevant to the maintenance of a historical record | a) Identity; b) Contact; c) Academic | a) Necessary for our legitimate interests to maintain our relationships and promote fund raising activities |
| To manage our relationship with you, which will include: a) Notifying you about changes to our terms or privacy policy; b) Asking you to leave a review or take a survey | a) Identity; b) Contact; c) Marketing and Communications | a) Performance of a contract with you; b) Necessary to comply with a legal obligation; c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our University services) |
| To administer and protect our University and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | a) Identity; b) Contact; c) Technical; d) Transaction; e) Usage; f) Academic | a) Performance of contract; b) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise); c) Necessary to comply with a legal obligation; d) Necessary for our legitimate interests to detect or prevent unlawful acts |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | a) Technical; b) Usage; c) Marketing and Communications | a) Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To process your job application to work with us | a) Identity; b) Contact; c) Sensitive | a) For our legitimate interest in filling a vacancy and the candidate to apply; b) Performance of a contract with you (employment contract) |

Marketing

We provide you with choices regarding our use of your personal data for marketing and advertising purposes. We have established the following personal data control mechanisms:

You will receive marketing communications from us if you have subscribed for an account with us or purchased/used services from us and you have consented to receiving that marketing. All of our marketing communications contain an opt-in option, and you can opt out at any time. Please note that the opt-out will not affect the lawfulness of the processing that has taken place before the opt-out.

Third-Party Marketing

We will get your explicit opt-in consent before sharing your personal data with any party outside the University for marketing purposes.

Change of Purpose

We will only use your personal data for the purposes we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and obtain your consent to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

5. Disclosure of Your Personal Data

  • We will keep your personal data confidential, and it is not our policy to sell your personal data to third parties. If there is a legal necessity to disclose your personal data, we will only disclose it to an authorized person or party as necessary. We may share your personal data with third parties as set out below for the purposes specified in the table in section 4 above:
    • Our University partners and our authorized representative personnel;
    • Service providers such as representative companies, travel agencies, contractors, consultants, financial institutions, cloud service providers, online travel agent (OTA) websites, marketing companies, educational websites, and information technology (IT) development companies. Such parties may be located either domestically or internationally, and all parties are under agreement with us;
    • Government or regulatory agencies, to comply with the law or requests of authorized departments.
  • We may seek to acquire other businesses or merge with them, or our business or part of our business may be sold. If a change happens to our business, then your personal data may be disclosed to our advisers and those of any prospective purchaser or partner. The new owners or partners may use your personal data in the same way as set out in this privacy policy. Your data will only be disclosed for the purposes identified in this privacy policy (as may be updated from time to time) unless a law or regulation explicitly allows or requires otherwise.
  • We require all third parties to respect the security of your personal data and treat it according to the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. All our third-party processing partners are vetted under our third-party due diligence process and have signed data processor contracts with us.

6. International Transfers

Some of our external third parties are based outside the Kingdom of Thailand, so their processing of your personal data will involve a transfer of data outside the Kingdom of Thailand.

Whenever we transfer your personal data out of the Kingdom of Thailand, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the Personal Data Protection Committee (PDPC) (as appropriate).
  • Appropriate safeguards are in place in accordance with data protection laws. These safeguards include the use of standard contractual clauses/data protection clauses approved by the Personal Data Protection Commission (as appropriate).
  • The transfer is otherwise allowed under data protection laws (including where we have your consent, or the transfer is necessary for the performance of a contract with you).

7. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, disclosed or being unavailable. In addition, we limit access to your personal data to those employees, agents, professional advisers, contractors, and other third parties who have a business need to know, on the principle of least privilege (PoLP). They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We periodically review all privacy and security policies and update them, when necessary, in line with changes in data protection laws or when any new technologies are introduced into our business. Where the introduction of new technologies results in a high risk to your personal data, we will perform a data protection impact assessment. We will only proceed if we are able to mitigate any identified high risks.

Our methods of collecting personal data are reviewed by management before they are implemented to confirm that personal data is obtained:

  • fairly, without intimidation or deception, and
  • lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal data.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. You can refer to our Data Breach Policy for the risk classification of a breach.

8. Data Retention

How Long Will You Use My Data For?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements. A copy of our Data Retention Schedule is available upon request.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law, we have to keep basic information about our service users/staff (including Contact, Identity, Financial and Transaction Data) for 5 tax years as part of our legal obligations.

You can ask us to delete your data in some circumstances: please contact the above DPO to request erasure and for further information.

In some circumstances, we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

9. Your Data Subject Rights

  • The right to be informed about the purpose of collecting and processing the data.
  • The right to withdraw the given consent.
  • The right to access and obtain the data collected from you.
  • The right to object to the collection, use, and disclosure of your data.
  • The right to restrict the use of your data.
  • The right to correction of your data.
  • The right to transfer your data to another data controller.
  • The right to have your data erased, destroyed, or anonymized. 

What We May Need from You: We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to anyone who has no right to receive it. We may contact you to ask you for further information concerning your request to speed up our response.

Time Limit to Respond: We try to respond to all legitimate requests within thirty days. Occasionally it may take us longer than thirty days if your request is particularly complex or you have made a number of requests, in which case we will inform you of the reason and expected time of completing the request.

10. Policy Updates

Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually, and whenever changes to such laws and regulations are made, privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.