Privacy Policy and Data Protection Policy


Chiang Mai Expats Club

www.chiangmaiexpatsclub.com

Effective Date: October 6, 2025

Last Updated: October 6, 2025


1. Introduction


The Chiang Mai Expats Club (CEC) is a non-profit social organization dedicated to supporting expatriates in Chiang Mai, Thailand, under the theme "Expats Helping Expats." Our mission is to foster friendships, enhance quality of life, promote safe and legal residency, and facilitate adaptation to local customs and traditions. We operate through our website at www.chiangmaiexpatsclub.com (the "Website"), Facebook (Chiang Mai Expats Club Group), our email newsletter, events, and membership activities.


This Privacy Policy and Data Protection Policy (the "Policy") explains how CEC collects, uses, discloses, and protects personal data in compliance with the Personal Data Protection Act B.E. 2562 (2019) (PDPA) of Thailand, as well as other applicable data protection laws. It applies to all personal data processed by CEC as a data controller, including data collected via the Website, membership registrations, event registrations, newsletters, and other interactions.


We are committed to protecting your privacy and handling your personal data responsibly. By using our Website, joining as a member, or participating in our activities, you consent to the practices described in this Policy. If you do not agree, please do not provide your personal data or use our services.


For questions about this Policy, contact our Data Protection Officer at [email protected] or via the contact form on the Website.


2. Definitions


- Personal Data: Any information relating to an identified or identifiable individual, such as name, email, phone number, or address.

- Sensitive Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or criminal records.

- Data Subject: You, as an individual whose personal data we process (e.g., members, event attendees, Website visitors).

- Data Controller: CEC, which determines the purposes and means of processing personal data.

- Data Processor: Third parties that process personal data on our behalf (e.g., email service providers).

- Processing: Any operation on personal data, including collection, use, disclosure, storage, or deletion.


3. Personal Data We Collect


We collect only the personal data necessary for our non-profit activities. Types of data include:


3.1 Data Provided by You

- Membership Registration: Name, email address, phone number, nationality, date of birth, address in Thailand, and emergency contact details.

- Event Registration: Name, email, phone number, and dietary preferences (which may include health-related sensitive data if disclosed).

- Newsletter Subscription: Email address and name.

- Website Forms/Contacts: Name, email, message content, and any attachments.

- Payments: Payment details (processed via third-party providers; we do not store full card details).


3.2 Data Collected Automatically

- Usage Data: IP address, browser type, device information, pages visited, time and date of access (via cookies and analytics tools).

- Cookies: We use essential cookies for site functionality and optional cookies for analytics (e.g., Google Analytics). You can manage preferences via your browser settings.


3.3 Sensitive Personal Data

We do not intentionally collect sensitive personal data unless you voluntarily provide it (e.g., health info for event accommodations). If provided, we process it only with explicit consent and heightened protections.


We do not collect data from children under 13 without parental consent, in line with global best practices.


4. Purposes of Data Processing


We process personal data for legitimate non-profit purposes, including:


- Facilitating membership services, event organization, and community building.

- Sending newsletters, updates, and promotional information about CEC activities.

- Improving the Website and services through analytics.

- Complying with legal obligations (e.g., tax receipts for membership fees).

- Preventing fraud and ensuring security.


Processing is based on:

- Consent (e.g., newsletter subscriptions).

- Contractual necessity (e.g., membership fulfillment).

- Legitimate interests (e.g., site analytics, balanced against your rights).

- Legal obligations.


5. Legal Basis for Processing


Under the PDPA, we process data lawfully. For sensitive data, we require explicit consent. We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.


6. Sharing and Disclosure of Personal Data


We do not sell or rent personal data. Disclosures are limited to:


- Service Providers: Data processors like email platforms (e.g., Mailchimp), payment gateways (e.g., PayPal), and hosting services (e.g., WordPress). They are bound by data processing agreements ensuring PDPA compliance.

- Event Partners: Limited data for co-hosted events (e.g., venue details).

- Legal Requirements: To authorities if required by law (e.g., law enforcement).

- Business Transfers: In case of merger or acquisition.


International transfers (e.g., to U.S.-based providers) occur only with safeguards like Standard Contractual Clauses or adequacy decisions.


7. Data Retention


We retain personal data only as long as necessary:

- Membership data: Duration of membership plus 2 years for records.

- Event data: 1 year post-event.

- Newsletter data: Until unsubscribed.

- Usage data: 26 months for analytics.


Data is securely deleted or anonymized afterward. We maintain records per PDPA requirements (e.g., processing logs for 2 years).


8. Your Rights as a Data Subject


Under the PDPA, you have the following rights. To exercise them, contact our Data Protection Officer. We respond within 30 days.


- Access: Request confirmation of processing and a copy of your data.

- Rectification: Correct inaccurate or incomplete data.

- Erasure: Delete data when no longer needed (subject to legal retention).

- Restriction: Limit processing during disputes.

- Portability: Receive data in a structured format.

- Objection: Oppose processing based on legitimate interests or direct marketing.

- Withdraw Consent: At any time, without affecting prior processing.

- Complaint: Lodge with the Personal Data Protection Committee (PDPC) at www.pdpc.or.th.


We do not charge for these rights unless requests are excessive.


9. Data Security


We implement appropriate technical and organizational measures to protect data, including:

- Encryption for data in transit and at rest.

- Access controls (e.g., role-based permissions).

- Regular security audits and staff training.

- Breach notification to PDPC and affected individuals within 72 hours if required.


In case of a breach, we will notify you if it poses a high risk.


10. Cookies and Tracking Technologies


Our Website uses cookies for functionality and analytics. Essential cookies cannot be disabled. For others:

- We display a cookie consent banner on first visit.

- You can manage your preferences via browser settings or our consent tool.


Third-party cookies (e.g., Google Analytics) track anonymized usage. See our Cookie Policy [link if separate] for details.


11. Children's Privacy


Our services are not directed at children under 13. If we discover unintended collection, we delete the data promptly.


12. Changes to This Policy


We may update this Policy to reflect legal changes or operational needs. Changes will be posted here with the updated date. Significant changes will be notified via email or Website notice. Continued use constitutes acceptance.


13. Contact Information


Data Controller: Chiang Mai Expats Club  

Address: [Insert Physical Address, e.g., c/o [Location in Chiang Mai], Chiang Mai, Thailand]  

Email: [email protected]  

Data Protection Officer: [Name or Title], reachable at [email protected]  


For PDPA inquiries, contact the PDPC at 02-348-3737 or www.pdpc.or.th.


14. Governing Law


This Policy is governed by Thai law. Disputes shall be resolved in Chiang Mai courts.


---


This Policy serves as both a public-facing privacy notice and an internal data protection framework for CEC. As a non-profit, we prioritize transparency and trust. Thank you for being part of our community.