PRIVACY POLICY

KISEKI PLANT FACTORY (THAILAND) Co., Ltd.
Privacy Policy

KISEKI PLANT FACTORY (THAILAND) Co., Ltd. (the “Company” or “we”) is committed to protecting the personal data of all individuals who interact with us, including our customers, employees, business partners, and other persons. This Privacy Policy has been updated to ensure full compliance with Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), which governs how we collect, use, disclose, and protect personal data in Thailand. Our goal is to handle your personal data lawfully, fairly, and transparently, in accordance with the PDPA and other applicable laws, while making our practices easy to understand [1].
Scope: This Policy applies to all personal data we process in connection with our business in Thailand. “Personal Data” in this Policy means any information relating to an identified or identifiable natural person (data subject), as defined under the PDPA. We may collect personal data from you directly (e.g. when you fill out forms or communicate with us) or indirectly from other sources for the purposes described below.

Personal Data We Collect

We limit our collection of personal data to what is relevant and necessary for our business purposes. The types of personal data we collect and process may include:
Identification and Contact Details: e.g. name, address, telephone number, email address, date of birth, nationality, and other contact information.
Government-issued Identification: e.g. national identification number (Citizen ID card), passport number, work permit details (for employees or contractors), and taxpayer identification number (as needed for statutory purposes).
Financial and Transaction Data: e.g. bank account numbers, salary and payroll information (for employees), payment card details and transaction records (for customers or vendors, if we engage in financial transactions).
Employment and Education Information: for our employees and job applicants – e.g. employment history, education qualifications, job title/position, performance evaluations, training records, and any other information necessary for human resource management and fulfilling our obligations as an employer.
Business Partner Information: for individual contractors, suppliers, or contacts at corporate clients – e.g. name, position, business contact information, and other data provided in the course of business cooperation.
Visual Images: still or video CCTV footage and photographs recorded at our facilities or events, for security and safety management (signage will indicate areas under surveillance).
Sensitive Personal Data: In general, we try to avoid collecting Sensitive Personal Data (as defined by the PDPA) unless necessary. Sensitive Personal Data under Thai law includes information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union membership, genetic data, biometric data, or any other data that could uniquely affect the data subject. If we must collect sensitive data – for example, health information for employee benefits or biometric identifiers for security access – we will do so only with your explicit consent and in compliance with the PDPA’s strict requirements (unless an applicable legal exemption applies) [2]. We implement additional safeguards for any sensitive data we handle.

Purposes of Collection, Use, and Disclosure of Personal Data

We collect, use (process), and disclose personal data for the following purposes, to the extent relevant to our relationship with you:
Service Delivery and Business Operations: To provide and deliver our products and services to you (e.g. cultivating and supplying plants or related products), to process transactions and orders, to communicate regarding your requests or inquiries, and to maintain our general business operations. For example, if you are a customer, we will use your contact and order information to fulfill your purchase orders and provide customer support. If you are a business partner or supplier, we will use your personal data to manage our relationship, such as facilitating contracts, payments, and collaboration.
Employment Management: For recruitment and HR management if you are an employee or job applicant. This includes evaluating candidates, executing employment contracts, administering payroll and benefits, monitoring performance, providing training, ensuring workplace safety, and complying with labor laws and regulations. Employee personal data is used only for legitimate employment-related purposes and as required by law (e.g. tax reporting, social security contributions).
Communication and Marketing: To send you communications related to our services. This may include responding to inquiries, sending administrative information (such as changes to our terms or policies), and with your consent or as otherwise permitted, sending you marketing or promotional materials about our new products, services or events. You can opt-out of marketing communications at any time. We will obtain your consent for marketing where required by PDPA or other laws.
Security and Asset Protection: To maintain the security of our premises, facilities, networks, and information systems. For example, we may use CCTV surveillance at our facilities for security purposes and collect visitor data as part of access control. We also monitor our IT systems to prevent unauthorized access or cyber incidents, and we may use personal data (like device or login information) to protect against fraud, abuse, or security threats.
Legal Compliance and Risk Management: To comply with our legal obligations under Thai laws and regulations, as well as to exercise our legal rights or defend against legal claims. For instance, we may process personal data to meet record-keeping or reporting obligations (e.g. under tax law, accounting rules, or orders from regulatory authorities). We may also use and disclose data as needed to prevent or investigate illegal activities, fraud, or policy violations, and to protect our rights, safety, and property (or those of others). If necessary, personal data could be used in connection with audits, compliance assessments, dispute resolution, or in response to lawful requests by government authorities or court orders.
Legal Bases for Processing: We will only collect and use your personal data where we have lawful bases to do so under the PDPA. These bases include: (a) when you have given consent to the specific purpose (where required); (b) when it is necessary to fulfill a contract with you or to take steps requested by you before entering a contract (e.g. processing an order or hiring an employee); (c) when it is necessary for us to comply with a legal obligation (e.g. employment laws, safety regulations); (d) when it is necessary to protect your vital interests (e.g. in a medical emergency); (e) when it is necessary for the performance of a task carried out in the public interest or for the exercise of official authority (this is less common for our private business); and (f) when it is necessary for our legitimate interests or those of another person, except where overridden by your fundamental rights. For example, we may rely on legitimate interests to improve our services, manage internal operations, and secure our facilities – but we will balance those interests against your privacy rights.
In situations where none of the above bases applies, we will seek your explicit consent for the collection or use of your data. Notably, if we need to process Sensitive Personal Data, we will always obtain explicit consent beforehand unless an exemption under the PDPA allows otherwise (such as an emergency to save someone’s life) [3]. You have the right to refuse or withdraw consent at any time, as described below, and we will not collect or use data for which consent is required without obtaining it. We also do not engage in any automated decision-making or profiling that produces legal effects concerning you without your knowledge or consent.

Disclosure of Personal Data (Recipients)

We may disclose or share your personal data with third parties in certain circumstances, in accordance with the PDPA. We will only share the data as necessary for the purposes stated above and will ensure appropriate safeguards are in place. Categories of recipients with whom we may share data include:
Affiliated Companies: We may share information with our parent company in Japan (KISEKI GROUP CORP.) or other affiliated companies within the Kiseki corporate group, for internal administrative purposes, business management, or if you are involved in joint dealings with multiple group entities. Any such transfer will comply with PDPA and applicable cross-border transfer requirements (see “Cross-Border Transfers” below).
Service Providers (“Data Processors”): Third-party companies that provide services on our behalf, such as IT system providers, cloud storage services, data analytics, payment processing, logistics and delivery companies, marketing agencies, auditors, or professional advisors (law firms, accounting firms). These service providers are contractually obligated to use personal data only to provide services to us and to implement appropriate security measures to protect your data.
Business Partners: In some cases, we may work with other businesses or organizations on joint projects (e.g. research collaborations, co-hosted events, or strategic alliances). We might need to share contact information or relevant data with these partners in connection with those activities, but we will do so under confidentiality agreements and only as permitted by law or with your consent if required.
Government Authorities and Law Enforcement: We may disclose personal data to courts, regulators, governmental agencies, or law enforcement officials if required to do so by law or legal process. For example, we might need to share data with the Office of the Personal Data Protection Committee (the PDPC) if they are conducting an inquiry, or with tax authorities and social security offices as part of our legal reporting obligations. We will verify any request and only provide the minimum data necessary in response to lawful requests.
Professional Advisors: We may share personal data with our external professional advisors (such as lawyers, accountants, consultants) where necessary to obtain advice or protect our legal rights, and always under a duty of confidentiality.
Corporate Transactions: In the event of a reorganization, merger, joint venture, acquisition, or other transfer of all or part of our business, personal data relevant to that transaction may be disclosed to prospective or actual buyers/investors (and their representatives) as part of due diligence or transfer, under appropriate confidentiality and security measures. If such a transfer occurs, the receiving party will be required to handle your personal data in line with this Policy and the PDPA.
We do not sell or rent your personal information to third parties for their own marketing purposes. Whenever we disclose personal data to third parties, we will take reasonable steps to ensure they have an obligation to keep the data secure and to use it only for the intended purposes in compliance with the PDPA. A record of disclosures (especially those made without consent under a legal exception) will be maintained as required by law.

Data Subject Rights

Under the PDPA, data subjects (individuals whose data we hold) have certain legal rights regarding their personal data. We respect your rights and have established procedures to enable you to exercise them. You have the following rights in relation to your personal data that we collect and hold [5]:
Right to Withdraw Consent: If you have given consent for any particular processing of your personal data, you have the right to withdraw that consent at any time. Upon withdrawal, we will stop the processing that was based on consent. (Please note that withdrawal will not affect the lawfulness of processing already carried out with your consent in the past). For example, you can withdraw consent for marketing emails and we will cease sending them.
Right of Access: You have the right to access and obtain a copy of the personal data we hold about you, and to ask us to reveal the sources of that data (if it was obtained from others) and details about how we use it. This is sometimes called a “data subject access request.” We will provide the information in a reasonable time as required by law.
Right to Data Portability: You have the right to request that we transfer your personal data to another data controller, or to directly obtain your personal data in a structured, commonly used and machine-readable format, where technically feasible. This right applies to personal data that you have provided to us and which we processed by automated means, where processing is based on your consent or on a contract with you.
Right to Rectification: If you believe that any personal data we hold about you is inaccurate, outdated, incomplete, or misleading, you have the right to request that we correct or update it. We strive to keep personal data accurate and will make corrections promptly upon verification.
Right to Erasure (“Right to be Forgotten”): You can ask us to delete or destroy your personal data (or anonymize it such that it can no longer identify you) in certain circumstances. For instance, if the data is no longer necessary for the purposes collected, or if you have withdrawn consent and we have no other legal basis to keep it, or if it was unlawfully collected. We will comply with such requests unless retention is permitted or required by law (for example, we may need to keep certain records to comply with legal obligations or to establish/exercise legal claims). We will also inform other parties with whom we shared the data (if any) of your deletion request, as required by PDPA.
Right to Restriction of Processing: You have the right to request that we suspend the processing of your personal data in certain cases. You might exercise this right if you contest the accuracy of the data (for a period enabling us to verify it), or if you need us to preserve data that would otherwise be erased in order to establish a legal claim, or if our processing is unlawful and you prefer restriction over deletion, or if we no longer need the data but you require us to keep it for your own legal purposes. When processing is restricted, we will only store the data and not further process it except with your consent or for legal reasons.
Right to Object: You have the right to object to the collection, use or disclosure of your personal data in certain situations. This includes the right to object to processing for direct marketing at any time – if you object, we will stop using your data for marketing. It also includes the right to object where we rely on “legitimate interests” as our legal basis (per PDPA Section 24(5)), or on a public task basis, and your situation has personal reasons that justify an objection. We will cease the contested processing upon your objection unless we have compelling legitimate grounds to continue or the processing is for legal claims.
Right to Lodge a Complaint: If you believe we have violated the PDPA or failed to protect your rights under the law, you have the right to file a complaint with Thailand’s Personal Data Protection Committee (PDPC) or the Office of the PDPC. You can also lodge a complaint with other regulators as authorized. We encourage you to contact us first to resolve any issue, but this right ensures you can seek regulatory enforcement if needed.
Please note that these rights are subject to certain conditions and exceptions under the PDPA. There may be lawful reasons for us to refuse or defer fulfilling a request (for example, we might reject a deletion request if the personal data must be retained to comply with a legal obligation, or we may decline a portability request if it infringes on another person’s rights). In any case, we will inform you of the decision and reasoning if we cannot honor a request in full.
To exercise your rights, you (or an authorized representative) may contact us via the contact details provided in the “Contact Us” section below. We may need to verify your identity (for your protection) before processing your request. We will respond to your request within the timeframe specified by applicable law and will let you know the outcome in writing or electronic form. Generally, under the PDPA, we will comply with your request without undue delay once your identity and right to make the request are verified. No fee will be charged for making a request, except in the case of unfounded or excessive/repetitive requests where the PDPA allows us to charge a reasonable fee.
If you withdraw consent or request erasure, note that we may still retain certain information as required by law or for the establishment, exercise, or defense of legal claims. We will also take steps to notify third parties (to whom we have disclosed your data) about any significant rectification, erasure, or restriction that you request, as required by PDPA.
Finally, if you believe your data protection rights have not been respected, you may contact the PDPC’s Office to lodge a formal complaint, or you can seek remedies as provided under the PDPA (which include administrative fines, civil damages, or even criminal penalties for serious offenses). We take your rights seriously and will work to address any concerns directly, aiming to prevent the need for you to escalate issues [5].

Data Security Measures

We take the security of personal data very seriously. In accordance with PDPA requirements, we have implemented appropriate technical and organizational measures to protect your personal data from unauthorized or unlawful access, alteration, disclosure, or destruction, as well as accidental loss or damage. These measures include, for example: controlling access to personal data (only authorized personnel with a need-to-know can access relevant data); maintaining secure IT systems with encryption, firewalls, and anti-malware protection; using passwords and access credentials policies; and physical security controls for areas where personal data is stored (e.g. locked file cabinets, restricted server rooms). We also ensure that any sensitive personal data receives a higher level of protection (with stricter access control and encryption where feasible).
Our management has established internal policies and procedures for safe handling of personal data, and we train our employees on data protection best practices and their duties under the PDPA. All staff and personnel are required to keep personal data confidential and secure; disciplinary measures can apply in case of unauthorized disclosure or misuse of personal data. We periodically review and update our security measures to adapt to new threats and to ensure ongoing compliance with the PDPA’s standards, including any specific security standards issued by the PDPC.
In the event of a personal data breach (for example, a significant data loss, leak, or hack), we have an incident response plan. We will notify the Office of the PDPC within 72 hours of becoming aware of a significant personal data breach, as required by law. If the breach is likely to result in a high risk to your rights and freedoms, we will also inform the affected data subjects without undue delay, as per PDPA regulations. We document all data breaches and remedial actions taken, and will take necessary steps to prevent future incidents.
If we engage third-party data processors to process personal data on our behalf, we will ensure through contracts that they also implement appropriate security measures and only process data according to our instructions. This is to guarantee that your personal data receives consistent protection even when handled by service providers.
Overall, while we cannot guarantee absolute security (no method of data transmission or storage is 100% secure), we strive to use industry-standard practices and comply with PDPA-prescribed security standards to safeguard your personal information. Our enhanced focus on security also aligns with PDPA’s requirements (which are more stringent than prior Japanese standards), thereby minimizing the risk of data incidents [6].

Data Retention

We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Policy, and to comply with applicable laws. In determining the appropriate retention period, we consider the volume, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes of processing, and whether those purposes can be achieved by other means. We also take into account various legal requirements that mandate certain data be kept for minimum periods (e.g. employment records, tax and accounting records might be required by law to be retained for a number of years).
Where possible, we specify fixed retention periods in our internal data retention schedule. For example, we might retain general customer transaction data for 5 years after the transaction (to support after-sales service and legal compliance), and keep employee data for the duration of employment plus a certain number of years after termination (to comply with labor laws or possible legal claims). If it is not feasible to specify a fixed period, we will retain the data for a duration that can be reasonably expected based on industry standards and the nature of our relationship with you. Once the retention period expires, or if you request deletion and we have no lawful basis to deny the request, we will proceed to erase, destroy, or permanently anonymize the personal data [7].
There may be cases where we need to retain data longer than our standard period – for instance, if you are involved in a dispute or litigation with us, we may retain relevant information until that issue is resolved, or if a law enforcement authority asks us to preserve data, we will retain it as directed. Conversely, if data ceases to be needed before the standard period ends and we have no legal obligation to keep it, we will securely delete it. We continuously review the personal data in our possession and erase or anonymize data that is no longer required.
Our data destruction methods follow industry standards to ensure that personal data is not reconstructable or readable after deletion. For physical documents, we shred or incinerate them, and for electronic files, we use secure deletion or encryption. We maintain logs of data disposal as required by any applicable regulations.

Language and Accessibility of Policy

This Privacy Policy is issued in both Thai and English languages for ease of reference and to ensure clarity for all readers. We recognize that the PDPA and its guidelines emphasize using clear and easy-to-understand language when communicating privacy information to data subjects. Providing a Thai version of this Policy helps to meet this requirement for our Thai-speaking data subjects.
In case of any inconsistency or ambiguity between the English and Thai versions of this Policy, the Thai version will prevail (as it is the authoritative language for legal compliance in Thailand). We will also make this Policy available through multiple channels – for example, on our company website and in printed form upon request – to ensure you can conveniently access the information. If you require any assistance in understanding this Policy, or need it in an alternative format due to any disability, please contact us and we will do our best to accommodate you.

Contact Us

If you have any questions or concerns about this Privacy Policy or our personal data practices, or if you wish to exercise your rights under the PDPA, please contact us at:
KISEKI PLANT FACTORY (THAILAND) Co., Ltd. – Personal Data Inquiries
Address: 10/16 Moo 12, Bang Phli Yai Sub-district, Bang Phli District, Samut Prakan 10540, Thailand.
Phone: +66 80-080-9929 (office hours: Monday–Friday, 9:00–16:00)
Email: info@kisekicannabis.com (Please include “PDPA Request” in the subject line for rights requests)
Data Protection Officer: At present, the nature and scale of our data processing activities do not make it mandatory for us to appoint a Data Protection Officer under the PDPA (which is only required for certain large-scale or sensitive data processing operations). However, we have an internal privacy compliance team that fulfills similar responsibilities. If in the future we formally designate a Data Protection Officer (“DPO”), we will update this Policy to include the DPO’s contact information as required by law. For now, please direct all privacy-related communications to the contact above, and our team – under management supervision – will respond and take appropriate action.
We value your trust and are committed to safeguarding your personal data. (Last updated: June 2025)

Footnotes

[1] The PDPA came into full effect on 1 June 2022 and introduced GDPR-inspired data protection requirements in Thailand. This updated Policy incorporates additional provisions (e.g. detailed consent, data transfer, and data subject rights terms) to comply with the PDPA, which were not explicitly required under Japan’s privacy law (APPI) that the original policy was based on.
[2] Under Section 26 of the Thai PDPA, processing of sensitive personal data (such as health, biometric or religious data) is prohibited without explicit consent of the data subject, except under limited exceptions (e.g. to save a life, for public interest, or as otherwise permitted by law). This is stricter than Japanese law, and therefore we have added clear provisions to obtain explicit, affirmative consent before handling any sensitive data. PDPA guidelines require that consent be given through a clear affirmative action (e.g. checking an unchecked box or other explicit conduct) and not via pre-ticked boxes or passive means. These changes ensure our policy meets the PDPA’s consent standard, which is higher than that under Japan’s APPI.
[3] Thai PDPA permits personal data processing without consent in certain cases (e.g. contractual necessity, legal obligations, vital interests, public tasks, or legitimate interests). This is similar to the GDPR framework and differs from Japan’s APPI, which does not explicitly enumerate lawful bases in this manner. We have updated our policy to clarify the legal bases for transparency. Additionally, for sensitive data, PDPA mandates explicit consent unless a specific exception applies, so our policy explicitly includes that commitment (whereas under Japanese law, the requirements for sensitive data consent were less strict or specific).
[4] PDPA Section 28 establishes that personal data may only be sent or transferred out of Thailand if the recipient jurisdiction meets the required data protection standards, or if certain exceptions apply. This is a notable difference from Japanese law – under Japan’s APPI, cross-border transfers are generally allowed if specific conditions (like consent or an adequacy finding, or certain contractual measures) are met, but the mechanisms differ. The Thai PDPA’s approach is to require either an adequacy decision by the PDPC, the implementation of PDPC-approved safeguards (such as contractual clauses or BCRs), or reliance on a statutory exemption (e.g. consent, contract necessity, vital interest) for each transfer. We have therefore added explicit language about ensuring adequate protection or obtaining consent for overseas transfers to comply with these stricter Thai requirements.
[5] We have enumerated all the data subject rights as required by PDPA Section 23(6), including rights that were not explicitly available under Japan’s APPI (such as the right to data portability and the general right to object to processing). Thai PDPA provides a broader set of rights, so this Policy now reflects each of them in clear terms. By informing data subjects of these rights and the methods to exercise them, we fulfill a key PDPA compliance obligation. (Under Japanese law, individuals had more limited rights – for example, no statutory right to portability or to object to processing – thus this detailed section represents an important PDPA-driven revision.)
[6] The PDPA explicitly requires data controllers to implement appropriate security measures and to regularly review them. We have bolstered the security section of our Policy to reflect the PDPA’s standards, which are generally consistent with global best practices (and go beyond what was mandated under Japan’s law). Additionally, PDPA subordinate regulations (e.g. Notification of Security Measures 2022) call for organizational, technical, and physical safeguards and even require raising employee awareness – hence we have included those commitments. This ensures our Policy communicates our legal obligations and efforts under Thai law to protect personal data.
[7] Retention period disclosure is a PDPA requirement – Section 23(3) mandates informing data subjects of how long their data will be kept, or if that cannot be fixed, the expected period according to standard practices. This was not a strict requirement under Japanese law, where many companies did not specify retention times in privacy notices. We have added a clear statement on our retention policy to comply with the PDPA and to increase transparency. Keeping personal data no longer than necessary also aligns with the data minimization and storage limitation principles under the PDPA (and GDPR).