PEPSICO PRIVACY POLICY

Introduction & General Terms

Pepsi-Cola (Thai) Trading Co., Ltd. and PepsiCo Services Asia Limited (collectively known as ‘PepsiCo’), care about your privacy and are committed to protecting your personal information to the best of our ability.

This privacy policy describes what personal information PepsiCo may collect from you, why PepsiCo process your collected personal information, when will PepsiCo disclose or transfer collected personal information about you, international transfer of personal information, informing you of our collection of your personal information, sources of your personal information, data retention period, data security, changes to this Privacy Policy, how you can contact us, and your rights under the Personal Data Protection Act, B.E. 2562 (the ‘PDPA’) including but not limited to ministerial regulations, notifications, interpretations or other regulations issued under such Act.

Please carefully read our Privacy Policy to understand your rights to your collected personal information. PepsiCo website may contain hyperlinks to websites owned and operated by third parties. These third party websites have their own privacy policies and are also likely to use cookies. PepsiCo recommend that you review these policies which will govern the use of personal information which you may submit when visiting these websites and which may also be collected by cookies. PepsiCo do not accept any liability for using such third party websites.

1. What personal information PepsiCo may collect from you

When you engage in any business or transaction with PepsiCo or participate in, access or sign up to any of PepsiCo’s services, activities or online contents (including on social media and messaging applications), such as newsletters, promotions, live chats, message boards, website and mobile notifications or votes, PepsiCo may collect or receive personal information about you. This may include your name and surname, email address, postal address, telephone or mobile number, gender, nationality, date of birth, educational background, occupation, marital status, identification card number, passport number, driving license number, photo, bank account detail, as well as information collected about your use of PepsiCo services, such as what you read, watched or did on our website, app or when using our other services.

Please note that sometimes you may decide to provide us with additional personal information, and sometimes sensitive personal information (e.g. information about your racial or ethnic origin, religious or philosophical beliefs, criminal records, health data or disability condition, biometric data). If you do this, PepsiCo will provide further information about how PepsiCo will use your collected personal information and may seek your explicit consent at the time.

Some of our services enable you to sign-in via third party service providers, such as Facebook, Twitter and Instagram. If you choose to sign-in via a third party service provider, you will be presented with a dialog box which will ask your permission to allow PepsiCo to access your personal information (e.g. your name and surname, date of birth, email address or any other information you have made publicly accessible on the third party site).

PepsiCo also collects information about how you use PepsiCo mobile app, PepsiCo website or other PepsiCo content online, and the device(s) you use to access the services as well as unique online identifiers such as IP addresses, which are numbers that can uniquely identify a specific computer or other network device on the internet.

2. Why PepsiCo process your collected personal information

PepsiCo only collects, uses, discloses, transfers or processes your personal information where it is necessary or there is a lawful basis to do so which may include:

a) to prepare historical documents or archives for the public interest, or in relation to research or statistics;

b) believing that the use of your personal information is of vital interest or to prevent or avoid danger to a person’s life, body or health;

c) believing that the use of your personal information is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;

d) believing that the use of your personal information is necessary for the performance of our task carried out in the public interest or in the exercise of official authority vested in us;

e) believing that the use of your personal information is necessary for the legitimate interests pursued by us or by a third party, unless the interests are overridden by your interests or fundamental rights and freedoms;

f) believing that the use of your personal information is necessary for compliance with a legal obligation to which PepsiCo are subject.

Apart from the mentioned lawful basis, PepsiCo may process your personal information on the ground of consent. If PepsiCo needs to ask for your consent, PepsiCo will make it clear what PepsiCo is asking for and ask you to confirm your choice to give us that consent. If PepsiCo cannot provide a service or product without your consent to process your personal information, PepsiCo will make this clear when PepsiCo asks for your consent.

PepsiCo will use or process your personal information for a number of purposes including the following:

2.1 Our contract with you

PepsiCo will process your personal information in accordance with the contract between you and us, and for the following reasons:

  •  Delivering products and/or services to you or procuring them from you;
  •  Administering, implementing, maintaining, managing and operating our products and/or services;
  •  Processing, assessing and determining any applications or requests made by you in connection with our products and/or services;
  • Issuing or executing contracts and maintaining your account with us;
  • Exercising rights or performing obligations under executed contracts; or
  • Participating in activities organised by or on behalf of us e.g. Lay campaign

2.2 Our legitimate interests

PepsiCo will rely on the purpose of legitimate interests pursued by us or by a third party which require us to process your personal information, except where the interests are overridden by your interests or fundamental rights and freedoms. To give you an idea of when PepsiCo rely on the legitimate interests, after considering your interests, rights and freedoms, PepsiCo has legitimate interests which allow us to process your personal information in the circumstances as follows:

  • the provision of our services, activities or online contents, or communicating information about them (e.g. relating to upcoming promotions or new product launches) or dealing with your requests and enquiries;
  • service administration, which means that PepsiCo may contact you for reasons related to the business, transaction, service, activity or online content you have executed or signed up for (e.g. notifying you about the administration of a promotion that you have participated in, or notifying you that a particular service, activity or online content has been suspended for maintenance or updating our Privacy Policy);
  • customising the content that you see on our website and app, and the advertising that you see on our website, app, or other sites and services;
  • working with third parties to show you relevant advertising on that third party websites;
  • contacting you about any submission you have made;
  • using IP addresses and device identifiers to identify the location of users, blocking disruptive use, establishing the number of visits from different countries, tailoring the content of our website, app or other services based on browsing behaviours, and determining which country you are accessing the services from;
  • analysis and research so that PepsiCo may improve the services offered by PepsiCo;
  • investigating suspected misconduct activities reported by or against you or third party via PepsiCo Speak Up Hotline including enquiring those who witnessed the misconduct activities; or
  • conducting a third-party due diligence (TPDD) against you to find out any corruption and for our Global Anti-Bribery Compliance Policy including investigation via public sources.

 

2.3 Legal obligations

PepsiCo will rely on the purpose of legal obligations in which the processing of your personal information is necessary for compliance with a legal obligation to which PepsiCo are subject.

2.4 Legal claims

We may rely on the legal claims basis to process your sensitive personal information to establish, comply, exercise or defend legal claims against you or initiate litigation action to protect our interests.

2.5 Consents

PepsiCo will process your personal information on grounds of consents; especially, in the case where our processing activities have potential impact on your sensitive personal information. PepsiCo may inform the objectives of our personal information usage and request your consent or explicit consent to process your personal information in the circumstances as follows:

  • When PepsiCo do not have other lawful grounds to collect your general personal information or sensitive personal information;
  • When you are classified as a minor, quasi-incompetent or incompetent of which the consent will be requested from your legal representatives, guardians or curators, as the case may be;
  • When PepsiCo will conduct meetings either physically or virtually through reliable programs, app or software.

If you change your mind or no longer wish for us to process your collected personal information, you can exercise your rights to withdraw your consent at any time by requesting your consent withdrawal by email to Thailand.privacy@pepsico.com. Where PepsiCo proposes using your personal information for any other purposes, PepsiCo will ensure that PepsiCo notifies you first and/or requests your consent as required by the PDPA.

 

3. When will PepsiCo disclose or transfer collected personal information about you

PepsiCo may from time to time disclose or transfer your collected personal information to other entities in the PepsiCo group or to third parties for any of the purposes listed in item 2. Examples of relevant third parties to whom PepsiCo may disclose or transfer your collected personal information include governmental agencies and private sectors or third parties who perform services on our behalf, such as web hosting providers, payment providers, customer relationship management providers, marketing partners, media and fulfilment partners, and website analytics providers.

When PepsiCo discloses or transfers your collected personal information to third parties who perform services on our behalf, PepsiCo ensures that such service providers use your collected personal information only in accordance with our instructions, and PepsiCo does not authorise them to use, disclose or transfer your collected personal information except as necessary to perform services on our behalf or to comply with applicable legal obligations.

PepsiCo may also disclose or transfer your collected personal information to third parties in the circumstances as follows:

  • where the disclosure or transfer is required to do so by laws or comply with a specific order from any competent authority;
  • where the disclosure or transfer is required for the purposes of, or in connection with, any legal proceedings, or otherwise for the purpose of establishing, exercising or defending our legal rights;
  • where the disclosure is required by law enforcement authorities or other government agencies who have issued a lawful disclosure request for the personal information;
  • where PepsiCo believe the disclosure is necessary to prevent harm or financial loss, or in connection with an investigation of suspected or actual criminal activity; or
  • where PepsiCo sell or transfer all or a portion of our business or assets (including through a merger, reorganisation, spin-off, dissolution or liquidation).

4. International transfer of personal information

Due to the global nature of our operations, PepsiCo deals with many international organisations and uses global information systems; as a result, PepsiCo may disclose or transfer your collected personal information to group companies located in countries outside Thailand whose data protection laws may not be the same or as extensive as those in Thailand.

PepsiCo will only disclose or transfer your collected personal information to a country which the Personal Data Protection Commission considers to have adequate data protections laws.

Where such data security standards are deemed inadequate, PepsiCo will provide appropriate safeguards to protect your interest and the disclosure or transfer will take place if one of the exceptions defined by PDPA is met. The exceptions are:

  • the transfer is necessary for compliance with the laws;
  • you have explicitly consented to the proposed transfer after having been informed of the possible risks of such transfer due to the absence of an adequacy decision or adequate safeguards;
  • the transfer is necessary for the performance of a contract with you or the implementation of pre-contractual measures taken at your request;
  • the transfer is necessary for the conclusion or performance of a contract in your interest between PepsiCo and another natural or legal person;
  • the transfer is necessary to protect your vital interests or those of other persons, where the data subject is incapable of giving consent; or
  • the transfer is necessary for important reasons of public interest.

5. Informing you of our collection of your personal information

Before PepsiCo collect or process your personal information, PepsiCo will always notify you about our purpose of processing. Only in some circumstances, it is not necessary for us to inform you of our purpose of processing, such as when:

  • you are aware of such new purposes or details of our processing;
  • PepsiCo believes that notice of such new purposes or the details of our processing is impossible or will obstruct the use or disclosure of your collected personal information, where PepsiCo has taken suitable measures to protect your rights, freedoms and interests;
  • it is urgent to use or disclose your collected personal information as required by laws and PepsiCo has implemented suitable measures to protect your interests; or
  • PepsiCo is aware of or acquire your personal information from our duty, occupation or profession, and PepsiCo has maintained such new purposes or certain details with confidentiality as required by laws.

6. Sources of your personal information

PepsiCo will collect your personal information directly from you, but sometimes PepsiCo may collect them from publicly available sources and/or from other parties, in which case PepsiCo will ensure that PepsiCo and/or other parties fully comply with the PDPA.

7. Your rights

The PDPA aims to give you more control of your personal information. You have legal rights concerning your collected personal information which includes:

7.1 Right to access

You have a right to get access and obtain a copy of your personal information that PepsiCo hold about you, or you may ask us to disclose the sources of where PepsiCo obtained your personal information to which you have not consented to.

7.2 Right to data portability

You have a right to request us to transfer your collected personal information to other persons/organisations, or request to see your collected personal information that PepsiCo have transferred to other persons/organisations, unless it is impossible for us to carry out your request due to technical circumstances.

7.3 Right to object to the processing of your personal information

You have the right to object to the processing of your personal information, unless there are circumstances that do not allow you to make the objection. This may include the cases where PepsiCo have compelling legitimate interests ground or when the processing of your personal information is carried out to comply, exercise or defend legal claims or for the public interest.

7.4 Right to erasure

You have a right to request us to delete, destroy or anonymise your collected personal information in the following circumstances where.

a) Your collected personal information is no longer necessary for the purpose for which it was collected, used or disclosed;

b) You have withdrawn your consent to which the collection, use or disclosure is based on and PepsiCo do not have other lawful grounds to collect, use or disclose your collected personal information;

c) You have objected to the collection, use or disclosure of your collected personal information and PepsiCo do not have other lawful grounds to reject such request; and/or

d) When your personal information has been lawfully collected, used or disclosed under the PDPA.

7.5 Right to restrict the processing of your personal information

You have a right to request us to restrict the processing of your personal information in the following circumstances when:

a) It is under the pending examination process of checking whether your collected personal information is accurate, up-to-date, complete and not misleading or not;

b) It is your collected personal information that should be deleted or destroyed as it does not comply with the law and you request to restrict it instead;

c) Your collected personal information is no longer necessary to retain for the purpose for which it was collected, used or disclosed, but you still have the necessity to request the retention for the purposes of the establishment, compliance, or exercise or defence of legal claims;

d) PepsiCo is pending verification in order to reject the objection request for the collection, use or disclosure of your personal information.

7.6 Right to rectification

You have a right to rectify inaccurate personal information in order to make it accurate, up-todate, complete and not misleading. If PepsiCo rejects your request, PepsiCo will record such rejection with reasons.

7.7 Right to lodge a complaint

You will have the right to make a complaint in the case of where we, our data processors including our employees or contractors do not comply with the PDPA or other announcements under the PDPA.

7.8 Right to withdraw consent

You may withdraw your consent at any time, unless PepsiCo have a lawful basis to deny your request. If you change your mind about how you would like us to have or process your personal information and would like to withdraw your consent, you can tell us anytime by requesting your consent withdrawal by email to Thailand.privacy@pepsico.com.

8. Data retention period

PepsiCo will keep your collected personal information for as long as is necessary for the relevant activity unless a longer retention period is required or permitted by laws which in many cases is up to 10 years after the end of our relationship with you. If PepsiCo needs to keep your collected personal information for a longer period to comply with the legal obligation, or if some existing claims or complaints will reasonably require us to keep your collected personal information or for regulatory or technical reasons, PepsiCo will continue to protect that collected personal information.

Generally, if you provide your personal information to enter into a promotion, PepsiCo will only keep your collected personal information for as long as is necessary for the administration of that promotion.

If you sign up for our email newsletters or marketing communications, PepsiCo will keep your collected personal information until such time as you request that your collected personal information be deleted (if you elect to unsubscribe at any time then PepsiCo will generally retain some of your personal information in order to ensure that you are not contacted again).

PepsiCo may need to retain images and video footages from CCTV surveillance systems installed for security and safety of persons within our premises for 60 days.

9. Data security

PepsiCo uses a range of measures to keep your collected personal information safe and secure, which may include encryption and other forms of security. PepsiCo require our employees and third parties who carry out work on our behalf to comply with the PDPA and the appropriate privacy standards including obligations to protect any leakage of information and to apply appropriate security measures for the processing of information.

10. Changes to this Privacy Policy

PepsiCo reserves the right to change, amend or update the privacy policy at any time as PepsiCo deems appropriate by notifying you of the said change, amendment or update on our website or via Thailand.privacy@pepsico.com in which you can check at any time.

11. How you can contact us

If you have any comments, suggestions, questions or want to make a complaint or exercise your rights regarding your collected personal information, please contact us at 02 610 2444, or by email at Thailand.privacy@pepsico.com.