When you provide personal data about yourself and others

We would primarily collect your personal data directly from you when you provide those personal data to our team or enter directly into our global HR information systems (“HRIS”) and other system used to manage our employment relationship.

Where you provide data of the Associated Persons to dentsu organisation, you shall be responsible for ensuring that such persons have been duly informed of the processing of their personal data by dentsu organisation pursuant to the terms of this Notice and Thailand Notice.

In addition, to the extent that consent is required for the processing of the personal data of the Associated Persons, you agree to assist dentsu organisation in obtaining valid and enforceable consent from such persons in accordance with the requirements prescribed by the applicable data protection laws.

We may collect your personal data from other organisations

We may obtain information about you from other organisations. For example, references from your previous employer(s) and background checks, where permitted by applicable law and upon the receipt of the explicit consent from you. In addition, we also typically collect your personal data from other sources, such as job boards or other online public sources; provided that in case your personal data are obtained indirectly or from other sources, we will notify you of the sources in the manner as required under the applicable data protection laws.

When you discover our job postings on any platforms and choose to submit documents or data to us, you acknowledge that you have reviewed our Notice and Thailand Notice we make available through such platforms (if applicable). In the event that we experience a technical problem, or the operators of such platforms do not allow us to post our link to the Notice and Thailand Notice on such platforms, we encourage you to read our Notice and Thailand Notice via our website. However, please note that we will provide you with the Notice and Thailand Notice again when we first communicate with you.

For Thailand, dentsu organisation processes personal data of the job candidates, employees, leavers, and related parties on the following circumstances:

RECRUITMENT

We will need to process the personal data of all prospective Workers from the moment you become a prospect or candidate for a role. This allows us to assess your suitability for the role and our business. The types of processing are as follows:

Purposes of Processing Your Personal Data	Details	Collected Personal Data	Grounds for Processing
Assessing Suitability for the Role	We will use your personal data to: assess your suitability for the role; enable shortlisting; prepare for any interviews and assessments required; contact you to arrange, conduct, evaluate and feedback on assessments and interviews; and where successful, to make you an offer/provide you with an employment contract	Full name Date of birth and Age Gender Contact Information (i.e. resident address, phone number and email address) Nationality Photo Copy of Identity card or Passport Marital status Educational background Work experience and employment history Other work professions and qualifications (i.e. skills and training) Information defining in CV, resume and application form Information generated by us and you, through a combination of recruiting activities to further assess suitability for the role (collectively referred to as the “Application Information”)	Contractual Performance and Legitimate Interest
Applicant Administration	We will carry out pre-employment checks either using in-house resources or approved third parties, to establish eligibility to work and other pre-Employment Checks which shall be commensurate to the risks and responsibilities of each job	Job candidates Application Information Criminal background result Referee and any person appeared in the CV Full name Contact detail Job Title and Company Name	Legitimate interest and Explicit consent for carry out criminal background check
Talent Pool	If you are unsuccessful following assessment for the role or are a prospect, we will retain your details in our talent pool so that we can contact you should any further suitable roles arise.	Application Information (1 calendar year and exceptional 3 years)	Legitimate interest
Reasonable Adjustment	Where applicable, we will make reasonable adjustments to the recruitment process based on the accessibility requirements you make us aware of or we become aware of.	Details of any accessibility requirements Feedback and recommendations from the Candidate	Legitimate interest
Equal Opportunities Monitoring	Under the Gender Equality Act of 2015, we may need to ask you to share information about you to ensure our compliance with equality and diversity requirements and to help us improve our employment practices.	Application Information, in particular, your gender	Legal Obligations

Unless otherwise stated above we use this information as it is in our legitimate interests as a recruiter to fully understand and assess an applicant’s suitability for a role and verify the information provided to us.

WORKING FOR DENTSU

We will use your personal data for the purposes of your contract/agreement with us, to comply with legal obligations, or where we have a legitimate interest in doing so to manage and protect our business. We will rely on legitimate interest pursued by dentsu where it is not overridden by the interests or fundamental rights and freedoms of you. The table below lists out the ways in which we do so.

A. To Assist You in Your Role

Purposes of Processing Your Personal Data	Details	Collected Personal Data	Grounds for Processing
Employee Administration	We will maintain and process general records necessary for the management of workers, to operate the employment contract between you and the dentsu organisation, and we will need to allocate and manage your duties and responsibilities and the business activities to which they relate, in particular, to: enter into an employment contract and establish a legal relationship between you and us; facilitate your onboarding to the organisation (for example, when receiving IT equipment, setting you up on our systems and making sure you can access our premise) provide support with visa applications (if required) provide support for the obtainment of building car park card respond to requests that have been made for you for instance by new employers or financial institution track and approve leaves and overtime process information required to help you participate in activities and programmes you are eligible for	Application Information Signature on the contract Employment contract entered into between you and us Employee photograph Corporate account (i.e., employee ID, corporate email, password, device information) Fingerprint scanned (if you would like us to collect; provided that we will only collect your fingerprint if you give us explicit consent) Workdays and presence record Leave request, including the medical certificate where we reserve the right to request; provided that the explicit consent will be obtained from you Vehicle information for building car park card and other relevant usage information of such card Any information defining in the request that you have made Any information defining in the request that other third party may request from you	Contractual Performance, Legal Obligations, Legitimate Interest and Explicit consent in case of fingerprint
Payroll  management	We would need to process your personal data for the purpose of providing and administering payroll including tax and social security deductions and contributions (e.g. provident fund), and any other deductions or garnishments required by law or your contract (including without limitation the deduction according to court or other legal requirements)	Application Information Bank account information Tax-related information and social security information Employment contract entered into between you and us Information of the beneficiary (e.g. full name and relationship with the Employee) Other information required in the application for the provident fund Information defining in the deduction order (e.g. from court judgment or Student Loan)	Legal Obligations and Contractual Performance
Remuneration and Benefit Administration	In addition to the payroll management, we, as the employee, would need to process your personal data for the purpose of providing and administering remuneration, benefits and recognition/ incentive scheme to reward good performance. In particular, we may contact you or send you gifts on special occasions such as your birthday, wedding, baby-delivering, funeral and to recognise ‘length of service’ milestones working for us. We will do this using any personal data you provide us with (either in a HRIS or more generally) but you can always ask for this to not happen by contacting your People Services. For the reference purposes, the benefit provided by us would include: annual health checkup (provided that no health information will be shared back to us); outing trip (provided that in case the specific medical information will be needed, we would request for explicit consent from you); Joy application benefits (provided that the details of the personal data to be processed for each activity or benefits will be defined separately and in particular where the medical information will be required, the explicit consent will be requested from you on-spot); provident fund; group insurance; family planned insurance (if eligible as defined in the terms and conditions by each dentsu organisation).	Application Information Bank account information Employment contract entered into between you and us Position, salary base and benefit scheme that you are eligible for Any information relating to the request and/or the provision of the remuneration and benefit from us to you (including without limitation the wedding invitation card or photo or other evidence as the Company may require) Work performance and employment track record Associated Person’s personal data as required for the provision of each benefit (including the full name, identification card information of the family included in the planned insurance).	Contractual Performance, Legitimate Interest and Explicit Consent in case of the special category of personal data (i.e. medical information)
Expense Management	We would need to process your personal data for the purpose of reimbursing expenses where you have paid for something which is considered a genuine cost of business or providing access to corporate credit cards.	Evidence of the expenses and payment made on our behalf and for our business	Contractual Performance
Conducting reviews and determining performance requirements	Where applicable, we may need to conduct reviews to assess or investigate performance, capability, conduct, absence, or grievance concerns and other informal and formal HR or Legal processes (i.e. Speak Up system), to make related management decisions and anything else required under our contract with you. In particular, we will review and track your performance at regular intervals.	Working track record Employment contract entered into between you and us KPI and other achievement / goals set Tracking progress Feedback about your work performance from managers, peers, direct reports and others in the organisation Any information defining in the grievance or relating to the informal and formal HR or Legal processes undertaken	Contractual Performance and Legitimate Interest
Processing employee work-related claims	Where relevant, we will need to process any claim made by or involving you when a party is seeking compensation in cases of illness, injury or any other damages that you may cause.	Application Information, in particular your contact information (if required in the process of resolving the claim) Any information that we may seem appropriate and necessary to address the claim made	Legitimate Interest

B. To Ensure Our Success As A Business

Purposes of Processing Your Personal Data	Details	Collected Personal Data	Grounds for Processing
Day to Day business operations	We will process your personal data because or your day-to-day activities in your role with us at dentsu. The type of data processed will depend on the nature of your role, but can include: Including your personal data in group / ‘all office’ email distribution lists internally Staff time management and scheduling; Sharing contact information with clients, including for pitches; Booking and invoicing for services; Inviting you to and confirming your attendance at internal and external dentsu events; System permitting IT staff to remotely operate staff system on your devices Tracking intranet usage	Staff business records such as email, Office 365, Teams, Workday and other working system used and OneDrive as well as your working calendar Corporate contact information Working time records and timesheet Intranet and other corporate infrastructure usage	Legitimate Interest and Contractual Performance
Business Management and Planning	Your personal data may be stored to allow dentsu to manage its business operations and plan appropriately for the future. This will include resource planning, project planning, staff cost management, resource allocation, client profitability analysis and timesheet compliance.	Staff business record Work performance, assessment and feedback Any information collected from your work performance in your role that may affect the business operation of dentsu organisation	Legitimate Interest
Accounting and Auditing	Your personal data will be stored for the purpose of managing forecasting, budget / account management and planning for future as well as for the purpose of accounting and auditing process	Any information collected from your work performance in your role that may affect the business operation of dentsu organisation	Legitimate Interest
Preventing and Detecting Crime	We use your information to prevent and detect unlawful activity, including IT and building access rights and security monitoring, use of CCTV, fraud detection and prevention measures.	IT and physical access logs CCTV image	Legitimate Interest
Network and Information Security	We have systems in place to prevent unauthorized access to our computer and electronic communications systems and preventing the distribution of malicious software. Your personal data is processed for several reasons, including authenticating legitimate users, contacting you in the event of an incident, training and testing in phishing awareness, setting up IT alerts, and restricting where corporate data can be stored.	IT and System access and transaction logs Browsing activities and other transaction you undertaken using dentsu-managed devices and dentsu corporate apps Training records Contact information needed for the alert or incident management	Legitimate Interest
Data analytics and reporting	We may retain your personal data to review and better understand employee retention and attrition rates, and to understand the success of our systems / programmes. Also, your information may be gathered for business operational and reporting documentation such as the preparation of annual reports. Your data, if used, will normally be anonymised so that you would not be personally identified.	Employee survey and feedback Photographic images and testimonials	Legitimate Interest

C. To Keep Us Compliant

Purposes of Processing Your Personal Data	Details	Collected Personal Data	Grounds for Processing
Complying with applicable laws	We are required to monitor and document activity as required to demonstrate legal compliance. This includes conflict of interest records, gifts and hospitality and anti-bribery and corruption reporting, and mandatory compliance training. This also includes our obligations in relation to maternity or parental leave legislation, working time and health and safety legislation, taxation rules, worker consultation requirements, other employment laws and regulations to which dentsu is subject.	Application Information Working track record that may relate to compliance with all these applicable laws Information from the Speak Up Scheme and other grievance or whistle-blowing mechanism	Legal Obligations and Legitimate Interest
Equal Opportunities Monitoring	Under the Gender Equality Act of 2015, we may need to ask you to share information about you to ensure our compliance with equality and diversity requirements and to help us improve our employment practices.	Gender information Relevant work position and working conditions for the purpose of the comparison to ensure the equal opportunities	Legitimate Interest
Education, Training, Development Requirements	Throughout your employment with dentsu, you will undergo various training programmes to both enhance your skills and also to fulfil mandatory compliance requirements. This depends on your role and where you are working, in the form of the course delivered by the external coach or the in-house online learning platform	Participation record to each assigned training course Tracking of the learning content utilization, assessment scores, platform access, learning completions, and attendance in live learning programs	Legitimate Interest
Complying with health& safety obligations	This will include us needing to process your personal data to assess eligibility for incapacity or permanent disability related remuneration or benefits; determine fitness for work; and make management decisions regarding employment or engagement, or continued employment or engagement, or redeployment, and conduct-related processes.  This includes providing support in work related injuries, illness, management of your health and safety, providing any accessibility support you may need (including where you make us aware in your health declaration upon joining us and as updated by you when appropriate) and contacting your emergency contact if ever needed. We are also required by law to record details of any accident that occurs in the workplace.	Physical or mental health or conditions Information relating to the special request that you may make to get the special support or assistance from us	Legal Obligations, Contractual Performance and Consent in case the health declaration is needed
Business Continuity	We may contact you in the event of an emergency or potential threat to you or our business such as a natural disaster or cyber-attack. To ensure you are promptly informed about such events, we may use any personal data you provide us with (either in a HRIS or more generally) which may include your private contact details e.g. private phone number or email.	Contract information, including your private contact details and your emergency contact Personal data in HRIS	Legitimate Interest

D. To Resolve Dispute

Purposes of Processing Your Personal Data	Details	Collected Personal Data	Grounds for Processing
Gathering evidence for disciplinary action or termination	Sometimes we may need to gather personal data in relation to any allegations, complaints, investigations and disciplinary processes that occur during your time working at dentsu, whatever your role in the process. We may also need to manage litigation proceedings on behalf of dentsu. Your data may be processed where required.	Whistle blowing or speak up now report Relevant evidence that may be gathered directly or indirectly during the investigation	Legitimate Interest
Monitoring of work communication	In accordance with relevant laws, we reserve the right to monitor and scan electronic communications to ensure that dentsu IT resources are being used in compliance with the law and are in line with dentsu policies.	Electronic work communication sent using the account, network and equipment we provide you for work	Legitimate Interest

Unless otherwise stated above we use this information as it is in our legitimate interests and our contractual obligations as an employer to ensure the employment relationship that we have and to ensure the well-management of our business operation that may directly relates to your role as our employee.

AFTER YOU LEAVE DENTSU

After you end your role with us, we may need to retain your personal data to fulfil certain business obligations for the following purposes:

Purposes of Processing Your Personal Data	Details	Collected Personal Data	Grounds for Processing
Employee administration	When you leave dentsu, we run certain processes involving your personal data to understand why you left us, to help run our business or to support a legal obligation we have. Your data will be used when we are preparing for your departure, for example when you are returning IT equipment or corporate credit cards. We will also retain information to manage and administer our related legal obligations, including to prepare the employee registry as required under the Labor Protection law.	Application Information Working information during the employment term Leaver’s survey and exit interview Personal data entered into and executed on our system and environment (i.e. HRIS)	Legitimate Interest and Legal Obligations
Processing employee work-related claims	Sometimes we need to deal with claims or disputes involving you or others. We do this because we have a legal obligation to provide the information, or it is in our interests to bring or defend a claim.	Any information relating to your work track record and any other evidence required to manage and respond to the claims	Legitimate Interest
Business management and planning	After you leave, we will retain certain information to understand and evidence decision making in your role and maintain knowledge within the business; for example, this may include your handover notes, document or emails you have sent or accessed to for the purpose of the work transition.	Work track record and any knowledge or deliverables made during your employment term	Legitimate Interest
Complying with applicable laws	Where required, we may need to use your personal data to comply with our obligations to third parties in connection with your employment, such as tax authorities and professional bodies.	Any information that relates and necessary to ensure our compliance with the applicable law	Legal Obligations

Additional Process. We may need to request additional personal data from you for the specified purposes mentioned above. In addition, where there are additional purposes for processing your personal data beyond those stated above, we will ensure that you are duly informed details of processing your personal data, and we will obtain your consent (if necessary) in accordance with the applicable data protection laws.

Sensitive Personal Data Your sensitive personal data may appear on the copy of your ID card, i.e., your religion and/or blood type. However, dentsu organsation does not have an intention to process such sensitive personal data; therefore, dentsu organisation will require you to omit, blind or cross out the information about religion and/or blood type before providing a copy of your ID card to dentsu organisation. In the case where such sensitive personal data still appears on a copy of ID card, dentsu organisation may, at any time, blind or cross out such sensitive personal data in order to comply with the applicable data protection laws (which requires dentsu organisation to collect personal data to the extent that is necessary and relevant for our business operations). If it is necessary to process your religion and/or blood type, we will ensure that you are informed and that your consent is obtained.

Failure to provide your personal data to us. (a) where the legal basis for the processing of personal data is contractual obligation or to proceed with your request to enter into a contractual relationship with dentsu organisation, failure to provide required or necessary personal data may result in dentsu organisation being unable to proceed with your request to enter into an employment contract with us, to proceed with your job application, or perform our contractual obligations; and (b) there might be a circumstance where dentsu organsation may need to process your personal data for the purposes of complying with applicable laws or regulations (both domestic and foreign), order of the court, competent authorities, and/or government agencies, failure to provide required or necessary personal data may result in dentsu organisation being unable to proceed or undertake any act relating to the recruitment and employment functions, either in part or in whole, or that dentsu organisation and/or you may be in violation or non-compliance of applicable law or regulation or order of competent authorities.

Across dentsu

Dentsu is a global organisation. To ensure effective and efficient services and communications throughout the group, your personal data may be shared with other dentsu organisations, for example with our group companies in Japan and the USA.

The following people and teams within dentsu may be granted, on a need-to-know basis, access to your personal data:

• Local, regional and global HR managers and HR team members;
• Local, regional and executive management responsible for managing or making decisions in connection with your relationship with dentsu, or when involved in an HR process concerning your relationship with dentsu; system administrators;
• Where necessary for the performance of specific tasks or system maintenance, teams such as the Finance, Legal & Compliance, Technology & Security and HR teams;
• Where necessary for the performance of specific task in ensuring our success as a business, including without limitation to manage any conflict of interest in carrying out our business as usual and in carrying out any services for any client, teams such as other dentsu organization that would need to process such personal data; provided that the personal data shared would be limited and minimized to only on the need-to-know basis.

Outside dentsu

Your personal data may be also shared with organisations outside of the Dentsu group. To help you understand who these organisations are, here is a non-exhaustive list:

• Third-party suppliers: Organisations (and their sub-contractors) that provide us with technology solutions and/or support; and any other services relating to the management and enrichment of the employment relationship between you and us (including without limitation the insurance providers, the medical centre providing health checkup services and other HR consultant). Where we use a third-party service provider we’ll make sure we follow the requirements of the law and that your personal data is protected by the appropriate technical and organisational measures.
• dentsu’s professional advisers: We may need to share your information with professional advisers including but not limited to IT administrators, auditors, consultants, payroll providers, external lawyers, administrators of dentsu’s benefits programmes.
• Clients: We may share your information with our clients where necessary to manage and deliver services to them.
• Public authorities: We may share your information with public authorities to comply with lawful requests (including without limitation to meet national security or law enforcement requirements) or where otherwise required, whether within or outside your country. We only share your personal data in accordance with applicable laws and have strong internal oversight of what we do and take expert advice to inform our approach.
• Any other person that you may give consent to us to disclose or share your personal data with them.

Cross-Border Transfer of The Personal Data

To achieve the purposes described in this Privacy Notice, dentsu organization may transfers your Personal Data to its affiliates and group companies, located outside Thailand, which may have different data protection standards to those prescribed by the data protection authority in Thailand. In any event, dentsu organization will ensure to protect your Personal Data in accordance with the requirements of the PDPA and other applicable laws.

How do we protect your personal data?

We have implemented appropriate technical and organisational measures to protect your personal data pursuant to the minimum requirements under the applicable laws, including without limitation the access control, audit and log monitoring and other security measures to ensure the confidentiality, integrity and availability of your personal data.

How long do we keep your personal data?

We keep your personal data for as long as it is required to fulfil such purpose(s) for which it was collected. This will usually be the period of your employment or contract for services, or as otherwise set out in the context of prospective employees or other, with the dentsu organisation plus the length of any applicable statutory limitation period once that employment or contract period has ended. For example, data such as tax and pensions information, may need to be kept for longer. Otherwise, we will delete or anonymise it so that you cannot be identified, and it can no longer be associated with you.

In particular, (a) for unsuccessful job candidate, dentsu organisation will retain your personal data for one calendar year, except for the management-level job or other exceptional case, we reserve the right to retain the personal data for 3 calendar years after the end of your recruitment process; provided that If you would like us to delete this data, please contact the data protection officer details outlined hereunder; and (b) for successful job candidate who is entered into an employment contract with dentsu organisation as an employee, your personal data and personal data of your Associated Persons will be transferred to the file designated for our employee and retained for a period of 10 years after termination or expiration of your employment with us.

Subject to the conditions and limitations under the applicable laws, you have the following rights with respect to your personal data: (a) to withdraw your consent; (b) to request to access or to obtain a copy of any such personal data, and to request that we disclose the source(s) of your personal data which has been obtained without your consent; (c) to request that we correct or update any personal data that is related to you; (d) to request that we delete, destroy or de-identify your personal data; (e) to request to object the processing of your personal data; (f) to request to have your personal data in a format which is generally readable or usable by automatic device or tool, and which can be used or disclosed by automatic means, as well as to have your personal data in said format transmitted to another data controller; and (g) to request suspension of the processing of your personal data.

In addition to the rights above, you have the right to file a complaint in relation to our processing of your personal data with a Thailand Personal Data Protection Commission, in accordance with the procedures set out in the applicable laws.

If you exercise the rights above, the request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide adequate information that we can reasonably verify that you are the person about whom we collected the personal information (including information that enables us to verify the identifying information we possibly maintain about you). To protect your personal data, we will only honour requests if we have been able to verify your identity or authority to make the request and confirm the personal data relates to you.

We will respond to requests within the required timeframes, in particular pursuant to the timeline defined under the applicable law. If we need extra time to respond, we will let you know why, and how long we require, in writing.

If you have any inquiries in relation to your Personal Data, or you would like to exercise any of your data subject rights, you may contact the relevant dentsu organization at: 

Entities	Address
Dentsu (Thailand) Ltd.	No. 968 U-Chu Liang Building 27th - 28th  Floor, Rama 4 Road, Silom Sub-district, Bangrak District, Bangkok 10500, Thailand
Amplifi (Thailand) Co., Ltd.	No. 968 U-Chu Liang Building 27th Floor, Rama 4 Road, Silom Sub-district, Bangrak District, Bangkok 10500, Thailand
Carat (Thailand) Co., Ltd.	No. 968 U-Chu Liang Building 15th Floor, Unit A, Rama 4 Road, Silom Sub-district, Bangrak District, Bangkok 10500, Thailand
Dentsu Consulting Group (Thailand) Co., Ltd.	No. 968 U-Chu Liang Building 15th Floor, Zone B, Rama 4 Road, Silom Sub-district, Bangrak District, Bangkok 10500
Dentsu Solutions Group (Thailand) Co., Ltd.	No. 968 U-Chu Liang Building 15th Floor, Rama 4 Road, Silom Sub-district, Bangrak District, Bangkok 10500
iProspect (Thailand) Co., Ltd.	No. 968 U-Chu Liang Building 15th Floor, Unit C, Rama 4 Road, Silom Sub-district, Bangrak District, Bangkok 10500, Thailand
Dentsu Aegis Network Thailand Co., Ltd.	No. 968 U-Chu Liang Building 27th Floor, Rama 4 Road, Silom Sub-district, Bangrak District, Bangkok 10500, Thailand
Dentsu Holdings (Thailand) Ltd.	No. 968 U-Chu Liang Building 27th and 28th Floor, Rama 4 Road, Silom Sub-district, Bangrak District, Bangkok 10500, Thailand
Buffyshrek Holding Co., Ltd.	No. 968 U-Chu Liang Building 27th Floor, Rama 4 Road, Silom Sub-district, Bangrak District, Bangkok 10500, Thailand

 Or contact our Data Protection Officer (DPO) at THDPO@dentsu.com.

We may amend, change, or update this Notice and/or the Thailand Notice from time to time. In the event that the amendment, change, or update will affect the purposes for which your personal data has originally been collected, We will notify you about such changes and obtain your consent (if required by law), prior to such changes becoming effective.

This Privacy Notice shall take effect from 3 February 2025.