
Data Protection Policy

1. Introduction and scope

To share fund updates and to improve the website’s performance, SEA DREAM (hereinafter referred to as “the organisation”, “we”, “our”, or “us”) processes some personal data of the website users. This policy concerns the processing of personal data of different categories of persons such as researchers, funders, third-party service providers, any other persons contacting the organisation, or any other persons whose personal data the organisation collects via our website.

SEA DREAM understands the importance of the protection of personal data and always carefully considers the protection of personal data during different personal data processing operations.

This policy is designed to provide a uniform minimum standard for the protection of personal data applicable to the organisation. This policy will be applied by the organisation, except where other compulsory data protection legislation containing stricter obligations and conditions is applicable.

The data controller for the purposes of this policy is SEA DREAM with its registered office address at Mom Luang Pin Malakul Centenary Building, 920 Sukhumvit Road, Klongtoey, Bangkok 10110, Thailand.

2. Contact point for the protection of personal data

SEA DREAM has assigned a PDPA contact point to ensure the implementation and enforcement of the Personal Data Protection Act B.E. (referred to as “PDPA”) and this policy.

To exercise any of your rights (see article 10 of this policy), or if you have any other questions about how SEA DREAM processes your personal data, please email or write to the organisation by registered letter at the address below.

The organisation’s PDPA Contact:

  • Email: info@sea-dream.org
  • Address: Mom Luang Pin Malakul Centenary Building, 920 Sukhumvit Road, Klongtoey, Bangkok 10110, Thailand.

3. Definitions

The applicable data protection legislation uses specific language and refers to an abstract matter. Below you will find several definitions to enable you to better understand the terminology, and by extension, this policy.

3.1. Personal data

Personal data, or personal information, is any information from which a person can be identified directly or indirectly, for example a name, an identification number, location data, an online identifier or one or more elements that are characteristic of that natural person. It does not include information from which the identity has been removed (anonymised data) or information about deceased persons.

3.2. Data subject

Data subject means a natural person (not an organisation or company) who can be identified directly or indirectly by the personal data, except for deceased and juristic persons.

3.3. Data controller

Data controller means a natural person or juristic person having the power and duties to make decisions regarding the collection, use or disclosure of personal data.

3.4. Data processor

Data Processor means a person or a juristic person who operates in relation to the collection, use or disclosure of personal data under the orders or on behalf of the Data Controller, whereby such person or juristic person is not the Data Controller.

3.5. Processing personal data

Processing personal data means any activity relating to the collection, use or disclosure of personal data, whether by automated (e.g., software) or non-automated means.

4. Principles applicable when collecting and processing personal data

The PDPA has several basic principles which every data controller and data processor must comply with in order to be in accordance with this legislation. In the event of doubt regarding the application of these principles in a concrete case, you can always contact the PDPA contact point for further explanations.

4.1. Lawfulness

The PDPA provides that personal data must be processed lawfully and fairly with respect to the data subject. In order to process personal data lawfully, a legal basis must exist. In principle, the organisation processes personal data only when:

  • The processing is necessary for the purposes of the legitimate interests pursued by the Organisation as a controller or the interests of a third party other than the data controller, except where the fundamental rights and freedoms of the data subject regarding the protection of his or her personal data override these interests.

Other than where processing is justified by the legitimate interests described above, the Organisation will process personal data only when one of the following lawful bases applies:

  • Compliance with a legal obligation: Where the Organisation is required by law or regulation to collect, retain, or disclose certain information.
  • Protection of vital interests: Where the processing is necessary to protect the life, health or safety of an individual.
  • Public interest tasks: Where the processing is necessary for the performance of a task carried out in the public interest, such as administering research funding, supporting academic collaboration or promoting transparency in publicly funded activities.
  • Research, statistical or archival purposes: Where the processing supports research, historical documentation or statistical analysis, provided that appropriate safeguards are in place to protect the rights and freedoms of data subjects.
  • Consent: Where the data subject has given clear, informed consent for the specific processing activity. Before or at the time of collecting personal data, the Organisation will inform individuals of the purpose of the processing, the categories of data collected, their right to withdraw consent, and any relevant information regarding automated decision-making or international data transfers.

If you have given your consent for a specific processing purpose to us in order to process your data for that purpose, you can withdraw this consent at any time. We will then stop any further processing of your data for which you gave consent and will inform you of the possible consequences of your withdrawal of consent. Where processing for additional purposes becomes necessary and is supported by an appropriate legal basis, we may continue to process your personal data in compliance with data protection requirements.

The organisation ensures that it always refers to at least one of the above-mentioned legal bases when it processes personal data. If you have questions about the applicable legal basis that the organisation is referring to, you can always contact the PDPA contact point.

Some categories of personal data are of a sensitive nature and data protection legislation also has a stricter regime for these special categories of personal data (also known as “sensitive personal data”). These are data concerning racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any data which may affect the data subject in the same manner. In general, we do not process these sensitive personal data unless the organisation has a legitimate reason to do so and can refer to one of the exceptions. In a limited number of cases, should the organisation process sensitive personal data, the data subject will be informed in advance. For more information about the organisation’s handling of sensitive personal data, please contact the PDPA contact point.

4.2. Fairness

The data controller ensures that personal data shall be processed:

  • For specific, explicit and legitimate purposes and may not be processed beyond the initial purposes for which the data was collected.
  • If possible, the data controller will anonymise the data or use pseudonyms in order to limit the impact on the data subject as much as possible. This means that the name or identifier will be replaced so that it is difficult or even impossible to identify an individual.
  • Limited in time and only as necessary for the specific purpose.
  • Accurately, and the data shall be updated where necessary. The data controller shall take all reasonable measures to erase or update the personal data, taking into account the purposes for which it is processed.

4.3. Transparency

In principle, the organisation processes personal data it has received directly from the data subject or indirectly and shall inform him/her about the following matters:

  • Information, address, contact channel, details of the controller;
  • The purpose of the processing and its legal basis;
  • If the personal data processing is supported by a legitimate interest, an explanation of this interest;
  • The categories of recipients of the personal data;
  • The transfer of personal data to third countries (outside Thailand) or international organizations (and on what basis);
  • The time limit for the storage of personal data or the criteria used to determine the time limit;
  • The rights of the data subject (including the right to revoke consent);
  • The right to lodge a complaint with the related supervisory authority;
  • Explanation when the transmission of personal data is a legal obligation;
  • If the organisation receives personal data from a third party, it shall clearly inform the data subject about the categories of personal data which it received from this third party and will also make this third party known to the data subject.

When the data subject already has all the information, the organisation will not inform the data subject unnecessarily about the processing of his/her personal data.

If the organisation processes personal data for purposes that are incompatible with those for which the data were originally collected (i.e., the new purpose was not described in the initial information notice and the data subject could not reasonably foresee this additional processing), the organisation will take all necessary measures to ensure the lawful processing of such data and will inform the data subject as fully as possible.

Specific legislative amendments may contain exceptions or set additional requirements which the organisation must comply with, with regard to the provision of information to data subjects. These mandatory legal provisions take precedence over this policy.

4.4. Personal data to be processed

The personal data that the company collects may notably include the following information:

  • Identification: first name, last name when subscribing for the organisation’s newsletter
  • Contact: email, telephone (optional) when subscribing for the organisation’s newsletter
  • Professional information: affiliation, role/position
  • Image and videos (if the website hosts events, webinars, or profiles of selected researchers in the future)
  • User behaviour data: technical logs (e.g., IP address, device info), usage analytics, etc., for the sake of security and operation and to improve website performance

4.5. Purpose of processing

The website is designed to provide our target audiences — such as grantees, applicants, researchers, policymakers, government officials, non-profit organisations, commercialisation partners, publishers and funders — with information about grant opportunities, the types of activities we support, progress updates and key achievements. In this context, the organisation may process your personal data for the following purposes:

  • Providing regular updates to users who subscribe to our announcements or newsletters.
  • Delivering relevant and appropriate content on the website in the most effective manner.
  • Enhancing our outreach efforts to better engage and reach the intended audience.
  • Ensuring the security, stability and proper functioning of the website.

4.6. Confidentiality and integrity

The organisation takes the required technical and organizational measures to ensure that the processing of personal data is always carried out with the appropriate safeguards to protect the data against unauthorized access or unlawful processing and against loss, destruction or damage of accidental origin. The organisation uses a range of physical, electronic and managerial measures to ensure that it keeps personal data secure, accurate and up to date:

  • Education and training to relevant employees to ensure they are aware of our privacy obligations when handling personal data;
  • Administrative and technical controls to restrict access to personal data on a need-to-know basis;
  • Technological security measures;
  • Physical security measures, such as staff security passes to access premises, locking filing cabinets, etc.

5. Transfer of personal data

In some cases, the organisation may have to transmit personal data to third-party receivers, both inside and outside the organisation. In any event, these personal data are only transferred on a need-to-know basis to these receivers who carry out the processing for specific purposes. The organisation shall always observe the necessary security measures when transferring the data and with respect to the receivers in order to guarantee the confidentiality and integrity of the personal data.

The transfer to third parties can take different forms, as described in more detail below.

5.1. Transfer within the organisation

Third-party transfers can only take place if the organisation has respected the various principles and obligations imposed by PDPA. This means, among other things, that the data subject must be informed about the transfer and the reason for this transfer and that the transferring organisation can rely on a legal basis (legitimate interest, consent from the data subject, performance of an agreement, etc.) for this transfer. In this further processing, the organisation must also comply with other principles listed in article 5 of this policy.

5.2. Transfer to external third parties

Other than specified in the preceding paragraph, the company may send or transfer personal data to external third parties (e.g., law enforcement agencies). 

6. Time limit for the storage of personal data

The organisation will store your personal data securely on our systems for the longest of the following periods:

  • the time reasonably necessary to carry out the relevant activities;
  • any period required by applicable laws or regulations; or
  • the duration during which legal action or investigations could reasonably arise involving the organisation.

To determine the appropriate retention period of the personal data, the organisation will consider the amount, nature and sensitivity of such personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purpose for which the organisation processes the personal data and whether that organisation can achieve those purposes through other means, and the applicable legal requirements.

After the final time limit has passed, the organisation shall delete the personal data, or anonymise it if the organisation still wishes to use such personal data for statistical purposes, and may retain it for a longer period of time for dispute management, study or archiving purposes.

7. Rights of individual data subjects

Data protection legislation provides different rights for data subjects with respect to the processing of personal data so that the data subject can still exercise sufficient control over the processing of his or her personal data.

Through this policy, the organisation is already trying to provide as much information as possible to the data subjects in order to be as transparent as possible with respect to the processing of personal data.

The organisation understands that the data subject may still have questions or desire additional clarifications with regard to the processing of his or her personal data. The organisation thus recognises the importance of the rights and shall therefore comply with these rights, considering the legal limitations in the exercising of these rights. The different rights are described in detail below:

7.1. The right of access

The data subject has the right to request access to and obtain a copy of her/his personal data, which is under the responsibility of the organisation, or to request the disclosure of the acquisition of the personal data obtained without her/his consent. 

7.2. The right to rectification

When the data subject establishes that the organisation has incorrect or incomplete data about him or her, the data subject always has the right to inform the organisation of this fact so that appropriate action can be taken to rectify or supplement this data. It is the data subject’s responsibility to provide correct personal data to the organisation.

7.3. The right to erasure

The data subject can ask to have his or her personal data erased, or destroyed, if the processing is not in accordance with data protection legislation (Article 33 of PDPA).

7.4. The right to restriction of processing

The data subject may request that the processing be restricted if:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to check their accuracy;
  • the processing is unlawful, and the data subject opposes the erasure of the data;
  • the company no longer needs the data, but the data subject requests that they not be removed, given that he or she needs them for the exercise or defense of legal claims;
  • the data subject has objected to processing, pending verification whether the legitimate grounds of the controller override those of the data subject.

7.5. The right to data portability

The data subject has the right to obtain his or her personal data which he or she provided to the organisation, where the organisation has arranged such personal data in a format which is readable or commonly used by automatic tools and can be used or disclosed by automated means.

In addition, the data subject has the right to have those personal data transmitted to another data controller (directly by the organisation). This is possible if the data subject has consented to the processing.

7.6. The right to object

The data subject can also object to processing due to a specific situation regarding the data subject. The organisation shall stop processing personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests of the data subject or for the exercise or defense of legal claims.

7.7. The right to withdraw consent

If you have given your consent for a specific processing purpose in order to process your data, you can withdraw this consent at any time by contacting the PDPA contact point. However, such withdrawal of consent shall not affect the processing of personal data for which you had already given us your consent.

7.8. The right to complain to the authority

The data subject has the right to file a complaint with the relevant data protection authority in the event that the organisation does not comply with the data protection legislation (the PDPA).

The data subject can exercise his/her rights provided in sections 7.1 to 7.7 by sending an e-mail or registered letter to the organisation’s PDPA contact point described in article 2 of this policy. The organisation may ask the data subject to identify themselves in order to ensure that the exercise of the rights is in fact requested by the data subject.

In principle, the organisation shall respond to the request of the interested person within 30 days. Otherwise, the organisation informs the data subject of the reasons for the delay in the follow-up of the request.

8. Revision of this policy

The organisation reserves the right to adjust and review this policy when it deems necessary and to remain coherent with the legal obligations and/or recommendations of the competent supervisory authority for data protection.
