1. Home

CUSTOMER PRIVACY POLICY
OF SIAM MUSIC YAMAHA COMPANY LIMITED

Siam Music Yamaha Co., Ltd. (hereinafter referred to as “Yamaha”) has established this Customer Privacy Policy in its capacity as a controller or processor of personal data in Thailand, covering the collection, use, or disclosure of personal data both within and outside the country. As a data controller or processor, Yamaha is committed to conducting its business with integrity, ethics, and respect for the privacy rights of all customers. Yamaha acknowledges the importance of protecting the personal data of every individual customer (“Customer” or “You”), including former, current, and prospective customers, who purchase the company’s products and services.

This Customer Privacy Policy does not apply to the collection, use, or disclosure of personal data for personal or family-related activities, operations of governmental security agencies, media activities, artistic or literary works, legislative processes, judicial proceedings, and credit reporting businesses. Nevertheless, security measures for data protection must be maintained in accordance with established standards.

1. Personal Data Collected by the Company

Personal Data refers to information that can identify an individual, either directly or indirectly, excluding data related to deceased persons. Yamaha categorizes the personal data it collects into the following eight categories:

  • Personal identification data that can identify you.
  • Contact information.
  • Transaction-related information.
  • CCTV footage.
  • Information obtained through inquiries made to Yamaha.
  • Information derived from participation in Yamaha events.
  • Data obtained from the use of software or the internet.
  • Sensitive personal data.
  • Other information, including data not related to customers.

2. Objectives and Legal Bases for the Collection, Use, or Disclosure of Personal Data

Yamaha collects, uses, and/or discloses personal data based on clear objectives and legal bases. The main purposes are divided into the following four categories:

2.1 Customer Service

  • To contact or respond to inquiries regarding products and services, including recording data in the customer database and sharing information with business partners.
  • To provide services related to Yamaha Music School, such as creating profiles for teaching evaluations, conducting examinations, and issuing certificates.
  • To send notices and announcements related to examination results and issue certificates.
  • To facilitate sales transactions or execute sales agreements, including preparing leasing contracts.
  • To supply, maintain, and protect products and services, including conducting surveys, providing after-sales services, and ensuring customer care.
  • To provide services within the warranty period and after-sales care following activities related to Yamaha’s products and services.
  • To respond to inquiries and issue notices related to Yamaha’s products and services as requested by customers, including arranging for the delivery of products.
  • To manage repairs during the warranty period and provide after-sales care, including handling repairs related to Yamaha’s products and services.
  • To conduct satisfaction surveys and evaluate products or services, manage complaints, improve service delivery, analyze data, conduct research, or prepare internal organizational reports.

2.2 Event Organization

  • To facilitate participation in events, campaigns, or meetings organized by Yamaha.
  • To verify identity or confirm rights.
  • To select and judge participants in competitions.
  • To send notices and announcements related to events, including promotional materials for upcoming training sessions.
  • To store data of participants in training, seminars, and workshops.

2.3 Marketing or Promotional Purposes

  • To carry out Yamaha’s marketing activities, which require consent under the personal data protection law.
  • For commercial purposes, where such information may be disclosed via online and offline channels.
  • To collect, process, analyze data, and communicate for marketing purposes, including future marketing activities.
  • For the company’s internal management and for promotional purposes, including the dissemination of live performance recordings to the public via various channels.

2.4 Legal Compliance

  • To utilize CCTV systems, manage access to Yamaha’s premises, and support security measures.
  • To conduct research and development, including product improvement, which requires consent under the personal data protection law.
  • To create customer databases, manage debt collection, initiate legal proceedings, or utilize information in other legal processes.

In general, the company engages in activities such as market research, statistical analysis, data profiling, and product, goods, or service development to meet customer needs. Yamaha relies on the legal basis of legitimate interests to design and develop products, goods, services, strategies, and campaigns that align with your preferences, improve business efficiency, and tailor its content to better suit your preferences. Additionally, Yamaha evaluates and manages risks in line with your expectations.

In certain cases, the company will seek your consent before analyzing personal data for activities that cannot rely on other legal bases. For instance, Yamaha may request consent to analyze data for developing and designing new products, goods, or services by gathering information from external sources, which may exceed your expectations of such activities. Similarly, Yamaha may use your personal data to analyze and develop products and services offered by other companies that may not directly relate to you.

Legal Bases for Collection, Use, or Disclosure of Personal Data

1. Consent Basis

Consent serves as a legal basis for research or statistical purposes, provided it meets all legal requirements. Consent must be freely given, specific, clearly stated, and unambiguous. If these conditions are not met, the consent will not be binding. Consent may be given in various forms, including written documents, electronic formats, or verbal agreements. Examples include registering for competitions, examinations, or marketing activities through social media.

2. Legitimate Interest Basis

The processing of personal data for research or statistical purposes can rely on legitimate interests, provided it passes an assessment of suitability and balance between the benefits and the data subject’s rights. This includes activities such as scientific, historical, statistical, and marketing research.

3. Contractual Obligations Basis

Personal data may be collected, used, or disclosed under contractual obligations as outlined by the Personal Data Protection Act (PDPA). This applies when:

3.1 The company (data controller) needs to process personal data to fulfill a contract.

3.2 The processing is necessary for specific purposes, such as fulfilling a data subject’s request before entering into a contract or fulfilling a contract to which the data subject is a party. Examples include long-term piano rental agreements.

4. Legal Compliance Basis

The processing of personal data may be conducted without requiring consent if it fulfills obligations under relevant laws. This aligns with Section 24(6) of the Personal Data Protection Act (PDPA), B.E. 2562 (2019), and applies to the collection, use, or disclosure of data necessary for compliance with legal requirements imposed on the data controller.

3. Disclosure or Transfer of Personal Data

Yamaha may disclose or transfer personal data to relevant individuals or entities for business operations, services, or legal compliance. Yamaha’s systems include:

1. SMY Connect / YMS Connect (Siam Music Members)

2. Customer Data Management System

Service providers of such systems may have access to personal data within the operating system to the extent necessary for providing their services. However, Yamaha has implemented contracts and established conditions for personal data processing with each service provider to ensure that personal data is managed securely, adheres to appropriate privacy and security standards, and complies with applicable laws.

For international data transfers, Yamaha implements measures to comply with legal requirements, prioritizing the security and protection of personal data and the rights of data subjects.

4. Use of Cookies

Yamaha utilizes various types of cookies to enhance website performance. These cookies include:

1. Essential Cookies

2. Performance Cookies

3. Targeting Cookies

4. Functional Cookies

5. Retention of Personal Data

Yamaha will retain your personal data for as long as necessary (no longer than 10 years) for the purposes of collection, use, or disclosure as specified in this document. The retention period will be determined based on the necessity of using your personal data for the stated purposes, as well as any extended retention required to comply with legal obligations, relevant legal requirements, statutory limitations, establishment of legal claims, enforcement or defense of legal claims, or other reasons consistent with Yamaha’s internal policies and regulations.

The destruction of personal data will be carried out using appropriate and secure methods. Physical documents will be destroyed using a shredder, while digital data will be deleted from systems or storage devices to prevent unauthorized access or retrieval of the data

6. Your Rights as a Data Subject

  • 1. Right to Withdraw Consent

    This refers to the right of data subjects to withdraw their consent for the collection, use, or disclosure of their personal data at any time. The process of withdrawing consent must be simple and straightforward, similar to the process of giving consent. The withdrawal of consent will not affect the processing of personal data that was previously carried out based on the consent provided before its withdrawal.

  • 2. Right to Access and Obtain Copies of Personal Data

    Data subjects have the right to access their personal data and request a copy of the personal data concerning them. The information that can be requested includes the following:

    • Purposes of data processing
    • Types of personal data
    • Data controller details
    • Retention periods or criteria for determining them
    • Rights to rectify, delete, restrict, or object to data processing
    • Rights to file complaints with the data controller
    • Sources of personal data, if obtained from third parties

  • 3. Right to Data Portability

    Data subjects have the right to request that the personal data controller transfer their personal data to another personal data controller, provided it meets the conditions specified by law. Such data must be in an electronic format that is readable or usable in electronic systems and must consist of data that the data subject has provided to the original personal data controller. This right is applicable only if it does not infringe on the rights and freedoms of others.

  • 4. Right to Object to the Collection, Use, or Disclosure of Personal Data

    Data subjects have the right to object to the processing of their personal data in certain cases as stipulated under Section 32 of the Personal Data Protection Act, B.E. 2562 (2019). The data subject may exercise this right at any time under the following circumstances:

    • Collection, use, or disclosure of personal data for the legitimate interests of the data controller or others
    • Collection, use, or disclosure of personal data for direct marketing
    • Collection, use, or disclosure of personal data for scientific, historical, or statistical research purposes

    If a data subject exercises their right to object, the data controller must immediately cease the collection, use, or disclosure of the personal data in question, except in cases where the data controller can demonstrate that there are compelling legitimate grounds that outweigh the rights of the data subject or that the processing is necessary for the establishment, exercise, or defense of legal claims.

  • 5. Right to Request Deletion or Destruction of Personal Data

    Data subjects have the right to request the deletion or destruction of their personal data. Such a request may be made under the following circumstances:

    • The personal data is no longer necessary for the purposes for which it was collected or processed.
    • The data subject withdraws their consent for the processing of personal data, and no other legal basis for processing exists.
    • The data subject objects to processing based on public interest or legitimate interest grounds, and the data controller cannot demonstrate that such processing is necessary for performing tasks in the public interest or that the legitimate interest overrides the rights and freedoms of the data subject. This does not apply to processing carried out for establishing, complying with, exercising, or defending legal claims, or for legal compliance.
    • The data subject objects to processing for direct marketing purposes.
    • The processing of personal data is unlawful. However, the data controller may refuse a deletion request if the continued retention, use, or disclosure of the data is demonstrably necessary for research or statistical purposes, or for the establishment, implementation, exercise, or defense of legal claims, or to comply with legal obligations. In such cases, data retention is justified, and rejecting the request is permissible based on research or statistical grounds.

  • 6. Right to Restrict Processing

    Data subjects have the right to request the restriction of the processing of their personal data. Situations where this right may be exercised include:

    • The data subject disputes the accuracy of the personal data and the accuracy is under verification.
    • The processing is unlawful, and the data subject requests restriction instead of deletion.
    • The data controller no longer needs the personal data for processing, but the data subject requires the data controller to retain it for the establishment, exercise, or defense of their legal claims.
    • The data subject has objected to processing pending verification of whether the legitimate grounds of the data controller override the data subject’s rights.

  • 7. Right to Rectification

    The data subject has the right to request the data controller to correct, update, or complete their personal data to ensure its accuracy and prevent misunderstandings or inaccuracies.

    To exercise their rights, data subjects can contact the Data Protection Officer (DPO) to request access to their data, rectify data, withdraw consent, request deletion, or exercise other related rights as prescribed by law.

Grounds for Denial of Data Subject Requests

Yamaha reserves the right to deny a data subject’s request under the following circumstances:

  • When the denial is required by law or a court order.
  • When granting access or providing a copy of the personal data would adversely affect the rights or freedoms of others, such as disclosing trade secrets or proprietary information of third parties.

If a data subject submits a request deemed excessive or unnecessary, a reasonable fee may be charged for processing such requests. The data controller may also deny the request and must record the reasons for the denial.

Note: Personal data collected before the enforcement of the Personal Data Protection Act B.E. 2562 (2019) may still be used for the purposes originally communicated. However, if the data subject objects to the use of such data for its original purpose, they may exercise their right to object as provided by law.

7. Security Measures

Yamaha, as the data controller, has implemented appropriate security measures to safeguard personal data from loss, unauthorized access, use, alteration, or disclosure. These measures encompass the following three main areas:

  • Organizational Measures
  • Technical Measures
  • Physical Measures

Yamaha conducts risk assessments and considers the nature of the personal data collected, used, or disclosed. This includes access control, user rights management, and audit trails. The organization also promotes awareness among employees regarding the importance of data security and continuously updates its security measures to align with technological advancements and in response to any data breaches.

8. Contacting the Company

If you have any concerns or suspect a violation regarding the collection, use, or disclosure of personal data, or if you wish to file a complaint or exercise your rights under this policy or the Personal Data Protection Act B.E. 2562 (2019), you may contact Yamaha’s Data Protection Officer through the contact information provided below:

Siam Music Yamaha Co., Ltd. (Head Office)

414 Siam Pathumwan House, Floors 3, 5, and 12, Phaya Thai Road,

Wang Mai Sub-district, Pathum Wan District, Bangkok 10330

Email: dpo@yamaha.co.th

Phone: (02) 215-2626

  1. Home