Job Applicant Privacy Notice

Data Controller

Fields Analytics Ltd. is the data controller for the purposes of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). The Company determines the purposes and means of processing personal data relating to job applicants. Registered address: 110/8 Moo 5, Nandakwang Garden Mall, T. Suthep, A. Muang, Chiang Mai 50200.

Purpose

Fields Analytics Ltd. (the “Company”) recognises the importance of protecting personal data of all job applicants. This Job Applicant Privacy Notice explains how the Company collects, uses, retains, discloses, and deletes personal data of unsuccessful applicants and applicants whose data is retained for future employment opportunities. The purpose of this notice is to ensure that personal data is processed lawfully, fairly, and transparently, retained only for recruitment related purposes and the protection of the Company’s legitimate interests, and securely deleted or anonymised in compliance with the PDPA.

Scope

This notice applies to all personal data collected during the recruitment process relating to unsuccessful applicants and applicants retained on file, including data submitted through the Company website, interviews, assessments, and recruitment related communications.

Collection and Processing of Personal Data

Job application data is submitted directly by applicants through the Company website and stored within a secure cloud based recruitment database. Access to this data is restricted to authorised personnel only and is used solely for recruitment and hiring decision making.

For recruitment decision making purposes, applicant personal data may be accessed by management or authorised personnel located outside of Thailand. Where personal data is transferred outside Thailand, the Company ensures that appropriate data protection safeguards are in place in accordance with PDPA requirements, including contractual obligations, confidentiality measures, and appropriate technical and organisational security controls.

Categories of Personal Data

During the recruitment process, the Company may collect the following personal data.

1.1 Identification data

  • Full name
  • Nationality
  • Current location

1.2 Contact details

  • Email address

1.3 Application related information

  • Curriculum vitae
  • Cover letters and career certificates
  • Education details

1.4 Recruitment records

  • Position applied for
  • Application date
  • Interview notes
  • Evaluation results and selection outcomes

1.5 Communications related to the application

  • Recruitment emails
  • Live chat communications

The Company does not intentionally collect sensitive personal data as defined under the PDPA and applicants are requested not to submit such data as part of their application unless specifically required by law.

2. Data Retention and Legal Basis

2.1 Unsuccessful Applicants

Where an applicant is unsuccessful and the Company does not intend to retain the data for future opportunities, personal data will be retained for a period of six months from completion of the recruitment process.

The purposes of retention are to document and demonstrate fair and non discriminatory recruitment practices, to address potential complaints, disputes, or legal claims arising from the recruitment process, and to comply with internal audit and compliance requirements.

The Company relies on legitimate interest as the legal basis for this processing. The Company has balanced its legitimate interests against the rights and freedoms of applicants and determined that such processing is proportionate, necessary, and does not override the fundamental rights of the data subjects.

2.2 Applicants Kept on File

Where an applicant is unsuccessful but has explicitly consented to the Company retaining their personal data for future job opportunities, such data will be retained for a period of up to one year from the date consent is given or until consent is withdrawn, whichever occurs first.

The purposes of retention are to consider applicants for future job opportunities, reduce repetitive recruitment processes, and support workforce planning and talent management activities.

Processing in this case is based on the applicant’s explicit consent, which may be withdrawn at any time. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal.

At the end of the applicable retention period, or where personal data is no longer necessary, the Company will review the data and securely delete, destroy, or anonymise it unless further retention is permitted or required by law or necessary for the establishment or defence of legal claims.

Consequences of Failure to Provide Personal Data

Where applicants do not provide the personal data requested during the recruitment process, the Company may be unable to assess, progress, or consider the application.

Automated Decision Making

The Company does not use automated decision making or profiling in the recruitment process. All recruitment decisions involve human assessment and review.

Disclosure of Personal Data

The Company may disclose applicant personal data on a need to know basis to Human Resources personnel, hiring managers involved in the recruitment process, and cloud service providers supporting recruitment data storage and management, subject to contractual confidentiality and data protection obligations. The Company will not disclose applicant personal data to third parties for unrelated purposes.

Data Subject Rights

Under the PDPA, applicants have the right to request access to their personal data, request rectification of inaccurate or incomplete data, request erasure or destruction of personal data, request restriction of processing, object to processing based on legitimate interest, withdraw consent at any time where processing is based on consent, and lodge a complaint with the Personal Data Protection Committee.

Requests to exercise data subject rights will be handled within the timeframes prescribed by the PDPA. Requests may be submitted by contacting dataprivacy@fieldsanalytics.com.

Data Security

The Company has implemented appropriate technical and organisational measures to protect applicant personal data against unauthorised access, use, disclosure, alteration, or destruction.

Updates to This Notice

The Company may update this Job Applicant Privacy Notice from time to time. The most recent version will be published on the Company website and will apply from the date of publication.

Personal Data Protection Act (PDPA)

What the PDPA is

The Personal Data Protection Act (PDPA) regulates how organisations collect, use, disclose, and store personal data relating to identifiable individuals in Thailand.

It fully came into force on 1 June 2022.

Who it applies to

The PDPA applies to:

  • Organisations based in Thailand, including companies, NGOs and government bodies
  • Foreign companies that process personal data of people in Thailand for business purposes, such as:
    • Offering goods or services
    • Monitoring behaviour (e.g. call monitoring, CCTV, productivity tools)

This means companies like Fields Analytics in Chiang Mai must comply, particularly in HR, recruitment, call handling and monitoring activities.

What counts as personal data

Personal data includes any information that can identify a person, directly or indirectly, such as:

  • Name, address, email, phone number
  • ID numbers, employee numbers
  • Call recordings and voice data
  • CCTV footage
  • IP addresses and device data

Sensitive personal data (which has stricter rules) includes:

  • Health data
  • Biometric data
  • Criminal records
  • Religious beliefs

Key PDPA principles

Organisations must ensure personal data is:

  • Collected lawfully (with consent or another legal basis)
  • Used for a specific, clear purpose
  • Adequate and not excessive
  • Accurate and up to date
  • Kept secure
  • Not retained longer than necessary

Legal bases for processing

Under PDPA, personal data can be processed if one of the following applies:

  • Consent from the data subject
  • Contractual necessity (e.g. employment contracts)
  • Legal obligation
  • Legitimate interest (commonly used for monitoring, security, and operational oversight)

Consent must be:

  • Clear and specific
  • Freely given
  • Easy to withdraw

Individual rights

People whose data is processed have rights to:

  • Be informed about data use
  • Access their personal data
  • Request correction or deletion
  • Object to processing
  • Withdraw consent
  • Request data portability

Employer obligations (very relevant for call centres)

Employers must:

  • Provide privacy notices to staff
  • Limit monitoring to legitimate business purposes
  • Secure employee data (access controls, encryption where appropriate)
  • Have data processing agreements with third-party software providers
  • Appoint a Data Protection Officer (DPO) where required

Penalties for non-compliance

Penalties can include:

  • Civil liability (compensation claims)
  • Administrative fines (up to THB 5 million)
  • Criminal penalties in serious cases

In simple terms

The PDPA is Thailand’s version of data protection law that ensures:

  • People know how their data is used
  • Businesses only use data fairly and securely
  • Employers do not over-monitor or misuse personal information
Published Date: 21/01/2026

LEARN MORE

More about Fields Analytics

Vacancies

Vacancies

Our Team

Our Team

Training

Training

Apply Now