Raintree Privacy Policy

1.  Definitions

Personal Data refers to any information which identifies you or can be used to identify a data subject when used in conjunction with other information.  

Data Subject describes the person about whom the personal data is about.  

Data Controller will be regarded as Raintree International School

PDPA describes Personal Data Protection Act B.E. 2562 of Thailand..  

Personal Data refers to any information which identifies you or can be used to identify a data subject when used in conjunction with other information.  

Data Protection Officer or DPO refers to the assigned person in the school whose responsibility is to ensure processes and procedures are in compliance with PDPA.

Process describes how we collect, use, store or disclose personal data directly from the data subject concerned (or often in the case of students, from their parents).  In some cases, we collect data from third parties (e.g. referees/references, previous schools) or from publicly available resources.

2.  Purpose

Raintree International School (hereafter referred to as “Raintree” or “the school”) cares about the data privacy of all members of the community; staff, students, and parents.  We therefore provide this data privacy policy to inform in relation to the individual (“you” or “Data Subject”) in accordance with the PDPA.

The purpose of this data privacy policy is to provide detailed information about how we process personal data. The personal data we process takes different forms (as described in item 5 of this document).  For example, we use the data:

  • To assess and manage applications for students’ admission.
  • To facilitate provision of education and enrichment to our students, including the administration of our curriculum; monitoring student progress and educational needs, reporting to parents, and providing references for students (including after a student had left the school).
  • To provide the provision of after school activities and related services to students.
  • To provide safeguarding of students’ welfare and provision of pastoral care, health care services and other support.
  • To provide a safe and secure environment for students, staff, and visitors to the school.
  • To communicate with parents/legal guardians regarding student wellbeing and other relevant matters.
  • To contact parents/guardians/employers (as applicable) for billing and other billing-related purposes.
  • To share school newsletters, updates, and other marketing-related information.
  • To facilitate parents’ participation, we share data with the class representative.
  • To assess and improve the quality of our educational services.
  • To meet the compliance with legal and regulatory requirements.
  • To meet the school’s operational management, including the compilation of student records; the administration of invoices, fees and accounts; the management of school property; the management of security and safety arrangements and monitoring of the school’s IT and communication systems; the administration and implementation of our school’s rules and policies for students and staff; and the maintenance of historic archives.
  • To meet staff administration, including the recruitment of staff/engagement of contractors; administration of payroll, staff benefits, and sick leave; review and appraisal of staff performance; conduct any grievance, capability or disciplinary procedures; and the maintenance of appropriate human resources records for current and former staff; and providing references.
  • To analyse website traffic, demographic, and behaviour using analytical tools and cookies.
  • To promote the school through our website, our prospectus and other publications and communications, including through our social media accounts.
  • To maintain relationships with our alumni and former employees.
  • For keeping a record of historical and memorable events relevant to the maintenance of historical records.

On a regular basis we take photographs and videos of students and their learning.  Our lawful basis for processing this information is consent and/or legitimate interests. Our legitimate interest in using this digital media is to celebrate student achievement and to promote the school through our school publications and media channels.

3.  Scope

This data privacy policy applies to:

  • Staff or individuals employed by Raintree in any capacity.
  • Students that are current, prospective, or prior students enrolled at the school.
  • Parents that are current, prospective, or prior parents, and/or legal guardians, of a student(s) at Raintree.
  • Third parties that are referred as individuals or organisations that are not affiliated with or employed by the school.

Please note that some of the web links on our platforms may lead to third party platforms (such as Tapestry, Youtube, etc). If you access these platforms your personal data will then be processed under the third party’s terms & condition policy.  Please make sure that you have read those related data privacy notices when accessing such platforms.

4.  Policy

This data privacy policy informs you of how we collect, use, store or disclose your personal data, what and why we collect, use, or disclose your personal data, how long we retain it, who we disclose it to, your rights, what steps we will take to make sure that your personal data stays private and secure, and how you can contact us regarding to questions that you may have about your data.

4.1. Our lawful bases for processing your personal data

We process your personal data where it is necessary and there is a lawful basis for collecting or disclosing it.  This includes where we collect, use, or disclose your personal data based on the legitimate grounds of our legal obligations, performance of a contract you have with us, our legitimate interests, performance under your consent and other lawful basis. 

Reasons for collecting, using, or disclosing are provided below.

4.1.1. Legal obligation

We are regulated by laws, rules, regulations, and government regulatory authorities.  To fulfil our legal and regulatory requirements with these authorities such as the police, court or Ministry of Education, it is necessary to collect, use or disclose your personal data

4.1.2. Necessary for contract

We will process personal data in order to perform our obligations under our contract with you and for you to perform your obligation.  For example, we will need your contact details to contact you if there is a concern about you or your child.

4.1.3. Legitimate interests

We rely on our legitimate interests by considering our benefits or third party’s benefits with your fundamental rights in personal data in which we will collect, use, or disclose for the following purposes, which include but are not limited to:

  • Conduct our school operations (e.g. to audit, to conduct risk management, to monitor, prevent, and investigate misconduct, or other crimes, including but not limited to carrying out the criminal record checks of any persons related to our school).
  • Conduct our management relationships (e.g. to serve parents and students, to conduct parent/student surveys, to handle complaints).
  • Ensure our standard security services (e.g. to maintain body temperature checks, CCTV footage records, to register, to monitor network activity logs and security incidents).
  • Ensure the school provides medical services to students and staff.
  • Develop and improve our school communication, services, and systems to enhance our service standards.
  • Use your personal data for the greatest benefits in fulfilling your needs, including to conduct research, analyse data and benefits suitable to you by considering the fundamental rights of your personal data.
  • Record images and/or videos in relation to meetings, teaching, training, seminars, or marketing activities.

Legitimate interest of others, for example, another school will have legitimate interest in knowing if there is unpaid balance due to us.

4.1.4. Consent

Under PDPA, the rights belong to the individual to whom the data relates (”Data subject”). However, where consent is required as the lawful basis for processing personal data relating to students, we rely on parental consent.

In certain cases, we may ask for your consent to collect, use or disclose your personal data to maximise your benefits and/or to enable us to provide services to fulfil your needs.

4.1.5. Other lawful basis

Apart from the lawful basis mentioned above, we may collect, use, or disclose your personal data based on the following lawful basis:

  • Prepare historical documents or archives for the public interest, or for purposes relating to research statistics.
  • Protect your vital interest or the vital interest of someone else (e.g to prevent or suppress a danger to you or another person’s life, bodily harm, or physical/mental health).
  • Necessary to carry out a public task, or for exercising official authority.

We may not be able to provide (or continue to provide) some or all the school’s products or services to you if you do not provide such personal data.

5. What personal data we collect, use, or disclose

The type of personal data, namely personal data, and sensitive personal data, in which we collect, use, or disclose, varies on the scope of products and/or services that you may have used or had an interest in. The type of personal data shall include but is not limited to:

Type of dataExample of personal data
Personal detailsGiven name, middle name, surname, nickname (if any), Gender, Date of birth, Age, Educational background, Nationality
Contact detailsMailing address, E-mail address, Phone number, Name of representatives or authorised persons acting on your behalf
Identification and authentication detailsID card photo, Identification number, Passport information, Birth Certificate/Alien ID information, Driving licence, Signatures
Employment detailsOccupation, Employer’s details and workplace, Position, Salary/ income/ remuneration
Financial detailsInformation about your Banking transactions
IT informationYour GPS location, IP address, Computer Name, Hostname, MAC Address, Other IT Technical details that are uniquely identifying data
Investigation dataData for due diligence checks
Marketing research informationParents, Student, Health & Safety survey, Information and opinions expressed when participating in the school’s market research, Details of services you receive and your preferences
User login and subscription dataLogin information for using the school website, Other applications used by the school. Other subscriptions used by the school.
Information concerning securityCCTV images, Video or Audio recordings, Visual images, Personal appearance
Sensitive Personal DataRacial or Ethnic Origin, Political Opinions, CultReligious or Philosophical Beliefs, Sexual Behaviour, Health Data, Disability, Trade Union Information, Genetic Data, Biometric Data, Child Safeguarding Records, Criminal Records
Other informationRecords of correspondence and other communications between you and us, Information that you provide us through any other channels, Information about insurance policy and claim for your compensation

6. Sources of your personal data

Normally, we will collect your personal data directly from you including but not limited to application form and visitor form, but sometimes we may get it from other sources, in such cases we will ensure the compliance with the PDPA.  Personal data we collect from other sources may include but is not limited to:

  • Information obtained by us from other school, financial institution, business partners, and/or any other persons who we have relationship with;
  • Information obtained by us from persons related to you (e.g. your family, friends, referees);
  • Information obtained by us from corporate customers as you are a director, authorised person, attorney, representative or contact person;
  • Information obtained by us from governmental authorities, regulatory authorities, financial institutions, credit bureau and/or third-party service providers;
  • Information obtained by us from insurance companies and/or other persons in relation to insurance policy or claim for compensation;
  • Information obtained by us from publicly available resources.

7. Your rights

You can exercise your rights under the PDPA as specified below, through the channels prescribed by us at our contact details.

7.1 Right to access and obtain copy

You have the right to access and obtain a copy of your personal data held by us, unless we are entitled to reject your request under the law or a court order, or if such request will adversely affect the rights and freedoms of other individuals.

7.2 Right to rectification 

You have the right to rectify your inaccurate personal data and to update incomplete personal data related to you.

7.3 Right to erasure

You have the right to request us to delete, destroy or anonymise your personal data, unless there are circumstances where we have the legal grounds to reject your request.

7.4 Right to restrict

You have the right to request us to restrict the use of your personal data under certain circumstances.  For example, during the investigation of your request to rectify your personal data; or to object to the collection, use or disclosure of your personal data, you can request to restrict the use of personal data.

7.5 Right to object

You have the right to object to the collection, use or disclosure of your personal data in case we proceed with legitimate interests’ basis or for the purpose of direct marketing, or for the purpose of scientific, historical or statistical research, unless we have legitimate grounds to reject your request.  For example, we have compelling legitimate grounds to collect, use or disclose your personal data, or the collection, use or disclosure of your personal data is carried out for the establishment, compliance, or exercise of legal claims, or for the reason of our public interests.

7.6 Right to data portability

You have the right to receive your personal data in a format which is readable or commonly used by means of automatic tools or equipment and can be used or disclosed by automated means.  Additionally, you have the right to request us to send or transfer your personal data to a third party, or to receive your personal data which we sent or transferred to a third party, unless it is impossible to do so because of the technical circumstances, or we are entitled to legally reject your request.

7.7 Right to withdraw consent

You have the right to withdraw your consent that has been given to us at any time pursuant to the methods and means prescribed by us unless the nature of consent does not allow such withdrawal.  The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of your personal data based on your consent before it was withdrawn.  You can review and change your consent to use or disclose your personal data for marketing purposes through channels as specified in Section 14 below.

7.8 Right to lodge a complaint

You have the right to make a complaint to the competent authority where you believe that the collection, use and disclosure of your personal data is unlawful or non-compliant with the PDPA.

8. How we share your personal data

We may disclose your personal data to the following parties under the provisions of the PDPA:

1. Our business partners and/or other persons that we have a legal relationship with, including our staff, contractors, representatives, advisors.

2. Government authorities and/or supervisory or regulatory authorities.

3. Suppliers, agents and other entities (e.g. professional associations to which we belong, external auditors, depositories, document warehouses, overseas financial institutions) where the disclosure of your personal data has a specific purpose and under lawful basis, as well as having appropriate IT security measures.

4. Special requests from legal authorities such police, lawyers, courts, authorities or any persons whom we are required or permitted by law, regulations, or orders to share such personal data.

5. Social media service providers (in a secure format) or so they can display relevant messages to you and others on our behalf about our products and/or services.

6. Third-party security service providers.

7. Other persons that provide you with benefits or services associated with your services.  For example, insurance agents or insurance companies who provide insurance coverage for the school.

8. Our attorney, sub-attorney, your authorised persons, or legal representatives who have lawfully authorised power.

9. Financial institutions on payment details to facilitate payment transactions.

10. External health or medical providers on health data.

11. Safeguarding information can be shared with external safeguarding professionals where necessary.

12. Parental requests to provide references, recommendations, reports or transcripts to a new school.

13. Enabling the performance of the contract between parents and the school.

14. Data Processors assisting with the provision of education and support services.

15. Other schools or organisations for references or educational information.

9. International transfer of personal data

When it is necessary for us to send or transfer your personal data internationally, we will always exercise our best effort to have your personal data transferred to our reliable business partners, service providers or other recipients by the safest method to maintain and protect the security of your personal data, which includes the following circumstances:

  • Comply with our legal obligation.
  • Inform you of the inadequate personal data protection standards of the destination country and obtain your consent in compliance with the PDPA.
  • Perform the agreement made by you with us or your request before entering into an agreement.
  • Comply with an agreement between us and other parties for your own interest.
  • Prevent or suppress a danger to your or other persons’ life, bodily harm or your health if you are incapable of giving consent at such time.
  • Carry out activities relating to the substantial public interest in compliance with the PDPA.[1] [2] 

10. Retention period of personal data

All personal data is securely stored in accordance with the PDPA requirements.  We retain your personal data only for legitimate purposes, relying on one or more of the lawful bases as set out above, and only for so long as necessary for those purposes, or as required by law.

Personal data that is no longer needed will be disposed of securely.

11. Use of Cookies

We may collect and use cookies and similar technologies when you use our products and/or services. This includes when you use our website.  The collection of such cookies and similar technologies helps us recognise you, remember your preferences and customise how we provide our products and/or services to you. We may use cookies for several purposes. For example, enabling and operating basic functions, helping us understand how you interact with our websites or emails, or enabling us to improve your online experiences or our communications with you. 

12. Use of personal data for original purposes

We are entitled to continue collecting and using your personal data, which has previously been collected by us before the enactment of the PDPA in relation to the collection, use and disclosure of personal data, in accordance with the original purposes.

13. Security

We endeavour to ensure the security of your personal data through our internal data security measures. We also require our staff and third-party contractors to follow our applicable data security standards and policies and to exercise due care and measures when using, sending, or transferring your personal data.

14.  CCTV

CCTVs are in use in various locations in common areas around the school to ensure safety of our community. We do not need to ask individuals’ permission to use CCTV, but security cameras are clearly visible.

15. Subject Access Requests

Individuals have a right to make a ‘subject access request’ to gain access to personal information that the school holds about them. This includes: 

  • Confirmation that their personal data is being processed. 
  • Access to a copy of the data. 
  • The purposes of the data processing. 
  • The categories of personal data concerned. 
  • Who the data has been, or will be, shared with.  How long the data will be stored for, or the criteria used to determine this period. 
  • The source of the data, if not the individual. 
  • Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual.

Personal data about a child belongs to that child, and not the child’s parents or carers. However, due to the age of the children, subject access requests from parents relating to their child will be considered without the permission of the child.

16. How to contact us

If you wish to exercise any of your rights under the PDPA for which we are the data controller, please make your request by emailing our PDPA team and follow-up with written request with your identification documents at the school as detailed below:

PDPA Team

Raintree International School

126 Nanglinchi Road, Sathorn, Bangkok, 10120

Please note that these rights are not absolute, and we may be entitled to or required additional personal identification as required by the school.  We will respond to any such written requests as soon as is reasonably practicable and within statutory time limits. 

17. Changes to this Data Privacy Notice

We will update this Data Privacy Notice from time to time.   Any substantial changes that affect how we process your personal data will be displayed on our website and sent to you directly when deemed necessary.