VERSO International School:
    Data Protection Policy


    Purpose of this policy

    This policy sets out the expectations of how VERSO International School (VERSO) will collect, process, secure and protect personal data. It also outlines the standards that must be adhered to for compliance with data protection legislation.


    At VERSO International School (VERSO), we acknowledge the importance of data protection and recognize that individuals have rights in respect of the Personal Data we handle, in accordance with the Personal Data Protection Act ("PDPA").

    During the course of our business activities, we will collect, store and process personal data. We will endeavor to treat this data in accordance with legal safeguards and in a manner consistent with the high standards individuals have come to expect from our organization.

    All our staff members are required to comply with this Data Protection Policy when processing Personal Data as part of their role. Failure to comply with this policy may lead to disciplinary action. 

    The School Leadership Team is responsible for ensuring compliance with this policy in their respective areas of responsibility.

    This policy is overseen by our Data Protection Officer who may be contacted at this email address

    2. SCOPE

    This Data Protection Policy applies in respect of all the Personal Data we process about our current, past and prospective students (and their parents/carers), our current and former staff members, our suppliers and any third parties we communicate with.

    This policy sets out how we will process Personal Data. The following policies and notices are also relevant for this purpose:

      • Incident Management Policy
      • Information Rights Policy 
      • Our General Website Privacy Notice 
      • Retention Schedule / Policy
      • CCTV Policy
      • Roles and Responsibilities Policy
      • Employee Privacy Policy
      • Digital and Social Media Policy


    For the purposes of this policy, the following terms apply:

    Data Controller means the organization which determines the purposes for processing Personal Data and the manner in which that processing will be carried out. In most cases, VERSO will be the Data Controller of the Personal Data it collects and uses as part of its business activities.

    Data Processor means the organization or person that processes Personal Data on our behalf and in accordance with our instructions, such as suppliers and contractors. Our staff members are not Data Processors.

    Data Subjects are all living individuals about whom we hold Personal Data.

    Personal Data means any information relating to a living individual who can be identified from that information or from any other information we may hold. Personal Data can include names, identification numbers, addresses (including IP addresses), dates of birth, financial or salary details, education background, job titles and images. It can also include an opinion about an individual, their actions or their behavior.  Personal Data may be held on paper, in a computer or any other media whether it is owned by the organization or a personal device.

    Sensitive Personal Data is special category data that is more sensitive, and includes information revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership. It will also include data concerning health (physical and/or mental health), criminal records data concerning a person’s sex life or sexual orientation, and genetic and biometric information where that data is used to uniquely identify a person. 

    Processing means any activity which is performed on Personal Data or Sensitive Personal Data. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction of data.


    VERSO is responsible for and must be able to demonstrate that Personal Data is being processed in accordance with the principles of VERSO International School and the Thai Personal Data Protection Act ("PDPA"). 

    The principles of data protection under which we operate are:

    Principle One: Lawfulness, Fairness & Transparency
    Personal Data must be processed lawfully, fairly and in a transparent manner. 

    In order to comply with this principle, we will ensure that we only process Personal Data where we are lawfully permitted to do so. We will be open and honest with individuals about the data we collect, why we use it, and which lawful basis justifies that use. We will do this via privacy notices, whether or not we collect information directly from the individuals concerned. 

    In addition, for each processing activity that we undertake, we will consider how that processing affects the individuals concerned. 

    In order to process personal data lawfully, we will ensure that at least one of the following lawful bases applies:

      • The Data Subject has provided consent. This consent will be a freely given, specific, informed and clear indication of the individual’s wishes. 
      • The processing is necessary for the performance of a contract with the Data Subject such as  the provision of education for a student under the parental contract).
      • The processing is necessary for us to comply with a legal obligation (not a contractual obligation).
      • The processing is necessary for the prevention or suppression of a danger to the data subject's life, body, or health, or to protect an individual’s vital interests as in the management of a medical emergency.
      • The processing is necessary for our legitimate interests, or those of a third party, so long as those interests are not overridden by the interests, rights or freedoms of the Data Subject.
      • The processing is necessary for purposes relating to the preparation of the historical documents or archives for public interest, or for purposes relating to research or statistics.

    In order to process sensitive personal data lawfully, we will ensure that one of the following exemptions applies: 

      • The processing is to prevent harm to the life or health of a person.
      • The processing is a legitimate activity of a foundation or non-profit organization with religious, philosophical or political interests.
      • The processing is necessary to establish a legal claim or necessary to comply with a legal obligation.
      • The processing relates to data that is publicly available with the explicit consent of the individual.
      • The processing is for the purposes of preventive or occupational medicine, health or social services, or management of medical claims.
      • The processing is in the interest of public health.
      • The processing is necessary for employment protection, social security, national health security, or social health welfare.
      • The processing is necessary for scientific, historical, or statistical research purposes, or other public interests (which are carried out only to the extent necessary to achieve such purposes, and the suitable measures have been provided to protect the fundamental rights and interest of the data subject).
      • The processing is necessary for substantial public interest, by providing the suitable measures to protect the fundamental rights and interest of the data subject.

    Principle Two:  Purpose Limitation
    Personal Data should be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.

    In order to comply with this principle we will only process Personal Data for the specific lawful purposes set out in our Record of Processing Activity and Privacy Notices, unless we are specifically permitted to process the data by law.

    Principle Three:  Data Minimization
    Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

    In order to comply with this principle, the data we collect will be sufficient to fulfil the purpose of collection (adequate), there will be a rational link between that data and the purpose (relevant) and we will only collect the Personal Data we need to fulfil the specific purpose we have collected the data for.

    Principle Four:  Accuracy
    Personal Data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay.

    In order to comply with this principle, we will ensure that all Personal Data is kept up to date and is accurate. We have appropriate processes in place to check the accuracy of the data we collect and the sources of data are always recorded. We will also comply with an individual’s right to rectification (see below) and we will carefully consider any challenges to the accuracy of the Personal Data. 

    Principle Five: Storage limitation
    Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed. 

    In order to comply with this principle, we will only keep Personal Data for as long as we need it and we will take all reasonable steps to destroy or erase all data which is no longer required. Personal Data will be kept in accordance with our Retention Policy to ensure that data is not kept any longer than necessary and we will ensure that individuals understand the duration for which their Personal Data will be held.

    Principle Six - Integrity and confidentiality
    Personal Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

    In order to comply with this principle, we will ensure that we have appropriate organizational and technical measures in place to safeguard the security of the Personal Data we process. This includes ensuring the confidentiality, integrity and availability of the systems and services used to process the Personal Data.


    We will ensure that we have appropriate security measures in place to protect Personal Data against unlawful or unauthorized processing, and accidental loss or destruction. 

    In accordance with Principle Six (Integrity and Confidentiality, above):

      • We will ensure the confidentiality of Personal Data by protecting it against unintentional, unlawful or unauthorized access, disclosure or theft. 
      • We will ensure the integrity of Personal Data by maintaining its accuracy and protecting it against accidental or unlawful alteration. 
      • We will ensure the availability of Personal Data by regularly testing, assessing and evaluating the effectiveness of our technical and organizational measures to ensure our systems and services can be restored and accessed in a timely manner in the event of a physical or technical incident.

    Our security measures include:

      • Keeping Personal Data in paper records or on removable devices in lockable rooms, desks or cupboards and disposing of these records securely when required.
      • Keeping digital Personal Data in line with our agreed policies.
      • Ensuring staff members only share Personal Data they use in the course of their work with authorized personnel.
      • Maintaining up to date firewalls and other IT security measures, with regular audits of our IT systems.
      • Training staff on the importance of data protection to ensure compliance with safe handling of data.
      • Regularly auditing our governance and information management processes.


    Where we collect Personal Data directly from individuals or via a third party source, we will inform those individuals about the use of their data through our Privacy Notices, which will include the following details:

    • The name and address of our school, as the Data Controller.
    • The contact details of our Data Protection Officer.
    • The categories of Personal Data we are processing. 
    • The purpose or purposes we intend to use the Personal Data for.
    • The recipients of any Personal Data we share or disclose.
    • Details of any transfers to other countries and what safeguards are in place.
    • The length of time we will retain the Personal Data for.
    • The rights Data Subjects have to access their data, or limit its use or disclosure.
    • The right of Data Subjects to complain to the Regulatory Authority about our use of their Personal Data.
    • The source of the Personal Data (where we receive it from a third party).
    • The existence of any automated decision making (including profiling).


    We recognize that Data Subjects have a number of rights regarding our use of their Personal Data, some of which are subject to conditions. All requests will be dealt with by our Data Protection Officer in accordance with our Information Rights Policy.

    Right of access (commonly referred to as a subject access request)

    This gives individuals the right to ask us about the Personal Data we use about them. This can include what we use it for, who we share it with, how long we store it and where we have obtained it from. Individuals can also ask for a copy of their personal data.

    Right to rectification

    This gives individuals the right to ask for inaccurate Personal Data to be corrected or for incomplete Personal Data to be completed.

    Right to erasure (‘right to be forgotten’)

    This gives individuals the right to ask for their Personal Data to be erased but the obligation for us to erase Personal Data only applies in certain circumstances. 

    Right to object

    This gives individuals the right to ask us not to use their Personal Data. This will include the use of their data for direct marketing, or where automated decisions have been made about them .

    Right to data portability

    This gives individuals the right to ask us to transfer any personal data held in a structured electronic format to another data controller where the personal data has been provided to us by the data subject, and if we are processing such data on the basis of consent or to perform a contract with the data subject.

    If we are unable to comply with a request then we will clearly inform Data Subjects about the reasons why. We will keep a record of reasons why access to records have been denied.


    We will only transfer Personal Data to a Data Processor where they have provided us with sufficient guarantees that they will protect the data in compliance with data protection legislation and in line with our expectations. We will also ensure that these requirements are governed by contract or other legally binding agreement.

    We will also enter into Data Sharing Agreements with other Data Controllers, where this is considered appropriate.


    We do not encourage the retention of any Personal Data for any longer than necessary, in accordance with Principle Five (Storage Limitation, above). We will ensure that all Personal and Sensitive Personal Data is disposed of in a way that protects the privacy of Data Subjects.

    We will retain a Retention Schedule that details the specific types of information we handle and the appropriate periods for retention.


    We will manage data protection incidents in accordance with the process set out in our Incident Management Policy. As part of this process, we require all our staff members to follow specific guidelines on reporting data incidents, including completing a data incident form which we will investigate and log.


    We may carry out a Data Protection Impact Assessment when the processing of Personal Data is likely to result in a high risk to the rights and freedoms of individuals. This process is designed to identify the nature of the risks so that mitigating actions can be taken to reduce or eliminate these risks.

    12. USE OF CCTV

    We use CCTV in accordance with our CCTV Policy to ensure any images we collect and use are handled appropriately.


    The name and address of our school, as the Data Controller:
    VERSO International School
    198 Moo 4, Soi Sarasetthasiri Suvarnabhumi 3 Road
    Bangchalong Bang Plee, Samut Prakan 10540 
    Phone: +66 02 080 6200

    The contact details of our Data Protection Officer: