Privacy Notice

Document Version

ภาษาไทย | English


Privacy Notice​​ of Morchana Application


This​​ privacy notice​​ (“the Notice”)​​ was made for you as the user of Morchana application (hereinafter called​​ processing activity) to learn and understand the forms​​ of collecting, using and disclosing​​ (“processing”)​​ personal data operated by​​ National Telecom Public Company Limited​​ (hereinafter called​​ NT”, “we”, “us)​​ as the data processor of the personal data collected from you to operate under this processing activity.

“Morchana” Application is a tool to​​ help monitoring the pandemic of coronavirus disease 2019 (“COVID-19”) more extensively by collecting the user’s travel data via​​ Global Positioning System​​ (GPS)​​ and​​ Bluetooth​​ technologies for data processing and​​ alerting the people when they are near of in contact with COVID-19 patients to monitor their own symptoms and meet the concerned authorities​​ in time. ​​ 

Department of Disease Control​​ (DDC)​​ is the main agency to collect and analyze Thailand’s dispersion situation information​​ as a result of​​ COVID-19 infection​​ under the Order of​​ Department of Disease Control​​ No.​​ 397/2564​​ on the Appointment of COVID-19​​ Data Governance​​ Commission​​ which needs​​ the data analysis and data synthesis from​​ Department of Disease Control​​ before disclosing to the public​​ as well as the request of using and accessing data from the​​ authorities​​ outside of​​ Department of Disease Control​​ with​​ the​​ Ministry of Digital Economy and Society​​ (“MDES”)​​ as the application administrator and​​ MDES​​ assigning such administration to be under the responsibility of NT while NT would operate the data processing as per the request of​​ Department of Disease Control​​ and send the notifications to the group of “Morchana” application users who used to stay in​​ the​​ infection-risk areas​​ as well as the correct self-regulation guideline.

We​​ will​​ operate the work of collecting, using or disclosing your personal data as follows:


  • The​​ Legal Basis for the Processing of Personal Data

We​​ will​​ operate the processing and disclosing of personal data with related​​ authorities​​ under the legal basis for the processing of personal data as follows:​​ 

  • In case it is necessary in our operation as stated by the law,​​ that is,​​ Emergency Decree on Public Administration in Emergency Situations B.E. 2558 (2015) and Communication Disease Act B.E. 2558 (2015)

  • In case it is necessary​​ to prevent or​​ suppress​​ a danger​​ to life, body or health​​ of the person​​ as well as to​​ monitor, prevent and control​​ COVID-19​​ dispersion.

  • In case it is necessary​​ to perform the duty of operating the mission for public benefits or using the granted power or perform the duty of using the assigned​​ state power​​ under the power of​​ COVID-19 Situation Administration​​ Commission,​​ Department of Disease Control, Ministry of Health​​ and under the policy of or being assigned by​​ Ministry of Digital Economy and Society​​ which includes the data submission for the related government authorities to give advices or​​ determine the self-care and prevention measures e.g. seeing the doctors, being quarantined, self-monitoring and behavior observation​​ and to give information to doctors, nurses or​​ healthcare personnel​​ concerning the records of accessing risk areas or COVID-19 infection possibilities as well as the symptoms within the scope of COVID-19 disease.

  • In case it is necessary​​ for our legal benefits without excessively affecting​​ your​​ fundamental rights​​ to​​ personal data while such benefit​​ has no lesser importance than the data owner’s fundamental rights to personal data in order to analyze and process data as well as to link the data received from a person, legal person or government authority​​ in the monitoring, prevention and control of COVID-19 dispersion.


We​​ will​​ collect personal data according to​​ Section​​ 26​​ which falls​​ within the condition of not necessary to request explicit consent for the following​​ purposes:

    • The necessity for​​ public health​​ benefits by collecting the user’s travel data​​ to comply with​​ the​​ Emergency Decree on Public Administration in Emergency Situations B.E. 2558 (2015) and Communication Disease Act B.E. 2558 (2015)​​ in​​ the operation of​​ the public mission on the prevention of danger from epidemic​​ diseases.

    • The necessity for​​ important​​ public benefits​​ by determining appropriate measures to protect the basic rights and benefits of the personal data owner.​​ 


  • The​​ Purposes​​ of Collecting Your Personal Data

We​​ will​​ directly collect data from you by collecting your data since the day you start using and all the time that you use the app. However, we will not​​ collect your personal data from other sources​​ apart from other related authorities according to the​​ legally-operated​​ regulations and missions​​ only.​​ The​​ purposes​​ of our data collection are as follow:

    • To monitor, suppress and​​ restrain​​ COVID-19 dispersion by processing from the data of Anonymous ID to find the activities with the risk or the possibility of contact with​​ COVID-19​​ diseases.

    • To​​ alert​​ the users considered as a risk group as well as to​​ support the public health officials and related authorities to quickly analyze the situations in each area.

    • To be the information​​ facilitating​​ the observation of one’s own behavior​​ concerning the access to the risk area as well as the public areas with many people coming in and out such as department stores, shops or markets so that they can watch out for themselves and take care of the people around them.​​ Moreover, there will be the information to help screening the patients or risked persons and taking care of​​ others​​ entering the same places.

    • To help the doctors, nurses and​​ healthcare personnel​​ in the history taking in order to take history and give medical treatment faster.

    • To alert the risked person as soon as the patient is found without wasting the time searching and give appropriate advices in time, for example, to come to the hospital to see the doctor as soon as possible.​​ 

    • For the benefits in economics, tourism or other activities according to the government policies, for example,​​ Phuket Sandbox, Samui Plus Model. However,​​ once you​​ receive​​ the permission to enter the areas designated as pilot provinces for tourism, there will be the data for monitoring or tracking you while staying in the area.


  • The Personal Data We Collect and Use

We will collect and use your personal data for the​​ purposes​​ as mentioned in Item 2. However, we will collect and use the personal data as per necessity by mainly using the Anonymous ID​​ in the data processing of the app according to their​​ purposes.​​ 

In case of the necessity to collect your personal data, we will collect your personal data as follows:


3.1.​​ The data sources and list of personal data to be collected are as follow:




    • The​​ data sources and list of personal data to be collected are as follow:



Sources/Methods of Collection

List of Personal Data

1.​​ Directly collect data from you​​ via​​ registration and while using the application (Camera)

In​​ case of all users:

    • The photo of yourself by selfie without sending out from your smartphone.​​ 

    • QR Code that you prefer to scan.

In case of​​ general users:

 ​​ ​​​​ -​​ Mobile number​​ (within Thailand)​​ which is
 ​​ ​​ ​​​​ ​​ registered through the​​ application.

In​​ case of​​ the users entering the areas designated as pilot provinces for tourism by air:

    • Thailand Pass ID

    • Name-surname related to Thailand Pass system.

    • Passport number (for​​ ID verification only)

2.​​ Collect via GPS/Bluetooth​​ tracking technology

    • Your check-in​​ or location data

    • Data of being physically close to​​ others​​ collected and calculated by the application

3. Collect via Physical Activity

    • Classification of user’s activities.


    • The Purposes of Using Personal Data


Purposes of Using Data

List of Personal Data Used

1.​​ To register and​​ verify​​ identity for the application log-in in case of the travelers

    • Thailand Pass ID

    • Name-surname related to Thailand Pass system.

    • Passport number (for​​ ID verification only)

2. To register and verify identity for the application log-in in case of general users

    • Mobile number​​ (within Thailand)​​ which is registered through the​​ application.

3.​​ To build the participation and ownership of the application

    • The photo of yourself by selfie without sending out from your smartphone.​​ 

    • QR Code that you prefer to scan.

4.​​ To analyze the risk or possibility of​​ being in contact with COVID-19 disease

    • Your check-in​​ or location data

    • Data of being physically close to​​ others​​ collected and calculated by the application

5. To​​ preserve battery life

    • Classification of user’s activities.


  • Disclosing Your Personal Data

In general case, we will not​​ publicize, sell, share, exchange or transfer any of your personal data we collect to the outsiders or non-related authorities except being granted permission from​​ Department of Disease Control​​ only. By this sharing of data, we will discreetly send out the data as per necessity only to achieve the purposes of those asking for the shared data and​​ such purposes must fall within the purpose framework being granted consent by the user.​​ We​​ disclose your personal data to the person(s)​​ or legal person(s)​​ as follow:​​ 

    • The Geo-Informatics and Space Technology Development Agency​​ (Public Organization)​​ to integrate data with​​ COVID-19​​ iMAP​​ Platform​​ according to the Order from the Daily​​ Briefing​​ of​​ Operation Center,​​ Covid-19​​ Situation Administration Center​​ on January 14, 2021.4

    • The government authorities whose duty is related with the​​ management of coronavirus disease​​ 2019​​ pandemic situation as regulated by​​ Department of Disease Control.

  • Your Rights according to​​ Personal Data Protection Act B.E.​​ 2562 (2019)

Since​​ Morchana​​ Application highly values the importance of​​ keeping your personal data security and determines to follow the​​ Personal Data Protection Act B.E.​​ 2562 (2019)​​ which regulates the personal data protection measures for efficiently gathering, collecting, using or disclosing personal data.

5.1​​ The right to access,​​ obtain​​ copy and request​​ the disclosure of the​​ sources of your personal data we​​ obtained, except​​ for the​​ case that we have the right to​​ reject​​ your request​​ where it is permitted by law or pursuant to a court order, or the case that your request might affect the rights and freedoms of others.

5.2​​ The right to​​ edit your incorrect or incomplete personal data to be correct, updated, complete and causing no misunderstanding.​​ 

5.3​​ The right to request to suppress the use of your personal data in any of the following cases:

5.3.1While we are in the process of checking as per your request to edit your personal data to be correct, complete and updated.

5.3.2When your personal data is illegally collected, used or disclosed.

5.3.3When your personal data is no longer necessary to be kept according to the purposes we previously informed for data collection but you want us to continue keeping the data to support​​ your legal​​ use of rights.

5.3.4While we are in the process of proving the legal causes of collecting your personal data or determining the necessity of collecting, using or disclosing your personal data for public benefits​​ caused by your use of the right to​​ object​​ the collection, use or disclosure of your personal data.

5.4​​ The right to​​ object​​ the collection, use or disclosure of your personal data, except for the case that we have the causes to legally​​ reject​​ your request​​ (for example, we can prove that the collection, use or disclosure of your personal data is for a more​​ legal​​ cause; or for establishing, following or using the legal of claim; or for the public benefits according to our missions)

5.5​​ The right to revoke the consent to the collection, use and processing of your personal data while the consent revocation may cause you to use the application less conveniently, for example, you might not get the alert when going to the places of COVID-19 dispersion. However, the consent revocation will not affect the personal data processing that has already finished before the consent revocation.


  • Sending or Transferring​​ Your Personal Data Abroad

We collect your personal data for cloud storage provider abroad for processing by using the data processing via​​ AWS’s​​ cloud system (see AWS’s Personal Data Protection Policy at​​​​ with appropriate data security measures to prevent the illegal disclosure or the abuse of data apart from the agreed purposes, except for the following cases:​​ 

    • To​​ abide by​​ the​​ law regulated that we must send or transfer personal data abroad.​​ 

    • We have informed you and received your consent in case that the destination country has insufficient personal data protection measures, in accordance with the list of countries as announced by​​ the Personal Data Protection​​ Commission.

    • To prevent or suppress a danger to life, body or health of yours or others’​​ while being incapable of​​ giving consent at the time or to operate​​ the​​ mission for​​ important​​ public benefits.


  • The Duration of Keeping Personal Data

Within 30 days upon the date of the termination of COVID-19 pandemic situation together with the annulment of the Declaration of an Emergency Situation and the termination of​​ Office of the Permanent Secretary of​​ Ministry of Digital Economy and Society’s​​ COVID-19​​ iMAP​​ Platform, we will erase and destroy when the use of personal data it is no longer necessary or make your personal data to be incapable of ID verification for the use in other purposes, for example, the statistical analysis, the performance improvement or the important public benefits, except for​​ the case of legal requirements that we need to operate in order to keep certain data and, all through the time of collecting data, we will keep and care for the data under the strict security measures.




  • Keeping the Security of Personal Data

We have the appropriate measures for the security of your personal data, both technically and administratively, to prevent the unauthorized loss, access to, destruction, use, alteration, correction or disclosure of personal data which is in accordance with our​​ Information Security Policy.

We also regulate the​​ data security​​ policy​​ by declaring it for the mutual awareness all over the organization, together with the practice guideline for the security in the collection, use and disclosure of personal data while keeping the confidentiality, integrity and availability of personal data. Such policy and requirements will be reviewed at an appropriate time.

However, you​​ may​​ be redirected to the service channels of other authorities or persons to facilitate you while visiting those channels, for example, “Thaichana” QR Code Scanning. These channels​​ may​​ collect your personal data. We accept no liability for the processing of your personal data by those channels. You should discreetly check the personal data protection standards of these channels before using their services.

Moreover, we issue the data security measures to protect personal data from misuse or unauthorized disclosure and to bring efficiency and transparency to the data collection and processing.​​ We will evaluate the use of those collected, shared and processed data whether and how it helps achieving the purposes in order to improve the collection, processing and sharing of data to be more beneficial according to the purposes while still protecting the user’s data. However, we will send the reports of data collecting, data processing, data transferring and​​ data​​ sharing with​​ external persons or authorities, including Office of Personal Data Protection Commission and Office of the Official Information Commission as being legally requested or investigated.​​ The report is, at the very least, composed of the types of collected data, the amount of collected data, the types of shared data, the amount of shared data, the purposes of sharing, the authorities being shared with, the one-time sharing or the continuous sharing (for example,​​ by pulling data via an API), the date and time of starting sharing, the date and time of stopping sharing, the reasons for stopping sharing, the report summary concerning the use of data received from those we shared data with, the​​ data violation and complaints, and the case​​ concerning the misuse of data from the application. We will publicize the reports through the website of Morchana application as well as the online social media administrated by us and the application controllers plus the hyperlink to the reports from inside the application.



  • Participation of Personal Data Owner

We may disclose the personal data when being requested from the owner of personal data, the successor, the​​ heir, the legal representative or the legal guardian by filing the request through the​​ Department of Disease Control​​ at​​ 88/21​​ Tiwanon Road, Talat Kwan, Muang Nonthaburi, Nonthaburi 11000.​​ Contact Center: (+66) 0 2590 3000​​ E-mail:​​

In case the owner of personal data, the successor, the heir, the legal representative or the legal guardian​​ object the collection, the accuracy or any other actions, for example, reporting to revise the personal data, we will record the objection as an evidence.

However, we may reject the right in Paragraph 2 as it is stated by the law or in case that your personal data​​ was made to reveal no names or characteristics that can be used for personal identification.


  • Liability of the Person Doing the Personal Data Processing

We​​ assign that only the staffs with the duty relating to the collection, use and disclosure of personal data of this processing activity can access to your personal data and we will manage to make sure that our staffs follow this regulation​​ strictly.


  • Changes of the Privacy Requirements

These requirements may be revised or improved occasionally. You should come to check these requirements regularly to make sure that you acknowledge the latest version. We will also inform you through Morchana application by stating the name of the latest version at the end of the message.

By logging in to use the product or service​​ under this​​ processing activity, you acknowledge the terms of these requirements. Please refrain from using if you disagree with the​​ terms of these requirements. If you continue using after these requirements have been revised and posted in the afro-mentioned channels, it is regarded that you acknowledge the changes.


  • Contact for Information 

If you have any doubts or inquiries about personal data, please contact:

Data Controller

  • Department of Disease Control

88/21 Tiwanon Road, Talat Kwan, Muang Nonthaburi, Nonthaburi 11000

  • Contact Center (+66) 0 2590 3000; or



  • Terms and Conditions of Morchana Application

The terms and conditions of Morchana application shall be in accordance with this Privacy Notice. ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​​​ 

 ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​ ​​​​ 

Document Version: 2564.10