This summary Privacy Policy (“Summary Policy”) will provide you with a summary of the accompanied, detailed Privacy Policy (hereafter “Full Policy”, together "Summary and Full Policy") on Henley & Partners Group Holdings Ltd, Level 4, Aragon House, Dragonara Road, Saint Julian’s, Malta STJ 3140 ("H&P" or "We", "Us", "Our") data processing activities with respect to individually identifiable information ("Personal Data") about users of Our site ("Site") in order to participate in Our visa application program ("Membership Program").

Scope of applicability
This Summary and Full Policy applies to you if you are a user of Our Site and/or a (future) member of Our Membership Program.

Processing of your Personal Data (categories of Personal Data)
We process the following of your Personal Data collected during your registration process on Our Site and the application process of the Membership Program: Your name, email address, mobile number, information necessary for your visa application any other information relating to any individuals which you have provided Us in any forms you may have submitted to Us, or via other forms of interaction with you. For more details see 1. of the Full Policy or click here.

Processing purposes
We process your Personal Data for the following purposes: registering you on Our Site and maintaining your account, administering your online visa application within the Membership Program, security and fraud prevention, conducting market research and/or analysis for statistical, profiling or other purposes for Us to review, develop and improve the quality of Our products and service. For more details see 2. of the Full Policy or click here.

Legal justifications for the processing of your Personal Data
One of the key privacy law requirements is that any processing of Personal Data has to have a legal justification. We generally use the following legal justifications: The processing is necessary for (i) the performance of a contract to participate in the Membership Program (Art. 6(1)(b) GDPR; “Contract Justification”), (ii) compliance with a legal obligation (Art. 6(1)(c) GDPR; “Legal Obligation Justification”), and (iii) realizing a legitimate interest (Art. 6(1)(f) GDPR; “Legitimate Interest Justification”). For more details and the matching of purposes and corresponding legal justifications see 3. of the Full Policy or click here.

Data transfers and recipients and legal justification for such transfers
We transfer your Personal Data to other H&P entities, the Tourism Authority of Thailand, Our IT service provider, and, in accordance with applicable law, other governmental authorities, courts, external advisors, and similar third parties, some of the aforementioned recipients located in jurisdictions outside the EU. For more details see 4. of the Full Policy or click here.

Retention periods for and deletion of your Personal Data
Your Personal Data will be deleted once they are not any longer needed for the purposes motivating their original collection or as required by applicable law. For more details see 5. of the Full Policy or click here.

Your statutory rights
You have a number of rights with regard to the processing of your Personal Data, each as per the conditions defined in applicable law, such as the right to have access to your data, to have them corrected, erased or handed over. Please refer any of your questions to For more details see 6. of the Full Policy or click here.

Changes of this Summary and Full Policy as well as further notices
This Summary and Full Policy are subject to change. You will be notified adequately of any such changes. Further, you will be notified adequately through further relevant privacy notices (e.g., for specific purposes) in case such is not covered by this Summary and the Full Policy.

How to contact Us
If you wish to exercise your data subject rights or if you have any other questions concerning this Summary and/or Full Policy, please address your request to Us and/or Our data protection officer, as applicable, who can be contacted at

Mr Sorin Brici
Henley & Partners Austria GmbH
Linke Wienzeile 8/14
1060 Vienna


  1. Categories of Personal Data

    We collect Personal Data about you via Our Site in two steps of your visa application process (collectively “Your Data”).

    1.1 When you register on Our Site

    We process the following Personal Data about you: Your first name, last name, mobile number, email address (hereinafter "Registration Data").

    1.2 When you apply for a visa via Our Site

    The Personal Data categories that We process consist of normal Personal Data about you (hereinafter jointly "Visa Data") and certain special categories of Personal Data about you (i.e., data that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation - hereinafter jointly "Sensitive Visa Data").

    We process the following Visa Data about you: Your selected program within the Membership Program, your nationality, your passport number and confirmation of at least three blank pages and a six month validity of your passport, the application form for the respective program populated by you (containing e.g. your address and contact information), a copy of your passport, a passport photo of you, a copy of your marriage certificate (as applicable), a copy of your birth certificate, copies of any other visas for Thailand (as applicable), a proof of payment for the Membership Program.

    In addition, We process the following Sensitive Visa Data about you:

    • Blood type;
    • Marital status;
    • Religious affiliation;
    • Allergies; and
    • Fingerprints (of minors).

    1.3 Generally, we collect Your Data in the following ways:

    (i) when you submit an application form or other forms relating to the Membership Program;

    (ii) when you enter into any agreement or provide other documentation or information in respect of your interactions with Us, or when you use Our Site;

    (iii) when you interact with Our customer service representatives, for example, via telephone calls and emails;

    (iv) when you use Our electronic services, or interact with Us via Our Site;

    (v) when you request that We contact you or request that you be included in an email or other mailing list;

    (vi) when you respond to any request for additional Personal Data;

    (vii) when you are contacted by, and respond to, Our customer service officers;

    (viii) when We receive references from business partners, relevant government agencies and third parties, for example, where you have been referred by them;

    (ix) when you fill up surveys administered by Our third party surveying service providers;

    (x) when We seek information from third parties about you in connection with the services you have applied for; and/or

    (xi) when you submit Your Data to Us for any other reason.

  2. Processing purposes

    We process Your Data to the extent permitted or required under applicable law, for the following purposes in each of the two steps:

    2.1 When you register on Our Site

    (i) Registering you on Our Site, (ii) responding to your queries, feedback, complaints and requests, and (iii) managing your account on Our Site, such as verifying your email address (hereinafter jointly "Site Registration Purposes").

    2.2 When you apply for a visa via Our Site

    • Processing your online visa application within the Membership Program (hereinafter "Visa Application Purposes"); and

    • (i) Requesting feedback or participation in surveys, (ii) conducting market research and/or analysis for statistical, profiling or other purposes for Us to review, develop and improve the quality of Our products and services, and (iii) testing and improving Our systems, and preventing the misuse or improper use of Our services (hereinafter "Quality Enhancement Purposes").

  3. Legal justification for the processing of Your Data

    In general, you are required to provide Your Data (e.g. due to visa requirements), except in limited instances when we indicate that certain information is voluntary and their processing is based on your consent (e.g. in connection with user satisfaction surveys). However, if you do not provide Your Data, your visa application might be delayed or impossible.

    Furthermore, We rely on the following legal justifications for the processing of Your Data:


    Processing purposes

    Categories of Your Data involved

    Legal basis

    When you register on Our Site

    Site Registration Purposes

    Registration Data

    Contract Justification

    When you apply for a visa via Our Site

    Visa Application Purposes

    Visa Data
    Sensitive Visa Data

    Contract Justification

    Quality Enhancement

    Registration Data
    Visa Data

    Legitimate Interest

  4. Data transfers and recipients and legal justification for such transfers

    4.1 Recipients

    (i) Other group companies: We transfer Your Data to other H&P group companies, as permitted under applicable data privacy law pursuant to Legitimate Interest Obligation for the legitimate interests of H&P to facilitate your visa application within the Membership Program. These recipients are most likely our offices in Austria, United Arab Emirates, Thailand and South Africa. More offices may only be involved case- by-case on a need-to-know basis and in accordance with applicable data protection law.

    (ii) Third parties: We may transfer Your Data to governmental agencies and regulators, courts, and government authorities, all in accordance with applicable law based on Legal Obligation Justification and to external advisors acting as controllers (e.g., lawyers, accountants, auditors etc.) based on Legitimate Interest Obligation.

    (iii) Service providers: We contract with third party service providers as part of Our normal business operations to carry out your visa application process (i.e., Our IT provider TOWA in Austria and the Thailand Privilege Card Company Limited in Thailand being a subsidiary of the Immigration Bureau of Thailand).

    (iv) A list of data recipients containing the identity, short description of the processing activity and location of the relevant data recipients can be requested from Us under the contact details further below.

    4.2 Cross-Border Data Transfers

    (i) We may transfer Your Data outside of the country you are located. Some recipients of Your Data are located in another country for which the European Commission has not issued a decision that this country ensures an adequate level of data protection, namely: Thailand, South Africa, United Arab Emirates.

    (ii) By way of entering into appropriate data transfer agreements based on Standard Contractual Clauses (2010/87/EU and/or 2004/915/EC) as referred to in Art. 46(5) GDPR or other adequate means, which are accessible at, We have established that all recipients located outside the EEA will provide an adequate level of data protection for Your Data and that appropriate technical and organizational security measures are in place to protect Your Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. Any onward transfer is subject to appropriate onward transfer requirements as required by applicable law.

  5. Retention periods for and deletion of Your Data

    5.1 Your Data processed for the purposes hereunder will be stored only to the extent necessary during the term of your participation in the Membership Program with Us, during a transition period (e.g. for the compliance of Our obligations regarding data retention as established in applicable laws). If a judicial or disciplinary action is initiated, Your Data may be stored until the end of such action, including any potential periods for appeal, and will then be deleted or archived as permitted by applicable law.

    5.2 In principle we will retain Your Data as long as required or permitted by applicable law. Afterwards, we will remove Your Data from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it.

  6. Your statutory rights

    Under the conditions set out under applicable law (i.e., the GDPR), you have the following rights:

    6.1 Right of access: You have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, to request access to the Personal Data. The access information includes – inter alia – the purposes of the processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data have been or will be disclosed. You have the right to obtain a copy of the Personal Data undergoing processing. For additional copies requested by you, we may charge a reasonable fee based on administrative costs.

    6.2 Right to rectification: You have the right to obtain from us the rectification of inaccurate Personal Data concerning you. Depending on the purposes of the processing, you have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.

    6.3 Right to erasure (right to be forgotten): You have the right to ask us to erase your Personal Data.

    6.4 Right to restriction of processing: You have the right to request the restriction of processing your Personal Data. In this case, the respective data will be marked and may only be processed by us for certain purposes.

    6.5 Right to data portability: You have the right to receive the Personal Data concerning you which you have provided to us in a structured, commonly used and machine- readable format and you have the right to transmit those Personal Data to another entity without hindrance from us.

    6.6 Right to object:

    You have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Data by us and we can be required to no longer process your Personal Data. If you have a right to object and you exercise this right, your Personal Data will no longer be processed for such purposes by us. Exercising this right will not incur any costs. Such a right to object may not exist, in particular, if the processing of your Personal Data is necessary to take steps prior to entering into a contract or to perform a contract already concluded.

    Please note that the aforementioned rights might be limited under the applicable national data protection law. We remain the universal point of contact for your execution of these rights.

    Please refer any of your questions to

    In case of complaints you also have the right to lodge a complaint with the competent supervisory authority, in particular in the member state of your habitual residence or alleged infringement of the GDPR.