Scopes and objectives of this Notice
Krungthai Card Public Company Limited (the “Company”) realizes the importance of personal data protection of data subjects according to the Personal Data Protection Act, B.E. 2562 and the Company’s Personal Data Protection Policy. The Company has provided this Notice, which covers groups of data subjects as stated in the definitions, in order to inform them of how the Company collects, uses, and discloses personal data of the data subjects in relation to any services provided by the Company or entering into any contracts with the Company. Please read this Notice to acknowledge and understand the Company’s objectives in collecting, using, and disclosing personal data of the data subjects.
refers to any data relating to the data subject that can be used to directly or indirectly identify the data subject excluding the data of deceased persons, data of juristic persons, or data that has been anonymized to be unable to identify the data subject.
refers to natural persons who contact or conduct any transaction with the Company such as sales representatives of financial products, partners, alliances, creditors, service support operators, securities holders, government sector, director, etc., which do not include applicants for financial products who are referred to as customers or merchant members, as well as the Company’s employees which shall be subject to the other Personal Data Protection Notice separated from this Notice.
Sensitive personal data
refers to any personal data pertaining to ethnic or racial origins, political opinions, beliefs in doctrines, religions, or philosophies, sexual behaviors, criminal records, or any other data which affects the data subjects in the same way as notified by the Personal Data Protection Committee. The Company shall collect, use, and/or disclose sensitive personal data after the Company has received your explicit consent or in the case of necessity to the extent permitted by laws. The Company may collect, use, and/or disclose biometric personal data, for example, facial recognition data, fingerprint recognition data, retina recognition data, and voice recognition data, in order to verify and identify the identity of the service users applying and/or performing any transactions through any channels.
Processing of personal data
refers to any Company’s processing on personal data of the data subjects including collecting, using, disclosing, and deleting of personal data.
Channels for obtaining personal data for personal data collection
The Company may collect personal data via the following channels:
Personal data that the data subjects provide directly to the Company or is obtained by the Company via correspondence, entering into the contracts, rendering and/or using the services, investing in the Company’s assets, participating in activities through the Company’s service and/or communication channels such as website, application, the Company’s online social media, e-mails, investor’s book closure, member service centers, SMSs, telephone calls, questionnaires, meetings, seminars, events, name cards, etc.
Personal data that the Company obtains or accesses from other sources such as companies in financial business groups, merchants accepting cards, other banks or financial institutions, securities registrars, securities depositories, underwriters, business alliances, companies issuing products with the Company, online platforms of third parties, National Credit Bureau, public data sources, persons having legal authority or legal rights, persons or organizations that the Company has legal relations with, etc.
Personal data of the data subjects that the Company may collect, use, or disclose
In order to process personal data pursuant to the objectives, the Company has to collect, use, or disclose personal data for the purpose of enabling the data subjects to use the services and/or conduct the transactions as well as to contact the Company. The aforementioned personal data includes:
3.1 Personal data: such as
- personal data and identification documents used for the establishment of the contracts or transactions with the Company, or those related to the establishment of the contracts or transactions with the Company such as names, surnames, current addresses, telephone numbers, national identification card numbers, signatures, tax identification number, other supporting documents for the establishment of the contracts or transactions with the Company, etc.
- technical data, tool or equipment such as username or user account for electronic or online social media communication, application usage data, computer IP address or MAC address, cookies, system login data, location data, computer traffic data according to Computer-Related Crimes Act, or other data from usage of the website, or application, or operating system.
- other data such as complaints, requests for services or privileges, records of communication or correspondence between the data subjects and the Company, voice recording clips, registration data to participate in any Company’s activities, data of the Company’s securities holders, photos, videos, CCTV footage, records of building/venue entrance and exit, court orders, or government gazettes, or government authority’s orders related to the Company’s compliance with the laws such as orders for submission of documentary evidence or physical evidence, receivership orders, etc.
3.2 Sensitive personal data
The Company may have to use any sensitive personal data in order to provide services by means of using techniques or technologies relating to the usage of physical or behavioral uniqueness to identify and differentiate the person from others or the Company may process sensitive personal data for providing services
The Company may process personal data, which enables the identification of the data subjects, in the form of document and/or pictures and/or electronic form.
4. Why the Company has to collect, use, or disclose personal data of the data subjects?
The Company collects, uses, or discloses the personal data of the data subjects for the Company’s objectives of providing or using services. Furthermore, the Company may transfer your personal data to third parties or other organizations to process on behalf of the Company as the “personal data processor”. The Company shall process personal data of the data subjects based on reason(s) (basis for data processing), which may consist of one or more of the following reasons:
4.1 Because the Company has to perform its duties according to the contracts – processing on contractual basis
To enable the Company to perform its duties according to the contracts or process transactions pursuant to the objectives in which the data subjects are the contractual parties to the Company such as:
(1) Applications to be financial product advisors, remunerations, entering into the contracts or performing transactions with the Company for the purpose of becoming the Company’s business alliances or partners, receipt issuance, etc.
(2) Any procedures in order to provide services prescribed in the contract such as receipt of complaints, risk management, etc.
(3) The arrangement of annual general meeting for shareholders, meeting of bondholders, and any procedures for the benefit of shareholders and bondholders such as dividend payment, procedures according to terms and conditions, etc.
4.2 Because the Company has to perform according to the Company’s legitimate interests – processing on legitimate interest basis
The Company may process personal data of the data subjects for management, assessment and provision of the Company’s internal reports, system maintenance to maintain and develop service standards, as well as the Company’s risk management and usual operations within the Company, which are considered legitimate interests, such as:
(1) Voice recordings via member service centers to improve the service quality, or to ensure the correctness of services, etc.
(2) Exchanging identification cards before entering into the office or CCTV footage recordings.
(3) Maintaining relations with personal data owners such as managing complaints, evaluating service satisfaction.
(4) Managing the organizational risks, auditing, managing within the organization.
(5) Controlling, preventing, mitigating, or transferring risks that may be caused by frauds, cyber threats, defaults or breaches of contracts, any illegal acts (such as anti-money laundering, combating the financing of terrorism and controlling weapons of mass destruction, offences against property, life, body, freedom or reputation, etc.), which includes personal data sharing to develop the standard of operations for companies in financial industry in controlling, preventing, mitigating, or transferring such risks.
(6) Collecting, using, and/or disclosing personal data of directors, authorized representatives, agents of juristic persons.
(7) Contacting, recording videos and voices from meetings, seminars, recreational activities, or exhibition booths.
4.3 Because the Company has to comply with the laws – processing on legal obligation basis
The Company may process personal data of the data subjects in order to comply with the laws of the authorities governing the Company’s course of business such as Bank of Thailand, The Securities and Exchange Commission, Stock Exchange of Thailand, Office of the Consumer Protection Board, Anti-Money Laundering Office, Fiscal Policy Office, Office of the National Anti-Corruption Commission, Personal Data Protection Committee Office, etc. as well as laws governing transactions such as Cyber Security Maintenance Act, B.E. 2562, Money Laundering Control Act, B.E. 2542, or other laws with which the Company must comply in delivering data both in Thailand and foreign countries, as well as announcements and regulations under such laws such as the Civil Procedure Code which gives power to the court to order the parties to deliver documents or data to be used in trials, etc.
4.4 Because the Company has received consents from the data subjects – processing on consent basis
The Company shall request data subjects’ consents in processing their personal data subject to the informed purposes only. In some cases, the Company may consider processing personal data for other purposes which are relevant to and do not contradict or go beyond the original purposes. However, in the case that the Company has to process the data for other purposes, which are irrelevant to the original purposes, the Company shall request new consents to process the data for such new purposes.
In the case that the data subjects wish to withdraw consents for such data processing, the data subjects can contact the Company and submit their request according to clause 11. In this regard, the withdrawals of consent may affect the performance according to the objectives; therefore, for the benefit of data subjects, the data subjects shall consider or inquire about the effects before withdrawing the consents.
5. Disclosing personal data to third parties
The Company may disclose personal data of the data subjects to third parties only as necessary to process data as per the duties and responsibilities stated in the contracts or by laws or by the consents of the data subjects. The Company may disclose personal data of the data subjects to third parties as follows:
(1) Representatives and contractors or service providers who are third parties in order for such persons and/or juristic persons to provide services to the Company and personal data owners such as financial business groups, banks or financial institutions, partners, advisors, specialists, and service providers such as auditors, external/internal auditors, tax consultants, credit rating agencies, research service companies, information technology service providers, Cloud Computing service providers, online social media providers, companies coordinating for seminar arrangements, meeting arrangers, securities depositories, persons working related to securities issuances and offerings, etc.
(2) Governing authorities or government authorities such as Bank of Thailand, the Securities and Exchange Commission, Office of the Consumer Protection Board, Fiscal Policy Office, Anti-Money Laundering Office, the Revenue Department, Office of the National Anti-Corruption Commission, Legal Execution Department, Ministry of Justice, Royal Thai Police, any persons that the Company must disclose data as stated in any laws or regulations, or in any specific cases such as court orders.
(3) In order for the Company to establish rights to claim according to the contracts or the legislations or to defend against any legal claims.
(4) The Company may send or transfer personal data of the data subjects to foreign countries to comply with the contracts between the Company and other persons or juristic persons for the benefits of the data subjects or for its compliance with the laws. In this regard, the destination countries receiving the data shall be considered by the Personal Data Protection Committee to provide adequate personal data protection, or the organizations receiving the data must have been audited and certified by the Personal Data Protection Committee Office to have appropriate personal data protection measures.
7. Data Subjects’ rights on their personal data
(1) Right to be informed - Data subjects shall be informed on their personal data processing, methods of collections, persons receiving the data, objectives and durations of personal data retention.
(2) Right to access – Data subjects can request a copy of their personal data under the Company’s possession and examine whether the Company has legally processed such data.
(3) Right to data portability – The Company has provided personal data in the format that is readable and commonly used by ways of automatic tools or equipment and can be processed by automated means. Data subjects may request the Company to send or transfer the personal data to third parties by automated means or request to directly obtain the personal data that the Company sends or transfers to third parties, unless it cannot be fulfilled due to technical conditions.
(4) Right to object to personal data processing – Data subjects can object to the processing of their personal data by the Company.
(5) Right to erase or destroy, or anonymize the personal data – Data subjects can request for their personal data to be erased or destroyed or anonymized to become anonymous data which is unable to identify the data subject.
(6) Right to restrict personal data processing – Data subjects can request to restrict personal data processing while the Company is pending examination process as per data subjects’ request to rectify personal data or while the Company is pending verification or pending examination, as per data subjects’ request for the right to object.
(7) Right to rectify personal data – Data subjects can request to rectify data to be correct, complete and up-to-date if data subjects find that their data is incorrect, incomplete, or outdated.
Data subjects have rights to submit their requests to the Company. In some cases the Company may reject the exercise of data subjects’ rights due to the reasons stated below. Data subjects are entitled to file a complaint to the Personal Data Protection Committee Office in the event that the data subjects do not agree with the explanations for rejection by the Company. The aforementioned requests submitted by the data subjects for the exercise of rights must be done in writing or by means as specified by the Company. In this regard, the Company shall, with its best effort, proceed or inform the data subjects within 30 days or no longer than the duration prescribed by laws. The Company shall comply with the laws pertaining to the rights of the data subjects.
In the case where the data subjects request the Company to delete, destroy, eliminate personal data processing, temporarily suspend, anonymize, or withdraw their consent, those may constitute the limitation for the Company to process transactions or provide services to the data subjects. In addition, the Company reserves the right to charge any relevant and necessary expenses in processing personal data as per the data subjects’ requests.
8. Retention period of personal data
According to the principle of necessity in retaining personal data, the Company shall retain personal data for the period necessary to fulfil the objectives of data collection as prescribed by laws. Personal data of the data subjects shall be retained throughout the period of being the contractual parties or having transactions with the Company and no more than 10 years after the cessation date of the contracts or transactions or as prescribed by laws.
9. Methods that the Company uses to protect personal data of personal data owners
The Company provides personal data protection as per “Standard for Information Security Management Systems (ISO/IEC 27001:2013)” and “Standard for Privacy Information Management (ISO/IEC 27701:2019)”.
10. Amendment of personal data protection policy
The Company may review this Data Subjects’ Personal Data Protection Notice. If there is any change, the Company shall notify on its website and via channels that will be notified as appropriate.
11. How to contact the Company
In the case where the data subjects wish to exercise the rights, or withdraw the consents for personal data processing, or have inquiries on the Company’s data processing, the data subjects can contact the Company at:
Member Service Center: Tel 02 123 5000
Address: Krungthai Card Public Company Limited, No. 591, UBC II Building, 14 Floor, Sukhumvit 33 Road, North Klongton, Wattana, Bangkok 10110 Thailand
E-mail Address of Personal Data Protection Officer: DataProtectionOfficer@ktc.co.th
In the case where personal data owners consider that the personal data processing violates Personal Data Protection Act, B.E. 2562, the personal data owners have the right to petition to the Personal Data Protection Committee Office.
This Notice shall be effective from the date of 10th November 2022 onwards.