1. Scope and Purpose of this Notice
Krungthai Card Public Company Limited (“Company") has recognised the importance of protecting the personal data of the data subject in accordance with the Personal Data Protection Act, B.E. 2562 (2019). The Board of Directors has approved the Company's personal data protection policy. The Company has prepared this Privacy Notice to inform about the Company’s collection, use, and disclosure of personal data of the data subject related to the Company’s services. Please kindly read this document to be informed and understand the purposes behind the Company’s collection, usage, and disclosure of personal data of the data subject according to this notice.
“Personal Data” means any information, whether direct or indirect, related to an identifiable individual, excluding the information of the deceased, corporate information, or information that has been processed into non-personally identifiable data of the data subject.
"Data Subject" means a natural person that has made contact or conducted various transactions with the Company, such as financial product sales representatives, business partners, alliances, creditors, support service providers, shareholders, the Government, Company directors, etc. The term excludes those applying for financial products, which means customers, merchants, and employees of the Company, which have their own personal data protection notice separate from this notice.
“Sensitive Data” means personal data related to race, ethnicity, political opinions, creed, religion or philosophy, sexual behaviour, and criminal record that affects the data subject in the same manner as specified by the Commission. The Company will collect, use, and/or disclose sensitive data only when the Company has obtained your explicit consent, or where necessary, as permitted by law. The Company may be required to collect, use, and/or disclose personal biometric data, such as facial, fingerprint, and iris recognition data, and sound identity data for the purpose of confirming and verifying the identity of the individual applying for and/or conducting transactions through various channels.
"Processing of Personal Data" means any actions of the Company on personal data of the data subject, including collection, use, disclosure, and deletion of personal data.
2. User of Personal Data of the Data Subject
The Company is the "Data Controller" of all data subjects. Therefore, it has duties and responsibilities for the processing, safeguard, and security of personal data of the data subject. Personal data is processed to the extent necessary for the purposes, scope, and method of use as required by law.
In addition, the Company may send your personal data to agencies or third parties to process on the basis of a "Personal Data Processor" acting on behalf of the Company.
3. Types of Personal Data of the Data Subject that the Company May Collect
In order to process personal data for the intended purposes, the Company is required to collect, use, or disclose personal data on a case-by-case basis. Such personal data, such as personal data specified in the application, contract, supporting documents for the transaction, or other personal data obtained during processing, shall be processed in accordance with legal purposes, rights or compliance.
In addition, the Company also processes personal data related to usage via information technology systems, including surveillance cameras, building access systems, and network traffic data in accordance with the Computer Crime Act.
Generally, the Company collects most of the personal data directly from the data subject, by means of a contract or transaction process. However, the Company may collect additional data from other sources, such as external service providers, securities registrar, etc. Data obtained from other sources will be verified or certified to be able to be used for the purposes outlined in this notice.
The Company may process the personally identifiable data of the data subject in a documented and/or image and/or electronic format.
4. Why the Company Needs to Collect Personal Data of the Data Subject
The Company uses the personal data of the data subject to process in accordance with the purposes of the Company related to the provision or use of services. The Company processes the personal data of the data subject with reasoning (basis for data processing) which may be based on one or more reasons combined as follows:
4.1 Because the Company Has a Contract Obligation : Processing According to the Contract
For the performance of a contract or a transaction according to the purpose of which the data subject is a party with the Company, such as:
(1) Applying to be a financial product advisor, compensation, etc.
(2) Performing any other action for the purpose of providing service under the contract, such as receiving complaints and risk management.
(3) Arranging the Annual General Meeting of Shareholders and organising bondholders’ meetings, including various processes for the benefit of shareholders or bondholders, such as dividends, execution of terms of rights, etc.
4.2 Because the Company Has an Obligation to Process in its Legitimate Interests: Processing According to Legitimate Interests
For the performance of a contract or a transaction according to the purpose of which the data subject is a party with the Company, such as:
The Company may use the personal data of the data subject for the processing, verification, and preparation of an internal report within the Company, performing system maintenance to maintain service standards and the Company’s risk management, and conducting normal operations within the Company which are legitimate interests such as:
(1) CCTV recording.
(2) Performing enterprise risk management and internal management audit.
(3) Controlling, preventing, mitigating or transferring risks that may arise from corrupt acts, cyber threats, default payments or breach of contract, violations of various laws (such as the prevention and suppression of money laundering; financial support for terrorism; the proliferation of weapons of mass destruction; offences related to property, life, body, liberty, or reputation), including the sharing of personal data in order to raise the standards of work of Companies within the financial business group to control, prevent, mitigate or transfer the above risks.
(4) The collection, use, and/or disclosure of the personal data of Company directors' whom are representatives of the legal entity.
(5) Contacting and making image and sound recordings resulting from the organisation of conferences, training sessions, recreation activities, or booth exhibitions.
4.3 Because the Company Has a Legal Obligation: Processing According to a Legal Obligation
The Company may process the personal data of the data subject for the legal compliance of the agency that oversees the Company’s business operations, such as the Bank of Thailand, Securities and Exchange Commission, The Stock Exchange of Thailand, Office of the Consumer Protection Board, Anti-Money Laundering Office, Fiscal Policy Office, Ministry of Finance Office, The National Anti-Corruption Commission, and The Office of the Personal Data Protection Commission, etc., including laws governing transactions, such as the Cybersecurity Act, B.E. 2562 (2019), Anti-Money Laundering Act, B.E. 2542 (1999) or other laws that the Company is subject to that require the transmission of information both in Thailand and from abroad. This also includes notices and regulations issued under such laws, such as The Code of Civil Procedure, which gives the court power to order the parties to submit documents or information in the trial, etc.
4.4 Because the Company Has Obtained Consent from the Data Subject: Processing According to Consent
The Company will ask for consent for the processing of personal data of the data subject solely for the specified purposes. In some cases, the Company may consider it able to process personal data for other related relevant purposes that do not conflict or are in addition to the original purposes. In the case that the Company is required to process data for a purpose other than the original, the Company will ask for new consent to use the data to process according to the new purpose.
If the data subject wishes to withdraw consent to such processing, the subject may contact the Company and make a request by following Article 11. Please kindly note that the withdrawal of consent may affect the processing in accordance with the purpose, therefore, the effect should be studied or inquired about before withdrawing consent for the benefit of the data subject.
5. Disclosure of Personal Data to Third Parties
The Company may disclose the personal data of the data subject to third parties as necessary for the processing of the data in accordance with their contractual or legal obligations, or with the consent of the data subject. The Company may submit personal data of the data subject to the following third parties:
1) Agents and contractors or third party service providers to enable these individuals and/or entities to provide services to the Company and data subjects, such as financial business groups, consultants, experts and service providers in different areas, including information technology and communication, travel coordinator companies for seminars, meeting organizers, Thailand Securities Depository Company Limited, and person performing duties related to the issuance and offering of securities, etc.
2) Federal regulatory agencies or agencies with regulating duties such as The Bank of Thailand, Securities and Exchange Commission, Office of the Consumer Protection Board, Fiscal Policy Office, Ministry of Finance, Anti-Money Laundering Office, The Revenue Department, National Anti-Corruption Office, Legal Execution Department, Ministry of Justice Royal Thai Police, any person to whom the Company is required to disclose information as required by applicable laws or regulations, or in other specific cases, such as in accordance with a court order.
3) For the establishment of Comany contractual or legal claims, or to contest to fight legal claims.
4) The Company may transmit or transfer the personal data of the data subject to foreign countries in order to comply with the contract between the Company and other persons or entities for the benefit of the data subject, or to meet legal requirements. The country where the data is received must be ruled by the Personal Data Protection Committee that there is adequate protection of personal data, or the agency or organization where the data is received must be verified and certified by the Office of the Personal Data Protection Commission that there are appropriate established personal data protection measures.
6. Automation of Data Processing
With the explicit consent of the data subject, the Company may use the personal data of the data subject for automatic processing to collect other data. If the data subject wishes to withdraw consent to such processing, the subject may contact the Company and make a request by following Article 11.
7. Personal Data Rights of Data Subjects
Data subjects have personal data rights which they can exercise. Data subjects can exercise their rights under the terms of the law and in accordance with the notice outlined herein or notices that will be amended in the future as follows:
1) Right to be informed by being informed about the processing of personal data, collection method, the recipient of data, reason, and period for which personal data is stored.
2) Right of access by obtaining a copy of the personal data of the data subject under the Company's accountability, and checking whether the Company has processed the data in accordance with the law.
3) Right to data portability check whether the Company has made personal data in a format that is legible or compatible for general use with automated tools or devices, and that the data is automatically processed. Data subjects can submit a request to the Company to send or transfer personal data to other individuals by automated means or obtain personal data that the Company sends or transfers directly to other individuals unless limited by by technical conditions.
4) Right to object data subjects can object in the event that the Company processes the personal data of the data subject.
5) Right to erasure and right to be forgotten data subjects can request erasure, destruction, or render the personal data of the data subject anonymous.
6) Right to restrict processing data subjects may request to suspend the use of the personal data when the Company is in the process of investigating the subject’s request to correct the personal data, or when the Company is in the process of verifying or investigating the subject's request to exercise the right of objection.
7) Right of rectification data subjects can request to correct data to make it complete and up-to-date. If data subjects find that the personal data of the data subject is inaccurate, incomplete and not up-to-date, the data subjects have the right to file an application to exercise their rights to the Company. In some cases, the Company may refuse the exercise of such rights of data subjects for the reasons that will be provided for further notice.
Data subjects can file a complaint to the Office of the Personal Data Protection Commission if they do not agree with the reasons that the Company provides.
Any request for the exercise of the data subject's rights outlined above must be done in writing. The Company in the best of its ability will process or clarify the request within 30 days or not more than the time limit stipulated by law. The Company will comply with legal requirements related to the rights of data subjects as data subjects. In the event that data subjects request the Company to erase, destroy or eliminate the processing of personal data, temporarily suspend the use, convert personal data into non-personally identifiable data, or withdraw consent, such events may lead to restrictions on the Company to perform transactions or provide services to data subjects. To exercise the rights outlined above, the Company reserves the right to charge relevant and necessary costs for the processing of personal data as requested by data subjects.
8. Retention Period of Personal Data
In principle, personal data is kept as necessary. The Company will collect personal data for the duration of a period necessary according to the purposes for which the data were collected by law. Personal data of the data subject will be collected for the duration of the contracting party or a person who conducts transactions with the Company. The data will be collected not more than 10 years from the date of expiration of the counterparty period, or the person who conducts the transaction, or as required by law.
9. Methods Used by the Company to Protect the Personal Data of Data Subjects
The Company has protected personal data in accordance with the "Information Security Management System Standard (ISO / IEC 27001: 2013)”.
10. Amendments to the Privacy Protection Policy
The Company may review the privacy notice of data subjects. In the case of any changes, the Company will notify subjects on the Company's website and on channels that will be notified as appropriate.
11. Company’s Contact Details
Should the data subject wishes to exercise their rights, withdraw consent for the processing of personal data of the data subject, or have questions about the Company's processing of personal information, please kindly contact:
Customer Service: Dial 02 123 5000
Location: Krungthai Card Public Company Limited, Address 591 UBC II Building, 14th Floor Sukhumvit 33 Road, North Klongton Wattana, Bangkok 10110 Thailand. Tel. 02 123 5000.
Email Address: Data Protection Officer DataProtectionOfficer@ktc.co.th
If the data subject is of the opinion that the processing of the personal data of the data subject is not in accordance with the Personal Data Protection Act, B.E. 2562 (2019), the data subject has the right to lodge a complaint to the Office of the Personal Data Protection Committee.
This notice is effective from May 27, 2020, onwards. In the case that the effective date of the enforcement of personal data protection under the Personal Data Protection Act B.E. 2562 (2019) becomes postponed, the effective date of this notice will be postponed to the same day the legal protection of personal data becomes effective.