Personal Data Protection Policy
Last updated June, 2021
KASIKORN GLOBAL PAYMENT COMPANY LIMITED ("the Company”) operates a payment service business in strict adherence to ethical standards, with respect for customers’ right to privacy. The Company has always placed importance on personal data protection and security. You can be assured that your personal data will be used in compliance with stated objectives and applicable laws. The Company has therefore established the personal data protection policy (the “Policy”) to inform you, as the Data Subject, of the objectives and details of collection, use and/or disclosure of personal data including your legal rights.
Who does the Policy apply to?
This Policy shall apply to you if you are classified as one of the following:
- The Company’s natural person customer such as a natural person who is using or has used products and/or services, or who has inquired about data of products and/or services, or who is informed of data of products and/or services via various channels, or who is offered or persuaded by the Company to use products and/or services.
- A natural person who has involvement with transactions of the Company or the Company’s customers such as shareholder, director who is authorized to undertake operations on the Company’s behalf, partner, agent, assignee, contact person, employee, staff, officer, personnel, family member, friend, a person recommended or referred by the Company’s customer, investor, guarantor, provider of securities, ultimate beneficiary, trade partner, creditor, debtor, lessor, lessee, payer or payee of the Company’s customer, visitor of the Company’s website or the person using services at KBank branches as determined by the Company, professional advisor and other natural persons of the like.
- Any other natural person with whom the Company has a relationship, interaction or contact by other means, or who provides personal data to the Company, regardless of the channel.
What kinds of personal data are to be collected, used and/or disclosed?
- Personal data refers to the information that can be used to identify you, either directly or indirectly, including personal data which you have directly provided to the Company or via the Company or held by the Company, including that derived from the use of products and/or services and contacts, visits, participation in activities, searches conducted via service or contact channels of the Company such as KBank branches, websites, Call Center, online social media, email, customer service center, telephone, facsimile, post, questionnaire, name card, meeting, training, seminar, events, marketing promotional campaign or any other channel.
- Personal data which the Company has obtained or gained access to from other sources, including government agencies, companies within KASIKORNBANK FINANCIAL CONGLOMERATE, service providers which are companies within the group, subsidiaries of KBank, financial institutions, financial service providers, and other service providers of the Company, business partners, companies jointly launching products and/or services with the Company, credit information companies and data service providers, a person or juristic person conducting transactions with the Company (wherein you are a natural person who has involvement with said transactions), online social media, external online platform, public data sources, competent authorities, or any other person or agencies with which the Company has a legal relationship, etc.
On the contrary, if you provide to the Company the personal data of a third party who has a relationship with you such as a family member, a referee, a guarantor, a beneficiary, executor of an estate, contact person in case of emergencies and/or any other person per your transaction documents, you are to request their consent, if required, for the Company, and must notify those persons of details about the Policy.
Personal data that the Company collects/uses and/or discloses shall include:
- Private information such as title, name, middle name, surname, alias (if any), age, gender, occupation, date, month and year of birth, job position, educational level, nationality, country of residence, signature, data on the documents issued by government agencies (such as copy of national ID card, copy of passport, copy of visa, copy of alien certificate, copy of work permit, copy of government/state enterprise official ID card, copy of house registration, copy of name change certificate, copy of death certificate, copy of driving license or identity documents of the like), etc.
- Contact information such as address per important documents, current address and address in the country of nationality, workplace, telephone number, mobile phone number, fax number, email or account for electronic communication or other online social media (such as Facebook User Name, Meta ID, LINE ID or other online merchant User Name), etc.
- Work information such as occupation and occupational fields, position, current years of work, job details, business types, shareholding ratio, and/or any other document for confirmation of business operation (such as lease contract of business establishment) etc.
- Financial information such as income data, bank account number for receiving payment, credit/debit card data, sources of income, taxpayer ID, etc.
- Information on transactions such as application data, channels and use of products and/or services, account type, card type, details and objectives of transactions, payment details and history, etc.,
- Information related to the use of services and/or products such as details of application for use of products and/or services, data per Know Your Customer (KYC) form, and other data requested by the Company as required by law (such as relationship with a person holding a political status) etc.
- Technical information on equipment or devices such as IP address or MAC address, log, data for logging in to the system, access time, use of and time spent on website, request data and other technologies on your device used for accessing the platform and other technical data from use on the platform and operating system.
- Other information such as data on registration for activities of the Company, supplemental documents for application for products and/or services, ownership documents, other data from business partners, data from special joint project, confirmation letter of ultimate beneficiary, feedback and opinion for use of products and/or services, data on customer assessment scoring, behavioral data, opinion, preference on online social media, complaints and exercise of rights, notification, request for documents issued by government agencies, data on fraudulent behavior and record of communication or conversation between you and the Company, voice record, photos, animations/videos, clips, photos or video from CCTV and any other data regarded as personal data under the Personal Data Protection Act.
- “Sensitive personal data” refers to personal information which is specifically determined by law. The Company has no intention to collect your sensitive personal data. In certain cases, the Company may be required to request your sensitive personal data to support the provision of services or products to you. Such data shall include religion and race per copy of national ID card or passport of some countries, criminal record, etc. The Company shall collect, use and/or disclose the sensitive personal data provided that the Company has been given explicit consent from you or as required by law. The collection of your sensitive personal data shall be undertaken on a case-by-case basis.
(Unless specifically stated otherwise, personal data and sensitive personal data in connection with you as aforementioned shall hereinafter be referred to as “Personal Data”.)
What are the purposes of collection, use and/or disclosure of your Personal Data?
The Company will collect, use and/or disclose your Personal Data only as required under the Company’s legitimate objectives which shall include the collection, use and/or disclosure of Personal Data for compliance with the contract in which you are a contract party, for performance of duty under the law, for legal benefits, for operations per your consent and/or for operations under other legal bases. The objectives for collection, use and/or disclosure of Personal Data per this Policy are as follows:
- Objectives based on consent
- Collection, use and/or disclosure of sensitive Personal Data for which the Company cannot use other legal bases but must request consent for such objectives shall include:
- Data on religion and race (per copy of national ID card or passport of certain countries) which the Company shall not use but collect as part of documents for your identity verification only.
- Criminal record which the Company shall collect, use or disclose only as required for the provision of the Company’s services or products.
- Data analysis and research, analyses, research, statistics and development, improvement of products and/or services; these actions allow you to receive the products and/or services that require your consent in accordance with law.
- Marketing operations, submission of offers for products and/or services, privileges for attending activities held by the Company, including news, useful advice and appropriately selected promotions and launch of marketing strategies that require your consent in accordance with law.
The Company may request your consent directly or via the Company, KASIKORNBANK FINANCIAL CONGLOMERATE, the Company’s subsidiaries, business partners and/or other juristic persons.
If the legal bases involve request for consent, you may revoke your consent at any time via the channels as determined by the Company. The consent revocation shall not affect the collection, use and disclosure of Personal Data, and sensitive Personal Data for which you previously gave consent before such consent is revoked.
- Collection, use and/or disclosure of sensitive Personal Data for which the Company cannot use other legal bases but must request consent for such objectives shall include:
- Objectives for which the Company uses other legal bases in addition to request for consent
- Operations before entering into a contract with the Company such as giving consultation, advice and/or any other data related to products and/or services, verification of qualification, check of data or document accuracy, identity authentication and confirmation, examination and preparation of Sanction List, White List, Initial List and Approve List, customer classification, data analysis and study of customer demand. Any operation related to delivery of products and/or services per the contract that you have entered into with the Company such as acceptance of payment for goods/services via website/application or other channels through which the Company has provided services such as communication, receipt/delivery of documents or parcels, processing of request and operation per the request approval procedure, entering into a contract, agreement and/or any other related juristic act, registration for use of products and/or services for participating in the Company’s activities.
- Delivery of products and/or services such as any operation related to the provision of products and/or services (such as application for use of services, change in data, amendment to contract in accordance with customer’s benefits and rights, customer relationship management, management service, after-sale transaction operation and customer facilitation, provision of advice or customer risk management guidelines, complaint management, problem solving, operation per customer’s request, acceptance of payment in the form of money or any asset, monitoring of performance per conditions for use of products and/or services, and termination of services.
- Marketing operation: Submission of the offering of products and/or services, privileges for attending activities held by the Company, acceptance of application for products, services and/or privileges that you have requested, including news, useful advice and appropriately selected promotion, and the launch of marketing strategies that do not require your consent under the law such as operations per the sales promotion strategies, contact in case of delivery/return of the products and/or services in order to offer additional products and/or services that may be of your interest or to facilitate your reapplication for the same products and/or services with the Company.
- Data analysis and research: Analysis, research, statistics and development, improvement of products and/or services to allow you to receive products and/or services without your consent under the law.
- Any operation for the Company’s legitimate benefit such as preparation of customer database, record of data in the system or database, study, analysis, notification of debt payment or renewal of products and/or services, debt collection, satisfaction assessment, document management, assessment, marketing research, analysis, preparation of models and improvement and development of products and/or services, report preparation, litigation or related legal procedures, monitoring of performance per the Company’s internal operational procedures, participation, coordination and/or assignment of work to another person to perform on behalf of, or with the Company to support the delivery of products and/or services, assignment of rights and/or duties, management of operations of the Company and KASIKORNBANK FINANCIAL CONGLOMERATE, operational planning, preparation and/or internal management of the Company, the use of CCTV, control of entry/exit of the Company’s premises, management of illegal incidents (such as fraud, money laundering, terrorism and mass destruction weapon proliferation, crime, intellectual property infringement including management planning, examination, surveillance, evidence collection, reporting, and/or detection), the Company’s risk management, compliance and audit, examination and record of assets and database of business risk incurred to the Company, internal organization management, preparation, management, examination/audit and improvement of the Company’s platform and/or payment service channels, IT operation, communication system management, and prevention, response, and mitigation of IT risk and cyber threats of the Company.
- Performance per the order of competent authorities and/or compliance with laws such as compliance with the order of court, the government agencies, agencies with authority to supervise the Company, competent officers under the Personal Data Protection Act, payment system law, tax law, anti-money laundering law, law pertaining to Anti-Money Laundering, Combating the Financing of Terrorism and the Proliferation of Weapons of Mass Destruction Act, computer law, bankruptcy law and other laws with which the Company is required to comply, either in Thailand or other countries, including announcements and procedures issued under these laws, which are now being enforced, to be amended or to be enforced in the future.
- Prevention or cessation of danger to a person’s life, body or health
If the Company is required to collect, use and/or disclose your Personal Data for performance under the contract that you have entered into with the Company and/or for the Company’s performance of duty under the law, the Company may not be able to approve or deliver/provide products and/or services, either partly or wholly, to you unless you provide such Personal Data to the Company, upon request.
To whom will your Personal Data be disclosed?
Under your consent or other legal bases in accordance with the objectives specified in this Policy, the Company may disclose your Personal Data to a third party, including companies within KASIKORNBANK FINANCIAL CONGLOMERATE, personal data processors, business partners, external service providers, the Company’s representatives, sub-contractors, financial institutions, auditors, external inspectors, credit ratings companies, asset management companies, credit information companies, competent authorities, potential assignee and/or assignee of rights to transactions or mergers of the Company, any juristic person/individual who has established a relationship or entered into an agreement with the Company including executives, employees, staff, contractors, agents, advisors of the Company and of persons or entities which are recipients of said data.
In cases where your Personal Data is disclosed to a person or other organizations for marketing purposes of the data recipient such as for sales promotion, public relations or offering of products and/or services by the data recipient to you, the Company shall notify you of the data recipient’s name for your decision in giving consent.
Will the Company send or transfer your Personal Data to other countries?
The Company may find it necessary to send or transfer your Personal Data to companies within the same business group in other countries, or to other data recipients, as part of its normal business operation. For instance, Personal Data may be sent or transferred for storage on cloud platforms or servers in other countries, to business partners who jointly provide products and/or services and who jointly launch products, and service providers on online social media.
If the destination country fails to meet the given standards for data protection, the Company must ensure that Personal Data will be sent or transferred in accordance with legal requirements while personal data protection measures will be put in place, as required, appropriate for and consistent with the confidentiality standards. For instance, an agreement on confidentiality must be entered into with data recipients in the relevant country to confirm that your Personal Data will be equally protected under the personal data protection standard as it is in Thailand. If data recipients are companies within KASIKORNBANK FINANCIAL CONGLOMERATE, the Company may ensure that a personal data protection policy (Binding Corporate Rules) verified and certified by relevant competent authorities is in place, and shall send or transfer Personal Data to companies within KASIKORNBANK FINANCIAL CONGLOMERATE abroad in accordance with the personal data protection policy.
How long does the Company keep your Personal Data?
The Company will safeguard your Personal Data while you are the Company’s customer or have a relationship with the Company, or during the period required in order to achieve the related objectives of this Policy. After your relationship with the Company ends, your Personal Data shall be retained for an additional period thereafter, per the period required in accordance with the statute of limitations or as required or permitted by law. For instance,
- Personal Data shall be retained in accordance with the anti-money laundering law for 5-10 years after the end of relationship, as the case may be.
- Personal Data shall be retained in accordance with payment system law, accounting law, and tax law for 10 years after the end of the relationship.
The Company shall proceed through appropriate steps in order to delete/destroy or make anonymous the Personal Data on a regular basis once it is not required or after the end of the aforementioned period. In case you have already provided your Personal Data to the Company but later you are no longer the Company’s customer or no longer have a relationship with the Company, the Company shall delete/destroy the Personal Data or make it anonymous within not more than 30 days after the application date.
How does the Company protect your Personal Data?
The Company shall apply technical measures and administrative and physical safeguards for maintaining confidentiality, accuracy, completeness and availability of Personal Data to prevent unauthorized or illegitimate access, collection, revision, rectification, use and/or disclosure of Personal Data in accordance with legal requirements. The Company has put in place measures that are appropriate and safeguard against Personal Data breaches. The Company has therefore established policy, procedures and criteria on Personal Data protection.
The Company’s executives, employees, personnel, contractors, representatives, advisors, and recipients of data from the Company shall maintain the Personal Data confidentiality and security in accordance with the confidentiality measures determined by the Company.
What are your rights in connection with your Personal Data?
Your rights under this item are legal rights that you should be aware of. You may exercise your rights under legal requirements and policies currently available or to be amended in the future, including criteria determined by the Company. If you are less than 20 years old, or have limited capacity to perform juristic acts under the law, you may have your father or mother, guardian or authorized person express the intention to exercise the right on your behalf.
- Right to revoke consent: You are entitled to revoke the consent that you have given to the Company to collect, use and/or disclose your Personal Data (whether such consent is given prior to or after the Personal Data Protection Law is enforced), at any time during which your Personal Data is held by the Company, unless there is right restriction by law or there is a contract which is beneficial to you. The revocation of your consent shall not affect the collection, use and/or disclosure of your Personal Data that is undertaken before the consent is revoked.
Your use of products and/or services may be adversely affected by the revocation of your consent. For instance, you may not receive special offers on products and/or services, benefits, promotions or new offers, or may not receive products or services which are more satisfying and correspond to, or are in line with your needs, or may not receive news or advice beneficial to you. For your own benefit, you should determine the potential impacts before deciding to revoke your consent.
- Right to access: You are entitled to have access to your Personal Data under the Company’s responsibility and to request that the Company provide you duplication of said Personal Data and inform you of how your Personal Data has been obtained.
- Right to data portability: You are entitled to request your Personal Data which has been processed by the Company to be in a format that can be read or used in general with an automated device or equipment, and can be used or disclosed with automated methods. You are also entitled to request the Company to send or transfer your Personal Data of said format to the Data Controller if it can be processed via automated method, and to receive your Personal Data which is directly sent or transferred by the Company via said format to the Data Controller, unless it cannot be processed due to technical difficulties.
Your aforementioned Personal Data must be that which is under your consent granted to the Company to collect, use and/or disclose, or must be Personal Data that the Company is required to collect, use and/or disclose to allow you to use products and/or services of the Company in accordance with your intention wherein you are a contract party with the Company, or to undertake operations per your request before using the Company’s products and/or services, or must be other Personal Data determined by competent authorities.
- Right to object: You are entitled to lodge an objection against the collection, use and/or disclosure of your Personal Data, at any time, even if the collection, use and/or disclosure of your Personal Data is undertaken for the legitimate benefit of the Company or a person or any juristic person, or for undertaking operations for public benefit. If you lodge an objection, the Company shall continue to collect, use and/or disclose your Personal Data only if the Company can provide legal reasons that the collection, use and/or disclosure of your Personal Data is deemed more important, or is undertaken for the establishment, defense, use of, or compliance with, the rights to claim in accordance with applicable law, as the case may be.
In addition, you are entitled to lodge an objection if the collection, use and/or disclosure of your Personal Data is undertaken in accordance with objectives related to direct marketing or for the purpose of scientific, historical or statistical studies and research.
- Right to erasure or right to be forgotten: You are entitled to delete or destroy your Personal Data or make it anonymous if you believe that your Personal Data has been collected, used and/or disclosed illegitimately, which is not in compliance with relevant laws, or if you deem that it is no longer necessary for the Company to retain the data per the objectives of this Policy, or when you exercise your right to revoke consent or your right to object as aforementioned.
- Right to restrict processing: You are entitled to restrict the processing of Personal Data if the Company is conducting an investigation per your request to exercise your right to rectification or right to object, or for any other case wherein it is no longer necessary for the Company to retain your Personal Data, and the Company must delete or destroy the data in accordance with relevant laws, but you have sought to request that the Company restrict the data processing, instead.
- Right to rectification: You are entitled to rectify your Personal Data to keep it accurate, up-to-date, complete and not misleading.
- Right to lodge complaint: You are entitled to lodge a complaint to relevant competent authorities if you believe that the collection, use and/or disclosure of your Personal Data violates or does not comply with applicable laws.
Your exercising of the aforementioned rights may be restricted by applicable laws and, in certain cases, there may be compelling reasons that may cause the Company to deny your request or may prevent the Company from complying with your request. For instance, the Company may have to comply with laws or court orders for the public benefit, or your request may potentially violate other persons’ rights or freedoms. If the Company opts to deny said request, the Company shall give you the reason(s) for such denial.
You may submit your request to exercise your rights with a processing period of 30 days (from the date you have submitted the request with complete documents) via channels and KBank branches, as determined by the Company; Branch details can be viewed atwww.kasikornglobalpayment.com.
Will the Company add to, rectify or revise the Personal Data Protection Policy?
The Company may consider adding to, rectifying or revising this Policy from time to time, as deemed appropriate and permitted by law. In case of addition to, rectification or revision of this Policy, the Company will announce the current policy on the Company’s website atwww.kasikornglobalpayment.com/th/privacy-policy.
How can you contact the Company and the Personal Data Controller?
If you have any suggestions or want to inquire regarding details of the collection, use and/or disclosure of Personal Data, or want to exercise your rights under this Notice, you may contact the Company and/or the Personal Data Controller via the following channels:
- Personal Data Controller, email: DataProtectionOfficer@kasikornglobalpayment.com
Contact address: KASIKORN GLOBAL PAYMENT CO., LTD. No.87/1 Capital Tower, All Seasons Place, 10th Floor, Witthayu Road Lumphini Sub-district, Pathumwan District, Bangkok 10330