TMB Bank Public Company Limited (the “Bank”) acknowledges the importance of personal data protection of a customer (“the Customer”). Therefore, the Bank uses the high standard and strict process for data protection of the Customer’s personal data from unauthorized access, use, change or disclosure or not in good faith. The Customer can examine information on personal data protection of the Customer as follows;
- Scope of application
The Bank may review, amend this policy from time to time in compliance with applicable laws and/or subordinate legislation, regulations, announcement of any government authority which will be newly issued. If there is any amendment on this policy, the Bank will publish the updated version as early as possible to be up-to-date and in accordance with the new legislation.
- What kind of personal data where the Bank collects, uses and/or discloses?
Personal data under applicable means any data of an individual which can identify such Customer whether directly or directly (except for the deceased) and irrespective of whether is provided by the Customer or in possession of the Bank or received by the Bank and/or accessed from other reliable sources (as set forth herein). Personal data of the Customer that is collected by, used by and/or disclosed by the Bank is general personal data and sensitive data.
- General Personal Data includes as follows;
- Identification Information such as first name/last name, identity card number, passport number, birth date, address, e-mail address, telephone number etc.
- Transaction Information such as account number for deposits, investment fund, credit card number, debit card number, statement of credit/debit account etc.
- Financial Information such as income information, history of credit information with the Bank or repayment records, information from the Execution Department etc.
- Marital Status such as single, married etc.
- Favorite behavior of the Customer to search information through the internet (Online Behavior Information) such as Website Browsing or connection to other website of the Customer etc.
- Audio / Visual Information when the Customer contacts the Bank at the address of the Bank or does transactions through the Video Call or telephone number of the Bank through TMB Contact Center.
- Sensitive Data
Sensitive Data means personal data about race, religion, politic opinion, criminal record, labor union, biometric data, health information, credit information, biometric data used for verification of the Customer such as fingerprint, face recognition, eye scan, voice recognition etc. The Bank has no policy to collect sensitive data of the Customer except for receiving prior consent from the Customer or necessity basis for the purpose of (a) identity authentication and/or (b) as electronic signature with the Bank when doing transactions with the Bank through digital channel, branch or website of the Bank.
Hereinafter referred to both types of personal data as the “Data”.
The Bank may collect personal data of the Customer from reliable sources such as the Development Business Department, Department of Provincial Administration, Department of Consular Affairs, the Ministry of Foreign Affairs, Credit Bureau Company, the Legal Execution Department including without limited to financial institutions, financial group and/or the Bank’s business partners and/or financial advisors etc.
- General Personal Data includes as follows;
- What is the basis/purpose and rights of the Bank to collect/use and/or disclose personal data?
Basis/purpose and rights of the Bank to collect/use and/or disclose personal data as follows;
- Contractual basis between the Customer and the Bank includes;
- To use products and/or services of the Bank by the Customer such as opening accounts, receiving loan facility, using various service through mobile application etc.
- To comply with the Bank’s internal procedure when the Customer wishes to open an account or carries out transactions with the Bank, the Bank shall authenticate the identity of a Customer and uses the Customer’s address or telephone number to contact the Customer.
- To insure collateral, life insurance of the Customer whereby the Bank is identified as the beneficiary or debtor’s portfolio insurance such as requesting guarantee facility from Thai Credit Guarantee Corporation or with Exim Bank for exporters etc.
- To sell loan portfolio to a third party such as transferring to an asset management company etc.
- To send, receive documents between the Customer and the Bank.
- To demand for payment on outstanding debts from a debtor under any facility agreement with the Bank.
- Complying with applicable laws includes;
- To prevent and detect any irregular activities which lead to money laundering, terrorisms, public fraud, reporting information of the Customer’s Information to the Revenue Department etc.
- To report personal data to government authorities such as the Bank of Thailand, the Anti-Money Laundering Office or the Revenue Department or when receiving summons, foreclosure or attachment orders from competent courts or regulators etc.
- Legitimate interest of the Bank includes;
- To record video of the Customer when doing transaction with the Bank’s branch or office onto CCTV for safety purpose within the building of the Bank.
- To manage risks/auditing/ internal management including delivering data to subsidiaries for the said matters but excluding sending data abroad.
- To check sending/receiving E-mail or internet between the Bank’s employees and the Bank to prevent disclosure of the Bank’s confidential information to a third party.
- To contact the Customer with marketing and offers similar products and services suitable for the need of the Customer and/or marketing research for developing and improving products and services through data analytics or market and product analysis or preserve relationship with the Customer such as claim process management etc.
If the Customer does not provide personal data to the Bank, such failure may impact to the Customer such that he/she cannot subscribe product/service or cause inconvenience or causes the Bank to be unable to comply with the Bank’s contractual obligation and the Customer may sustain damages, loss opportunity, not comply with applicable laws by the Bank or the Customer and may be subject to punishment under applicable laws.
- Contractual basis between the Customer and the Bank includes;
- Who will the Bank share the Customer’s Information with a legitimate interest in doing that?
The Bank will not share or disclose the Customer’s personal data to a third party who is not within the Bank’s financial group except for (i) receiving the Customer’s consent (ii) do transactions in compliance with the Customer’s intention (iii) disclosure as required by laws or the orders of any regulatory bodies (iv) disclosure to the credit bureau company or any similar organization. The Bank discloses personal data of the Customer to the following recipients;
- The Bank’s financial group which consists of Thanachart Bank Public Company Limited, Thanachart Broker Company Limited and Phahonyothin Asset Management Company Limited.
- Outsource service providers whether located in Thailand or abroad such as software developers, marketing events service providers, data research service provider, cloud service provider, debt collection provider etc.
- Other financial institutions whether located in Thailand or abroad where the Customer asks the Bank to deal such as for making payment on behalf of the Customer etc.
- Assets insurance/life insurance companies.
- Debt portfolio purchasers such as an asset management company etc.
- Government authorities and/or regulators such as the Bank of Thailand, Anti-Money Laundering Office, the Revenue Department, Office of Insurance Commission, Securities and Exchange Commission, courts, police or any government agencies that issue summons, seizure orders or reporting personal data such as the Legal Execution Department etc.
- How does the Bank protect the Customer’s personal data?
The Bank has implemented policies, manual and minimum standard to manage the Customer’s personal data both technical measure and organizational measure such as information technology safety standard or the policy on confidential information of customers etc. The Bank has improved such policies, manual and minimum standard from time to time in accordance with requirement under applicable laws.
In addition, officers, employees and contractors of the Bank have duty to protect personal data of customers in accordance with confidentiality agreement signed with the Bank.
If the Bank needs to send or transfer personal data of the Customer abroad that has less standard of customers’ data protection, the Bank will take action as necessary at least equal to the standard of confidentiality of that country such as having confidential agreement with a party in that country etc.
- What are the rights of a Customer about his/her personal data?
The Bank acknowledges the importance of the Customer’s rights under the Personal Data Protection Act where the Customer should know as follows;
- Right to Withdraw or Cancel Consent
The Customer shall have the right to withdraw or cancel consent previously given to the Bank for collection, use and/or disclosure of the Customer’s personal data at any time except that such right of withdrawal or cancellation is limited under applicable laws or contracts which give benefit to the Customer such as the Customer still uses service or product(s) of the Bank or the Customer still has contingent liability with the Bank.
- Right to Access Information
The Customer shall have the right to access and receive his/her personal data which is in possession of the Bank or request the Bank to disclose acquisition of such information under which the Customer does not give consent.
- Right to Data Portability
The Customer shall have the right to access his/her persona data with the Bank in the event where the Bank has made such personal data in readable format or usable by any automatic equipment or device and capable of using or disclosing automatically including (a) right to request the Bank to send or transfer personal data to another data controller when capable of doing so or (b) right to receive data where the Bank send or transfer data in such format to another data controller directly except for that it is technically impossible.
- Right to Object Profiling
The Customer shall have the right to object collection/using or disclosing personal data of the Customer as follows;
- For information collected from necessity for public interest of the Bank or necessity for legitimate interest of the Bank except for that the Bank can show more importance of legitimate interest or establishing legal claim, complying with or raising legal excuse under applicable laws.
- For collection, use or disclosure of personal data on direct marketing purpose.
- For collection, use or disclosure of personal data for the purpose of scientific, historical, statistic area except for necessity to accomplish public interest tasks of the Bank.
- Right to Erasure
The Customer shall have the right to request the Bank to erase or destroy or anonymize personal data of the Customer in the following events;
- When the personal data is unnecessary for retention in accordance with the purpose of collection, use or disclosure.
- When the Customer as the data subject has cancelled consent for collection/use or disclosure of personal data and the Bank has no legitimate interest to collect, use or disclose personal data.
- When the Customer argues on the collection/use or disclosure of personal data as the personal data is no longer necessary for collection/use or disclosure under the purpose given or for direct marketing.
- When the personal data is collected, used or disclosed unlawfully.
- Right to Restrict Processing
The Customer shall have the right to restrict the use of personal data in the following events;
- During the investigation pursuant to the Customer’s request.
- Personal data which must be erased or destroyed because it is illegitimate collection/use or disclosure by the Customer requests to suspend the use instead.
- When the personal data is no longer necessary to retain information in accordance with the purpose of collection on such customer’s personal data but the Bank must retain for establishing legal claim, complying with or legal enforcement or legal argument under applicable laws.
- When the Bank is proving that the Bank’s legitimate interest is more important or establishing legal claim, complying with or raising excuse against legal claim after the Customer objects to the collection/use/disclosure by the Bank.
- Right to Rectification
The Customer shall have the right to request the Bank to amend information to be up-to-date, correct and not misleading.
- Right to Complaint
The Customer shall have the right to file a complaint to the specialist committee if the Bank or any data processor is in breach of the Personal Data Protection Act and/or any ministry regulations or announcement issued under the said Act.
Rights of the Customer set forth above limit to the data where the Customer provided to the Bank but excludes data where the Bank has prepared such as credit opinion whether to grant credit facility or otherwise and depend on relevant factors where the Bank may not proceed in accordance with the Customer’s request such as legitimate interest of the Bank and the Personal Data Protection Act becomes effective and in accordance with the requirements promulgated by the Office of the Personal Data Protection Committee. For example,
- The Customer still has deposit account(s) or credit facility with the Bank or continues to use certain service with the Bank or the Bank must keep personal data of the Customer in accordance with data retention period under applicable laws even though the Customer ceases to be the Bank’s customer any more.
- Rejection pursuant to applicable laws and access and obtaining copy of personal data will cause damages to a third party’s right and freedom such as when information requested includes another person’s information or information whose the Bank shall receive permission from the police, courts or competent authorities or requested information includes the Bank internal information or requested information is transaction information between the Customer and the Bank which can not be erased etc.
- Right to Withdraw or Cancel Consent
- What is the Customer’s duty to provide personal data?
The Bank will be able to provide service to the Customer on contractual basis when the Bank receives personal data of the Customer in accordance with Know Your Customer and Customer Due Diligence (Anti-Money Laundering regulations) to be up-to-date. Consequently, it is necessary that the Customer shall co-operate with the Bank on this action as well.
- How long does the Bank keep personal data of the Customer?
If the Customer ceases to be customer of the Bank or has terminated relationship with the Bank, the Bank will retain personal data for back-up purpose as required by applicable laws and in accordance with policy, manual on data retention of the Bank such as the Anti-money laundering requires to retain information for 10 years etc.
- How can the Customer contact the Bank?
If the Customer wishes to contact or has inquiry about information on collection/use/disclosure of personal data and/or rights of the Customer hereunder or to withdraw or cancel consent on marketing purpose or informs the Bank on illegitimate use of his/her personal data, the Customer can contact the Bank through;
- TMB Contact Center : Tel 1558
- Address: TMB Bank Public Company Limited, 3000 Phahonyothin Road, Kwaeng Chompon, Chatuchak, Bangkok 10900
- E-mail: DPO@tmbbank.com.