4. To whom will the Bank disclose your Personal Data?
The Bank may disclose your Personal Data for the purposes mentioned above to other persons or organizations as follows.
- Companies in the Bank's financial business group, including its other group of companies (CIMB group) (for more details, please visit: https://www.cimbthai.com/en/personal/who-we-are/about-us.html).
- Subcontractors, agents, contractors, brokers, and outside service providers to conduct business on behalf of the Bank or to help support the Bank's services both in Thailand and abroad including employees subcontractor service providers, directors, and officers of the said service providers.
- Assigned to manage properties or any benefits, official receivers or enforcement officers.
- Guarantors or deposits in lieu of performance in the amount that you are obliged to the Bank.
- Any person to whom you have paid and/or received payment.
- Representative, representatives of the Bank, payment systems, business partners, vendors, and other companies in which you invest through the Bank.
- Other financial institutions, lenders, collateral holders, Revenue Department officers, trade associations, credit information collection agencies, service providers related to payment systems, and debt collection agents.
- Database system providers for exchanging information between financial institutions, including digital identity verification service providers
(i.e. National Digital ID (NDID)), third-party agencies engaging in identification and verification, and service provider of payment infrastructures and international money transfers (i.e. National Interbank Transaction Management and Exchange (NITMX)).
- Service providers for delivering messages (SMS) or emails.
- Service providers for information technology, technology support, and technological security.
- Fund managers providing you with asset management services and any financial advisors, or brokers introducing you to the Bank, Stock Exchange of Thailand, Thai Bond Market Association Securities, Depository Service Center dealer Registrars appointed by a bond distributor.
- Any person or companies involved in a company restructuring, merger or acquisition that occurs or may occur, including the transfer of any rights or obligations under the contract between the Bank and you.
- Law enforcement agencies, government, courts, court procedures, dispute resolution agencies, the Bank’s regulartory bodies, auditors, and persons appointed or requested by the Bank’s regulartory bodies to examine the Bank's operating activities.
- Other person involved in any dispute that arises, including disputes related to transactions.
- Anti-corruption and/or fraud agencies which use such information to investigate and prevent corruption, fraud, and other financial crimes and to verify your identity.
- Persons who order or manage your account, products, or services on your behalf (e.g. attorney, lawyer).
- Persons to whom the Bank discloses your Personal Data as per your instruction.
- Consultants or experts in various fields of the Bank.
- Business partners or service providers with whom the Bank is a counterparty, established in Thailand and abroad.
- Debt collection service providers.
- Providers for document storages and/or warehouses, card production, printed media documents, or parcel delivery services.
- Business partners, marketing service providers, social media service providers in a secure format, or any external advertising companies for any marketing purposes. and/or
- Third parties and/or other agencies to meet the purposes specified in this Privacy Notice.
In some cases, the Bank may disclose your non-personally identifiable information to designated third parties for the purpose of targeted advertising.
The Bank will not use Personal Data for purposes other than those specified in this Privacy Notice. If the Bank collects, uses, and/or discloses additional information, it will inform you and request your consent before doing so. You have the right to provide your consent or decline the collection, use, and/or disclosure of your Personal Data, except in cases where the Bank is legally permitted to do so without your consent.
The Bank will strictly treat Personal Data related to customers under its responsibility as the Personal Data Controller in accordance with this Privacy Notice.
5. Sending or Transferring your Personal Data to other Countries
Your Personal Data may be sent or transferred to other countries and collected and/or used by other countries (such as Malaysia which is a country in CIMB Group) and by cloud service providers (Cloud Computing) where the Bank has business operations or the Bank is required to comply with various laws to achieve the business objectives or for your benefits.
However, the destination country receiving your Personal Data may have been not yet recognized an adequacy decision for Personal Data protection under the Personal Data Protection Law as announced by the Thailand Personal Data Protection Commission. In such cases, the Bank will ensure that such sending or transferring has appropriate levels of Personal Data protection measures and that such sending or transfer of information is in accordance with the law. This may involve entering into relevant standard contractual contracts (or any available appropriate safeguards that have equivalent safeguards) with counterparties outside Thailand. For example, your Personal Data may be disclosed to other companies in CIMB Group under Binding Corporate Rules (BCRs), acceptable contractual terms, and/or other appropriate Personal Data protection safegaurds. The Bank may need to send or transfer Personal Data to comply with a contract, to which you are a contracting party or to fulfill your request before entering into the contract, to comply with the law, to protect the public interest for fulfilling your request according to the contract between the Bank and the recipient of your Personal Data and/or with your consent which the Bank has informed you that the destination country receiving your Personal Data has inadequate level of Personal Data protection safeguards. However, the laws of some countries may require the Bank to disclose certain types of Personal Data (e.g., disclose to tax authorities). In such case, the Bank will disclose Personal Data only to those entitled to access such Personal Data.
6. Use of cookies and/or similar technologies
The Bank may collect and use cookies and/or other similar technologies when you use the Bank's websites and/or applications. You can learn more details from Cookies Notice on the Bank's website.
7. Retention of your Personal Data
The Bank will keep your Personal Data as long as necessary to achieve the purpose of collecting Personal Data.
The Bank will retain your Personal Data while you are a customer, or have a relationship with the Bank or for the necessary period to achieve objectives related to this Privacy Notice. When you end your relationship with the Bank, it will further retain your Personal Data for the necessary or legally-required or permitted period. For example, the Bank may keep it for 5 to 10 years after your relationship with the Bank ends (as the case may be) for the interest of the Bank to address any contractual disputes that may arise during that period. However, if the Bank is required by law or has technical reasons, it may retain your Personal Data longer than the expected retention period. If the Bank no longer needs to retain your Personal Data or when the retention period ends, the Bank will destroy, delete, or make Personal Data to be de-identifiable to the person who are data subject (so it is no longer linked to you).
In the event that you access third-party websites and/or applications via the Bank’s channels including being contacted by or using the products and/or services from third parties, such as insurance companies introduced to you by the Bank, those third parties may process your Personal Data in accordance with their own Privacy Notices and additional terms and conditions applied to their products and/or services. You can also learn more details from those third parties.
8. How do you keep your Personal Data up-to-date
You can update your Personal Data which is under the responsibility of the Bank as the Personal Data Controller to ensure its currency, completeness, and accuracy. You need to inform the Bank of any changes to your Personal Data by contacting the following channels:
- Contact the Bank’s representative at bank branches or CIMB Thai Care CenterTel. 0 2626 7777
- Update your Personal Data at bank branches or CIMB Thai Care Center Tel. 0 2626 7777
In addition, the Bank will occasionally contact you to review and update your Personal Data to ensure it remains current, complete, and accurate.
9. How does the Bank protect your Personal Data?
Under certain circumstances, you have entitled rights in your Personal Data in accordance with the Personal Data Protection Law. The Bank will respect your rights and proceed according to laws, rules or regulations related to the collection, use and/or disclosure your Personal Data in a timely manner.
Details of your rights are determined as below:
- Right to withdraw consent: In cases where the Bank collects, uses, and/or discloses your Personal Data relied on your consent, you have the right to withdraw such consent provided to the Bank to collect, use, and/or disclose your Personal Data at any time. The Bank may continue to collect, use, and/or disclose your Personal Data when the Bank has other lawful bases for doing so.
You have the right to adjust your consent provided to the Bank at any time through the channels specified in this Privacy Notice and/or other Privacy Notice of the Bank which are notified to you, unless there are limitations on legal rights and/or, a contract which results in benefits to the data subject. The change to your consent will be processed within 30 days from the date the Bank receives the notification of the change to the consent through the channels determined by the Bank.
In the event that you withdraw your consent provided to the Bank for the purpose of offering products and/or financial services by other service providers authorized by the Bank, it will no longer disclose your Personal Data to those service providers.
- Right to access to Personal Data: You have the right to access and request a copy of your Personal Data from the Bank.
- Right to rectification of Personal Data: You have the right to request rectification of your Personal Data to be accurate, up-to-date and complete. Please refer to Section 8 (How do you keep your Personal Data up-to-date).
- Right to erasure of Personal Data: You have the right to request the Bank to delete, destroy or anonymize your Personal Data when there is no reasonable ground for the Bank to collect, use, and/or disclose your Personal Data. You can exercise your right to request the Bank to delete this Personal Data, along with your right to object to the use of personal data, in other paragraph. However, this right does not entitle you to request the deletion of all Personal Data. The Bank will carefully consider each request in accordance with any legal requirements regarding the collection, use, and/or disclosure of your Personal Data.
- Right to suspension of using Personal Data : You have the right to request the Bank to temporarily stop collecting, using, and/or disclosing your Personal Data, such as when you request correction of your Personal Data or when you request the Bank to justify the reason or lawful basis for collecting, using, and/or disclosing your Personal Data.
- Right to portability of Personal Data: In some cases, you may request a generally available electronic copy of your Personal Data. This right applies only to Personal Data that you have submitted to the Bank, and when the collection, use, and/or disclosure of such data relies on your consent, or in case where such Personal Data needs to be collected, used, and/or disclosed for the performance of obligations under a contract.
- Right to object to the use of Personal Data: You have the right to object to the collection, use, and/or disclosure of your Personal Data under legitimate interests of the Bank and/or other persons or juristic persons. In addition, you have the right to object to the collection, use, and/or disclosure of your Personal Data if the Bank has done so for the purposes of direct marketing and historical documents or archives for public benefit or related to research studies or statistics.
- Right to lodge a complaint: You can contact the Bank to complain about how it collects, uses, and/or discloses your Personal Data at bank branches or CIMB Thai Care Center, Tel. 0 2626 7777, and the Bank will consider your request as soon as possible. However, lodging a complaint to the Bank does not affect your right to complain to a governmental officer or the Thailand Personal Data Protection Commission.
In this regard, you have the right to be informed of details in relation to the processing of Personal Data from the Bank. Such details are as per this Privacy Notice.
Additionally, you can file a complaint with the relevant governmental agencies, including the Thailand Personal Data Protection Commission, in case where you consider that the Bank, its employees or service providers violate or do not comply with the Personal Data Protection Law or other announcements issued by virtue of Personal Data Protection Law.
You may exercise any of your rights under the Personal Data Protection Law at any time by contacting the Bank through the channels specified in Section 12 (Bank Contact Channels) below. The Bank may charge a reasonable additional fee if your requests have no ground, are redundant, or excessive, or it may refuse to exercise your request in those situations.
You can exercise your rights above according to the Personal Data Protection Law through the following channels: