Privacy Notice

 

 

Last Updated: 17 November 2021

 

Dear Customers,

 

    CIMB Thai Bank Public Company Limited (“Bank”) values a privacy and strives for protecting your personal data or personal data relating to individuals connected to your business (“Personal Data”) based on the laws of Thailand.

 

    This Privacy Notice explains: -

 

  • What kind of Personal Data does the Bank collect? This includes what you tell the Bank about yourself or the individuals connected to your business (“you”, “your” or “yourself”) which shall include employees, staff members, directors representatives, shareholders or ultimate beneficial owners of you if you are a juristic person and what the Bank learns by having you as the customer, and the choice you give the Bank about what marketing materials you want the Bank to send to you
  • How does the Bank use your Personal Data?
  • Who does the Bank disclose the Personal Data to?
  • What are the choices the Bank offer, including how to access and update your Personal Data?
  • What are your privacy rights and how does the law protect you?

 

1.    Collection of Personal Data

 

    The Bank collects many different kinds of Personal Data, depending on various circumstances and nature of requested products, services and/or transactions performed.

 

    The Bank collects the Personal Data about you from a variety of sources, including but not limited to: -

 

  • When you apply for the Bank’s products and/or services
  • When you talk to the Bank on the phone or in branch, including recorded calls, e-mails, notes and other means
  • When you use the Bank’s websites or mobile device applications. This includes cookies and other internet tracking software to collect the Personal Data. Please refer to the Bank’s Cookies Policy for more information
  • Information received from insurance claims or other documents
  • Any financial reviews and explanations
  • Customer surveys
  • When you take part in the Bank’s marketing activities
  • When you manifestly publish your Personal Data, including via social media, in this case, the Bank will collect your Personal Data from your social media profile(s), to the extent that you choose to make your profile publicly visible
  • When the Bank receives your Personal Data from third parties, e.g., your employer, the Bank’s customers, credit reference agencies, law enforcement authorities or any governmental agencies, etc.

 

    The Bank sometimes collect the Personal Data from additional online and offline sources including commercially available third-party sources, such as credit reporting agencies (including the National Credit Bureau). The Bank may combine this information with the Personal Data the Bank has collected about you under this Privacy Notice.

 

    In some instances, the Bank may engage unaffiliated third parties to collect the Personal Data about your online activities when you visit the Bank’s online sources. The Bank may also use the Personal Data collected across non-affiliated websites for the purpose of serving you advertisements related to your browsing behaviour. While the Bank engages in this practice, the Bank will provide an appropriate notice and choice so that you can opt-out such collection.

 

The categories of Personal Data about you that the Bank collects, subject to the applicable law, include but not limited to: -

 

  • Personal details: Name(s), last name, gender, date of birth, marital status, personal identification number, passport number, other government issued identification number(s) or Personal Data provided in any documents issued by government or authorities, tax identification number; nationality, image of passport, driving license, signatures, authentication data, information provided by you as answer to the Bank’s authentication question (e.g., passwords, password recovery answers, PINs, facial and voice recognition data, etc.), photographs and CCTV images
  • Family details: Names and contact details of family members and dependents
  • Contact details: Address, telephone number, email address and social media profile details
  • Education history: Details of your education and qualifications
  • Financial details: Billing address, details of bank account, credit card numbers, cardholder’s or account holder’s name and details, instruction records, transaction details and counterparty details
  • Transactional data: Full beneficiary names, address and other details including communications on bank transfers of the underlying transaction
  • Electronic data: IP addresses, cookies, activity logs, online identifiers, unique device identifiers and geolocation data
  • CCTV data and geolocation data: Data showing locations of withdrawals or payments for security reasons, or to identify the location of the nearest branch or service suppliers for you
  • Sensitive Personal Data: The Personal Data that the law specifically prescribes, including Personal Data in relation to race, ethnic, political opinion, doctrinal, religious or philosophical beliefs, sexual behaviour, criminal records, health records, disability, labour union data, genetic or biometric data or any other data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee of Thailand.

2. Use of Personal Data

 

    The Bank may collect use and/or disclose your Personal Data only if the Bank have proper reasons to do so. This includes sharing it outside the Bank.

 

    The Bank will rely on one or more of the following lawful grounds when collecting, using and/or disclosing your Personal Data: -

 

  • When it is to fulfil a contract the Bank has with you (contractual basis) – that is when the Bank needs your Personal Data to deliver a contractual service to you or before entering into a contract with you;
  • When it is the Bank’s legal obligation (legal obligation) – that is when the Bank needs to collect, use and/or disclose your Personal Data to comply with the law or statutory obligation;
  • When it is in the Bank’s legitimate interest (legitimate interest) – that is when the Bank collects, uses and/or discloses your Personal Data for the Bank’s legitimate interest as permitted under the law, so long as your fundamental rights are not overridden by the Bank’s legitimate interest; and/or
  • When you consent to it (consent) – that is when you allow the Bank to collect, use and/or disclose your Personal Data for certain purposes.

 

    The purposes and legal basis for which the Bank may collect, use and/or disclose your Personal Data are as follows: - 

Purposes of data collection, use and/or disclosure

Lawful basis for collection, use and/or disclosure

Provision of products and services

  • To manage the Bank’s relationship with you or your business
  • To communicate with you via email, telephone, text message, social media, post or in person about the Bank’s products and/or services, information, notification (non-marketing purposes), e.g., notification of branch closure. 
  • To facilitate insurance and financial services
  • As part of the Bank’s privilege/wealth banking services, the Bank’s relationship manager may contact you about the relevant privilege/wealth products and services that are available to you
  • To analyze your credit and repayment behavior scoring as part of a lending process

 

 

  • Contractual basis 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

  • To collect, use and/or disclose the sensitive Personal Data which are religious, health record or biometric data, e.g., facial simulation, fingerprint simulation, iris simulation, voice identification, etc., for the purpose of identity proof and verification and/or transactions via digital means, branches, websites or any other modes, etc.
  • Consent
  • Legal obligation

 

 

 

Fulfilling legal obligations
  • To submit regulatory reports to relevant authorities
  • To prevent and detect money laundering or financing of terrorism and comply with regulation relating to sanctions and embargoes through the Bank’s Know Your Customer (KYC) process (to identify you, verify your identity, screen your details against sanctions lists and determine your profile) and perform a Client Due Diligence (CDD) as prescribed by anti-money laundering law and other relevant law
  • To comply with applicable laws and regulations
  • Legal obligation

 

 

 

 

 

 

 

 

Provision of customer support
  • To ensure customer satisfaction and provide professional customer support
  • To communicate with you through various channels
  • To respond to inquiries and keep records of interactions, comments and/or complaints
  • To process your orders or requests such as data correction, request of document, etc.  
  • Contractual basis

 

 

 

 

 

Business operation
  • To identify issues with products and services
  • To carry out and improve business activities
  • To do statistical reports, market research, analytic report (non-marketing/promoting product and services)
  • To plan the improvements to the existing products and services
  • To carry out and improve a business performance
  • Contractual basis
  • Legitimate interest

 

 

 

 

 

 

Security and risk management
  • To prevent crimes and manage security (for example, use of CCTV which may collect / record your photos, videos or voice)
  • To investigate, report and seek for a financial crime prevention
  • To manage risk 
  • To do internal audits 
  • To seek and/or provide legal advisory within the Bank
  • Legal obligation
  • Legitimate interest
  • Contractual basis

 

 

 

 

Marketing
  • To develop and carry out any marketing activities
  • To communicate with you via email, telephone, text message, social media, post or in person about the Bank’s, CIMB group and/or trusted partners’ products and/or services that you may be interested in
  • To personalize the marketing messages and send to you 
  • To let the Bank’s trusted partners send you the information regarding the products and/or services that you may be interested in
  • To study how you use the products and/or services (analysis for promoting product/service)
  • To test, research, analyze and develop new products/ new features of products and/or services
  • Consent
  • Legitimate interest 

 

 

 

 

 

 

 

 

 

 

 

 

    When the Bank relies on the legitimate interests as the reason for collecting, using and/or disclosing the Personal Data, it has considered whether your fundamental rights are overridden by the Banks legitimate interests and has concluded that they are not.

 

If you fail to provide your Personal Data to the Bank

 

    Where the Bank is required by law to collect your Personal Data or need to collect your Personal Data under the terms of a contract the Bank has with you and you fail to provide your Personal Data when requested, the Bank may not be able to perform obligation under the contract the Bank has with you or plan to enter into with you (for example, to provide you with the Banks account opening services). In this case, the Bank may have to decline to provide the relevant services, but the Bank will notify you if this is the case at the time your Personal Data is collected.

3. Disclosure of Personal Data

 

    The Bank may share your Personal Data with others where it is lawful to do so, including where the Bank or other person: -

 

  • needs to perform obligations under a contract regarding the products or services (e.g., to fulfil a payment request, etc.)
  • has legal duties to do so (e.g., to assist with detecting and preventing fraud, tax evasion, financial crime and money laundering)
  • needs to, in connection with a regulatory reporting, litigation, asserting or defending legal rights
  • has legitimate interest to do so (e.g., to manage risk, verify identity, enable another company to provide you with the services you have requested or assess your suitability for the products and/or services) and/or
  • asks for your consent to share it, and you agree.

 

    The Bank may share your Personal Data for the above purposes with others, including: -

 

  • other CIMB group companies and any sub-contractors, agents or service providers who work for the Bank or provide the services to the Bank or other CIMB group companies, including their employees, sub-contractors, service providers, directors and officers
  • any trustees, beneficiaries, administrators or executors
  • people who give guarantee or other securities for any amount you owe the Bank
  • people you make the payment to and/or receive the payment from
  • your intermediaries, correspondent and agent bank, clearing houses, clearing or settlement systems, market counterparties and any company you carry out investment services through the Bank
  • other financial institutions, lenders and holders of securities, tax authorities, trade associations, credit reference agencies, payment service providers and debt recovery agents
  • any fund managers who provide asset management services to you and any brokers who introduce you to the Bank
  • any people or companies where required in connection with a potential or actual corporate restructuring, merger, acquisition or takeover, including any transfer or potential transfer of any of the Bank’s rights or duties under the Bank’s agreement with you
  • law enforcement, government, courts, court procedures, dispute resolution bodies, the Bank’s regulators, auditors and any parties appointed or requested by the Bank’s regulators to carry out investigations or audits of the Bank’s activities
  • other parties involved in any disputes, including disputed transactions
  • fraud prevention agencies who will also use it to detect and prevent fraud and other financial crime and to verify your identity
  • anyone who provides instructions or operates any of your accounts, products or services on your behalf (e.g., Power of Attorney, solicitors, etc.)
  • anybody else that the Bank has been instructed by you to share your Personal Data with and/or
  • other parties involved in any marketing purposes

 

 

    There may be instances which the Bank may share non-personally identifiable information about you to third parties, such as advertising identifiers or one-way coding (cryptographic hash) of a common account identifier, such as a contact number or e-mail address, to enable the conduct targeted advertising.

 

    Except as described in this Privacy Notice, the Bank will not use the Personal Data for any purposes other than the purposes as described to you in this Privacy Notice. Should the Bank intend to collect, use or transfer additional information which are not described in this Privacy Notice, the Bank will notify you and obtain your consent prior to the collection, use and disclosure unless the Bank is permitted to do so without your consent under the law. You will also be given the opportunity to consent or to decline approval of such collection, use and/or transfer of your Personal Data.

    

    The Bank will continue to adhere to this Privacy Notice with respect to the information the Bank has in its possession relating to prospective, existing and former clients and investors.

 

Cross-border Transfer of Personal Data

 

    Your Personal Data may be transferred to and collected and/or used in other countries, including Malaysia.

 

    Such countries may not have adequate level of protection for the Personal Data as will be prescribed by the Personal Data Protection Committee of Thailand. When the Bank do this, the Bank will ensure that the transfer has an appropriate level of protection and that the transfer is lawful. For example, your Personal Data may be shared to other CIMB group companies in accordance with the Bank’s Binding Corporate Rules (BCRs) or other relevant contractual arrangements, which require all CIMB group companies to follow the same rules or terms when collecting, using and/or disclosing your Personal Data. If you wish to request for a copy of the Bank’s BCRs, you can do so by contacting the Bank at dpo@cimbthai.com.

 

    The Bank may need to transfer the Personal Data in this way to carry out the Bank’s contract with you, fulfill the legal obligations, protect the public interests and/or for the Bank’s legitimate interests. In some countries, the law might compel the Bank to share certain Personal Data, e.g., with tax authorities or National Bank. Even in these cases, the Bank will only share the Personal Data with people who have the right to see it.

4. Retention of Personal Data

 

    The Bank will only retain your Personal Data for as long as it is necessary to carry out the purposes for which it was collected, that is, for the purpose of satisfying any regulatory reporting requirements, carrying out the Bank’s service per your request or compliance with the applicable laws.

 

    The Bank will keep your Personal Data for up to 10 years after you stop being the Bank’s customer to ensure that any contractual dispute that may arise can be processed within that time. However, in the event of regulatory or technical reasons, the Bank may keep your Personal Data for more than 10 years. If the Bank does not need to retain your Personal Data for longer than it is legally necessary, the Bank will destroy, delete or anonymize it (so that it can no longer be associated with you).

 

    Where you receive the products and/or services from third party, e.g., insurance company, who has been introduced to you by the Bank, such third party may keep your Personal Data in accordance with additional terms and conditions applying to their product and/or services.

5.       Accuracy of your Personal Data

 

    The Bank need your help to ensure that your Personal Data is current, complete and accurate. Please inform the Bank of any changes to your Personal Data by: -

 

  • contacting the Bank’s representative at our branches or CIMB Thai Care Center Tel. 0 2626 7777
  • updating your information at/via our branches or CIMB Thai Care Center Tel. 0 2626 7777

 

    The Bank will occasionally request the updates from you to ensure the Personal Data the Bank uses to fulfill the purposes of collection, use and/or disclosure are current, accurate and complete.

6. Your rights as data subject

 

    Under certain circumstances, you have rights under data protection law in relation to your Personal Data. It is the Bank’s policy to respect your rights and the Bank will act promptly and in accordance with any applicable law, rule or regulation relating to the collection, use and/or disclosure of your information.

 

    Details of your rights are set out below: -

 

  • Right to withdraw consent: When the Bank collects, uses and/or discloses your Personal Data under your consent, this right enables you to withdraw your consent to the Bank’s collection, use and/or disclosure of your Personal Data, which you can do at any time. The Bank may continue to collect, use and/or disclose your Personal Data if the Bank has another legitimate reason to do so.
  • Right of Access: This enables you to access and obtain a copy of your Personal Data from the Bank.
  • Right to rectification or correction: This enables you to have any inaccurate, outdated and/or incomplete Personal Data corrected. Please see above in 5. (Accuracy of your Personal Data) for detail of how you can request to have your Personal Data corrected.
  • Right to erasure or deletion: This enables you to ask the Bank to delete, destroy or anonymize your Personal Data where there is no good reason for the Bank to continue collecting, using and/or disclosing it. You also have the right to ask the Bank to delete your Personal Data where you have exercised your right to object to collection, use and/or disclosure (see below). This is not a blanket right to require all Personal Data to be deleted. The Bank will consider each request carefully in accordance with the requirements of any laws relating to the collection, use and/or disclosure of your Personal Data.
  • Right to restriction of processing: This enables you to ask the Bank to suspend the collection, use and/or disclosure of your Personal Data, for example, if you want the Bank to establish its accuracy or the reason for collecting, using and/or disclosing it.
  • Right to data portability: In certain circumstances, you can request to receive a copy of your Personal Data in a commonly used electronic format. This right only applies to your Personal Data that you have provided to the Bank. The right to data portability only applies if the collection, use and/or disclosure is based on your consent or if the Personal Data must be collected, used and/or disclosed for the performance of obligation under a contract.
  • Right to object the collection, use, or disclosure: This enables you to object to the collection, use and/or disclosure of your Personal Data where the Bank is relying on the legitimate interest. You also have the right to object where the Bank is collecting, using and/or disclosing your Personal Data for direct marketing purposes and profiling activities.

 

    Customers are able to file the complaint with a related government authority, including but not limited to, the Personal Data Protection Committee of Thailand in the case where, in your view, the Bank, the Banks employee or contractor violates or fails to comply with the Personal Data Protection Act of Thailand B.E. 2562 (2019) or notifications issued thereunder.

 

    You may exercise any of your rights at any time using the contact details set out in 10. (Contact us) below. The Bank may charge an additional reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, the Bank may refuse to comply with your request in these circumstances.

 

    The Bank may need to request specific information from you to help the Bank confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that your Personal Data is not disclosed to any person who has no right to receive it. 

 

    The Bank may also contact you to ask you for further information in relation to your request to speed up the Bank’s response.

 

    The Bank tries to respond to all legitimate requests within 30 days. Occasionally, it may take the Bank longer than 30 days if your request is particularly complex or you have made a number of requests. In this case, the Bank will notify you and keep you updated.

 

Handling of complaints

 

    In the event that you wish to make the complaint about how the Bank collects, uses and/or discloses your Personal Data,

please contact the Bank at our branches or CIMB Thai Care Center Tel. 0 2626 7777 and the Bank will try to consider your request as soon as possible.

This does not prejudice your right to file the complaint with a government authority that has a data protection authority.

7. Security of your Personal Data

 

    Information is the Bank’s asset and therefore the Bank places a great importance on ensuring the security of your Personal Data. The Bank regularly reviews and implements up-to-date physical, technical and organizational security measures when collecting, using and/or disclosing your Personal Data. The Bank has internal policies and controls in place to ensure that your Personal Data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by the Banks employees in the performance of their duties. The Bank’s employees are trained to handle the Personal Data securely and with utmost respect, failing which they may be subject to a disciplinary action.

 

8. Your responsibilities

 

    You are responsible for making sure that the Personal Data you give the Bank or provided on your behalf, is accurate and up to date, and you must tell the Bank as soon as possible if there are any updates.

 

    You have some responsibilities under your contract to provide the Bank with the Personal Data. You may also have to provide the Bank with the Personal Data in order to exercise your statutory rights. Failing to provide the Personal Data may mean that you are unable to exercise your statutory rights.

 

    Certain Personal Data, such as contact details and payment details, must be provided to the Bank in order to enable the Bank to enter into the contract with you. If you do not provide such Personal Data, this will hinder the Bank’s ability to administer the rights and obligations arising as a result of contract efficiently.

 

9. Revision of the Bank’s Privacy Notice

 

    The Bank keeps the Privacy Notice under a regular review and thus the Privacy Notice may be subject to change. The date of the last revision of the Privacy Notice can be found on the top of the page.

 

10. Contact us

 

    If you have any questions in regard to the protection of your Personal Data or if you wish to exercise your rights, please contact: -

 

  • Any Customer Service Officer at any of the Bank’s branches
  • CIMB THAI Care Center Tel. 0 2626 7777
  • Data Protection Officer: E-mail dpo@cimbthai.com
  • CIMB THAI Bank Public Company Limited Head Office, 44 Lang Suan Road, Lumpini, Pathumwan, Bangkok 10330
  • CIMB THAI Digital Banking Application*

 

    Remark: This Privacy Notice shall be effective on the date on which the relevant provisions of Personal Data Protection Act B.E 2562 (2019) (as amended) becomes effective against the Bank.

 

 

* Right to withdraw consent only

 

 

Privacy notice for vendors