This Privacy Notice relates to the treatment of personal data, including sensitive personal data, by any member companies of TISCO Financial Group (hereinafter collectively called “TISCO”) when the data subject (hereinafter referred to as “data subject”, “you” or “your”) enters into legal relationship, makes contact with TISCO or acquires TISCO’s services and/or products through TISCO’s designated channels in accordance with the Personal Data Protection Act B.E. 2562 (hereinafter referred to as “PDPA”), relevant laws and regulations.
Respecting your privacy rights is important to TISCO. Therefore, TISCO uses the high standard and strict process for data protection of your personal data. This Privacy Notice is to inform you of the purposes for which TISCO process your personal data, who it may be shared with, data retention period, data destruction and rights of the data subject. You can examine information on personal data protection as follows:
Personal data that is collected, used and/or disclosed by TISCO is the data relating to a natural person, in particular as listed below, which directly or indirectly enables the identification of such person, but not including the data of deceased persons. TISCO might collect your personal data in a variety of ways either directly from you or indirectly from other sources e.g. any member companies of TISCO Financial Group, Department of Business Development Ministry of Commerce, Department of Provincial Administration Ministry of Interior, Department of Consular Affairs Ministry of Foreign Affairs, Legal Execution Department Ministry of Justice, any government agencies, international organizations, TISCO’s consultants, business partners and contracting parties, including any person appointed by the data subject or other available public sources.
1. Identification information relating to the data subject, such as first name/last name, national identification number, passport number, date of birth, marital status, workplace, work position, education information, portrait, picture, signature including sensitive personal data e.g. biometric data (fingerprint recognition data, facial recognition data), criminal records, health data, religious beliefs or race.
2. Contact information of the data subject, such as address, email address, telephone number, and other similar contact information;
3. Financial information of the data subject or transaction records which the data subject engages with TISCO, such as account number, order number, credit card and ATM/debit card number, payment and transaction records relating to your accounts or assets, balance, income and expenses statements, financial history or background;
4. User behavior of the data subject through internet search engine (Online Behavior Information) such as cookies, Website Browsing or connection to other website of the data subject;
5. Any information relevant to the data subject’s interaction with TISCO, such as information collected by automatic recordings through the use of TISCO Contact Center which may include still or moving pictures and voices.
6. Personal information obtained by TISCO from corporate customer, when such corporate customer is a counterparty of TISCO or has a legal relationship with TISCO and discloses personal information of their related person such as employee, personnel, officers, representatives, shareholders, authorized persons, members of the board of directors, contact persons, agents, and other natural persons in connection with such corporate customer. The corporate customer shall ensure that it has the authority to disclose and to permit TISCO to use the personal data in accordance with this Privacy Notice.
1. To enable TISCO to fulfil the contract between data subject and TISCO for the products or services the data subject has requested or acquired, for instance,
- to conduct identity verification and due diligence checks e.g. know-your-customer (KYC) or customer due diligence (CDD);
- to take any steps in relation to providing of any products and/or services;
- to comply with TISCO’s internal procedure for operational purposes;
- to send, receive documents between you and TISCO;
- to collect payment on outstanding debts from a debtor under any facility agreement with TISCO; or,
- to provide insurance for collaterals.
2. To comply with applicable laws and regulations, for instance,
- to prevent, detect and investigate any irregular activities which lead to unlawful activities or suspicious transactions; or,
- to report information to the Revenue Department and to report personal data to relevant government authorities or regulatory bodies, such as the Anti-Money Laundering Office, the Revenue Department, the Bank of Thailand, the Securities and Exchange Commission or the Office of Insurance Commission or when receiving summons, foreclosure or attachment orders from competent courts or government authorities.
3. To perform actions under consent obtained from data subject, such as marketing or promotional communication and offers of TISCO’s or any third party’s products and/or services provided that such actions cannot be conducted by relying on any other lawful basis.
4. To take necessary steps for legitimate interests of TISCO or other individual or juristic person, for instance,
- to prevent, deal with, and reduce risks of any violation of laws and regulations including to share personal data with other financial institution in order to improve operational efficiency in financial industry regarding the said matters;
- to record video of the data subject at TISCO’s branch or office onto CCTV or visitor’s building access process before entering TISCO’s premises for safety purpose;
- to manage risks/ to conduct audits/ to perform internal management including to deliver data to any member companies of TISCO Financial Group for such purposes which is subject to this Privacy Notice;
- to examine an E-mail or internet using of TISCO’s personnel and data subject for preventing unauthorized disclosure of TISCO’s confidential information;
- to assess suitability for products and services offering to data subject and/or conduct marketing research for developing and improving products and services through data analytics or market and product analysis;
- to fulfill TISCO’s contractual obligations or obligations under legal relationship between TISCO and third party, i.e. TISCO’s business partner;
- to collect, use and/or disclose personal data of related person in relation to juristic person such as its members of the board of directors, authorized persons, agents, employee; or,
- to maintain relationship with data subject such as complaint handling, satisfaction survey, notification or offer on any products and/or services of the same types of which such data subject is using for the data subject’s benefits.
If the personal data TISCO collects from you is required to meet our legal obligations or enter into an agreement with you, TISCO may not be able to provide (or continue to provide) the products and/or services to you if TISCO cannot collect your personal data when requested.
For any of the purposes specified above, TISCO may send, transfer and/or disclose personal data to third party which may be located in or outside Thailand, provided, however, that the destination country that receives personal data might not have adequate data protection standard.
TISCO including our officers, employees, agents and advisers, may disclose your personal data to any of the following parties:
- Any member companies of TISCO Financial Group which consists of TISCO Financial Group Public Company Limited, TISCO Bank Public Company Limited, TISCO Securities Company Limited, TISCO Asset Management Company Limited, TISCO Insurance Solution Company Limited, TISCO Information Technology Company Limited, Hi-Way Company Limited and All-Ways Company Limited;
- TISCO’s business partners (see list of the business partner companies on TISCO website);
- National Credit Bureau and credit information company including its members under the Credit Information Business law;
- Any third party upon your consent;
- Your parent, guardian, curator, heir, administrator of an estate or your legal representative for the purpose of allowing him/her to organise your assets and accounts when you are classified as a minor, incompetent, quasi-incompetent or deceased (as the case maybe);
- TISCO’s outsource service providers whether located in or outside Thailand such as cloud service/computing provider, software developers, marketing events service providers, data research service provider, card association;
- Government authorities and/or regulators such as the Bank of Thailand, Anti-Money Laundering Office, the Revenue Department, Office of Insurance Commission, Securities and Exchange Commission, courts, police or auditor;
- Debt portfolio purchasers such as an asset management company, etc.;
- Any relevant persons as a result of activities relating to selling rights of claims and/or assets, restructuring or acquisition of any of TISCO’s entities including their officer, employee, agent or director; and/or,
- Other persons having legal relationship or contract with TISCO and TISCO considers necessary to disclose personal data in order to provide products and/or services.
Subject to applicable law, regulations and/or banking industry guidelines, data subject may have the following rights:
1. Right to withdraw consent
You have the right to withdraw consent that has been given to TISCO for collection, use and/or disclose of your personal data at any time, unless it is restricted by applicable laws or you are still under beneficial contract.
TISCO is entitled to continue collecting and using data subject’s personal data, which has previously been collected by TISCO before the effectiveness of the PDPA in relation to the collection, use and disclosure of personal data, in accordance with the original purposes. If data subject does not wish TISCO to continue collecting and using your personal data, you may notify TISCO to withdraw your consent at any time.
Withdrawal of your consent may affect your use of products and/or services. For example, you may not receive privileges, promotions or new offers, products and/or services that are enhanced and consistent with your needs, or not receive beneficial information. For your benefits, you are advised to learn and ask for consequences before withdrawing your consent.
2. Right to access
You have the right to request access to and obtain copy of your personal data holding by us and to request the disclosure of the acquisition of your personal data obtained without your consent.
3. Right to rectification
You have the right to instruct TISCO to rectify your personal data to be updated, complete and not misleading.
4. Right to data portability
You have the right to receive your personal data in case TISCO can arrange such personal data to be in the format which is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means. Also, you have the right to request TISCO to send or transfer your personal data in the aforementioned format to third party, or to request to directly obtain your personal data in such format which TISCO sent or transferred to third party, unless it is impossible to do so because of the technical circumstances, or TISCO is entitled to legally reject your request.
Your personal da ta mentioned above must be under your consent given to TISCO to collect, use, and/or disclose; or those TISCO deems necessary to collect, use and/or disclose to allow you to use products and/or services that meet your need under your contract with TISCO; or to take steps at your requests before using products and/or services; or as legally required by competent authority.
5. Right to erasure
You have the right to request TISCO to delete, destroy or anonymise your personal data if you believe that the collection, use and/or disclosure of your personal data is against relevant laws; or retention of your personal data by TISCO is no longer necessary in connection with related purposes for which it was collected under this Privacy Notice; or when you exercise your consent withdrawal right or object to the processing of your personal data.
6. Right to restrict
You have the right to request TISCO to restrict the use of your personal data when TISCO is pending examination process in accordance with your request to rectify your personal data or to object the collection, use or disclosure of your personal data, or you request to restrict the use of personal data instead of the deletion or destruction of personal data which is no longer necessary.
7. Right to object
You have the right to object the collection, use or disclosure of your personal data under certain circumstances descripted in this Privacy Notice.
8. Right to lodge a complaint
You have the right to make a complaint with competent authorities in the event that you believe that the collection, use or disclosure of your personal data is violating or not in compliance with any applicable laws or PDPA.
The exercise of data subject rights mentioned above may be restricted under relevant laws and it may be necessary for TISCO to deny or not be able to carry out your requests for some reasons, e.g. to comply with laws or court orders, public tasks, your request in breach of rights or freedom of other persons.
TISCO has implemented policies, guidelines and minimum standards to manage data subject’s personal data, such as information technology safety standard, to protect your personal data from unauthorized access or personal data breaches. TISCO has improved such policies, guidelines and minimum standards from time to time in accordance with requirements under applicable laws.
In addition, officers, employees, agents and contractors of TISCO have duties to protect personal data of data subject in accordance with confidentiality agreement signed with TISCO.
If TISCO needs to send or transfer personal data of data subject to other country that has less standard of personal data protection, TISCO will take actions as we deem necessary at least equal to the standard of confidentiality of that country such as having confidential agreement with a counterparty in that country.
In the event that the data subject is no longer the customer of TISCO or has ended relationship with TISCO, TISCO will consider retaining the personal data of data subject for a certain period required by relevant laws, TISCO’s policies and guidelines in connection with retention period of personal data. For example, retention period under Anti-Money Laundering Act of B.E. 2542 is at least 10 years after the relationship between customer and TISCO has ended. TISCO will erase or destroy your personal data when it is no longer necessary or when the retention period lapses.
We may change or update this privacy notice from time to time and we will inform the updated Privacy Notice at TISCO website.
If you have any questions or would like more details about the collection, use and/or disclosure of your personal data or would like to exercise your rights or file compliant, please contact TISCO through any of the provided service contact channels.