The Bank has created awareness among employees at all levels, executives, customers and people related to the Bank's business to ensure the protection of personal data, the confidentiality of information, cautious disclosure and usage and the utmost security of the information.
Related to personal information such as data storage channels, types and format of data storage, the Bank's purpose for using personal information as well as the methods used by the Bank to secure personal information, etc.
3. The Bank respects the right to privacy of customers, business partners, employees and related parties to the utmost.
4. The Bank will collect, use or disclose personal information only as necessary for its use or as required by law. The Bank will inform data subjects of the purpose of the collection, use and disclosure of information and of their rights, for acknowledgement and consent (unless it can be done under the law without prior consent). Furthermore, the Bank will collect and use such information only for the necessary period in accordance with the purposes of which the data subject has been notified or as required by law.
5. The Bank appoints a data protection officer to ensure that personal data is used for its intended purpose
6. In the event that it is necessary to collect, use or disclose sensitive personal information, namely ethnicity, political opinion, religious beliefs, health information, criminal records, disabilities, etc., the Bank shall distinctly request prior consent from the data subject (unless it can be done under the law without prior consent), circumspectly use the data and maintain its confidentiality.
7. In the event that the Bank has a necessity to disclose personal information to a third party such as an affiliated company or government agency in accordance with the law, by court order or the order of the competent authority, the personal information shall be kept confidential both in the form of documents and in the form of electronic data, including during every process of data transfer. For the transfer of personal data to external agencies or international transfer, the Bank has arranged an agreement with the external agency or destination country to provide appropriate and sufficient protection or as required by law.
8. The Bank shall treat personal information collected and used as its own property.
The Bank shall take action to prevent anyone from infringing, disclosing, accessing, exploiting for personal gain or sabotaging the information without approval from the Data Controller. Violators will be penalized in accordance with the Bank’s regulations and will be subject to legal action, as well as being required to compensate for damages incurred as required by law.
- Employees must strictly obey the country’s personal data protection laws and regulations as well as the rules set by the Bank. Any violation or failure to comply with these will result in disciplinary action according to the Operating Regulations Sector 3 Human Resources Regulations Division 1 Work Rules. Also, the Bank has established rules for disciplinary action against personal data breaches including five penalties: probation, salary cut, suspension of salary increase, salary reduction, discharge and dismissal.
- The Risk Management Department recognises the importance of personal data protection in bank-wide operations and is responsible for the assessment of personal data risks by preparing the data protection impact assessment manual. This Personal Data Protection Impact Assessment helps the Bank to monitor its compliance with the PDPA. It also creates trust and confidence among personal data subjects who use the Bank's services and reduces risks that may affect the Bank's reputation and risk treatment.
- The Data Protection Committee, consisting of C-Level executives and acting as an independent Data Protection Officer (DPO), is responsible for approving and providing recommendations to ensure that the Bank's data protection management is fully aligned with the PDPA requirements. In addition, this committee leads investigations into the collection, use and disclosure of personal data in line with the law.
- The Bank has a Data Protection Department to ensure the Bank processes the personal data of its staff, customers, providers or any other individuals in line with the PDPA. The department also provides advice on privacy issues.
- The Bank’s Internal Audit Team has conducted internal auditing on data governance and privacy protection since 2021, including topics like readiness for the PDPA and data processing for opening a bank account. Also, once a year, the Bank of Thailand checks the Bank's readiness, operations process, data rights and data breach procedures in line with the PDPA.
- The Bank stores personal data for as long as is necessary to carry out the purposes for which the Bank received the data. However, the Bank may have to retain the personal data for a longer time in cases that are prescribed by law.