The Bank attaches great importance to legal compliance and recognizes the importance of data privacy protection, which is a significant fundamental right to privacy that must be protected by organizing a system for rigorous and circumspect control. In order to keep personal data secure and for data processing to be transparent and subject to the Personal Data Protection Act B.E. 2562 (2019), the Bank’s Privacy Policy was announced. In order for personal data of customers, suppliers, employees and/or visitors or all concerned with the Bank's business and affiliated companies to be safely collected, used and disclosed as well as being used in accordance with the purposes for which the data subject has given consent and the objectives stated in the Bank's Privacy Policy, the Bank has established the privacy policy guidelines as follows:

The Bank has created awareness among employees at all levels, executives, customers and people related to the Bank's business to ensure the protection of personal data, the confidentiality of information, cautious disclosure and usage and the utmost security of the information.

Related to personal information such as data storage channels, types and format of data storage, the Bank's purpose for using personal information as well as the methods used by the Bank to secure personal information, etc.

Business partners, employees and related parties to the utmost.

As necessary for its use or as required by law. The Bank will inform the purpose of collection, use, disclosure of information and the rights to data subjects for acknowledgement and consent (unless it can be done under the law without prior consent). Furthermore, the Bank will collect and use such information only for the necessary period in accordance with the purposes for which the data subject has been notified or as required by law.

Is not used beyond its consent and is used in accordance with the purposes specified by the Bank in the Privacy Policy announced by the Bank or does not cause any damage to the data subject.

Namely ethnicity, political opinion, religious beliefs, health information, criminal records, disabilities, etc., the Bank shall distinctly request prior consent from the data subject (unless it can be done under the law without prior consent), circumspectly use the data and maintain its confidentiality.

such as an affiliated company or government agency in accordance with the law, by court order or the order of the competent authority, the personal information shall be kept confidential both in the form of documents and in the form of electronic data including during every process of data transfer. The Bank has arranged an agreement with the external agency or destination country to provide appropriate and sufficient protection or as required by law for the transfer of personal data to external agencies or international transfer.

The Bank shall take action to prevent anyone from infringing, disclosing, accessing, exploiting for personal gain or sabotaging the information without the approval from the Data Controller. Violators will be penalized in accordance with the Bank’s regulations and subject to legal action as well as to compensate for damages incurred as required by law.

-The Bank’s privacy policy also applies to business partners covering all operations and suppliers. It describes how the Bank collects, uses, discloses and/or transfers personal data of individuals (in Thailand and abroad) to business partners in the procurement process of goods and/or services (such as vendors, sales representatives and third-party service providers), in line with the Personal Data Protection Act (PDPA).

-The Bank also has a privacy policy for its employees and personal data subjects which applies to, but isn’t limited to: job applicants and job interviewers, current employees based in Thailand or abroad, other organisations, former employees, retired employees, temporary employees, contractors, outsourced services, scholarship students and other relevant individuals.

-Employees must strictly obey the country’s personal data protection laws and regulations as well as the rules set by the Bank. Any violation or failure to comply with these will result in disciplinary action according to the Operating Regulations Sector 3 Human Resources Regulations Division 1 Work Rules. Also, the Bank has established rules for disciplinary action against personal data breaches including five penalties: probation, salary cut, suspension of salary increase, salary reduction, discharge and dismissal.

-The Risk Management Department recognises the importance of personal data protection in bank-wide operations and is responsible for the assessment of personal data risks by preparing the data protection impact assessment manual. This Personal Data Protection Impact Assessment helps the Bank to monitor its compliance with the PDPA. It also creates trust and confidence among personal data subjects who use the Bank's services as well as reducing risks that may affect the bank's reputation and risk treatment.

-The Data Protection Committee, consisting of C-Level executives and acting as an independent Data Protection Officer (DPO) is responsible for approving and providing recommendations to ensure that the Bank's data protection management is fully aligned with the PDPA requirements. In addition, this committee also leads investigations into the collection, use and disclosure of personal data in line with the law.

-The Bank has a Data Protection Department to ensure the Bank processes the personal data of its staff, customers, providers or any other individuals in line with the PDPA. They also provide advice on privacy issues.

-The Bank’s Internal Audit Team has conducted internal auditing on data governance and privacy protection since 2021, including topics like readiness for the PDPA and data processing for opening a bank account. Also, once a year, the Bank of Thailand checks the Bank's readiness, operations process, data rights and data breach procedures in line with the PDPA.

-The Bank stores personal data for as long as is necessary to carry out the purposes for which the Bank received the data. However, the Bank may have to retain the personal data for a longer time in any cases that are prescribed by law.