Data Privacy Management
The Personal Data Protection Act B.E. 2562 (2019) mandates guidelines for the use, collection, disclosure, and/or transfer of personal data, both within and outside of Thailand. In compliance with this Act, Krungthai Bank has established a privacy policy as a comprehensive guideline for employees on handling customer information. This policy outlines the types of data collected, the purposes for collecting data, data disclosure, international transfer of personal data, storage periods, data owners' rights, and guidelines for corporate customers. To ensure effective compliance with the Act, the Bank has also established a privacy policy for business partners and internal operations. For more information, please visit the Privacy Policy page.
The Bank's CEO approves the Master Plan and Action Plan on Data Governance, along with the data governance budget presented by the Data Committee. The Data Committee sets goals, directions, strategies, and approves policies and guidelines to promote and support data governance. The Bank has established separate privacy policies to address the varied contexts of data transactions between the Bank and each relevant stakeholder group, including customers, business partners, and employees. The Data Protection Committee will serve as the Data Protection Officer (DPO) and will be responsible for developing and approving guidelines to ensure compliance with the Personal Data Protection Act. It will report directly to the CEO, reviewing and analyzing relevant issues before submitting them to the Data Committee for final approval. Additionally, the Data Protection Committee will oversee all operations related to personal data, including managing incidents of personal data breaches. It will also be responsible for approving guidelines, processes, and consent forms related to the protection of personal data within the Bank. The Data Protection Department will support the activities of the Bank's Personal Data Protection Officer (DPO) and manage all tasks related to the protection and management of personal information. At the Group level, representatives will serve as Data Privacy Champions and will provide support for all personal data protection operations.
Data Privacy Risk Management
The Bank complies with the Personal Data Protection Act by conducting a Data Privacy Impact Assessment (DIPA) as part of its Privacy Risk Assessment Methodology. This process helps the Bank identify and reduce the risks associated with processing personal data, thereby promoting efficient business operations. Specifically, the DIPA process achieves the following:
- Identifies and assesses the risks and impacts of personal data in the implementation of various projects or operational processes.
- Enables the Bank to develop plans and measures to remedy, manage, or reduce personal data risks or improve operational processes for each department involved.
By conducting a DIPA, the Bank is better able to understand the risks and impacts associated with personal data processing and can take steps to improve the efficiency of its operations while also complying with legal requirements.
Guidelines for Handling Privacy Breaches
The Bank has created a comprehensive set of guidelines, processes, and procedures for addressing incidents of personal data breaches or leaks, whether in electronic or paper formats. This includes defining the roles and responsibilities of relevant personnel, establishing protocols for handling and remedying breaches or leaks of personal information, and providing guidelines for communicating with and notifying affected parties both internally and externally. By following these guidelines, the Bank can effectively manage any incidents of data breaches or leaks while adhering to its policy of preventing significant information leakage.
Building a Data Privacy Culture
The Bank has implemented several measures to increase awareness of and promote strict adherence to its personal data protection policies among all employees. These include providing online training and communication about the Personal Data Protection Act, promoting correct practices through various activities and newsletters delivered via email and the One Krungthai application, and sharing video clips of executive interviews to reinforce the importance of data protection.
- The Bank has successfully promoted awareness and understanding of the Personal Data Protection Act (PDPA) through a quiz on the One Krungthai application, the Bank's internal communication channel. Approximately 70% of all Bank employees have participated in this initiative, demonstrating the Bank's commitment to upholding data protection standards.
- CEO Talk: A message from the President stressing the need for all employees to prepare for compliance with the Personal Data Protection Act.
- PDPA Week: Awareness-raising activities aimed at branch operators, delivered intensively via YouTube Live channels during the week before the Act came into full force.
- PDPA Chatbot: The Chatbot serves as a round-the-clock consulting channel for questions related to the Personal Data Protection Act (PDPA). It offers up-to-date information on the Act and can provide answers to any doubts or uncertainties our employees may have regarding its various provisions.
- PDPA Google Site: As part of our commitment to compliance with the Personal Data Protection Act (PDPA), the Bank has developed a collection of knowledge channels that includes announcements, circulars, and other resources related to the Act. These channels provide our employees with the information they need to ensure our organization meets all PDPA requirements.
As part of our commitment to protecting our customers' privacy, all Bank employees are required to strictly adhere to our privacy policy. Any violation of this policy will result in disciplinary penalties, including probation, salary reductions, lack of salary increases, or termination of employment. Once a year, the Bank of Thailand checks the Bank's readiness, operations process, data rights and data breach procedures in line with the Personal Data Protection Act (PDPA). In addition, the Bank’s Internal Audit Team has conducted internal auditing on data governance and privacy protection since 2021, including topics like readiness for the PDPA and data processing for opening a bank account.