Personal Data Protection Policy of KASIKORN SECURITIES PUBLIC COMPANY LIMITED
KASIKORN SECURITIES PUBLIC COMPANY LIMITED (the “Company”) operates its business in adherence with ethical standards and respect for your privacy. The Company has always placed importance on personal data protection and security to ensure that your personal data obtained by the Company will be used in accordance with the objectives and in compliance with law. The Company has formulated this personal data protection policy (this “Policy”) to inform you, as a data subject, of the objectives and details for collection, use and/or disclosure of personal data, including your legal rights.
1.1 To whom will this Policy apply?
This Policy shall apply to you if you are classified as one or several types of the following persons.
|Type of person under the Policy||Details and examples|
1. Individual customer of the Company
The Company’s individual customer such as
Individual having involvement with a juristic person which is a customer of, or conducts transactions with The Company
("Personnel of Juristic Person")
Individual having involvement with a juristic person which is a customer of, or conducts transactions with, The Company such as
|3. Individual having involvement with transactions of the Company or the Company’s customers||
Individual having involvement with transactions of the Company or the Company’s customers such as
|4. General individual||General individual such as
1.2 Channel for collection of personal data
The Company may collect your personal data via the following channels:
(1) The personal data that you give directly to or through the Company, or held by the Company by your use of products and/or services, contact, visit, joining activities, search via service channels and/or the Company’s contact channels such as branch, head office, website, KS Customer Service, assigned person, application, online social media account of the Company, email, telephone, facsimile, postal mail, short message service (SMS), questionnaire, name card, meeting, training, seminar, event, recreation, marketing promotion activity, contact or any other channel;
(2) The personal data received or accessed by the Company from other sources, such as government agencies, other companies within the Company Financial Conglomerate, other banks or financial institutions, financial service providers and other service providers of the Company, business partners and service providers of business partners, companies that jointly issue products and/or services with the Company, the National Credit Bureau, information service providers, the Company’s customers, individuals or juristic persons conducting a transaction with the Company (as you having involvement with such transactions as mentioned above), registrar, securities issuer, SET, SEC, Thailand Securities Depository Co., Ltd. (TSD), online social media, online platform of third party, public data sources (such as Government Gazette), a person having legal authority or legal right, any other person or agency with which the Company has a legal relationship, etc.
2.1 Personal data is the data that can directly or indirectly identify you, i.e.
2.1.1 Individual means Individual Customer, individual having involvement with transactions of the Company or the Company’s customers and general individual.
|Type of data||Examples of data that the Company collects, uses and/or discloses|
|Education and work information||
|Financial data and transaction||
|Technical data, devices or equipment||
2.1.2 Personnel of Juristic Person means individual having involvement with a juristic person which is a customer of, or conducts transactions with, the Company.
|Type of data||Examples of data that the Company collects, uses and/or discloses|
|Information in documents supporting transaction||
2.2 Sensitive Personal Data
“Sensitive Personal Data” means personal data which is specifically determined by law. The Company has no intention to collect Sensitive Personal Data from you.
In certain cases, however, the Company may need to collect Sensitive Personal Data from you for providing services or products to you, for example, religion (displayed on a copy of national ID card) or race (displayed on a copy of passport of some countries), biometric data (such as facial recognition data, fingerprint recognition data, electronic signature data which uses technology extracting specific behavior of such signing for identification and authentication of the person who writes such signature), data on criminal record, health data, data on disability, sexual behavior, etc. the Company shall collect, use and/or disclose the Sensitive Personal Data provided that the Company has been given explicit consent by you or permitted by law. This shall be undertaken on a case-by-case basis when the Company is required to collect Sensitive Personal Data from you.
(Unless specifically stated otherwise, personal data and Sensitive Personal Data as earlier mentioned shall hereinafter be collectively referred to as Personal Data”.)
2.3 Personal Data of minors, incompetent or quasi-incompetent persons
The Company has no intention to collect, use and/or disclose Personal Data of minors, the incompetent or quasi-incompetent persons, unless consent from the guardian, the appointed guardian or the appointed curator (as the case may be) is given to the Company. If the Company discovers that the collection, use and/or disclosure of Personal Data of minors, the incompetent or quasi-incompetent persons is undertaken without consent from the guardian, the appointed guardian or the appointed curator (as the case may be), the Company shall delete or destroy such Personal Data, or collect, use and/or disclose such Personal Data only for the cases where the Company has other lawful bases that required no consent.
2.4 Personal Data of any other third party
If you provide Personal Data of any other third party who is a Personnel of Juristic Person and/or who has involvement with you to the Company such as shareholders, directors, authorized persons, family members, reference persons, trade partners, beneficiaries, administrator of an estate, emergency contact persons and/or any other person per document of your transaction, etc., please inform those persons of the details under this Policy and request their consent, if necessary, or apply other lawful bases to ensure that the Company can collect, use and/or disclose Personal Data of the aforementioned third party.
The Company will collect, use and/or disclose your Personal Data only as necessary under the Company’s legitimate objectives which include the collection, use and/or disclosure of Personal Data for compliance with the contract in which you are a contract party, for performance of duties as required by law, for legitimate interest, for operations according to your consent and/or for operations under other lawful bases. Objectives for collection, use and/or disclosure of Personal Data under this Policy are as follows.
Some of the following objectives may or may not apply to you. Please consider the objectives in accordance with your relationship with the Company on a case-by-case basis.
3.1 Objectives requiring consent
The Company shall collect, use and/or disclose your Personal Data based on consent for the following objectives.
3.1.1 Collection, use and/or disclosure of Sensitive Personal Data for which the Company cannot apply other lawful bases but must request explicit consent. Such objectives shall be:
(1) Data on religion and race (such data collected from a copy of national ID card or passport of some countries which the Company needs to use as evidence of identification and authentication only.)
(2) Biometric data for signing, identification and authentication, electronic know your customer service of the Company and for support of the Company’s business partners
(3) Health record data, disability data, criminal record, and sexual behavior which the Company shall collect, use and/or disclose only when necessary for the use of certain products and/or services of the Company only. Criminal record shall be used for examination and confiscation of related property
3.1.2 Marketing operations, submission of offers for products and/or services, privileges for attending activities held by the Company, other companies within KBank Financial Conglomerate, a person represented by the Company, selling agent, or business partners and/or other juristic persons including news, useful advice and appropriately selected promotions and launch of marketing strategies that require your consent in accordance with law.
The Company may request your consent directly or via other companies within KBank Financial Conglomerate, business partners and/or other juristic persons on a case-by-case basis.
3.2 Objectives requiring other lawful bases other than consent
The Company will collect, use and/or disclose your Personal Data based on other lawful bases as necessary under the Company’s legitimate objectives, such as, for compliance with the contract in which you are a contract party or your request, for performance of duties as required by law, for the legitimate interest and/or for operations under other lawful bases for the following objectives:
3.2.1 Operations before entering into a contract with the Company such as giving consultation, advice and/or any other data related to products and/or services, analysis and assessment of customer demand, verification of qualification, verification of juristic person customer’s status, check of data or document accuracy, identification and authentication, including know-your-customer (KYC) and customer due diligence (CDD) procedure, examination of Sanction List of competent authorities and/or government agencies which are generally disclosed as required by law, examination of receivership or insolvency, customer risk classification, and pre-filling of customer’s personal information/contact information for facilitation in applying for products and/or services of the Company.
3.2.2 Any operation related to consideration of products and/or service provision such as communication, receipt/delivery of documents or parcels, processing of request and operation per the application approval, establishment of credit limit, entering into a contract, agreement and/or any other related juristic act, registration for use of products, services and/or for participation in the Company’s activities.
3.2.3 Delivery of products and/or services under the contract you have entered into with the Company such as
- Investment, deposit, withdrawal, transfer
- Any operation related to the provision of products and/or services (such as opening of account, change in data, establishment of, use of or change in credit line or account update, payment of dividend and interest, return of money collateral,, acceptance of payments, amendment to securities brokerage agreement or other agreements having with the Company, account suspension, account balance check, conducting transaction report, operation related to relationship between credit limit in credit balance account for securities and derivative trading and collateral, operation related to collateral, KS Amazing point accumulation and redeeming accumulated points, reconciliation, change or increase in credit limit for securities and derivative trading, check of accumulated KS Amazing points, preparation of customer data documents used for customer’s transaction (such as document certification))
- Examination, confirmation and improvement of transactions (including transaction conducted via website and/or the Company’s application and/or SET’s application)
- Provision of benefits and operation in accordance with customers’ benefits
- Customer relationship management, post transaction operation, customer facilitation and/or management of complimentary gifts for customers
- Provision of advice or risk management guidelines
- Complaint management, solving problem, operation per customer request
- Acceptance of payment or any asset
- Monitoring compliance with conditions for use of products and/or services, termination of services.
3.2.4 Marketing operation which does not require your consent under the law such as
- Consideration of customer groups for sending them invitation to join activities or sales promotion as appropriate
- Submission of the offering of products and/or services, privileges for attending activities, events or meeting held by the Company, including facilitation for joining activities (such as registration for event)
- Offering of products, services and/or privileges that you have requested or notification of your benefits
- Offering of products and/or services of the same type/close to those of the Company or other companies within KBank Financial Conglomerate which you are using
- Contact in case where you have dropped off the application for products and/or services to facilitate you in case you wish to reapply for the products and/or services of the same type with the Company, or offering other products and/or services that you may have an interest in
- Organization of sales promotional activities (such as provision of benefits and gifts).
3.2.5 Analysis, research and/or conducting statistical data which does not require your consent under the law for development, improvement of products and/or services within the Company such as
- Analysis, research, marketing research, conducting statistical data analysis of your financial data and/or conducting report for the Company’s internal use
- Analysis, conducting model (such as credit scoring)
- Studying, analyzing and monitoring the proportion of portfolio.
3.2.6 Other operations of the Company such as
- Management, risk management, internal audit within the Company
- Maintain legitimate benefits
- Conducting customer database or recording data in the system or database
- Consideration and review of customer credit limit
- Notification of debt payment or renewal of products and/or services
- Debt collection or placing of collateral according to relevant regulations
- Satisfaction survey and assessment after use of products and/or services
- Litigation or other legal processes
- Participation, coordination and/or assignment of work to another person to perform on behalf of or in collaboration with the Company (such as for design of products or services, design of customer service experience, design of process or support of the delivery of products and/or services)
- Assignment of rights and/or duties, management of operations of the Company and other companies within KBank Financial Conglomerate
- Use of CCTV, control of entry/exit of the Company’s premises
- Management of complaints or management of illegal incidents or suspicious incidents (such as fraud, money laundering, terrorism and mass destruction weapon proliferation, crime, intellectual property infringement including management planning, examination, surveillance, evidence collection, reporting, and/or detection)
- Prevention and assessment of risk, which may be incurred from granting financial accommodations, of financial institution system
- Conducting database on business risk to the Company
- IT operation, communication system management and prevention, response and mitigation of IT risk and cyber threats
3.2.7 Compliance with the order of competent authorities and/or compliance with laws such as
- Compliance with the order of court, the government agencies, supervisory agencies, competent officers under the personal data protection law, financial institution business law, securities and stock exchange law, payment system law, exchange control law, taxation law, anti-money laundering law, counter-terrorism and proliferation of weapons of mass destruction financing law, computer crime law, bankruptcy law and other laws with which the Company is required to comply, either in Thailand or other countries, including regulations and rules issued under these laws, which are now being enforced, to be amended or to be enforced in the future.
3.2.8 Prevention or cessation of danger to a person’s life, body or health
3.2.9 Conducting historical documents or annals for public benefit or related to study, research or statistics
3.2.10 The Company’s operation of public benefit or performance of duties in using the government’s authority granted to the Company
If the Company needs to collect, use and/or disclose your Personal Data for execution of or compliance with a contract that you have entered into with the Company and/or for the Company‘s performance of duties under the law and you, upon request, do not provide such necessary Personal Data to the Company or you have chosen to delete your user account from the application of the Company, the Company may not be able to approve or deliver/provide products and/or services, either partly or wholly, for you and it may impact on the Company’s performance of duties under the law or your relationship with the Company.
Under your consent or criteria permitted by law, the Company may disclose your Personal Data to a third party. Persons or agencies receiving such Personal Data will collect, use and/or disclose your Personal Data within the scope for which you have given consent, or within the scope related to this Policy. In certain cases, you may be under the personal data protection policy of such recipient of your Personal Data. The recipient of your Personal Data may be in Thailand or other countries.
The Company may disclose your Personal Data to persons or agencies based on your relationship and transaction as follows:
|Type of Personal Data||Details|
|Companies within KBank Financial Conglomerate||
The Company may disclose your Personal Data to the companies within KBank Financial Conglomerate for the determined purposes or according to your consent under this Policy. Companies within KBank Financial Conglomerate can rely on the consent that the Company obtains.
|The Company’s service providers||
The Company may use another company, trade partner, the Company’s agent, sub-contractor or external service provider to conduct business operation on behalf of the Company or to support the provision of the Company‘s products and/or services to you. Therefore, the Company may disclose your Personal Data to the Company’s service provider, including but not limited to:
|The Company’s business partners||
The Company may disclose your personal data to
In cases where your Personal Data is disclosed to business partners for their marketing purposes such as for sales promotion, public relations or offering of products and/or services by business partners to you, the Company will notify you of the names of business partners for supporting your decision in giving consent. Business partners can rely on the consent that the Company obtains.
|Persons determined by law||
In some cases, the Company may be required to disclose your personal data for compliance with the order of persons having legal authority or legal rights and/or for compliance with law. The recipients of your Personal Data include:
For the benefit of the Company’s business operation, the Company may disclose your Personal Data to
|Prospective assignee and/or assignee of rights in any transaction or merger of the Company||
In cases where the Company engages in organizational restructuring, debt restructuring, merger, business acquisition, transfer of rights, business dissolution or any other incidents of the same nature, the Company may need to disclose your Personal Data to:
|Any other third party||
The Company may disclose your Personal Data to any other third party for the objectives as specified in this Policy. Any other third party receiving your Personal Data may include but are not limited to
The Company may need to send or transfer your Personal Data to other companies within KBank Financial Conglomerate located in other countries, or to other recipients of data, as part of the Company’s normal business operation. For instance, sending or transferring Personal Data for storage on cloud platforms or servers located in other countries, business partners including those jointly providing products and/or services and co-branding business partners, online social media service providers, government agencies in other countries and/or a person having connection with your transaction in other countries, etc.
If the destination country has insufficient standards of Personal Data protection, the Company shall ensure that Personal Data will be sent or transferred in accordance with law and shall set standards of Personal Data protection as deemed necessary, and appropriate for and consistent with the confidentiality standards. For instance, an agreement must be entered into with the data recipient in that country to ensure that your Personal Data will be protected under the Personal Data protection standards equivalent to that in Thailand. If the data recipients are other companies within KBank Financial Conglomerate, the Company may decide to conduct binding corporate rules verified and certified by relevant competent authorities and will send or transfer Personal Data to other companies within KBank Financial Conglomerate located in other countries in accordance with said binding corporate rules.
Moreover, the Company may disclose the data that cannot identify you to data analysis service providers such as Google, both in Thailand and other countries. Google will use technologies and tools for data analysis such as cookies and/or the Software Development Kit (SDK) to monitor and conduct reports of data analysis related to your use of the Company’s website and/or application. You can learn details of Google’s data analysis under the heading “How Google uses data when you use your partner’s sites or apps” at www.google.com/policies/privacy/partners or other URL as determined by Google.
The Company will keep your Personal Data during the period you are the Company’s customer or have a relationship with the Company, or throughout the period required in order to achieve the related objectives of this Policy. Once your relationship with the Company ends, the Company will further keep your Personal Data for a period as necessary according to the statute of limitations or for a period as required or permitted by law, for instance:
- Personal Data shall be kept in accordance with the anti-money laundering law for 10 years after the end of the relationship
- Personal Data shall be kept in accordance with financial institution business law, securities and stock exchange law, accounting law, and taxation law, for 10 years after the end of the relationship.
The Company will undertake operations through appropriate steps to delete or destroy the Personal Data or make it anonymous when it is no longer necessary or said period ends.
The Company shall apply technical, administrative and physical safeguard measures for safekeeping of your Personal Data in order to maintain confidentiality, accuracy, completeness, and availability of Personal Data to prevent unauthorized or illegitimate access, collection, revision, rectification, use and/or disclosure of Personal Data in accordance with legal requirements.
The Company has put in place appropriate measures to prevent the infringement of Personal Data. The Company has therefore established policies, procedures and criteria for Personal Data protection such as measures to control access to Personal Data and use of secure and proper devices for storing and processing Personal Data, restriction of access to Personal Data, determination of users’right to access Personal Data, right to permit assigned employees to access Personal Data and users’ responsibilities in order to prevent unauthorized access to Personal Data, unauthorized disclosure, unauthorized knowledge or unauthorized copy of Personal Data, or theft of devices used for storing or processing Personal Data. Measures have thus been put in place for tracking back of access to, change in, deletion or transfer of Personal Data, which are consistent with and appropriate for the methods and tools for collection, use or disclosure of Personal Data, including examination for assessing the effectiveness of compliance with policies, procedures and criteria for Personal Data protection.
The Company’s executives, employees, personnel, contractors, representatives, advisors, and recipients of data from the Company shall maintain the confidentiality of Personal Data in accordance with the confidentiality measures determined by the Company.
Your rights under this item are legal rights that you should be aware of. You can exercise your rights as stipulated by law and this Policies currently available or to be amended in the future, including criteria determined by the Company. If you are less than 20 years old, or have limited capacity to perform juristic acts under the law, you may request your father and/or mother, appointed guardian or authorized person to express the intention to exercise these rights on your behalf.
Right to withdraw consent (opt-out): You are entitled to withdraw the consent that you have previously given to the Company to collect, use and disclose your Personal Data (whether such consent has been given prior to or after the personal data protection law is enforced), at any time during which your Personal Data is held by the Company, unless there is right restriction by law or there is a contract which is beneficial to you which remains valid. The collection, use and/or disclosure of your Personal Data which was undertaken before the withdrawal of your consent shall not be affected.
However, the withdrawal of your consent related to and required for the service request may prevent the Company from complying with the contract or providing services to you, or may cause the transaction or any other related activities to be suspended or temporarily discontinued, or may affect your knowledge of products and/or services, for instance, you may not receive the offer of products and/or services, benefits, promotions or other new offers, or may not receive alternative products or services which are more in line with your needs, or may not receive news and recommendations that are beneficial to you, etc. For your own benefit, you should determine and inquire about the potential impacts before deciding to withdraw your consent.
- Right to access: You are entitled to have access to your Personal Data under the Company’s responsibility and to request the Company to provide you duplication of your Personal Data and inform you of how your Personal Data has been obtained.
Right to data portability: You are entitled to request your Personal Data which has been processed by the Company to be in a format that can be read or used in general with an automated device or equipment, and can be used or disclosed via automated methods. You are also entitled to request the Company to send or transfer your Personal Data of said format to other data controllers if it can be processed via automated method, and to request Personal Data of said format which is directly sent or transferred by the Company to other data controllers, unless it cannot be processed due to technical difficulties.
Your aforementioned Personal Data must be Personal Data that you have granted consent to the Company to collect, use and/or disclose or must be Personal Data that the Company needs to collect, use and/or disclose for your use of the Company’s products and/or services in accordance with your intention wherein you are a contract party with the Company or for undertaking operations per your request before using the Company’s products and/or services or must be other Personal Data as determined by competent authorities.
Right to object: You are entitled to lodge an objection to the collection, use or disclosure of your Personal Data at any time. If the collection, use or disclosure of your Personal Data, to which you lodge an objection, is undertaken under legitimate interest of the Company or any person or any juristic person, or for public benefit, the Company shall continue to collect, use and/or disclose your Personal Data only if the Company can provide legal reasons that the collection, use and/or disclosure of your Personal Data is sufficiently important, or is undertaken for the establishment, defense, use of, or compliance with, the rights to claim in accordance with applicable law, as the case may be.
In addition, you are entitled to lodge an objection to the collection, use and/or disclosure of your Personal Data which is undertaken for objectives related to direct marketing or for the purpose of scientific, historical or statistical studies and research.
- Right to deletion or destruction: You are entitled to request the Company to delete or destroy your Personal Data or make it anonymous if you believe that your Personal Data has been collected, used and/or disclosed illegitimately, which is not in compliance with applicable laws or if you deem that it is no longer necessary for the Company to keep your Personal Data under the objectives of this Policy or when you exercise your right to withdraw consent or your right to object as mentioned earlier.
- Right to suspension: You are entitled to request the Company to suspend the use of Personal Data if the Company is conducting an investigation per your request to exercise your right to rectification or right to object, or for any other case wherein it is no longer necessary for the Company to keep your Personal Data and the Company must delete or destroy your Personal Data in accordance with applicable laws, but you have sought to request the Company to suspend the use of your Personal Data instead.
- Right to rectification: You are entitled to rectify your Personal Data to keep it accurate, up-to-date, complete and not misleading.
- Right to lodge complaint: You are entitled to lodge a complaint to relevant competent authorities if you believe that the collection, use and disclosure of your Personal Data violates or does not comply with applicable laws.
Exercising the aforementioned rights may be restricted by applicable laws, and, in certain cases, there may be compelling reasons that may cause the Company to deny your request or may prevent the Company from complying with your request such as for in compliance with laws or court orders, for the public benefit, exercising the aforementioned rights may potentially violate other persons’ rights or freedoms, etc. If the Company denies aforementioned request, the Company shall give you the reason(s) for such denial.
You can submit your request to exercise your rights via the following channels:
|Rights||Channels to exercise the rights||Operation period*|
|KS Customer Service||KS Website||Equity Wealth Manager|
|Right to withdraw consent (opt-out)||-||√||√||7 business days|
|Right to access||-||√||√||30 days|
|Right to data portability||-||-||√|
|Right to object||-||-||√|
|Right to deletion or destruction||-||-||√|
|Right to suspension||-||-||√|
|Right to rectification||-||√||√||Immediately|
|Right to lodge complaint||√||-||-||30 days|
*From the day the Company has verified and confirmed your identity. In the case that the Company requires you to submit and/or deliver documents for verification and identification, the operation period will begin on the day that the Company has received all relevant documents and evidences.