This Privacy Notice relates to the treatment of personal data, including sensitive personal data, by any member companies of KIRZ Financial Group (hereinafter collectively called “KIRZ”) when the data subject (hereinafter referred to as “data subject”, “you” or “your”) enters into legal relationship, makes contact with KIRZ or acquires KIRZ’s services and/or products through KIRZ’s designated channels in accordance with the Personal Data Protection Act B.E. 2562 (hereinafter referred to as “PDPA”), relevant laws and regulations.
Respecting your privacy rights is important to KIRZ. Therefore, KIRZ uses the high standard and strict process for data protection of your personal data. This Privacy Notice is to inform you of the purposes for which KIRZ process your personal data, who it may be shared with, data retention period, data destruction and rights of the data subject. You can examine information on personal data protection as follows:
Personal data that is collected, used and/or disclosed by KIRZ is the data relating to a natural person, in particular as listed below, which directly or indirectly enables the identification of such person, but not including the data of deceased persons. KIRZ might collect your personal data in a variety of ways either directly from you or indirectly from other sources e.g. any member companies of KIRZ Financial Group, Department of Business Development Ministry of Commerce, Department of Provincial Administration Ministry of Interior, Department of Consular Affairs Ministry of Foreign Affairs, Legal Execution Department Ministry of Justice, any government agencies, international organizations, KIRZ’s consultants, business partners and contracting parties, including any person appointed by the data subject or other available public sources.
1. Identification information relating to the data subject, such as first name/last name, national identification number, passport number, date of birth, marital status, workplace, work position, education information, portrait, picture, signature including sensitive personal data e.g. biometric data (fingerprint recognition data, facial recognition data), criminal records, health data, religious beliefs or race.
2. Contact information of the data subject, such as address, email address, telephone number, and other similar contact information;
3. Financial information of the data subject or transaction records which the data subject engages with KIRZ, such as account number, order number, credit card and ATM/debit card number, payment and transaction records relating to your accounts or assets, balance, income and expenses statements, financial history or background;
4. User behavior of the data subject through internet search engine (Online Behavior Information) such as cookies, Website Browsing or connection to other website of the data subject;
5. Any information relevant to the data subject’s interaction with KIRZ, such as information collected by automatic recordings through the use of KIRZ Contact Center which may include still or moving pictures and voices.
6. Personal information obtained by KIRZ from corporate customer, when such corporate customer is a counterparty of KIRZ or has a legal relationship with KIRZ and discloses personal information of their related person such as employee, personnel, officers, representatives, shareholders, authorized persons, members of the board of directors, contact persons, agents, and other natural persons in connection with such corporate customer. The corporate customer shall ensure that it has the authority to disclose and to permit KIRZ to use the personal data in accordance with this Privacy Notice.
KIRZ may collect, use or disclose your personal data based on the legitimate grounds of legal obligation, performance of contract made by you with KIRZ, legitimate interests of KIRZ or other individual or juristic person and performance under your consent. Reasons for collecting, using or disclosing are provided below:
1. To enable KIRZ to fulfil the contract between data subject and KIRZ for the products or services the data subject has requested or acquired, for instance,
- to conduct identity verification and due diligence checks e.g. know-your-customer (KYC) or customer due diligence (CDD);
- to take any steps in relation to providing of any products and/or services;
- to comply with KIRZ’s internal procedure for operational purposes;
- to send, receive documents between you and KIRZ;
- to collect payment on outstanding debts from a debtor under any facility agreement with KIRZ; or,
- to provide insurance for collaterals.
2. To comply with applicable laws and regulations, for instance,
- to prevent, detect and investigate any irregular activities which lead to unlawful activities or suspicious transactions; or,
- to report information to the Revenue Department and to report personal data to relevant government authorities or regulatory bodies, such as the Anti-Money Laundering Office, the Revenue Department, the Bank of Thailand, the Securities and Exchange Commission or the Office of Insurance Commission or when receiving summons, foreclosure or attachment orders from competent courts or government authorities.
3. To perform actions under consent obtained from data subject, such as marketing or promotional communication and offers of KIRZ’s or any third party’s products and/or services provided that such actions cannot be conducted by relying on any other lawful basis.
4. To take necessary steps for legitimate interests of KIRZ or other individual or juristic person, for instance,
- to prevent, deal with, and reduce risks of any violation of laws and regulations including to share personal data with other financial institution in order to improve operational efficiency in financial industry regarding the said matters;
- to record video of the data subject at KIRZ’s branch or office onto CCTV or visitor’s building access process before entering KIRZ’s premises for safety purpose;
- to manage risks/ to conduct audits/ to perform internal management including to deliver data to any member companies of KIRZ Financial Group for such purposes which is subject to this Privacy Notice;
- to examine an E-mail or internet using of KIRZ’s personnel and data subject for preventing unauthorized disclosure of KIRZ’s confidential information;
- to assess suitability for products and services offering to data subject and/or conduct marketing research for developing and improving products and services through data analytics or market and product analysis;
- to fulfill KIRZ’s contractual obligations or obligations under legal relationship between KIRZ and third party, i.e. KIRZ’s business partner;
- to collect, use and/or disclose personal data of related person in relation to juristic person such as its members of the board of directors, authorized persons, agents, employee; or,
- to maintain relationship with data subject such as complaint handling, satisfaction survey, notification or offer on any products and/or services of the same types of which such data subject is using for the data subject’s benefits.
If the personal data KIRZ collects from you is required to meet our legal obligations or enter into an agreement with you, KIRZ may not be able to provide (or continue to provide) the products and/or services to you if KIRZ cannot collect your personal data when requested.
For any of the purposes specified above, KIRZ may send, transfer and/or disclose personal data to third party which may be located in or outside Thailand, provided, however, that the destination country that receives personal data might not have adequate data protection standard.
KIRZ including our officers, employees, agents and advisers, may disclose your personal data to any of the following parties:
- Any member companies of KIRZ Financial Group which consists of KIRZ Financial Group Public Company Limited, KIRZ Bank Public Company Limited, KIRZ Securities Company Limited, KIRZ Asset Management Company Limited, KIRZ Insurance Solution Company Limited, KIRZ Information Technology Company Limited, Hi-Way Company Limited and All-Ways Company Limited;
- KIRZ’s business partners (see list of the business partner companies on KIRZ website);
- National Credit Bureau and credit information company including its members under the Credit Information Business law;
- Any third party upon your consent;
- Your parent, guardian, curator, heir, administrator of an estate or your legal representative for the purpose of allowing him/her to organise your assets and accounts when you are classified as a minor, incompetent, quasi-incompetent or deceased (as the case maybe);
- KIRZ’s outsource service providers whether located in or outside Thailand such as cloud service/computing provider, software developers, marketing events service providers, data research service provider, card association;
- Government authorities and/or regulators such as the Bank of Thailand, Anti-Money Laundering Office, the Revenue Department, Office of Insurance Commission, Securities and Exchange Commission, courts, police or auditor;
- Debt portfolio purchasers such as an asset management company, etc.;
- Any relevant persons as a result of activities relating to selling rights of claims and/or assets, restructuring or acquisition of any of KIRZ’s entities including their officer, employee, agent or director; and/or,
- Other persons having legal relationship or contract with KIRZ and KIRZ considers necessary to disclose personal data in order to provide products and/or services.
Subject to applicable law, regulations and/or banking industry guidelines, data subject may have the following rights:
1. Right to withdraw consent
You have the right to withdraw consent that has been given to KIRZ for collection, use and/or disclose of your personal data at any time, unless it is restricted by applicable laws or you are still under beneficial contract.
KIRZ is entitled to continue collecting and using data subject’s personal data, which has previously been collected by KIRZ before the effectiveness of the PDPA in relation to the collection, use and disclosure of personal data, in accordance with the original purposes. If data subject does not wish KIRZ to continue collecting and using your personal data, you may notify KIRZ to withdraw your consent at any time.
Withdrawal of your consent may affect your use of products and/or services. For example, you may not receive privileges, promotions or new offers, products and/or services that are enhanced and consistent with your needs, or not receive beneficial information. For your benefits, you are advised to learn and ask for consequences before withdrawing your consent.
2. Right to access
You have the right to request access to and obtain copy of your personal data holding by us and to request the disclosure of the acquisition of your personal data obtained without your consent.
3. Right to rectification
You have the right to instruct KIRZ to rectify your personal data to be updated, complete and not misleading.
4. Right to data portability
You have the right to receive your personal data in case KIRZ can arrange such personal data to be in the format which is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means. Also, you have the right to request KIRZ to send or transfer your personal data in the aforementioned format to third party, or to request to directly obtain your personal data in such format which KIRZ sent or transferred to third party, unless it is impossible to do so because of the technical circumstances, or KIRZ is entitled to legally reject your request.
Your personal da ta mentioned above must be under your consent given to KIRZ to collect, use, and/or disclose; or those KIRZ deems necessary to collect, use and/or disclose to allow you to use products and/or services that meet your need under your contract with KIRZ; or to take steps at your requests before using products and/or services; or as legally required by competent authority.
5. Right to erasure
You have the right to request KIRZ to delete, destroy or anonymise your personal data if you believe that the collection, use and/or disclosure of your personal data is against relevant laws; or retention of your personal data by KIRZ is no longer necessary in connection with related purposes for which it was collected under this Privacy Notice; or when you exercise your consent withdrawal right or object to the processing of your personal data.
6. Right to restrict
You have the right to request KIRZ to restrict the use of your personal data when KIRZ is pending examination process in accordance with your request to rectify your personal data or to object the collection, use or disclosure of your personal data, or you request to restrict the use of personal data instead of the deletion or destruction of personal data which is no longer necessary.
7. Right to object
You have the right to object the collection, use or disclosure of your personal data under certain circumstances descripted in this Privacy Notice.
8. Right to lodge a complaint
You have the right to make a complaint with competent authorities in the event that you believe that the collection, use or disclosure of your personal data is violating or not in compliance with any applicable laws or PDPA.
The exercise of data subject rights mentioned above may be restricted under relevant laws and it may be necessary for KIRZ to deny or not be able to carry out your requests for some reasons, e.g. to comply with laws or court orders, public tasks, your request in breach of rights or freedom of other persons.
KIRZ has implemented policies, guidelines and minimum standards to manage data subject’s personal data, such as information technology safety standard, to protect your personal data from unauthorized access or personal data breaches. KIRZ has improved such policies, guidelines and minimum standards from time to time in accordance with requirements under applicable laws.
In addition, officers, employees, agents and contractors of KIRZ have duties to protect personal data of data subject in accordance with confidentiality agreement signed with KIRZ.
If KIRZ needs to send or transfer personal data of data subject to other country that has less standard of personal data protection, KIRZ will take actions as we deem necessary at least equal to the standard of confidentiality of that country such as having confidential agreement with a counterparty in that country.
In the event that the data subject is no longer the customer of KIRZ or has ended relationship with KIRZ, KIRZ will consider retaining the personal data of data subject for a certain period required by relevant laws, KIRZ’s policies and guidelines in connection with retention period of personal data. For example, retention period under Anti-Money Laundering Act of B.E. 2542 is at least 10 years after the relationship between customer and KIRZ has ended. KIRZ will erase or destroy your personal data when it is no longer necessary or when the retention period lapses.
Change to this Privacy Notice
We may change or update this privacy notice from time to time and we will inform the updated Privacy Notice at KIRZ website.
How to Contact KIRZ
If you have any questions or would like more details about the collection, use and/or disclosure of your personal data or would like to exercise your rights or file compliant, please contact KIRZ through any of the provided service contact channels.