This Privacy Notice relates to the treatment of personal data, including sensitive personal data, by any member companies of KIRZ Group (hereinafter collectively called “KIRZ”) when the data subject (hereinafter referred to as “data subject”, “you” or “your”) enters into legal relationship, makes contact with KIRZ or acquires KIRZ’s services and/or products through KIRZ’s designated channels in accordance with the Personal Data Protection Act B.E. 2562 (hereinafter referred to as “PDPA”), relevant laws and regulations.
Respecting your privacy rights is important to KIRZ. Therefore, KIRZ uses the high standard and strict process for data protection of your personal data. This Privacy Notice is to inform you of the purposes for which KIRZ process your personal data, who it may be shared with, data retention period, data destruction and rights of the data subject. You can examine information on personal data protection as follows:
Personal data that is collected, used and/or disclosed by KIRZ is the data relating to a natural person, in particular as listed below, which directly or indirectly enables the identification of such person, but not including the data of deceased persons. KIRZ might collect your personal data in a variety of ways either directly from you or indirectly from other sources e.g. Department of Business Development Ministry of Commerce, Department of Provincial Administration Ministry of Interior, Department of Consular Affairs Ministry of Foreign Affairs, Legal Execution Department Ministry of Justice, any government agencies, international organizations, KIRZ’s consultants, business partners and contracting parties, including any person appointed by the data subject or other available public sources.
1. Identification information relating to the data subject, such as first name/last name, national identification number, passport number, date of birth, marital status, workplace, work position, education information, portrait, picture, signature including sensitive personal data e.g. biometric data (fingerprint recognition data, facial recognition data), criminal records, health data, religious beliefs or race.
2. Contact information of the data subject, such as address, email address, telephone number, and other similar contact information;
3. Financial information of the data subject or transaction records which the data subject engages with KIRZ, such as account number, order number, credit card and ATM/debit card number, payment and transaction records relating to your accounts or assets, balance, income and expenses statements, financial history or background;
4. User behavior of the data subject through internet search engine (Online Behavior Information) such as cookies, Website Browsing or connection to other website of the data subject;
5. Any information relevant to the data subject’s interaction with KIRZ, such as information collected by automatic recordings through the use of KIRZ Contact Center which may include still or moving pictures and voices.
6. Personal information obtained by KIRZ from corporate customer, when such corporate customer is a counterparty of KIRZ or has a legal relationship with KIRZ and discloses personal information of their related person such as employee, personnel, officers, representatives, shareholders, authorized persons, members of the board of directors, contact persons, agents, and other natural persons in connection with such corporate customer. The corporate customer shall ensure that it has the authority to disclose and to permit KIRZ to use the personal data in accordance with this Privacy Notice.
KIRZ may collect, use or disclose your personal data based on the legitimate grounds of legal obligation, performance of contract made by you with KIRZ, legitimate interests of KIRZ or other individual or juristic person and performance under your consent. Reasons for collecting, using or disclosing are provided below:
1. To enable KIRZ to fulfil the contract between data subject and KIRZ for the products or services the data subject has requested or acquired, for instance,
2. To comply with applicable laws and regulations, for instance,
3. To perform actions under consent obtained from data subject, such as marketing or promotional communication and offers of KIRZ’s or any third party’s products and/or services provided that such actions cannot be conducted by relying on any other lawful basis.
4. To take necessary steps for legitimate interests of KIRZ or other individual or juristic person, for instance,
For any of the purposes specified above, KIRZ may send, transfer and/or disclose personal data to third party which may be located in or outside Thailand, provided, however, that the destination country that receives personal data might not have adequate data protection standard.
KIRZ including our officers, employees, agents and advisers, may disclose your personal data to any of the following parties:
Subject to applicable law, regulations and/or banking industry guidelines, data subject may have the following rights:
1. Right to withdraw consent
You have the right to withdraw consent that has been given to KIRZ for collection, use and/or disclose of your personal data at any time, unless it is restricted by applicable laws or you are still under beneficial contract.
KIRZ is entitled to continue collecting and using data subject’s personal data, which has previously been collected by KIRZ before the effectiveness of the PDPA in relation to the collection, use and disclosure of personal data, in accordance with the original purposes. If data subject does not wish KIRZ to continue collecting and using your personal data, you may notify KIRZ to withdraw your consent at any time.
Withdrawal of your consent may affect your use of products and/or services. For example, you may not receive privileges, promotions or new offers, products and/or services that are enhanced and consistent with your needs, or not receive beneficial information. For your benefits, you are advised to learn and ask for consequences before withdrawing your consent.
2. Right to access
You have the right to request access to and obtain copy of your personal data holding by us and to request the disclosure of the acquisition of your personal data obtained without your consent.
3. Right to rectification
You have the right to instruct KIRZ to rectify your personal data to be updated, complete and not misleading.
4. Right to data portability
You have the right to receive your personal data in case KIRZ can arrange such personal data to be in the format which is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means. Also, you have the right to request KIRZ to send or transfer your personal data in the aforementioned format to third party, or to request to directly obtain your personal data in such format which KIRZ sent or transferred to third party, unless it is impossible to do so because of the technical circumstances, or KIRZ is entitled to legally reject your request.
Your personal da ta mentioned above must be under your consent given to KIRZ to collect, use, and/or disclose; or those KIRZ deems necessary to collect, use and/or disclose to allow you to use products and/or services that meet your need under your contract with KIRZ; or to take steps at your requests before using products and/or services; or as legally required by competent authority.
5. Right to erasure
You have the right to request KIRZ to delete, destroy or anonymise your personal data if you believe that the collection, use and/or disclosure of your personal data is against relevant laws; or retention of your personal data by KIRZ is no longer necessary in connection with related purposes for which it was collected under this Privacy Notice; or when you exercise your consent withdrawal right or object to the processing of your personal data.
6. Right to restrict
You have the right to request KIRZ to restrict the use of your personal data when KIRZ is pending examination process in accordance with your request to rectify your personal data or to object the collection, use or disclosure of your personal data, or you request to restrict the use of personal data instead of the deletion or destruction of personal data which is no longer necessary.
7. Right to object
You have the right to object the collection, use or disclosure of your personal data under certain circumstances descripted in this Privacy Notice.
8. Right to lodge a complaint
You have the right to make a complaint with competent authorities in the event that you believe that the collection, use or disclosure of your personal data is violating or not in compliance with any applicable laws or PDPA.
The exercise of data subject rights mentioned above may be restricted under relevant laws and it may be necessary for KIRZ to deny or not be able to carry out your requests for some reasons, e.g. to comply with laws or court orders, public tasks, your request in breach of rights or freedom of other persons.
KIRZ has implemented policies, guidelines and minimum standards to manage data subject’s personal data, such as information technology safety standard, to protect your personal data from unauthorized access or personal data breaches. KIRZ has improved such policies, guidelines and minimum standards from time to time in accordance with requirements under applicable laws.
In addition, officers, employees, agents and contractors of KIRZ have duties to protect personal data of data subject in accordance with confidentiality agreement signed with KIRZ.
If KIRZ needs to send or transfer personal data of data subject to other country that has less standard of personal data protection, KIRZ will take actions as we deem necessary at least equal to the standard of confidentiality of that country such as having confidential agreement with a counterparty in that country.
In the event that the data subject is no longer the customer of KIRZ or has ended relationship with KIRZ, KIRZ will consider retaining the personal data of data subject for a certain period required by relevant laws, KIRZ’s policies and guidelines in connection with retention period of personal data. For example, retention period under Anti-Money Laundering Act of B.E. 2542 is at least 10 years after the relationship between customer and KIRZ has ended. KIRZ will erase or destroy your personal data when it is no longer necessary or when the retention period lapses.
Change to this Privacy Notice
We may change or update this privacy notice from time to time and we will inform the updated Privacy Notice at KIRZ website.
How to Contact KIRZ
If you have any questions or would like more details about the collection, use and/or disclosure of your personal data or would like to exercise your rights or file compliant, please contact KIRZ through any of the provided service contact channels.