1. COLLECTED PERSONAL DATA

For the purpose of this Policy, “Personal Data” means any identified or identifiable information about you and relate to you as listed below. Any reference to Personal Data in the text of this Policy also includes Sensitive Data. Certain information about you is necessary for the provision of products or services. Failure to provide such information may result in us not being able to provide such products or services to you.

“Sensitive Data” means Personal Data classified by law as sensitive data.

1.1 YOUR PERSONAL DATA 

1.1.1 PERSONAL BANKING PRODUCTS OR SERVICES

For personal banking and financial products or services and its related products and services (“Personal Banking”), we may collect the following Personal Data about you:

a) General Information: such as your title; first name; last name; gender; date of birth; age; nationality; signature; picture; stills and moving images; voice records from CCTV footage or telephone call records with call center, the Bank or other telephone communication Channels; government issued documents (e.g., national identification card, government official identification card, household registration, tax identification number, passport, visa, work permits, foreigner certificate, and/or other similarly identifiable documents); blood type; marital status; education level; employment information (e.g., job title, employment status, employment background, employer

name, employer address, nature of business designation, and length of current service); occupation; and relationship with any specified person of the Bank;

b) Contact Information: such as your home address; office/business address; personal email address; office/business email address; telephone number; and mobile number;

c) Financial related Information: such as your current-used debit/credit card information (e.g., credit card number, transaction records, and payment amount); housing situation; assets and income and its supporting documents (e.g., basic monthly salary, salary certificate, bank statement); information obtained from the National Credit Bureau (NCB) (e.g., credit limit, credit use, and original loan amount); credit history; and source of funds;

d) Products or Service related Information: such as for your loan/security request and other information as filled in the application form (e.g., if the loan is for the purchase of property - details of such property, purchased price, date, person(s) who will be the owner, copy of agreement/contract to buy/sell, and copy of Aor.Chor. Form (ownership of condominium)); outstanding loans; account opening purpose; reasons for opening account in Thailand (in case of foreign data subjects); anticipated account activity; type of account to be opened; existing account; account number; card type; channel for receiving report; purpose of fund transfer; and details of insurance related products or services;

e) Business related Information: if you are a business owner or self-employed, we may also collect the company registration issued by the Ministry of Commerce (MOC), for which, it may contain name of authorized signatory; and

f) Sensitive Data: such as sensitive data as shown in the identification documents (e.g., religion, racial or ethnic origin) and biometric data (e.g., fingerprints and facial recognition).

1.1.2 CORPORATE BANKING PRODUCTS OR SERVICES

For corporate banking and financial products or services and its related products or services (“Corporate Banking”), we may collect the following Personal Data about you:

a) General Information: such as your title; first name; last name; gender; date of birth; age; nationality; signature; picture; stills and moving images; voice records from CCTV footage or telephone call records with call center; government issued documents (e.g., national identification card, passport, and work permits, and/or other similarly identifiable documents); and blood type;

b) Contact Information: such as your email address; address and postal address; and telephone number;

c) Business related Information: such as name of business; and details of company

registration; and

d) Sensitive Data: such as sensitive data as shown in the identification documents (e.g., religion, racial or ethnic origin).

1.1.3 OTHER ADDITIONAL INFORMATION FOR ALL PRODUCTS AND SERVICES (AS APPLICABLE)

a) Behavior information: such as your marketing preferences; feedback; interest in participating in a contest or prize draw or other sales promotions, or response to a voluntary customer satisfaction survey;

b) Social media account and information from Online Channels: such as your social media account ID and profile picture, including other information that is part of your profile relating to those accounts; and

c) Technical information: such as your display name; password on our system; browser and electronic device information; app usage data; information collected through cookies, pixel tags, and other technologies; demographic information and other information provided by you, aggregated information, and any other technical information from the use of our online Channels (e.g. website).

1.2 PERSONAL DATA OF OTHER DATA SUBJECTS

We may also collect the Personal Data of other persons, including but not limited to: your spouses, dependencies, beneficiaries, reference persons, and/or conflict of interest persons, in the course of the provision of our services and products. By providing other personnel's Personal Data to us, you will ensure that they have seen and/or understand the information in this Policy about how we may use their Personal Data, and that you have the authority to do so and to permit us to use such Personal Data in accordance to this Policy and applicable laws.

1.3 PERSONAL DATA OF MINORS, QUASI-INCOMPETENT, AND INCOMPETENT PERSONS

We only collect the information of minors under the age of 16, quasi-incompetent persons, and incompetent persons where their parents or guardians have given their consents as required under the personal data protection law. We do not knowingly collect information from minors under the age of 16 without their parental consent when it is required by applicable laws, or from quasi-incompetent persons and incompetent persons without their legal guardian consents. In the event we learn that we have unintentionally collected Personal Data from minors under the age of 16 without parental consent when it is required by applicable laws, or from quasiincompetent persons and incompetent persons without their legal guardian's consent, we will delete it in a timely manner or process only if we can rely on other legal bases apart from consent. 

2. THE PURPOSE OF WHICH WE COLLECT, USE, AND/OR DISCLOSE PERSONAL DATA 

Except in limited instances when we indicate that certain information is based on your consent, we collect, use, and/or disclose your Personal Data on the legal basis of processing of (1) contractual basis, for performance of activity in relation to the service or product you requested; (2) legal obligation, for fulfilment of our legal obligations; (3) legitimate interest, for the purpose of our legitimate interests and the legitimate interests of third parties, proportionate to your interest and fundamental rights and freedoms in relation to the protection of your Personal Data; (4) vital interest, for the prevention or suppression of danger to a person's life, body, or health; (5) public interest, for the performance of task carried out in the public interest or for exercising of official authorities or duties; and/or (6) the reason for an establishment and defenses of legal claims in the future. 

We may collect, use, and/or disclose your Personal Data for the following purposes: 

2.1 CONSENT/EXPLICIT CONSENT REQUIRING PURPOSES: 

a) Activities related to sensitive data:  

o Sensitive data as shown in the identification documents (e.g., religion, racial or ethnic origin) to authenticate and verify identity of a person; and/or to perform KnowYour-Customer (KYC) process;

o Biometric data (such as fingerprints and facial recognitions) to authenticate and verify identity of a person and/or to perform Know-Your-Customer (KYC) process; and/or  

b) Marketing communication: to provide marketing communications, information, special offers, promotional materials, tele-marketing, privilege, advertisement, newsletter, and any marketing and communications, both online and offline channels, about products and services from us and business partners where we cannot rely on other legal bases.

Consent refusal or withdrawal may result in us not being able to perform or continue to perform our contractual obligation with you.

2.2 THE PURPOSES THAT WE RELY ON OTHER LEGAL BASIS 

a) Provision of our products or service to you: to assess the merits and suitability of the data subjects as actual or potential applicants for financial and banking products or services; to conduct credit check or historical payment record when appropriate or required by applicable laws; to process and/or approve their applications, variation, renewals, cancellations, reinstatements, and claims; to execute relevant contract with you; to provide our products and services to you; to facilitate the daily operation of the services; to open a bank account; to assign appropriate credit limit to the data subjects; to review your behavior in consideration of loan approval procedure; to perform loan approval procedure, including credit and credit card approval; to conduct business and credit analysis; to evaluate business and financial needs; to structure credit product in line with data subjects' need and risk appetite; to transfer/ remit funds; to deliver award to data subjects under the loyalty program; to print and to send bill statements; to generate report in certain circumstances such as for settlements purpose; to update payment information and/or transfer of money; to determine or collect outstanding balance owed to or by the data subjects; to perform debt collection procedure; to deliver outstanding debt to data subjects; to provide reference; and to execute global market products transaction with you or your counterparties;

b) Managing our relationship with you: to contact and communicate with you as requested by you or in relation to the products and services you obtain from us or as part of our business; to send you important information regarding changes to our financial and banking terms and conditions, renewal of policies and other administrative information; to handle any queries or compliant from you such as via call center; to contact your reference persons in order to confirm the facts and information given to us; to carry on business communication (e.g. to send indicative term sheet); to detect our own errors; to deal with technical issues encountered by you; and to provide you with update on recent development, commercial terms or work progress;

c) Authentication and verification of your identity: to perform Know-Your-Customer (KYC) and signature process; to conduct name screening; and to verify and authenticate a person via call center;

d) Provisions of marketing communications to you: to provide you with marketing communications, tele-marketing, re-marketing, advertisement, privileges, sales, special offers, notice, newsletter, updates, announcements, promotions, campaigns, news and information, relating to the products or services from us and business partners in accordance with preferences you have expressed directly or indirectly; to personalize, profile and analyze your Personal Data; to target and retarget potential customers; to manage campaigns and analysis; and to personalize your experience when using our online Channels or visiting third-party websites by presenting information and advertisements tailored to you, relating to the products or services offered by us and business partners in accordance with preferences you have expressed directly or indirectly; to allow you to access to or be a part of our sale offers, promotions, privileges, campaign, events, seminar, contests, sweepstakes, competitions, event or booth setting together with our branch for interaction with you, including to promote or advertise the related sales and services; and to facilitate you in our activities participation;  

e) Business operation and development of the Bank: to manage our infrastructure and business operations; to comply with our internal policies and procedures, relating to auditing, finance and accounting, billing and collections, business continuity, reporting and general servicing and maintenance of our products or services; to maintain customer records, documents and credit history as evidence or for future reference; to manage internal flow of information; to perform our functions related to our businesses; to create report in order to assess and improve the Bank's performance; to develop products and/or service; to create and maintain Company's scoring models; to analyze competition in the market; to carry out surveys, data analytics, and market research, including analysis of data subjects base; to record your stills and moving footage, images, and/or voice for creation of public relations and marketing materials, such as for post on social medial or for live video; to conduct internal analysis for improvement; to assess and manage risks; to calculate commissions and service fees to our business partners or service providers; to distribute information to our business partners, including related industry associations; and to engage, manage, monitor and assess the business relationship with the suppliers, contractors, service providers, business partners and their staffs who provide services to the Bank;

f) Fraud detection: to authenticate and verify your identity in order to prevent risk of money laundering; to check the information provided; to carry out due diligence or other screening activities to comply with our legal or regulatory obligations or risk management procedures required by law or put in place by us; to assign customer risk level based on their behavior; and to detect, prevent and investigate fraud in relation to our products or services;  

g) Protection of our interest: to establish, protect or defend our legal rights; to perform risk mitigation procedure; to ensure ongoing credit worthiness of data subjects; to take legal action against relevant data subjects; to protect our, parent company, affiliates and subsidiaries' operations, privacy, safety or property, and/or that of ours, you or others; to allow us to pursue available remedies or limit our damages; and to assess compliance with applicable laws, rule, regulations, and internal policies and procedures;  

h) IT management: to manage our internal and external IT operations and communication system including IT security, IT security audit, and IT record keeping; and to set system access authority;  i) Compliance with legal obligation: to collect, use, and/or disclose your Personal Data in compliance with our legal obligations, rights or duties and/or legal proceeding under the applicable laws (e.g., those in relation to financial and banking, anti-money laundering, and sanction screening), including laws outside your country of residence; and to respond to investigation requests from public and governmental authorities;

j) Merger and/or acquisition of business: to sale; transfer; merge; reorganize or conduct similar activity which may involve transferring/disclosing of your Personal Data as part of business transaction; and

k) Life: to prevent or suppress a danger to a person's life, body, or health.

3. DISCLOSURE OF YOUR PERSONAL DATA 

We may disclose your Personal Data to the following parties, for the purposes as described above:  

3.1 Parent Company: The Bank is a wholly-owned subsidiary of Bank of China (Hong Kong) Limited (“BOCHK”) which is one of the most important commercial banks in Hong Kong, we may disclose your Personal Data to BOCHK, for the purposes set forth in the Policy. BOCHK will rely on the consent obtained by us to use your Personal Data.

3.2 Business Partners: We may disclose your Personal Data to our business partners to provide our products or services to you, including but not limited to:

a) Card scheme operators: such as MasterCard Card and UnionPay;

b) Payment services providers: such as SWIFT; National ITMX Company Limited and Counter Service Company Limited;

c) Other banks and financial institutions

d) Insurance companies and insurance brokers

e) Appraisal Companies

f) Co-branded partners

3.3 Service Providers: We also use outsourcing companies to provide service on our behalf and to support us in our business operations. We may disclose your Personal Data to these service providers, or they may collect your Personal Data on our behalf. These third parties service providers include, but are not limited to: (1) card production companies; (2) printing service providers; (3) outsourcing data warehouse storage and/or cloud service provider; (4) infrastructure and/or IT systems, support and hosting service providers, including e-token service providers; (5) event organizers; (6) courier and/or delivery services; (7) digital security and/or connectivity service provider; (8) Affiliates shared service providers; (9) advertising, marketing and market research and analysis service providers; and (10) similar third-party vendors and other outsourced service providers that assist us in carrying out business activities.

3.4 Professional Advisors: We may use the service of the professional advisors whom we may disclose your Personal Data to. The professional advisors we use include, but are not limited to, legal advisors and/or lawyers; auditors; and professional consultants (such as human resources, expert in actuarial science, accounting, finance, business analytics, statistics, risk management and/or computer engineering).

3.5 Governmental Authorities and/or Other Third Parties required by law: We may disclose your Personal Data to governmental, regulatory or other public authorities (including but is not limited to, Bank of Thailand (BOT), Anti-Money Laundering Office (AMLO), Securities and Exchange Commission (SEC), the Revenue Department (RD), Deposit Protection Agency, and Office of Insurance Commission (OIC)), and/or any law enforcement authorities and courts); third party participants in legal procedures or other third party as we believe to be necessary or appropriate to comply with our legal obligation, defend legal rights or position of us and parent company and affiliates, or otherwise the rights of any third party or individuals' personal safety, and allow us to pursue available remedies or limit our damages.

3.6 Credit Bureau: We may disclose your Personal Data to the credit reference agencies, including the National Credit Bureau (NCB), to report or learn about your financial circumstances and for other lawful purposes.

3.7 Assignee of Rights and/or Obligation: In the event of any reorganization, merger, business transfer, whether in whole or in part, sale, purchase, joint venture, assignment, transfer of other disposition of all or any portion of our business, assets or stock or similar transaction, we may transfer/disclose your Personal Data to such third party.

When we share your Personal Data, you may be governed by the privacy policies of those third parties as they may also act as a data controller of your Personal Data. We suggest that you read their respective privacy policies to understand how they collect, use, and/or disclose your Personal Data. Where you wish to exercise the rights relating to your Personal Data held by those third parties, please directly contact them through their available channels. 

4. INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA 

Due to the global nature of our business, your Personal Data may be transferred to third parties, such as our parent company, affiliates Bank of China Limited, service providers, business partners, governmental or public authorities located in other countries (including, but not limited to China, Hong Kong, and Singapore) for the purpose set forth in this Policy. Where there is a cross-border transfer of your Personal Data, it will be done based on your consent or other bases in compliance with the applicable laws. 

Please note that, some recipients of your Personal Data may be located in countries which may not have the same adequate data protection standard as Thailand. When we transfer your Personal Data outside Thailand, we will put in place appropriate safeguards in accordance with our legal obligations to ensure that your Personal Data will be adequately protected irrespective of the country to which it is transferred. 

5. RETENTION PERIOD OF YOUR PERSONAL DATA 

We will store your Personal Data while you are our customer and once you have ended the relationship with us for as long as it is necessary for the purposes for which it was collected, and in accordance with the applicable laws. 

We will store your Personal Data for as long as the prescription period or as required by applicable laws and to comply with our legal obligations. However, we may need to retain your Personal Data for a longer duration, as required and/or permitted by applicable laws.

6. YOUR RIGHTS

The rights listed in this section are your legal rights, where you may request to exercise these rights under the condition as prescribed by law and our right management procedure. These rights are as follows:

• Right to Access: you may request the access, or obtain a copy of your Personal Data, or to disclose the source of acquisition of your Personal Data that is obtained without your consent.

• Right to Rectify: in the case where your Personal Data may be inaccurate, not up-to-date or is incomplete, you may request to have such Personal Data be amended or modified accordingly.

• Right to Erasure or Right to be forgotten: you may request the deletion, destruction or anonymization of your Personal Data to the extent permitted by law.

• Right to Restrict Processing: you may request the restriction to processing of your Personal Data.

• Right to Object: you may object to the processing of your Personal Data in particular situation.

• Right to Withdraw Consent: where you have given your consent for the processing of Personal Data, you have the right to withdraw such consent at any time. However, if the right to withdraw consent is exercised, we may not be to perform or continue to perform our contractual obligation with you.

• Right to Portability: where legally applicable, you have the right to request us to provide your Personal Data in a structured, commonly used and machine-readable format, and transmit it to another organizations; and

• Right to Lodge a Complaint in case you notice that the Bank does not comply with the data protection laws: you may lodge a complaint with the competent authority, if you believe that our processing of your Personal Data is not done in accordance to the applicable data protection law. 

7. THIRD PARTY WEBSITES 

This Policy does not address, and we are not responsible for, content, information or privacy practices employed by any of the third parties. The inclusion of link on our website does not imply endorsement of the linked site or service by us or by our parent company or affiliates.  

Unless otherwise stated, any Personal Data provided to any such third party websites will be collected by that party, and not by us, and will be subject to that party's privacy policy (if any), rather than this Policy. In such situation, we have no control over, and shall not be responsible for that party's use of the Personal Data you provided to them.  

8. DATA SECURITY 

As a way to protect personal privacy, the Bank maintains appropriate security measures, which includes administrative, technical and physical safeguards in relation to access control, to protect the confidentiality, integrity, and availability of Personal Data against any accidental or unlawful or unauthorized loss, alteration, correction, use, disclosure or access, in compliance with the applicable laws. 

In particular, the Bank has implemented access control measures which are secured and suitable for our collection, use, and disclosure of Personal Data. The Bank restricts access to Personal Data as well as storage and processing equipment by imposing access rights or permission, user, access management to limit access to Personal Data to only authorized person, and implement user responsibilities to prevent unauthorized access, disclosure, perception or unlawful duplication of Personal Data. This also includes methods that enabling the re-examination of unauthorized access, alteration, erasure, or transfer of Personal Data which is suitable for the method and means of the Processing of Personal Data.

9. CHANGES TO THE POLICY 

This Policy was last updated on March 22, 2023. In order to ensure this Policy effectively reflects our business operation and/or in compliance of any legal requirement, the Bank reserves the right, in our sole discretion, to make changes or amend this Policy at any time we deem appropriate. In the case where significant modification was made to this Policy, the Bank will use reasonable efforts in order to notify you (e.g., by posting the update on our sites and/or emailing you the revised policy). If any changes made to this Policy requires your consent under the applicable laws, we will notify you and obtain your consent again.   

10. CONTACT DETAILS 

If you wish to exercise your rights as set out above, or if you have any questions or comments about your Personal Data, you may reach us or our Data Protection Officer (DPO) at:

Bank of China (Thai) Public Company Limited

• Address: 179/4 Bangkok City Tower, South Sathorn Road, Tungmahamek, Sathorn, Bangkok 10120, Thailand

• Contact Details:

o Phone number: 02 679 5566 (Monday – Friday (excluding public holidays) at 8:30 AM – 5:30 PM)

o Email address: callcenter.th@bankofchina.com

Data Protection Officer (DPO)

• Address: 179/4 Bangkok City Tower, South Sathorn Road, Tungmahamek, Sathorn, Bangkok 10120, Thailand

• Email address: dpo.th@bankofchina.co.th