Personal Data Protection Policy
Muangthai Captial Public Company Limited and the subsidiaries the "Company" are aware of the importance of data protection issues. This policy explains how the Company handles personal data of data subjects, including the collection, storage, use, disclosure, and rights of data subjects, to ensure that data subjects are aware of the Company’s policy on personal data protection. The Company therefore declares the policy regarding the Personal Data Protection Act B.E.2562 (2019) as follows
1. Respect for the Privacy Rights of Service Users
The Company respects and emphasizes the rights, personal data, and data protection of data subjects. The Company understands that data subjects desire to have their personal data securely managed by the Company.
2. Legal Basis for Personal Data Collection
The Company will collect personal data of data subjects based on the legal processing of personal data as follows
- Necessary for the protection or prevention of danger to life, body, or health of individuals.
- For the performance of a contract.
- For the execution of tasks for the public interest.
- Necessary for the legitimate interests pursued by the Company.
- For compliance with legal obligations.
- With the consent of the data subject.
- For the preparation of historical documents, research, or significant statistics.
3. Sources of Personal Data
- The Company will collect and compile data as provided by the data subject to the Company or that which exists with the Company, including information from product or service registrations, participation in various company activities online, or data usage through the Company’s website as well as information obtained when the data subject contacts the Company.
- The Company may collect and compile personal data of the data subject with the personal data of the data subject received from other sources, only in cases where it is necessary and with the consent of the data subject. This is done for the purpose of updating the personal data of the data subject to ensure accuracy and to improve the quality and efficiency of the Company’s services.
4. Collected Personal Data
- Personal information such as name, title, surname, date of birth, age, national identification number, occupation information, workplace, salary information, signature, political affiliation.
- Contact information such as address, phone number, email, Line ID, land title deed number, residence location map.
- Transaction and financial data that is salary information.
- Any other information that the data subject consents to provide to the Company, such as suggestions, vehicle information.
The Company will not collect sensitive personal data of the data subject, such as genetic characteristics, sexual behavior, or data possibly causing harm, damaging reputation, or leading to discriminatory treatment, unless the Company collects such data under the lawful processing of personal data as prescribed by law.
5. Purposes of Personal Data Collection
The Company will collect personal data in a lawful and fair manner for the benefit of the data subject in using products and/or services, as well as to comply with any applicable law. The data will also be collected for any other purposes as specified in this policy.
1. To enable the data subject to use the products and/or services of the Company according to their desires, as the data subject is in a contractual relationship with the Company, or to use for processing requests of the data subject before using the products and/or services of the Company, for example:
1.1 Consideration for approval of various products and/or services, such as loan applications, insurance, payments, or any property.
1.2 Any operations related to the provision of various products and/or services such as processing, contacting, notifying, complaints, outsourcing to external service providers, transferring rights and/or duties, debt notification or product/service renewal reminders, debt collection monitoring.
In cases where the Company needs to collect personal data for contract performance, legal compliance, or necessity in contracting, if the data subject refuses to provide personal data or objects to the processing activities’ purposes, it may result in the Company being unable to fully or partially proceed with or provide the requested services.
2. To fulfill legal obligations or enforce compliance, such as:
2.1 Compliance with orders from legally empowered authorities.
2.2 Compliance with laws under the supervision of the Bank of Thailand, securities laws, insurance laws, tax laws, anti-money laundering laws, laws preventing and combating terrorism financing, laws preventing and combating financial support for terrorism and proliferation of weapons of mass destruction, bankruptcy laws, and other laws that the Company must comply with, both domestically and internationally, including announcements and regulations issued in accordance with the aforementioned laws.
In cases where the Company needs to use and/or disclose personal data for legal compliance purposes of the Company or to enter into contracts with the data subject, the Company may not be able to deliver products and/or services to the data subject (or may not be able to provide products and/or services to the data subject in the future) if the Company cannot collect personal data when requested.
3. To carry out necessary operations under the Company’s legitimate interests or of another person or legal entity without exceeding the extent that the data subject can reasonably expect (Legitimate Interest) such as:
3.1 Recording calls at Call Centers, CCTV surveillance, exchanging cards before entering buildings.
3.2 Maintaining relationships with data subjects, such as managing complaints, assessing satisfaction, taking care of data subjects by the Company’s employees, notifying or presenting products and/or services similar to those the data subjects have with the Company, which are beneficial to the data subjects.
3.3 Risk management, auditing, internal management within the organization, including transferring to companies within the same business group for the mentioned purposes, under the Company’s personal data protection policy.
3.4 Making personal data unidentifiable.
3.5 Preventing, addressing, and reducing risks of fraudulent activities, breaches of payment obligations or contracts, violations of various laws, including disclosing personal data to elevate the working standards of the Company within the same business group/business to prevent, address, and reduce risks.
3.6 Collecting, using, and/or disclosing personal data of directors, authorized persons acting on behalf, representatives of corporate clients.
Sending parcels or letters.
4. To benefit from using products and/or services as chosen by the data subject’s consent, such as:
4.1 To ensure that the data subject receives products and/or services that meet their needs and preferences.
4.2 To provide the data subject with offers, special privileges, recommendations, and various information, including the right to participate in special activities. In all cases, whether it is product and/or service, privileges, information, or special activities offered by the Company or by individuals represented by the Company, agents, distributors, or business partners, or by external individuals associated with the Company, it depends on the specific consent given by the data subject.
6. Cookie Policy
The Company’s website uses cookies to enhance user experience and improve functionality. Cookies are text files stored by the Company on the user’s hard drive via the web page server. Cookies cannot be used to open programs or deliver viruses to the user’s computer. They are chosen to identify users and can be read by the domain’s web server where the cookies are used with the users.
The Company may use cookies to collect and track data for statistical purposes to operate the website and services. Users can choose to accept or reject cookies. Most web browsers accept cookies automatically, but users can typically modify their browser settings to reject cookies if desired. If users choose to reject cookies, they may not be able to use or access certain features of the website and services.
7. Individuals who disclose the information and provide services to third parties
The Company may disclose personal data to external parties, including companies within the same business group, data processors, business partners, and related individuals. This includes managers, employees, contractors, agents, consultants of the Company, and individuals or entities who are recipients of such data.
The Company may disclose personal data to individuals as required by law, such as government agencies or authorities to fulfill legal obligations or significant purposes. This includes relevant committees involved in Company’s legal operations, regulatory bodies, or in cases where disclosure is requested by legal authority, such as for legal proceedings or requests from private organizations or other external parties related to legal processes.
In cases where personal data is disclosed to other individuals for marketing purposes of the data recipient, such as for sales promotion, public relations, or offering products and/or services from the data recipient to the data subject, the Company will notify the data subject of the recipient’s name to facilitate informed consent decisions.
8. Sending or Transferring Data Abroad
The Company may find it necessary to send or transfer personal data to affiliates of the same entity/business located abroad or to other data recipients as part of regular business operations. This could involve sending or transferring personal data to be stored on servers or clouds in various countries.
In cases where the destination country does not have sufficient standards, the Company will ensure that the sending or transferring of personal data complies with the law. The measures will also be implemented to protect personal data deemed necessary and appropriate in line with confidentiality standards. For example, the Company may enter into a confidentiality agreement with the data recipient in the destination country. Alternatively, if the recipient is a subsidiary of the same entity/business, the Company may choose to follow a method where the personal data protection policy has been audited and certified by relevant legal authorities. In such cases, the sending or transferring of personal data to affiliates of the same entity/business located abroad may adhere to the certified personal data protection policy instead of strictly following legal requirements.
9. Data Retention Period
The Company will retain personal data for as long as necessary and reasonable to achieve the purposes specified in this personal data protection policy. If legal proceedings are initiated, personal data may be retained until the conclusion of such proceedings, including the possible period for filing appeals and/or legal claims. Afterward, personal data will be deleted or kept permanently as permitted by applicable law.
10. Security Measures
- The Company recognizes the importance of safeguarding the security of the data subject’s personal information. Therefore, the Company establishes appropriate security measures to ensure the confidentiality of personal data to prevent loss, unauthorized access, destruction, use, alteration, or disclosure of personal data without authorization or in violation of the law. This is in accordance with the policies and practices for maintaining information security technology of the Company.
- The Company appoints a Data Protection Officer responsible for providing guidance on practices, ensuring proper conduct, coordinating when issues arise, and maintaining the confidentiality of personal data obtained through their duties.
- If there is a breach of personal data, the Company will notify the Personal Data Protection Office within 72 hours from the awareness of the incident. If the breach poses a high risk to the rights and freedoms of the data subject, the Company will promptly inform the data subject of the breach along with mitigation measures.
11. Rights of the Data Subject
- Right to Withdraw Consent: The data subject has the right to withdraw consent previously given for data processing. However, withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Right to Object to Data Processing: The data subject has the right to object to data processing based on legal grounds apart from consent.
- Right to Notification: The data subject has the right to be informed of data processed by the Company, including copies of such data.
- Right to Rectification: The data subject has the right to verify the accuracy of their data and request corrections to ensure that it is accurate and up-to-date.
- Right to Suspend Data Processing: The data subject has the right to suspend data processing. In such case, the Company will not process the data of the data subject apart from just storing the data.
- Right to Request Data Deletion: The data subject has the right to request the deletion of their personal data from the Company’s records.
- Right to Receive and Transfer Data: The data subject has the right to request their personal data in a readable format or used by a working tool or device. The Company is allowed to send or transfer personal data in such form to another data controller when able to do so by such means. This right is achieved if personal data is processed in an automated and consent-based manner with the base of contract to which the data subject is a party or before entering into a contract.
- Right to Lodge a Complaint: The data subject has the right to lodge a complaint with the relevant authority if the data subject believes that the collection, use, or disclosure of personal data is done in a manner that violates or does not comply with relevant legal principles.
- Right to Access, Copy, or Disclose Data: You have the right to access, request copies, or disclose your personal data, including requesting disclosure of the sources of your personal data.
12. Changes to the Privacy Policy
The Company may periodically update this privacy policy to align with changes in service provision, company operations, and feedback from data subjects. Clear notification of any changes will be provided by the Company before implementing them, either through explicit announcements or direct notification to the data subjects.
13. Contact for Inquiries or Exercise of Rights
Muangthai Capital Public Company Limited 332/1 Jaransanitwong Road, Bangplad Sub-district, Bangplad District, Bangkok 10700 Telephone: 02-4838888 This policy has been reviewed and approved by the Board effective 9th November, 2021.