Privacy Notice for Service User
The Bank for Agriculture and Agricultural Cooperatives
The Bank for Agriculture and Agricultural Cooperatives (“Bank”) recognized the privacy rights of the data subject (“Service User”). Due to the rapid development of information technology and communication, Personal Data is now easy, convenient, and fast to access which could potentially cause damage to the data subject. The Bank, therefore, has set out a Privacy Notice for Service User to comply with Personal Data Protection Act B.E. 2562 as a security measure of Personal Data protection, in order to ensure the Service User that the Personal Data will be used under the purpose and comply with the laws.
This Privacy Notice aims to inform the Service User the purposes of collecting, using, and/or disclosing Personal Data along with the legal rights of the services with the following context;
1. Definitions
Personal Data means any person-related data which can be identified as a natural person directly or indirectly. Whereby the Bank may collect the Service User’s Personal Data including sensitive data. Nonetheless, the Bank shall collect Personal Data only to what is necessary to fulfill the purposes under the contractual relationship between the Bank and the Service User, or perform at the Service User’s request prior to using the Bank’s products or services. The detail of the types of Personal Data and Sensitive Data that the Bank will collect are as follows:
1.1 General Personal Data such as:
(1) Personal Information such as name- surname, gender, date of birth, age, nationality, residence, birthplace, signature, marital status, children, education background, degrees, personal information which issued by the government official (such as national identification card, passport, taxpayer identification number, driver license, certificate of name changes, work permit, title deed, documents related to VISA, etc.) pictures, voice recording, video audio from CCTV, and other personal information or legal documents.
(2) Contact information such as phone number, fax number, email, LINE ID, Facebook account and other social media accounts that can identify the Service User, address on national identification card or house registration document, current residence, or location.
(3) Work information such as occupation, position, job descriptions, workplace, type of business, type of organization, working experience, social security information, personal information that issued in the document such as company certificate, income tax payment certificate and commercial registration, and so on.
(4) Financial information such as income level, sources of income and investment, salary certification, income statement, pay slip, financial status information, name, and bank account number, ATM number, personal identification number of ATM/Debit, loan information, assurance, debt, credit card number, deposit information, funds and stocks, burden-free property, expense, credit information, financial statement, financial information and so on.
(5) Transaction information such as bank transaction information, balance of payment, money transaction information, reason for the transaction on bank’s products and services, information and detail on the contract and agreement, personal information of the transaction (such as a copy of national identification card, a copy of house certificate, photo, title deed and pictures of the real estate) transaction records and so on.
(6) Technology information such as computer traffic data (Log), internet protocol address number (IP), location information (Location) identified by location technology, type of internet browser (Browser), website log data, history data, login data history (Login Log), transaction data, browser statistic, access time data (Access Time) search engine or site visiting, social media information, the use of various functions on the website, and the Bank’s information by using cookie and the same technology and so on.
(7) Behavioral information such as detail on the behavior and livelihood, attitude, opinion and fact on the Service User’s behavior related to experiences on products and services, feedback information of the Service User on the products and services, preference data of the Service User on the marketing of the Bank, complaint data, and data for establishing legal claims of the Service User.
1.2 Sensitive Data
means data as stipulated in Section 26 of Personal Data Protection Act B.E. 2562 (“PDPA”). In which the Bank collects Sensitive Data pertaining to race, religious belief, criminal record, health data, disability data, biometric data (such as fingerprint or facial recognition.)
2. Purposes of Processing of Personal Data
The Bank collects, uses, and/or discloses Personal Data of Service User by relying on lawful basis to collect, use, and/or disclose, for the following purposes:
(1) Where it is necessary for the performance of a contract.
(2) Where it is necessary for a purpose which required consent.
(3) Where it is necessary to comply with the related laws.
(4) Where it is necessary for the legitimate interest of the Bank or other third persons and such interests are as important as the Service User’s fundamental rights in Personal Data.
(5) Where it is necessary for preventing or suppressing a danger to a person’s life, body, or health.
(6) Where it is necessary for the performance of a task carried out in the public interest or the exercise of official authority.
Aforesaid, the Bank shall rely on lawful basis for processing the Personal Data listed in (1) to (6) to collect, use, and/or disclose for the following purposes:
2.1 For the performance of the contract to which the Service User is a party or for the execution of the Service User 's request or other related activities under laws.
2.2 For processing, managing, and proceeding with a loan request, banking transactions, insurance, as well as any services the Service User performs with the Bank, its network or its business partners.
2.3 For analytical purposes or to improve the Bank’s products/services.
2.4 To comply with relevant or applicable laws, regulations, orders.
2.5 To monitor or verify the Personal Data of the Service User.
2.6 To provide information about the Bank’s new financial services, loans, other services, or improve products/services, or used in coordination.
2.7 To verify or identify the Service User’s authentication when using the services.
2.8 For any purposes necessary for the legitimate interest of the Bank, other persons, or other third parties under laws.
2.9 For maximizing the Service User’s benefit in using products and/or services of the Bank, Bank agent, or business partner, according to their given consent.
3. Source of Personal Data
Method of collection of Personal Data: The Bank shall collect Personal Data from different sources which include:
3.1 Personal Data obtained directly from the Service User through applications and any related documents such as a copy of identification card and copy of house registration in paper or electronic format.
3.2 Personal Data obtained from other sources, other agencies, or business partners for the benefit to the Service User regarding financial services. The Bank shall only collect data after the Service User provides consent as required by the laws unless there is any exception under the laws.
4. Retention Period in Storing Personal Data
In the event where the Service User terminates the contractual relationship or withdraw the consent for collecting, using, and/or disclosing Personal Data, the Bank will continue to store the Personal Data in accordance with the regulations, orders, or guideline for data retention and data disposal in compliance with the laws.
5. Disclosure of Personal Data
The Bank shall retain the Personal Data strictly confidential set forth by laws and only to the extent necessary for the abovementioned purposes. Nonetheless, the Bank may disclose Personal Data to other agencies authorities under laws. For example, disclosing Personal Data to Government agencies or authorized organization under laws whose operations relate to financial sectors / authorized third parties under laws or business alliances of the Bank whose operations relate to the contract for the fulfillment of the request of the Service User or the benefit of the performance in accordance with the purpose of the service.
6. Cross-Border Personal Data Transfer
The Bank may send or transfer Personal Data which the Bank collects, uses, and/or discloses abroad necessary for the performance of a contract in which the data subject is a contractual party, or for the fulfillment of the data subject request, or necessary for business operation of the Bank, or in accordance with the purposes to process Personal Data. The destination country or international organization receiving Personal Data must have adequate Personal Data protection standards set forth by laws.
7. Rights of the Data Subject
7.1 The right to access or request for a copy of their Personal Data controlled by the Bank or requests the Bank to inform any acquisitions of Personal Data in which consent has not been given.
7.2 The right to request the Bank to rectify, correct, add, or update their Personal Data.
7.3 The right to receive their Personal Data from the Bank in which the Bank shall arrange such Personal Data to be in the format which is readable or commonly used by ways of automatic tools or equipment and can be used or disclosed by automated means.
7.4 The right to object to the collection, use, and/or disclosure of their Personal Data.
7.5 The right to request the Bank to restrict the use of Personal Data, erase, destroy, or anonymize Personal Data to be non-identifiable as the Service User as permitted by laws.
7.6 The right to revoke or withdraw consent for the collection, use, and/or disclosure of their Personal Data at any reasonable time by written notice in accordance with the Bank’s conditions and procedures.
8. Effect of Withdrawal of Consent
8.1 The withdrawal of consent shall not affect the collection, use, and/or disclosure of the Personal Data for which the Service User previously consented.
8.2 In case, the Service User wishes to exercise the right to revoke or withdraw consent for the collection, use, and/or disclosure of Personal Data with the Bank, the Service User may not be able to receive services or conduct transactions with the Bank, or the Bank’s ability to provide services to the Service User may be limited. As well as the withdrawal of consent may affect the use of products and/or services listed in Clause 9.1
8.3 After the consent has been withdrawn, the Bank will store your Personal Data for a period of time that is appropriate and necessary as specified by Personal Data Protection Act B.E. 2562, or as specified by prescription period, or the period under the relevant laws and regulations.
9. Data Subject Rights Procedure
Data subject rights are legal rights that can be exercised within the legal requirements and policies at the present or as amended in the future as well as regulations set out by the Bank. In case the Service User is under 20 years old or legal contractual capacity is restricted, the Service User may request their parents or legal guardians or representatives to exercise the rights on their behalf.
9.1 Right to Withdraw Consent. In case of collecting, using, and/or disclosing Personal Data which consent is required by law, if the Service User has lawfully given consent for the Bank to collect, use, and/or disclose Personal Data either the consent has been previously given before the effective date of PDPA or thereafter, the Service User has the right to withdraw consent at any reasonable time unless there is a restriction of the withdrawal of consent by law, or there is contractual obligation that benefits the Service User.
Nonetheless, withdrawal of consent may affect the use of products and/or services. For example, the Service User may not receive privileges, promotions, or new offers, products, and/or services that are enhanced and consistent with the needs, or not receive beneficial information, etc. Therefore, the Service User is advised to learn and ask for consequences before withdrawing consent.
9.2 Right to Access. The Service User has the right to access their Personal Data and the right to request for a copy of the Personal Data controlled by the Bank or request the Bank to inform any acquisitions of Personal Data in which consent has not been given.
9.3 Right to Data Portability. The Service User has the right to receive their Personal Data. In which the Bank shall arrange such Personal Data to be in the format which is readable or commonly used by ways of automatic tools or equipment and can be used or disclosed by automated means. Including the right to request the Bank to send or transfer the Personal Data in such formats to other data controllers if it can be done by the automatic means, and the right to request to Personal Data in such formats that the Bank sends or transfers to other data controllers directly unless it is unable to do so due to technical circumstances.
Nonetheless, the Personal Data abovementioned must be the Personal Data that the Service User has given consent for the collection, use, and/or disclosure of such Personal Data, or the Personal Data that the Bank is required to collect, use, and/or disclose for the Service User to use products and/or services according to the wishes under a contractual basis, or for processing a request of the Service User before using the Bank's products and/or services, or any other Personal Data as prescribed by laws.
9.4 Right to Objection. The Service User has the right to object to the collection, use, and/or disclosure of their Personal Data at any reasonable time if the collection, use, and/or disclosure of Personal Data is necessary for the legitimate interest of the Bank, or for the performance of a task carried out in the public interest by the Bank. If the Service User requests an objection, the Bank may continue to collect, use, and/or disclose the Service User's Personal Data if the Bank can prove that there is a compelling legitimate ground, or it is necessary for the establishment, compliance, or exercise of legal claims, or defense of legal claims; as the case may be.
Furthermore, the Service User has the right to object to the collection, use, and/or disclosure of their Personal Data for the purpose of direct marketing or for the purpose relating to scientific or historical research or statistics.
9.5 Right to Erasure. The Service User has the rights to request the Bank to erase or destroy or anonymize Personal Data to be non-identifiable as the Service User. If the Service User has a reason to believe that the Personal Data have been unlawfully collected, used, and/or disclosed, or the Personal Data is no longer necessary in relation to the purposes listed in this Privacy Notice, or when the Service User withdraws consent or exercises the right to objection as abovementioned.
9.6 Right to Restrict Processing. The Service User has the right to request the Bank to temporarily restrict the use of their Personal Data in case the Bank is in the process of investigating in accordance with the Service User’s request to amend or object their Personal Data, or where it is no longer necessary to retain such Personal Data, or where it is the Personal Data which shall be erased or destroyed because it has been unlawfully collected, used, and/or disclosed, but the Service User requests for restriction of the use instead.
9.7 Right to Rectification. The Service User has the right to amend their Personal Data to make the information accurate, up-to-date, and not misleading.
9.8 Right to Complain. The Service User has the right to complain to the relevant legal authority in accordance with PDPA in case the Service User has reasonable grounds to believe that their Personal Data have been unlawfully collected, used, and/or disclosed.
Nonetheless, the exercise of rights as abovementioned depends on various factors and circumstances. In some cases where there are reasonable grounds, the Bank may reject the requests of the Service User where it is permitted by law or court’s order, or there is compelling legitimate ground for the public interest, or where the exercise of rights may violate the rights and freedom of others. If the Bank rejects the above request, the Bank will inform the Service User of the reason for the refusal.
The Service User can exercise the rights via the channels listed below.
|
Rights |
Channels for exercising the rights |
Duration* |
|||
|
|||||
|
Right to Withdraw Consent |
|
30 days |
|||
|
Right to Access |
|
||||
|
Right to Data Portability |
|
||||
|
Right to Objection |
|
||||
|
Right to Erasure |
|
||||
|
Right to Restrict Processing |
|
||||
|
Right to Rectification |
|
* From the date the Service User submits the application and all supporting documentation.
The Bank may extend the response of the Service User’s request timescale by up to sixty (60) days from the end of the specified period. If the Bank considers that there is a reasonable necessity that the Bank is unable to carry out the rights of the Service User within the specified period. Furthermore, in cases where the Service User requests for copies which are manifestly unfounded or excessive, the Bank will charge a reasonable fee for such request.
The Service User can exercise their rights or withdraw your consent for the processing of your personal data that has been provided to the Bank, you can request an application for the exercise of rights of data subject at any branch.
10. Improvement or Revision of Privacy Notice
The Bank may reserve its right to improve or amend this Privacy Notice, in which the Bank shall inform any material changes. Furthermore, the Bank may provide other privacy details such as the purpose of collecting Personal Data other than what is listed in this Privacy Notice.
Nonetheless, the amendment or improvement of this Privacy Notice or additional privacy details will become effective as soon as the Bank notifies you in the manner that the Bank deems appropriate. Except where the Bank is required by laws to obtain your consent. In that case, any changes to this Privacy Notice or any other details pertaining to this Privacy Notice will become effective upon receiving your consent.
11. Security Measures for Storing Personal Data
The Bank implements a Personal Data storage system with appropriate mechanisms and techniques, as well as security measures in accordance with the PDPA and other applicable laws, includes restricting access to Personal Data of the Service User from the Bank’s employees and agencies to prevent the Service User's Personal Data from being used, disclosed, destroyed, or accessed without authorization.
12. Responsibility of the Data Owner
BAAC requires relevant officials to strictly adhere to the BAAC's Personal Data protection policies and practices.
13. Log Files
BAAC's website includes an automatic entry and exit record that can be associated with personally identifiable information such as IP addresses, previously visited websites, and type of browser etc. Aforesaid, such record shall be in accordance with the Computer Crime Act B.E. 2550
14. Contact Information
If the Service User has any suggestions or inquiries regarding the collection, use, and/or disclosure of Personal Data or the exercise of rights, the Service User can contact the Bank or the Bank’s Data Protection Officer via the following channels:
(1) To contact BAAC (Data Controller): BAAC branches nationwide in business hours
(2) To contact Data Protection Officer: BAAC’s Headquarter Office
- Address: No.2346 Phahon Yothin Road, Sena Nikom Sub District, Chatuchak District, Bangkok, 10900
- E-mail: dpo@baac.or.th
- Call-center: 02-555-0555
Download_Privacy Notice
