| Privacy Notice
Dear Vendors,
Industrial and Commercial Bank of China (Thai) Public Company Limited (“Bank”, “we” or “our”) values your privacy and strives to protect your personal data or personal data relating to the individuals connected to your business (collectively referred to as “Personal Data”) based on Personal Data Protection Act B.E. 2562 (A.D. 2019) (“PDPA”).
Terms used herein shall have the same meaning prescribed in the PDPA.
This Privacy Notice explains:
• What kind of Personal Data do we collect? This includes what you tell us about yourself or the individuals connected to your business (collectively referred to as “you”, “your” or “yourself”) and what we learn by having you as a vendor.
• How do we use your Personal Data?
• Who do we disclose the Personal Data to?
• What are the choices we offer? This includes how to access and update your Personal Data.
• What are your privacy rights and how does the law protect you?
1. What kind of Personal Data do we collect?
We collect many different kinds of Personal Data, depending on various circumstances that are relevant to procuring goods and/or services, and making payments.
We may collect the Personal Data related to you from a variety of sources including, but not limited to:
• From you directly as part of the process of becoming our vendor;
• From third parties as part of the process of becoming our vendor (e.g., credit checks, trade references, our customers, law enforcement authorities, etc.);
• The information obtained related to you in the course of our working relationship, including when you talk to us (e.g., recorded calls, posts, emails, notes or any other means);
• In insurance claims or other documents;
• Financial reviews; and/or
• When you manifestly publish your Personal Data, including via social media (e.g., we may collect your Personal Data from your social media profile(s), to the extent that you choose to make your profile publicly visible).
We sometimes collect your Personal Data from additional online and offline sources including commercially available third-party sources such as credit reporting agencies (including the National Credit Bureau). We may combine this information with the Personal Data we have collected related to you under this Privacy Notice. The categories of Personal Data related to you that we process, subject to the applicable law, includes the followings, but is not limited to:
• Personal details: Given name(s), preferred name(s), surname(s), gender, date of birth, marital status, personal identification number, passport number, other government issued number(s), tax identification number; nationality, image of passport, driving license, signatures, authentication data (e.g., passwords, mother’s maiden name, PINs, facial and voice recognition data), photographs, visual images and CCTV images;
• Financial details: The details of your bank account(s), billing address, credit card numbers, and cardholder’s name and details;
• Contact details: Address, telephone number, email address and social media profile details; and/or
• Electronic data: IP address, cookies, activity logs, online identifiers, unique device identifiers and geolocation data.
2. How do we use your Personal Data?
We may collect, use and disclose your Personal Data only if we have proper reasons and it is lawful to do so. This includes sharing it outside the Bank.
We will rely on one or more of the following lawful grounds when processing/holding the Personal Data:
• When it is to fulfill the contract we have with you or will enter into it with you;
• When it is our legal duty;
• When it is in our legitimate interest; or
• When you consent to it.
The purposes for which we may process your Personal Data, subject to the applicable law, and the legal basis on which we may perform such processing, are:
| Purposes of data processing |
Legal basis |
| Procurement of goods and/or services |
• To make a decision about procuring goods and/or services with you
• To make and manage payments
• To manage charges and interests due
• To collect and recover the goods and/or services that are owed to us
• To deal with legal disputes |
• Fulfilment of contract
• Our legitimate interests
• Our legal duties |
| Business relationship |
• To manage our relationship with you or your business
• To communicate with you about the goods and/or services |
• Your consents
• Fulfilment of contract
• Our legitimate interests |
| Business improvement |
• or services and goods existing To with issues identify
• To plan the improvements to the existing goods and/or services |
• Fulfilment of contract
• Our legitimate interests
• Our legal duties |
| Security and risk management |
• To detect, investigate, report, and seek for a financial crime prevention
• To manage risk for us
• To comply with the laws and regulations that apply to us |
• Fulfilment of contract
• Our legitimate interests
• Our legal duties |
When we rely on the legitimate interest as the reason for processing your Personal Data, this means that we have considered whether or not your rights and freedom are overridden by our interests and have concluded that they are not.
3. Who do we disclose the Personal Data to?
• need to provide you with the requirement under a contract;
• have a public or legal duty to do so (e.g., assist with detecting and preventing fraud, tax evasion, financial crime, etc.);
• need to, in connection with a regulatory reporting, litigation, asserting or defending legal rights and interests;
• have legitimate business reasons to do so (e.g., manage risk, verify identity, enable another company to provide you with the services you’ve requested, or assess your suitability for the goods and/or services, etc.); and/or
• ask for your permission to share it and you have agreed to it.
We may share your Personal Data for these purposes with others, including:
• other Bank group companies and any sub-contractors, agents or service providers who work for us or provide the services to us, including their employees, representative, sub-contractors, service providers, directors and officers;
• any trustees, beneficiaries, administrators or executors;
• people you make payments to and receive payments from;
• your intermediaries, correspondent and agent bank, clearing houses, clearing or settlement system, market counterparties and any company you carry out investment services through us;
• other financial institutions, tax authorities, trade associations, credit reference agencies, and debt recovery agents;
• any people or companies where required in connection with potential or actual corporate restructuring, merger, acquisition or takeover, including any transfer or potential transfer of any of our rights or duties under our agreement with you;
• law enforcement, government, courts, court procedure, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities;
• other parties involved in any disputes, including disputed transactions;
• fraud prevention agencies who’ll also use it to detect and prevent fraud and other financial crime and to verify your identity;
• anyone who provides instructions or operates any of your accounts, goods or services on your behalf (e.g., power of attorney, solicitors, intermediaries, etc.); and/or
• anybody else that we have been instructed to share your Personal Data with by you.
Except as described in this Privacy Notice, we will not use your Personal Data for any purposes other than the purposes described to you in this Privacy Notice. Should we intend to collect, use or disclose additional information which is not described in this Privacy Notice, we will notify you and obtain your consent prior to the collection, use and disclosure unless we are permitted to do so without your consent under the law. You will also be given the opportunity to consent or to decline approval of such collection, use and/or disclosure of your Personal Data.
We will continue to adhere to this Privacy Notice with respect to the information we have in our possession relating to prospective, existing and former vendors.
Cross-border Transfer of Personal Data
Your personal data may be transferred to and stored/processed in other countries. Such countries may not have the same level of protection of Personal Data. When we do this, we will ensure it has an appropriate level of protection and that the transfer is lawful. We may need to transfer your Personal Data in this way to carry out our contract with you, fulfill the legal obligations, protect the public interests and/or for our legitimate interests. In some countries, the law may compel us to share certain Personal Data (e.g., with tax authorities). Even in this case, we will only share your Personal Data with people who have the right to see it.
4. Retention of your Personal Data
We retain your Personal Data for as long as it is necessary to carry out the purpose for which it was collected i.e., for business and legal reasons or compliance with the applicable laws.
We may keep your Personal Data for up to 10 years after you stop being our vendor in order to ensure that any contractual disputes that may arise can be processed within such time. However, in the event of regulatory or technical reasons, we may keep your Personal Data for longer than 10 years. If we do not need to retain your Personal Data for longer than it is legally necessary, we will destroy, delete or anonymize it.
5. Accuracy of your Personal Data
We need your help to ensure that your Personal Data is current, complete and accurate. Please inform us of any changes to your Personal Data by contacting us through a channel prescribed in Clause 10 of this Privacy Notice.
We will occasionally request the updates from you to ensure the Personal Data we use to fulfill the purposes of collection, use and/or disclosure are current, accurate and complete.
6. What are your privacy rights and how does the law protect you?
• Right to Withdraw: This enables you to withdraw your consent to our processing of your Personal Data, which you can do at any time. We may continue to process your Personal Data if we have another legitimate reason to do so;
• Right to Access: This enables you to receive a copy of the Personal Data we hold, that is related to you, and to check whether or not we are lawfully processing it;
• Right to Correct: This enables you to have any incomplete or inaccurate information we hold related to you corrected;
• Right to Erasure: This enables you to ask us to delete or remove, destroy or anonymize your Personal Data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below);
• Right to Object: This enables you to object to the processing of your Personal Data where we are relying on the legitimate interest and there is something about your particular situation which makes you want to object to the processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes and profiling activities;
• Right to Restrict Processing: This enables you to ask us to suspend the processing of your Personal Data. For example, if you want us to establish its accuracy or the reason for processing it;
• Right to Portability: In some cases, you will be able to obtain a copy of your Personal Data that is generally available in electronic form. This right can only be used in the case of Personal Data you submit to us and the processing of such Personal Data is done with your consent or in the event that such Personal Data needs to be processed in order to be able to fulfil obligations under the contract;
• Right to Lodge a Complaint: This enables you to file a complaint with a related government authority, including but not limited to, the Thailand Personal Data Protection Committee in the event you see that the Bank, our staff or service provider violates or fails to comply with the PDPA or other announcements issued by virtue of the PDPA.
The exercise of rights above may be restricted under relevant laws and it may be necessary for the Bank to deny or not be liable to carry out your requests, and the Bank will inform you of the reason. You could exercise your rights above on 1 June 2021 onwards.
Handling of Complaints
In the event that you wish to make the complaint about how we process your Personal Data, please contact us and we will try to consider your request as soon as possible. This does not prejudice your right to file the complaint with a government authority that has a data protection authority.
7. Security of your Personal Data
Information is our asset and, therefore, we place a great importance on ensuring the security of your Personal Data. We regularly review and implement up-to-date physical, technical and organizational security measures when processing your Personal Data. We have internal policies and controls in place to ensure that your Personal Data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties. Our employees are trained to handle the Personal Data securely and with utmost respect, failing which they may be subject to a disciplinary action.
8. Your Responsibilities
You are responsible for making sure that the Personal Data you have given us or provided on your behalf, is accurate and up to date and you must tell us as soon as possible if there are any updates.
You have some responsibilities under your contract to provide us with the Personal Data. You may also have to provide us with your Personal Data in order to exercise your statutory rights. Failing to provide the Personal Data may means that you are unable to exercise your statutory rights.
Certain Personal Data, such as contact details and payment details, must be provided to us in order to enable us to enter into the contract with you. If you do not provide such Personal Data, this will hinder our ability to administer the rights and obligations arising as a result of contract efficiently.
9. Revision of Our Privacy Notice
We keep our Privacy Notice under regular review and thus the Privacy Notice may be subject to change at the Bank’s sole discretion.
We keep our Privacy Notice under regular review and thus the Privacy Notice may be subject to change at the Bank’s sole discretion.
10. Contact us
If you have any questions in regard to the protection of your Personal Data or if you wish to exercise your rights, please contact our Data Protection Officer: E-mail DPOICBCT@th.icbc.com.cn. |