Data Protection Notice
Last updated August 2020
The protection of your personal data is important to the BNP Paribas Group (the “Group”), which has adopted strong principles in that respect.
This Data Protection Notice provides you with information relating to the use and protection of your personal data by BNP Paribas Bangkok Branch (“we”).
We are responsible, as a controller, for collecting, using and/or disclosing (“Processing”) your personal data, in relation to our activities. The purpose of this Data Protection Notice is to let you know which personal data we collect about you, the reasons why we Process such data, how long we keep it and what your rights are and how you can exercise them.
References in this Notice to “you” or “your” are references to individuals whose information is Processed by us or on our behalf in connection with our activities or as transaction counterparties or litigants in legal proceedings involving us.
Further information may be provided where necessary when you apply for a specific product or service.
1. WHICH PERSONAL DATA DO WE PROCESS ABOUT YOU?
We collect, use and/or disclose (“Process”) your personal data, meaning any information that identifies you or allows you to be identified, to the extent necessary in the framework of our activities and to achieve a high standard of personalised products and services.
Depending on the type of products or services we offer or provide, we may Process various types of personal data about you, including:
- identification information (e.g. your specimen signature, information in your ID card, passport, driving license, work permit, utility bill, rental agreement, certification for change of name or business card which contains your details including nationality, address, place and date of birth, gender, photograph);
- contact information private or professional (e.g. postal and e-mail address, phone number and social media account);
- family situation and family life (e.g. marital status in marriage certificate, number and age of children, number of persons composing the household in household registration, etc.);
- economic, financial and tax information (e.g. tax ID, tax status, income and other revenues, value of your assets);
- employment information (e.g. employment, employer’s name);
- banking and financial information (e.g. bank account details, product and services owned and used, credit card number, money transfers, assets, declared investor profile, credit history, payment incident);
- transaction data (e.g. full name, criminal record, political opinion and address of our corporate client’s ultimate beneficiary owners, senior managing officials, directors and authorised signatories and details including communications on bank transfers of the underlying transaction);
- data relating to your habits and preferences (data which relate to your use of our products and services);
- data from your interactions with us, our branches (contact reports), our internet websites, our apps, our social media pages, (connection and tracking data such as cookies, connection to online services, IP address) meeting, call, chat, email, interview, phone conversation, Wi-Fi connection at our office;
- security protection (including CCTV and access control information) and geolocation data (e.g. showing locations of withdrawals or payments for security reasons, or to identify the location of the nearest branch or service suppliers for you);
- information about your device (IP address, technical specifications and uniquely identifying data);
- login credentials used to connect to BNP Paribas’ website and apps.
We will not ask for any other sensitive personal data such as data related to your racial or ethnic origins, religious or philosophical beliefs, health data, disability, labour union membership, criminal convictions, political opinion, genetic data, biometric data or data concerning your sex life or sexual orientation, unless it is necessary for our operation (including provision of service to you) and we have a lawful basis to do so. Please note that before our Processing, we may permanently mask, remove, black out or hide any of your information which is considered sensitive personal data and not necessary for our operation, with no intention to alter, fabricate or forge the document or information received from you.
2. WHO IS CONCERNED BY THIS NOTICE AND FROM WHOM DO WE COLLECT PERSONAL DATA?
We collect data directly from you as shareholder, director, representative or personnel of our client, prospect client (when you contact us, visit us, our website or our apps, use our products and services, participate in a survey or an event with us), contractor or regulator. We may also indirectly collect personal data from you about other individuals who have no direct relationship with us but are related to our client, prospect client, or contractor, such as for instance the following persons of our client, prospect client or contractor:
- Successors and right holders;
- Co-borrowers / guarantors;
- Legal representatives (power of attorney);
- Beneficiaries of your payment transactions;
- Beneficiaries of your insurance contracts or policies and trusts;
- Ultimate beneficial owners;
- Debtors or creditors (e.g. in case of bankruptcy);
- Agents, personnel, employees or staff;
- Third-party service provider’s personnel, employees or staff;
- Company shareholders;
- Company’s directors;
- Relevant parties in transactions with our corporate clients;
- Senior managing officials;
- Professional advisors such as auditors or consultants;
When you provide us with third party personal data like the examples listed above, please remember to inform the individuals providing the data that we Process their personal data and direct them to our present Data Protection Notice.
We may also obtain personal data from:
- other BNP Paribas entities (such as other branches, subsidiaries or affiliates);
- our clients (bodies corporate or individuals);
- our business partners;
- payment initiation service providers and aggregators (account information service providers);
- third parties such as credit reference agencies, fraud prevention agencies including regulators, Royal Thai Police or data brokers which are responsible for making sure that they gather the relevant information lawfully;
- publications/databases made available by official authorities or third parties (e.g. fact sheet or prospectus available in public sources, databases operated by financial supervisory authorities);
- websites/social media pages of legal entities or professional clients or those containing information made public by you (e.g. your own website or social media);
- public information such as information from the press.
If you fail to provide your personal data to us
Where we are required by law to Process your personal data or need to Process your personal data under the terms of a contract we have with you (or take steps at your request before entering into a contract) and you fail to provide your personal data when requested, we may not be able to perform our obligations under the contract we have with you or plan to enter into with you. In this case, we may have to decline to provide the relevant services, but we will notify you if this is the case.
3. WHY AND ON WHICH BASIS DO WE PROCESS YOUR PERSONAL DATA?
a. To comply with our various legal and regulatory obligations and substantial public interest
We Process your personal data to comply with various legal and regulatory obligations in particular with the banking and financial ones:
- monitor transactions to identify those which deviate from the normal routine/patterns;
- manage, prevent and detect fraud;
- monitor and report risks (financial, credit, legal, money laundering, compliance or reputational risks, default risks etc.) that we and/or the Group could incur;
- record, when necessary, phone calls, chats, emails, etc. notwithstanding other usages described hereafter;
- prevent and detect money laundering and financing of terrorism and comply with regulation relating to sanctions and embargoes through our Know Your Customer (KYC) and Customer Due Diligence (CDD) process (to identify you, verify your identity, screen your details against sanctions lists, collect your criminal record and political opinion and determine your profile);
- detect and manage suspicious orders and transactions;
- carry out an assessment of appropriateness or suitability to provide investment services to each client in compliance with Markets in Financial Instruments regulations (MiFID);
- contribute to the fight against tax fraud and fulfil tax control and notification obligations;
- record transactions for accounting purpose;
- detect and prevent bribery;
- make disclosure under the requirements of any law to the extent applicable binding on us or any of our branches including exchange and report different operations, transactions or orders or reply to an official request from a duly authorised local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies;
- record necessary information that could identify the identity of the Wi-Fi service user as required under the Computer Crimes Act B.E. 2550 (2007), as amended and regulations issued thereunder.
b. To perform a contract with you or to take steps at your request before entering into a contract
We Process your personal data to enter into and perform our contracts as well as to manage our relationship with you, including to:
- conduct credit checks at the time of application for credit and at the time of regular or special reviews which normally will take place one or more times each year;
- define your credit risk score and your reimbursement capacity;
- evaluate (e.g. based on your credit risk score) if we can offer you a product or service or can receive collateral from you and under which conditions (including price);
- ensure your ongoing credit worthiness;
- assist you in particular by answering your requests;
- perform our daily operations to provide you with products or services;
- manage outstanding debts (identification and exclusion of clients with outstanding debts) including determining amounts owed to or by you;
- conduct a Know Your Supplier (KYS) prior to entering into a contract with our contractor, vendor or supplier.
c. To fulfil our legitimate interest
We Process your personal data for:
- Performance of a contract with our corporate clients or corporate contractors or to take steps at our corporate clients’ or corporate contractors’ request before entering into a contract including to:
  - define our corporate client’s credit risk score and their reimbursement capacity;
  - evaluate (e.g. based on our corporate client’s credit risk score) if we can offer our corporate client a product or service or can receive collateral from our corporate client and under which conditions (including price);
  - ensure ongoing credit worthiness of our corporate clients;
  - assist our corporate clients in particular by answering their requests;
  - perform our daily operations to provide our corporate clients with products or services;
  - manage outstanding debts (identification and exclusion of clients with outstanding debts) including determining amounts owed to or by our corporate clients;
  - conduct a Know Your Supplier (KYS) prior to entering into a contract with our contractor, vendor or supplier;
  - as a data processor, provide our corporate clients who are your employers with our payroll service per our clients’ instruction.
- Risk management purpose including to:
  - prevent, detect and report risks related to Corporate Social Responsibilities and sustainable development;
  - conduct credit checks at the time of application for credit and at the time of regular or special reviews which normally will take place one or more times each year;
  - proof of transactions including electronic evidence;
  - manage, prevent and detect fraud;
  - monitor transactions to identify those which deviate from the normal routine (e.g. when you receive a large withdrawal from a large amount deposited into your bank account in a country where you do not live);
  - perform debt collection from the client and those providing security or guarantee for the client’s obligation;
  - assist other financial institutions to conduct credit checks and collect debts;
  - assert legal claims and defend in case of legal disputes;
  - create and maintain our credit scoring models to help define our corporate client’s creditworthiness;
  - consultation and exchange of data with credit agencies to identify credit risks;
  - enable an actual or proposed assignee of BNPP, or participant or sub-participant of BNPP’s rights in respect of the clients to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation.
- Personalisation of our offering to you and that of other BNP Paribas entities including to:
  - improve the quality of our products or services;
  - design financial services or related products for our corporate clients’ use;
  - advertise products or services that match with your situation and profile;
  - deduce your preferences and needs to propose a personalised commercial offer to you.
- Research & Development (R&D) to help with the improvement of our existing products and services and the development of new products and services to address our clients’ needs and serve our clients better, consisting of establishing statistics and models including to:
  - optimise and automate our operational processes (e.g. creating FAQ chatbot);
  - offer products and services that will best meet your needs;
  - adapt products and services distribution, content and pricing in accordance with your profile;
  - create new offers;
  - prevent potential security failures, improve client authentication and access rights management;
  - enhance security management, risk and compliance management, the management, prevention and detection of fraud and the fight against money laundering and financing of terrorism.
- Security reasons and IT systems performance, including to:
  - manage IT, including infrastructure management (e.g. shared platforms), business continuity and security (e.g. internet user authentication);
  - prevent personal injury and damages to people and goods (for instance video protection and access control).
- More generally including to:
  - verify the data or information provided to us by any client or third party for other purposes which are not covered by the Processing activities as well as your identity, authorisation or capacity to enter into a contract with us or to represent your entity which is our corporate client;
  - contact you or our clients for business purposes or to comply with your request;
  - deliver documents to our clients for business purposes;
  - manage our database by delegating some Processing activities to our offshore branches or third-party service provider;
  - ensure that you are informed of and provided with our best services we can offer globally by sharing your information with our branches having mutual relationship with you and perform client satisfaction and opinion surveys;
  - keep our telephone conversation with you as our internal record for future reference and improve process efficiency (by recording phone calls in our call centres and improve our calling scenario and as our internal record for future reference);
  - carry out financial operations such as debt portfolio sales, securitisations, financing or refinancing of the Group;
  - organise contests and games, price competitions, lotteries or any other promotional operations;
  - implement process automation of our processes such as application testing, automatic filling complaints handling, etc.;
  - have a global and consistent overview of our clients;
  - comply with our internal policy, procedure or standard.
In any case, where relying on legitimate interest, we ensure the Processing remains proportionate and that your interests or fundamental rights are preserved. Should you wish to obtain more information about such balancing test, please contact us using the contact details provided in Section 9 (HOW TO CONTACT US?) below.
d. To respect your choice if we requested your consent for a specific Processing
- We Process your personal data to send invitation to you as representative of our existing corporate clients or prospective clients for marketing events in relation to products or services that we offer from time to time.
For certain types of personal data Processing, we will provide you with specific information and invite you to consent to such Processing. Note that you may request to revoke your consent at any time.
4. WHO DO WE SHARE YOUR PERSONAL DATA WITH?
a. Sharing of information within the Group
We are part of the Group which is a group of companies working closely together all over the world to create and distribute various banking, financial, securities, insurance services and products. We may share your personal data within our organization, to other branches, subsidiaries or affiliates in the Group. Please refer to the details in Section 3 (WHY AND ON WHICH BASIS DO WE PROCESS YOUR PERSONAL DATA?) above.
b. Disclosing information outside the Group
In order to fulfil some of the purposes described in this notice, we may disclose from time to time your personal data to:
- Regulators such as the Anti-money Laundering Office (AMLO) and the Bank of Thailand to comply with our money laundering legal obligations;
- service providers which perform services for us or for the Group (e.g. document management services, postal services, cloud services, IT services, logistics, printing services, telecommunication, debt collection, advisory and consulting and distribution and marketing);
- banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations or transaction (e.g. banks, correspondent banks, depositaries, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries);
- credit reference agencies;
- local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies, public bodies, including industry or professional association and any other authorities, we or any member of the Group is required to disclose to pursuant to:
  - their request;
  - defending or responding to a matter, action or proceeding;
  - complying with regulation or guidance from authority applicable to us or any member of the Group;
- payment service provider(s) (e.g. information on your payment account(s)) or clearing house based on the authorisation granted by you to this third party;
- certain regulated professionals such as lawyers, notaries, rating agencies or auditors when needed under specific circumstances (advisory, litigation, audit, etc.) as well as to actual or proposed purchaser of the companies or businesses of the Group or our insurers;
- publication companies (e.g. magazine or newspaper) for our marketing purposes;
- insurance companies; and
- persons or entities outside of the Group to whom we may sell or transfer parts of our business or assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the part of our business that is (as the case may be) sold, acquired or is the merged entity may Process your personal data in the same way as set out in this Notice.
c. Sharing aggregated or anonymized information
We share aggregated or anonymised information within and outside the Group with partners such as research groups, universities or advertisers. You won’t be able to be identified from this information.
Your data may be aggregated into anonymised statistics that may be offered to professional clients to assist them in developing their business. In this case your personal data will never be disclosed and those receiving these anonymised statistics will be unable to identify you.
5. INTERNATIONAL TRANSFERS OF PERSONAL DATA
In case of international transfers originating from Thailand to another country, where the Thailand Personal Data Protection Committee has recognised such country as providing an adequate level of data protection, your personal data may be transferred on this basis.
For transfers to the countries where the level of protection has not been recognised as adequate by the Thailand Personal Data Protection Committee, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:
- Standard contractual clauses;
- Binding corporate rules approved by the Office of Thailand Personal Data Protection Committee.
For more information, you can contact us via the details set out in Section 9 (HOW TO CONTACT US?).
6. HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?
We will retain your personal data over the period required to comply with applicable laws and regulations or another period with regard to our operational requirements, such as proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests. For instance, most of the information of client and/or contractor is kept for the duration of the contractual relationship and 10 years after the end of the contractual relationship, in accordance with general statute of limitation under Thai law. For prospect clients, information is kept as long as the relevant individual is working at the organisation we considered to be our prospect client or as long as we consider that such organisation is a prospect client, whichever is earlier, and normally equals to a period of approximately five (5) years.
7. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?
In accordance with applicable regulations and where applicable, you have the following rights:
- To access: you can obtain information relating to the Processing of your personal data, and a copy of such personal data.
- To rectify: where you consider that your personal data are inaccurate or incomplete, you can request that such personal data be modified accordingly.
- To erase: you can require the deletion of your personal data, to the extent permitted by law. Note that this is not a blanket right to require all your personal data to be deleted. We will consider each request carefully in accordance with the requirements of any laws relating to the Processing of your personal data.
- To restrict: you can request the restriction of the Processing of your personal data in certain circumstances. This right arises: (a) if you are disputing the accuracy of your information; (b) if the Processing of your information is unlawful but you requested for a restriction of Processing instead of an erasure of personal data; (c) if your information is no longer necessary but you require the personal data to be retained to establish, exercise or defend a legal claim; or (d) if we require your information in assessing your request to object Processing of information;
- To object: you can object to the Processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the Processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing. You also have a right to object if (a) we are Processing your personal data based on legitimate interests or for the performance of a task in the public interest; or (b) if your personal data is being Processed for scientific or historical research or statistical purposes.
- To withdraw your consent: where you have given your consent for the Processing of your personal data, you have the right to withdraw your consent at any time.
- To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party. The right to data portability only applies if our data Processing is based on your consent or if the personal data is Processed for the performance of a contract.
- To file a complaint: you have the right to file a complaint in the case where, in your view, we or our employees or contractors violate or fail to comply with the Personal Data Protection Act B.E. 2562 (2019) or notifications issued thereunder.
If you wish to exercise the rights listed above, please submit a data subject request form which is available here through our website or send a letter or e-mail to the following address firstname.lastname@example.org. We may need to request specific information from you to help us confirm your identity and ensure your right to access your information (or to exercise any of your other rights). This is a security measure to ensure that your information is not disclosed to any person who has no right to receive it. Please include a scan/copy of your proof of identity for identification purpose when required.
You will not have to pay a fee to access your information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the Personal Data Protection Committee where, in your view, we or our employees or contractors violate or fail to comply with the Personal Data Protection Act B.E. 2562 (2019) or notifications issued thereunder.
We try to respond to all legitimate requests within 30 days. Occasionally it may take us longer than 30 days if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
8. HOW CAN YOU KEEP UP WITH CHANGES TO THIS DATA PROTECTION NOTICE?
In a world of constant technological changes, we may need to regularly update this Data Protection Notice.
We invite you to review the latest version of this notice online and we will inform you of any material changes through our website or through our other usual communication channels.
9. HOW TO CONTACT US?
If you have any questions relating to our Processing of your personal data under this Data Protection Notice, please contact our data protection officer Tarik MOUSTAHIB, email@example.com, who will handle your query.