Summary of Privacy Notice for Customer

Brief Information on Personal Data Protection for Customers

Krungsri Consumer values personal data protection as a significant matter and has a strong determination to encourage awareness and understanding on customers’ personal data protection. In preparation for complying with Personal Data Protection Act B.E. 2562, which will fully become effective on June 1, 2021 (by virtue of Royal Decree Prescribing Organizations and Businesses of which Data Controllers are not Subject to Personal Data Protection Act B.E. 2562 B.E 2563). Krungsri Consumer, therefore, deems it beneficial to inform you of brief information in relation to collection, use, disclosure and transfer of personal data of customers as below.     

What is Krungsri Consumer?

Krungsri Consumer is a group of companies, consisting of Ayudhya Capital Services Company Limited (AYCAP), Krungsriayudhya Card Co., Ltd. (KCC), General Card Services Ltd. (GCS), Tesco Lotus Money Services Ltd. (TMS), Krungsri General Insurance Broker Limited (KGIB), Krungsri Life Assurance Broker Limited (KLAB), Tesco General Insurance Broker Limited (TGIB), and Tesco Life Assurance Broker Limited (TLAB).

What is a data controller?

A data controller means a person who obtains personal data directly from data subjects or from other sources and determines purposes of processing personal data. Personal Data Protection Act B.E. 2562 imposes obligations with respect to treatments and protection of personal data on data controllers.   

What is Personal Data?

Personal data is any information that relates to identified or identifiable persons, whether directly or in directly, however, excludes data of juristic persons and deceased persons; for instance, name, last name, identification number, date of birth, address, e-mail address, phone number, photograph, income data etc. 

What personal data is collected, used, disclosed and/or transferred

Data controllers may collect, use, disclose and/or transfer your personal details, or any other information relating to you or to any individuals, which you have provided, via other interactions with you or other sources.

Purposes of collection, use, disclosure and/or transfer

Data controllers may collect, use, disclose and/or transfer your personal data for various purposes, such as for offering our services to you, carrying out financial transactions and services related to the payments including transaction check, verification, and cancellation, customer care service, service improvement, managing security, data maintenance, fraud prevention and legal compliance.

Legal justifications for the collection, use, disclosure and/or transfer of your personal data

One of the key privacy law requirements is that any collection, use, disclosure and/or transfer of personal data has to have a legal justification. Data controllers generally use the following legal justifications: (1) a contractual basis, for data controllers’ initiation or fulfilment of a contract with you; (2) a legal obligation; (3) the legitimate interest of data controllers themselves and third parties, to be balanced with your own interest and fundamental rights and freedoms in relation to the protection of your personal data; and (4) vital interest, for preventing or suppressing a danger to a person’s life, body or health.

Data disclosure and cross-border transfers and recipients  

Data controllers may transfer your personal data to other entities in a group of companies, government entities and regulatory bodies, courts, external advisors, and similar third parties, and service providers of the data controllers. Some of the aforementioned recipients may be located in foreign countries.

Retention periods for and deletion of your personal data

Your personal data will be deleted once they are not any longer needed for the purposes motivating their original collection or as required by applicable law.

Your statutory rights

You have a number of rights with regard to the collection, use, disclosure and/or transfer of your personal data, each as per the conditions defined in applicable law, such as the right to have access to your data, to have them corrected, erased or handed over. However, you may exercise your rights as from June 1, 2021 onwards.