How we collect, use or disclose your personal data
We only collect, use, or disclose your personal data where it is necessary or there is a lawful basis for collecting, using, or disclosing it. This includes where we collect, use or disclose your personal data based on the legitimate grounds of legal obligation, performance of contract made by you with us, our legitimate interests, performance under your consent and other lawful basis. Reasons for collecting, using or disclosing are provided below: 1.1 Our legal obligation We are regulated by many laws, rules, regulations, and orders of any competent governmental, supervisory or regulatory authorities, and to fulfil our legal and regulatory requirements, it is necessary to collect, use or disclose your personal data for the following purposes, which include but not limited to:
a) compliance with the PDPA and any amendment thereof, including its sub-regulations;
b) compliance with applicable laws (e.g. Financial Institutions Business Laws, Securities and Exchange Laws, Foreign Exchange Management Law, Anti-Money Laundering Laws, Prevention and Suppression of Financial Support to Terrorism and the Proliferation of Weapons of Mass Destruction Laws, Tax Laws, and other laws to which we are subject in Myanmar, Thailand and in other countries), including conducting identity verification, background checks and credit checks, Know Your Client/Customer Due Diligence (KYC/CDD) processes, other checks and screenings (including screening against publicly available database of regulatory authorities and/or official sanctions lists), and ongoing monitoring that may be required under any applicable law; and/or
c) compliance with regulatory obligations and/or orders of authorized persons (e.g. orders by any court of competent jurisdiction or of governmental, supervisory or regulatory authorities or authorized officers).
1.2 Contract made by you with us We will collect, use or disclose your personal data in accordance with the request and/or agreement made by you with us, for the following purposes, which include but not limited to:
a) through our internal approval process and approval process of SCBX Group which can be processed wholly or partly via our internal system and/or inter-companies system connected between our system and the system of our parent company and/or the system of other companies in SCBX Group, process your request prior to entering into an agreement, consider for approval and provide products and/or services, process your applications or requests for services or products, deliver our products and/or services to you (including, MMK savings accounts - individuals and corporates, MMK current accounts - individuals and corporates with cheque, MMK fixed deposit accounts - individuals and corporates, MMK call deposit accounts – corporates, FCY current accounts - individuals and corporates with cheque, FCY fixed deposit accounts - individuals and corporates, FCY call deposit accounts – corporates, E-savings account, real time fund transfer (within SCBM), Sweep account, SCBM Business Anywhere, long-term loan including project finance loans and structured finance, overdrafts (O/D), promissory notes (P/N), letters of guarantee including but not limited to bid bonds, performance bonds, retention money bonds, payment guarantees and utility bonds, standby letters of credit , supplier/dealer financing, trust receipt financing, shipping guarantee, outward remittance (domestic and international), letters of credit issuance / amendment, inward bills for collection, outward bills for collection, outward bill under letters of credit, outward bills purchase/discount under letters of credit and bills for collection, outward bills discount without recourse under letters of credit, letters of credit advising, letters of credit confirmation, letters of credit transfer, inward remittance (domestic and international), packing credits, assignments of proceeds, supply chain, SCBM Trade Club, SCBM Trade Net, payroll (MMK and USD) – individuals, supplier payment / direct credit, direct debit and bill payment), provide advice and deal with all matters relating to the products and/or services, including any activities that if we do not proceed, then our operations or our services may be affected or we may not be able to provide you with fair and ongoing services;
b) authenticate when entering into, doing or executing any transactions;
c) carry out your instructions (e.g. to facilitate us in responding to your inquiries, to open, operate and rollover deposit accounts and/or credit facilities for you, process your application and/or your transactions, fulfil a request for utilization of products and/or services, respond to your enquiries or feedbacks, or resolve your complaints, or to generally provide you with our services and products which requires your personal information);
d) provide online banking, mobile applications and other online product platforms;
e) track or record your transactions;
f) produce reports (e.g. transaction reports requested by you or our internal reports);
g) notify you with transaction alerts;
h) recover the money which you owe (e.g. when you have not paid for your loan debt and/or outstanding fees);
i) carry out account maintenance and operations relating to your financial accounts and/or user account (if any), including without limitation, processing your applications or request for services, changing relevant information, closing account, requesting for funds from account of the deceased, processing your transactions, generating your account statement, and operating and closing your accounts;
j) carry out or make transactions and/or payments (e.g. processing payments or transactions, fulfilling transactions, conducting settlement, billing and processing activities, managing your relationship with us and administration of your account with us);
k) enforce our legal or contractual rights; and/or
l) provide IT and helpdesk supports, create and maintain code and profile for you, manage your access to any systems to which we have granted you access, and remove inactive accounts.
1.3 Our legitimate interesWe rely on the basis of legitimate interests by considering our benefits or third party’s benefits with your fundamental rights in personal data which we will collect, use or disclose for the following purposes, which include but not limited to:
a) conduct our business operation and the business operation of our parent company and companies in SCBX Group (e.g. to conduct compliance audits, to conduct risk analysis and managements, to conduct finance and accounting managements, to conduct financial audits, to conduct internal operation managements, to monitor, prevent, detect and investigate fraud, money laundering, terrorism, misconduct, or other crimes, including but not limited to carrying out the creditworthiness checks of any persons related to our corporate customer, which may not be required by any governmental or regulatory authorities, and authenticating your identity to prevent such crimes);
b) conduct our relationship managements (e.g. to serve customers, to conduct customer survey, to manage customer segmentation and to handle complaints);
c) ensure security (e.g. maintain CCTV records, to register, exchange identification card and/or take photo of visitors before entering into our building areas, including but not limited to head office, branches, electronic machines (e.g. Automatic Teller Machine (ATM), Cash Deposit/Withdrawal Machine (CDM) (if any));
d) develop and improve our products, services and systems to enhance our services standard, use your personal data for conducting credit modelling, and/or for the greatest benefits in fulfilling your needs, including to conduct research, analyse data and offer products, services and benefits suitable to you by considering the fundamental rights in your personal data;
e) record images and/or voices relating to the meetings, trainings, seminars, recreations or marketing activities;
f) in case of our corporate customer, we will collect, use and disclose personal data of directors, authorized persons or attorneys;
g) ensure business continuity;
h) handle claims and disputes, including solving disputes, initiating, exercising, defending legal claims, filing lawsuits and process the relevant legal proceedings;
i) contact you prior to your entering into a contract with us;
j) evaluate suitability and qualifications of the users of the platform of the companies in SCBX Group;
k) protect against security risks (e.g. monitoring network activity logs, detecting security incidents, conducting data security investigations, and otherwise protecting against malicious, deceptive, fraudulent, or illegal activity);
l) comply with applicable foreign laws;
m) manage our infrastructure, internal control, and business operations and comply with our policies and procedures including those relating to risk control, security, audit, finance and accounting, systems and business continuity;
n) carry out research, planning and statistical analysis (e.g. data analytics, assessments, surveys and reports on our products, services and your behavior);
o) organize our promotional campaign or events, conferences, seminars, and company visits;
p) facilitate financial audits to be performed by an auditor, or receive legal advisory services from legal counsel appointed by you or us;
q) in the event of sale, transfer, merger, reorganization, or similar event, disclose or transfer your personal data to one or more third parties as part of that transaction;
r) maintain and update lists or directories of the customers (including your personal data), and keep contracts and associated documents in which you may be referred to; and/or
s) comply with reasonable business requirements (e.g. management, training, auditing, reporting, control or risk management, statistical and trend analysis and planning or other related or similar activities, implementing business controls to enable our business to operate, enabling us to identify and resolve issues in our IT systems, keeping our systems secure, and performing our IT systems development, implementation, operation and maintenance).
1.4 Your consent In certain cases, we may ask for your consent to collect, use or disclose your personal data to maximise your benefits and/or to enable us to provide services to fulfil your needs for the following purposes, which include but not limited to:
a) collect, use, and disclose your sensitive personal data as necessary (e.g. to use your identification card and/or passport photo (which may contain your sensitive personal data, namely religion and/or blood type) and criminal record for verification of your identity before continuing the transaction, and Know Your Client (KYC) process and/or health and disability data (e.g. physical wellbeing and soundness of mind) for evaluating your suitability, vulnerability, and qualifications for investment);
b) collect and use your personal data and any other data to conduct research and analyze for the greatest benefits in developing products and services to truly fulfil your needs and/or to contact you for offering products, services and benefits exclusively suitable to you;
c) send or transfer your personal data and sensitive personal data to any country outside Thailand, which may have inadequate personal data protection standards (unless the PDPA specifies that we may rely on other legal basis or may proceed without obtaining consent);
d) disclose your personal data and any other data to other companies in SCBX Group as shown on https://www.scb.co.th/en/about-us/affiliates-financial-business-group.html and our trusted business partners for the following purposes: (1) researching, conducting statistical data, developing, analyzing products, services, and benefits to fulfil your needs; and (2) contacting you for offering products, services and benefits exclusively suitable for you; and/or
e) other activities which we may require your consent.
1.5 Other lawful basis Apart from the lawful basis which we mentioned earlier, we may collect, use or disclose your personal data based on the following lawful basis:
a) prepare historical documents or archives for the public interest, or for purposes relating to research or statistics;
b) prevent or suppress a danger to a person’s life, body or health; and/or
c) necessary to carry out a public task, or for exercising official authority.
If the personal data we collect from you is required to meet our legal obligations or to enter into an agreement with you, we may not be able to provide (or continue to provide) some or all of our products and services to you if you do not provide your personal data when requested.
How we share your personal data
We may disclose your personal data to the following parties under the provisions of the PDPA:a) our parent company and other companies in SCBX Group, business partners and/or other persons that we have the legal relationship, including our directors, executives, employees, staffs, contractors, representatives, advisors and/or such persons’ directors, executives, employees, staffs, contractors, representatives and advisors;
b) governmental authorities and/or supervisory or regulatory authorities, whether they are in Myanmar or Thailand (e.g. the Bank of Thailand, Ministry of Digital Economy and Society, Anti-Money Laundering Office, Thai Revenue Department, Central Bank of Myanmar, Myanmar Financial Intelligence Unit, Myanmar Credit Bureau and Ministry of Planning and Finance of Myanmar);
c) suppliers, agents and other entities (e.g. professional associations to which we are member, external auditors, depositories, document warehouses, overseas financial institutions and clearing houses, where the disclosure of your personal data has a specific purpose and under lawful basis, as well as appropriate security measures);
d) any relevant persons as a result of activities relating to selling rights of claims and/or assets, restructuring or acquisition of any of our entities, where we may transfer our rights to; any persons with whom we are required to share data for a proposed sale, reorganisation, business transfer, financial arrangement, asset disposal or other transaction relating to our business and/or assets used in our business operation;
e) other banks, financial institutions and third parties where required by law to help recover funds that have entered your account due to misdirected payment(s) by such third parties or trace funds where you are a victim of suspected financial crime, or where suspect funds have entered your account as a result of financial crime;
f) debt collection agencies, lawyers, credit bureau, fraud prevention agencies, courts, authorities or any persons whom we are required or permitted by laws, regulations, or orders to share personal data;
g) third parties providing services to us (e.g. IT service providers, market analysis and benchmarking service providers, cloud computing service providers, including but not limited to correspondent banking, agents and subcontractors acting on our behalf, the companies which print and deliver credit card statements);
h) social media service providers (in a secure format) or other third-party advertisers so they can display relevant messages to you and others on our behalf about our products and/or services. Third-party advertisers may also use data relating to your previous online activities to tailor adverts to you;
i) third-party security providers;
j) other persons that provide you with benefits or services associated with our products or services; and/or
k) your attorney, sub-attorney, authorized persons or legal representatives who have lawfully authorized power.