KX logo

Customer Privacy Policy

Updated on 25 March 2024.

KASIKORN X Co., Ltd. (KX”) is a company that belongs to the KASIKORN Business-Technology Group (“KBTG”), which is a leader in total digital technology of the future to enable customers to have easy, convenient, fast and safe access to services and activities through every channel. Moreover, we support unlimited digital living, because KX understands that you require safety and personal data security when conducting transactions.

Thus, KX values and respects your privacy rights and the security of your data. As such, we have set strict policies, regulations and operating criteria for KX in order to maintain personal data security to ensure confidence that the personal data that KX receives from you will be used correctly and lawfully according to your intentions.

1 What is The Purpose of This Policy?

The purpose of this policy is to inform you, as a personal data owner, about the purposes and details about the collection, use and/or disclosure of your personal data along with the legal rights of the personal data owner.

“KX”

means

KASIKORN X Co., Ltd.

“Employee”

means

an employee of KX.

“Personal data owner”

means

an ordinary person identifiable by personal data (who is not a real rights holder or who is the creator of such data).

“Personal data”

means

data about a person that can be used to identify the person, whether directly or indirectly, but not including information about deceased persons.

“Sensitive data”

means

personal data which requires particularly careful handling, such as data regarding ethnicity; race; political ideology; cultural, religious or philosophical beliefs; sexual orientation; criminal history; health; disability; labor union membership status; genetics; biometrics; and others as specified by the law.

“Biometrics”

means

personal data resulting from the use of techniques or technologies related to the use of physical features or behaviors of an individual to enable the unique identification of the individual, e.g., facial recognition data, eye recognition data, or fingerprint data.

“Personal data controller”

means

A person with the authority and duty to make decisions regarding the collection, use or disclosure of personal data.

“Personal data processor”

means

a person who takes actions regarding the collection, use or disclosure of personal data under the instruction or on behalf of the personal data controller.

“data processing”

means

any action that is performed on personal data or personal data sets, whether automatic or otherwise, e.g., collection, storage, system management, storage structure management, changes or alterations, acceptance, consideration, use, or disclosure by transmission or publication or other actions that lead to usage readiness, arrangement or combination, limitation, erasure or destruction of data.

3 What Personal Data does KX collect, use and/or disclose?

3.1 Personal Data

Personal Data is data that can be used to identify a natural person, whether directly or indirectly, but which does not include data belonging to deceased persons. KX may collect and gather the Personal Data of the Data Subject through several means, including the following:

  1. Personal Data directly provided to KX or through KX or which exists with KX, whether due to use of products and/or services, contacts, visits or searches via digital, branch, website, call center, designated person or other channels.
  2. Personal Data that KX receives or has access to from other sources and not directly from the Data Subject, e.g., government agencies, other affiliated businesses/companies, financial institutes, financial service providers, business partners, credit information companies and data service providers, etc. KX will collect data from other sources only after receiving the consent of the Data Subject in accordance with the law, unless KX has a necessity as legally permitted or as supported by law.

Below are some examples of personal data that KX collects, uses and/or discloses:

  • Personal information such as first name, last name, age, date of birth, marital status, personal identification number and passport number.
  • Contact information such as home address, workplace, telephone number, email and Line ID.
  • Information about devices or tools such as IP address, MAC address, and cookie IDs.
  • Other information such as usage activity of websites, audio files, still images, videos and other information classified as personal data under personal data protection laws.

3.2 Sensitive Data

Sensitive Personal Data is Personal Data for which the law prescribes specific provisions. KX has no intention of collecting any Sensitive Personal Data from you. However, in certain circumstances, KX might be required to collect Sensitive Personal Data from you in order to prove and verify your identity or to accompany the provision of certain services or products to you. Such data may include data on religious affiliation as stated in the copy of your citizen identification card, or race as stated in the copy of the passport of some countries and biometric data (such as facial recognition data, fingerprint data and electronic signature data in which technology is used to apply the unique signing behavior of the signature to verify and confirm the identity of the signatory), criminal background information, health information, disability information, sexual orientation, etc. Accordingly, KX will collect, use and/or disclose such sensitive information only after KX receives your explicit consent or in cases where KX has a need to do so as permitted by law, in which case such actions may be carried out occasionally whenever there is a need to collect Sensitive Personal Data from you.

(Hereinafter in this policy, unless specifically mentioned, the above personal data and sensitive data pertaining to the data owner will be collectively known as “personal data”.)

4 For what purposes does KX collect, use and/or disclose your Personal Data?

KX will collect, use and/or disclose Personal Data for the benefit of the Data Subject in the use of products and/or services and in order to comply with any law which KX or the Data Subject is required to follow and in order to undertake other activities as the law permits according to the purposes specified in this policy as follows:

4.1 For Use of KX’s Products and/or Services

For allowing the data owner to use KX’s products and/or services as intended by the data owner who is party to a contract with KX or in order to carry out a request of the data owner before use of KX’s products and/or services (contractual basis), for example:

  1. In the consideration of approval of the provision of digital products and/or services, e.g., mobile applications, machine learning, blockchain, Internet of Things, Open API, UX/UI design, etc.
  2. In any activity related to the use of digital products and/or services, e.g., information technology system design and construction, infrastructure and information technology system management, system testing and operation, prototype system construction and testing, etc.

4.2 For Compliance with Relevant or Applicable Laws

For the purpose of compliance with the applicable laws (legal obligations), for example:

  1. To comply with the instructions of a legally authorized party.
  2. 2. To comply with financial institute business laws, securities and exchange laws, cyber security laws, tax laws, anti-money laundering laws, anti-terrorism financing and proliferation of weapons of mass destructions laws, computer laws, bankruptcy laws and other laws which KX is required to follow, whether in Thailand or abroad, along with announcements and regulations issued by virtue of such laws.

4.3 For Other Activities of KX

  1. For call center audio recordings, CCTV footage and building access card exchanges.
  2. For maintaining customer relations, e.g., complaint management, satisfaction survey, customer care, notifications or offers relating to products and/or services of the Data Subject as existing with KX for the benefit of the Data Subject.
  3. For managing risks, providing oversight, internal organization management and transmission to affiliated companies in order to achieve the aforementioned purposes.
  4. For anonymizing personal data.
  5. For preventing, handling or reducing risk of corruption, cyber threats, debt defaults or breaches of contract (e.g., bankruptcy information), and legal violations (e.g., money-laundering, terrorism financing and proliferation of weapons of mass destruction, offenses relating to property, life, body, freedoms or reputation), including the sharing of personal data in order to enhance the work standards of companies within the same business/company group for the prevention, handling and reduction of the aforementioned risks.
  6. For the collection, use and/or disclosure of the personal information of directors, delegated persons and representatives of juristic person clients for the purpose of identity verification, authorization and receipt of authorization and/or for use as evidence to accompany related transactions and activities.
  7. For making contacts and for making video and audio recordings relating to the organizing of meetings, lectures, recreational activities and exhibitions.
  8. For the collection, use and/or disclosure of personal data belonging to persons for whom the court has issued a receivership order in order to comply with related laws such as tax laws, protection laws, anti-money laundering laws and bankruptcy laws, etc.
  9. For sending and receiving packages.

4.4 For Receiving Benefits from Use of Products and/or Services

  1. For providing the Data Subject with better products and/or services in accordance with the needs of the Data Subject.
  2. For offering the special privileges, recommendations and various information, including rights to attend special activities.
  3. In this regard, whether it is products and/or services, benefits, promotional offers, news or special activities of KX or affiliated companies/businesses or any parties for which KX acts as a representative, agent, distributor or KX’s business partner or third parties that are associated with KX, whatever as permitted by the consent of the Data Subject.

If KX needs to collect, use and/or disclose Personal Data from Data Subject for the purpose of entering into or complying with a contract between Data Subject and KX and/or performing KX’s legal obligations, and the Data Subject fails to provide such required data to KX upon request, or in the case where Data Subject decides to delete the Data Subject’s user account from a service application of KX, KX might not be able to authorize and/or deliver/procure products and/or services either in whole or in parts to the Data Subject. Moreover, this might impact KX’s ability to comply with the law or the relationship existing between the Data Subject and KX.

5 Whose Personal Data might be disclosed by KX?

KX may disclose Personal Data to other parties with the consent of the Data Subject or rely on other legal basis as stipulated by the law to permit for such disclosures, whereby persons or agencies that receive such data will collect, use and/or disclose the Personal Data within the scope of consent granted by the Data Subject or within the relevant scope under this policy.

KX may disclose Personal Data in order to accomplish various objectives, including to provide services to the Data Subject, to analyze and improve products and/or services, to conduct research or prepare statistical data, to promote sales and to engage in KX’s public relations activities, including to facilitate business management, to prevent corruption and to allow other parties to provide supporting services to KX in order to verify customer identity. In doing so, KX might make disclosures to individuals or agencies such as affiliated businesses/companies, the Data Processor, business partners involved in the release of shared products (co-brands), third-party service providers, agents of KX, sub-contractors, financial institutes, auditors, third-party auditors, rating agencies, asset management companies, credit rating agencies, legally authorized parties, parties interested in receiving the transfer of rights and/or recipients of rights transfers in transactions or business acquisitions of KX, juristic persons or individuals that have a relationship or contract with KX, including executives, employees, workers, sub-contractors, representatives and advisors of KX and of such individuals or agencies that are recipients of the aforementioned data.

In cases where Personal Data is disclosed to a third party for the marketing purposes of the data recipient, e.g., sales promotion, public announcements or product and/or service offers from the data recipient made to the Data Subject, KX will announce the list of data recipients to inform the Data Subject to aid in decision-making and consent-granting.

6 Does KX transfer your Personal Data abroad?

KX may need to transfer Personal Data to affiliated businesses/companies located abroad or to other data recipients as part of the normal business operations of KX, such as when transferring Personal Data for storage on servers/cloud service providers in various countries.

If the destination country lacks adequate Personal Data protection measures, KX will take care to ensure that the transfer of Personal Data takes place in accordance with the law and will take action to ensure the presence of Personal Data protection measures that are deemed to be necessary, appropriate and consistent such as by making confidentiality agreements with data recipients located in such country and/or making an agreement to ensure that your Personal Data will be protected under standards equivalent to the personal data protection standards of Thailand. Otherwise, in cases where the data recipient is an affiliated business/company within the same business network, KX may adopt Binding Corporate Rules that is reviewed and approved by the relevant legal authorities and then transfer Personal Data to the affiliated business/company located abroad according to the aforementioned privacy policy in lieu of taking other actions as specified by the law.

International transfers of Personal Data must be strictly undertaken in accordance with personal data transmission or transfer policies.

7 For how long does KX store your Personal Data?

KX will store Personal Data for as long as required while the Data Subject is a client or has a relationship with KX or for as long as required in order to achieve the related purposes set out in this policy. In doing so, it may be necessary to retain Personal Data after the termination of relationship with KX until the statute of limitations has expired or for as long as prescribed or permissible by the law, for example:

  • For 5-10 years of storage according to anti-money laundering laws from the termination of the relationship, depending on the case;
  • For a period not exceeding 10 years of storage for verification purposes in cases where a dispute arises within the statute of limitations.

KX will erase or destroy Personal Data or anonymize Personal Data only after the aforementioned necessity or duration has expired.

The storage, deletion and destruction of Personal Data will be undertaken strictly according to the Personal Data Storage and Destruction Policy.

8 How does KX protect your Personal Data?

KX will provide effective protection for your Personal Data through technical measures, organizational measures and physical safeguards to ensure appropriate security in the processing of Personal Data and to prevent Personal Data breaches. KX has established policies, regulations and operational procedures for Personal Data protection, including information technology security standards and abuse of data prevention measures, and KX regularly reviews and updates the aforementioned policies, regulations and procedures.

Furthermore, executives, employees, workers, contractors, representatives, advisors and data recipients of KX are strictly obligated to maintain the confidentiality of Personal Data under the confidentiality measures established by KX.

9 What are your rights regarding your Personal Data?

The rights of Data Subject under this clause are the legal rights that the Data Subject should be aware of. The Data Subject can exercise these various rights under the relevant law and policies enacted at the time or as amended in the future, including the criteria set forth by KX, and in cases where the Data Subject is below 20 years of age or has limited legal capacity , the Data Subject may request to exercise their rights by assigning the Data Subject’s parents, custody holder or authorized representative to state their intention.

  1. Right to Withdraw Consent: If the Data Subject has given consent for KX to collect, use and/or disclose Personal Data (whether the consent was given by the Data Subject before or after the effective date of Personal Data Protection laws), the Data Subject has the right to withdraw the consent at any time for as long as the Personal Data is held by KX, unless it is subject to legal restrictions or contracts providing benefits to the Data Subject.

    Accordingly, the withdrawal of the Data Subject’s consent may impact the Data Subject’s ability to use products and/or services. For example, the Data Subject may no longer receive new privileges, offers, product or service improvements consistently according to needs or may not receive news and beneficial information, etc. Therefore, the Data Subject should review and inquire about the potential impacts before withdrawal of consent.

  2. Right to Access Data: The Data Subject has the right to access their Personal Data that is under the responsibility of KX and request copies of such data, including requesting KX to disclose how KX acquired the Data Subject’s Personal Data.

  3. Right to Data Portability: The Data Subject has the right to receive their Personal Data in cases where KX has prepared such Personal Data in a structured format that can be read or used by an automated tool or device, and which can automatically use or disclose the Personal Data. This includes the right to request for KX to transfer Personal Data in the aforementioned format to other Data Controller by automatic means and the right to directly receive Personal Data which KX has transferred in the aforementioned format to other Data Controller, except for the cases where it is impossible to do so due to technical reasons.

    Accordingly, the aforementioned Personal Data must be the Personal Data which the Data Subject has consented for KX to collect, use and/or disclose or Personal Data which KX must collect, use and/or disclose in order to enable the Data Subject to use KX’s products and/or services as a contractual party or for the purpose of carrying out the requests of the Data Subject before using KX’s products and/or services or be other Personal Data as determined by the legal authorities.

  4. Right to Objection: The Data Subject has the right to object to the collection, use and/or disclosure of your Personal Data at any time if such actions are conducted for legitimate interests Personal Data of KX or any third parties without exceeding reasonable expectations or for the purpose of fulfilling public interest missions.

    If the Data Subject objects, KX may continue to collect, use and/or disclose their Personal Data solely for the parts in which KX can demonstrate legal grounds that supersede even the fundamental rights of the Data Subject or for the establishment legal rights, compliance with laws, or defense of legal claims whatever the case may be.

    Furthermore, the Data Subject also has the right to object to the collection, use and/or disclosure of their Personal Data for the purposes related to direct marketing or conducting scientific, historical research or statistical studies.

  5. Right to Erasure: The Data Subject has the right to request for the deletion or destruction of their Personal Data or to anonymize Personal Data if the Data Subject believes that their Personal Data are collected, used and/or disclosed in violation of related laws or if KX no longer needs to retain such Personal Data according to the related purposes described in this policy or when Data Subject has exercised the aforementioned Right to Withdraw Consent or the Right to Objection.
  6. Right to Restriction: The Data Subject has the right to temporarily suspend the use of Personal Data in cases where KX is undergoing a review pursuant to the request to correct or objections or in other cases in which KX no longer needs to delete or destroy the Personal Data but the Data Subject requests to suspend the use of data instead of deletion or destruction.
  7. Right to Rectification: The Data Subject has the right to request correction of their Personal Data to ensure it is accurate, up to date, complete and not causing misunderstandings.

  8. Right to lodge complaints:The Data Subject has the right to file complaints to the relevant legal authorities if the Data Subject believes that the collection, use and/or disclosure of their Personal Data is in violation or in breach of applicable laws.

    The exercising of the Data Subject’s rights above may be subjected to limitations pursuant to related laws and there may be certain situations and necessities in which KX may refuse or be unable carry out Data Subject’s requests to exercise the aforementioned rights such as legal obligations or court order compliance, public interest, or to protect the rights and freedoms of others, etc. If KX refuses such requests, KX will inform the reason of the refusal to the Data Subject, and the Data Subject can exercise their rights through the contact channels stated in this policy.

10 Will KX Amend, Update or Revise this Policy?

KX may consider making changes, additions, updates or revisions to this policy from time to time as appropriate and as permissible by law. In the event of any changes, additions, updates or revisions to this policy, KX will announce the latest version of the policy for your information via www.KX.tech/privacypolicy.

11 How can you contact KX and the Personal Data protection officer?

If the Data Subject has any suggestions or inquiries regarding the collection, use and/or disclosure of their Personal Data, including requests to exercise their rights under this policy, the Data Subject can contact KX and/or the Data Protection Officer via the following channels:

  • KX Website: www.KX.tech
  • Data Protection Officer’s email: KX_DPO@kbtg.tech
    Address: KASIKORN Business-Technology Group: No. 46/6, Popular Road, Ban Mai Sub-district, Pak Kret Sub-district, Pak Kret District, Nonthaburi Province 11120.