SCB-Julius Baer Securities Company Limited
We, SCB-Julius Baer Securities Company Limited, care about the privacy of our customers, thus, we provide this privacy notice to inform our customers of our policy in relation to the collection, use and disclosure of personal data of individual (“you”) in accordance with the Personal Data Protection Act B.E. 2562 (“PDPA”), relevant laws and regulations. This privacy notice informs you of how we collect, use or disclose your personal data, what and why we collect, use or disclose your personal data, how long we hold it, who we disclose it to, your rights, what steps we will take to make sure your personal data stays private and secure, and how you can contact us.
This privacy notice applies to :
- Our customers
- Individual customers: Our past and present customers who are individual.
- Corporate customers: Directors, shareholders, ultimate beneficial owners, employees, guarantors, security providers, and legal representatives of our past and present corporate customers and other individuals authorised to act on their behalf. Our corporate customer shall ensure that the authorised persons and any of relevant individuals have acknowledged our privacy notice.
These include individuals who have no product or service holding with us, but we may need to collect, use or disclose your personal data (e.g. investors; anyone who makes a payment to or receives a payment from our customers; anyone that visits our website or our applications or offices; guarantors or security providers; ultimate beneficial owner; directors or legal representatives of a company that uses our services; debtors of our customers; professional advisors, including our directors, investors, shareholders and their legal representatives, and anyone involved in other transactions with us or our customers).
Please note that some of the links on our platform may lead to third party’s platforms, and if you access these platforms, your personal data will then be processed under the third party’s policies. Make sure that you have read those privacy notices when accessing such platforms.
1. How we collect, use or disclose your personal data
We only collect, use, or disclose your personal data where it is necessary or there is a lawful basis for collecting, using, -or disclosing it. This includes where we collect, use or disclose your personal data based on the legitimate grounds of legal obligation, performance of contract made by you with us, our legitimate interests, performance under your consent and other lawful basis. Reasons for collecting, using or disclosing are provided below:
1.1. Our legal obligation
We are regulated by many laws, rules, regulations, and orders of any competent governmental, supervisory or regulatory authorities, and to fulfil our legal and regulatory requirements, it is necessary to collect, use or disclose your personal data for the following purposes, which include but not limited to:
- compliance with the PDPA and any amendment thereof, including its sub-regulations;
- compliance with laws (e.g. Financial Institution Business Laws, Securities and Exchange Laws, Anti-Money Laundering Laws, Prevention and Suppression of Financial Support to Terrorism and the Proliferation of Weapons of Mass Destruction Laws, and other laws to which we are subject both in Thailand and in other countries), including conducting identity verification, background checks and credit checks, Know Your Customer (KYC) process, Customer Due Diligence (CDD) process, other checks and screenings (including screening against publicly available database of regulatory authorities and/or official sanctions lists) , and ongoing monitoring that may be required under any applicable law (e.g. transaction monitoring); and/or
- compliance with regulatory obligations (e.g. evaluate suitability) and/or orders of authorized persons (e.g. orders by any court of competent jurisdiction or of governmental, supervisory or regulatory authorities or authorized officers).
1.2. Contract made by you with us
We will collect, use or disclose your personal data in accordance with the request and/or agreement made by you with us, for the following purposes, which include but not limited
- process your request prior to entering into an agreement, consider for approval, providing products and/or services, deliver products and/or services to you, and deal with matters relating to products and/or services including any activities that if we do not proceed, then our operations or our services may be affected or may not be able to provide you with fair and ongoing services;
- authenticate when entering into, doing or executing any transactions;
- provide private fund management and brokerage services (i.e. product and securities recommendation services (PSR), investment advisory services (IAS), specific investment (SI), discretionary mandates and portfolio funds management (DPM) models);
- proceed on custodian account opening with our business partners;
- proceed on automatic transfer system (ATS) services provided by The Siam Commercial Bank Public Company Limited;
- provide online investment and mobile applications;
- track or record your transactions;
- produce reports (e.g. transaction reports requested by you or our internal reports);
- notify you with transaction alerts;
- recover the money which you owe (e.g. when you have not paid for your debt and/or outstanding fees);
- carry out account maintenance and operations relating to your user accounts and/or finacial accounts, including but not limited to processing your applications or requests for services and/or products, processing your transactions, generating statement of your user accounts and/or financial accounts, and operating and closing your user accounts and/or financial accounts;
- carry out or make transactions and/or payments (e.g. processing payments or transactions, fulfilling transactions, billing, processing activities, managing your relationship with us, and administering your account with us);
- carry out your instructions (e.g. responding to your enquiries or feedbacks, or resolving your complaints);
- enforce our legal or contractual rights;
- provide IT and helpdesk supports, create and maintain codes and user accounts for you, manage your access to any systems to which we have granted you access, and remove inactive accounts; and/or
- provide investment products to you (including investment products of third parties that you may be interested) from time to time and deal with all matters relating to the investment products.
1.3. Our legitimate interests
We rely on the basis of legitimate interests by considering our benefits or third party’s benefits with your fundamental rights in personal data which we will collect, use or disclose for the following purposes, which include but not limited to:
- conduct our business operation and the business operation of companies in SCBX Group (e.g. to conduct compliance audit, to conduct risk managements, to conduct finance and accounting managements, to conduct financial audits, to conduct internal operation management, to monitor, prevent, detect and investigate fraud, money laundering, terrorism, misconduct, or other crimes, including but not limited to carrying out the creditworthiness checks of any persons related to our corporate customer, which may not be required by any governmental or regulatory authorities, and authenticating your identity to prevent such crimes);
- conduct our relationship managements (e.g. to serve customers, to conduct customer survey, to handle complaints);
- ensure security (e.g. to maintain CCTV records, to register, exchange identification card and/or take photo of visitors before entering into our building areas);
- develop and improve our products, services and systems to enhance our services standard and/or for the greatest benefits in fulfilling your needs including to conduct research, analyse data and offer products, services and benefits suitable to you by considering the fundamental rights in your personal data;
- record images and/or voices relating to the meetings, trainings, seminars, recreations or marketing activities;
- in case of our corporate customer, collect, use and disclose personal data of directors, authorized persons or attorneys;
- ensure business continuity;
- handle claims and disputes, file lawsuits and process the relevant legal proceedings;
- contact you prior to your entering into a contract with us;
- evaluate qualifications, issuance of request for quotation and bidding, and execution of contract with you;
- protect against security risks (e.g. monitoring network activity logs, detecting security incidents, conducting data security investigations, and otherwise protecting against malicious, deceptive, fraudulent, or illegal activity);
- comply with applicable foreign laws;
- manage our infrastructure (including data storage), internal control, and business operations and comply with our policies and procedures including those relating to risk control, security, audit, finance and accounting, systems and business continuity;
- carry out research, plan and conduct statistical analysis (e.g. your investment limit and investment behavior, data analytics, assessments, surveys and reports on our products and/or services and your behavior;
- organize our promotional campaigns or events, conferences, seminars, and company visits;
- facilitate financial audits to be performed by auditors;
- receive advisory services from legal counsels, financial advisors, and/or other advisors appointed by you or us;
- in the event of sale, transfer, merger, reorganization, or similar event, disclose and transfer your personal data to one or more third parties as part of that transaction;
- maintain and update lists or directories of the customers (including your personal data), and keep contracts and associated documents in which you may be referred to;
- comply with reasonable business requirements (e.g. management, training, auditing, reporting, control or risk management, statistical and trend analysis and planning or other related or similar activities, implementing business controls to enable our business to operate, and enabling us to identify and resolve issues in our IT systems to keep our systems secured, performing our IT systems development, implementation, operation and maintenance); and/or
- undertake fraud prevention model development, underwriting model development, collection model development, and proxy income model development, and track propensity to approve model performance.
1.4. Your consent
In certain cases, we may ask for your consent to collect, use or disclose your personal data to maximise your benefits and/or to enable us to provide services to fulfil your needs for the following purposes, which include but not limited to:
- collect, use or disclose your sensitive personal data as necessary (e.g. to use your identification card photo or passport photo (which contains your sensitive personal data, namely religion, blood type, and/or race) criminal record and adverse news which contain criminal details for verification of your identity before continuing the transaction, and Know Your Customer/Customer Due Diligence (KYC/CDD) processes and/or health and disability data (e.g. physical wellbeing and soundness of mind) for evaluating your suitability, vulnerability, and qualifications for investment);
- collect and use your personal data and any other data to conduct research and analyze for the benefits in developing products and/or services to fulfil your needs and/or to contact you for offering products, services and benefits suitable to you;
- send or transfer your personal data and sensitive personal data overseas, which may have inadequate personal data protection standards (unless the PDPA specifies that we may proceed under other lawful basis or without obtaining consent);
- when you are classified as an incompetent or quasi-incompetent whose consent must be given by your their guardian or curator (as the case may be) (unless the PDPA specifies that we may proceed without obtaining consent); and/or
- disclose your personal data and any other data to companies in SCBX Group as shown on https://www.scbx.com/en/affiliates-financial-business-group.html and our trusted business partners for the following purposes: (1) researching, conducting statistical data, developing, analyzing products, services, and benefits to fulfil your needs; and (2) contacting you for offering or providing products, services and benefits suitable to you;
- other activities which we may require your consent.
1.5. Other lawful basis
Apart from the lawful basis which we mentioned earlier, we may collect, use or disclose your personal data based on the following lawful basis:
- prepare historical documents or archives for the public interest, or for purposes relating to research or statistics;
- prevent or suppress a danger to a person’s life, body or health; and/or
- necessary to carry out a public task, or for exercising official authority.
If the personal data we collect from you is required to meet our legal obligations or to enter into an agreement with you, we may not be able to provide (or continue to provide) some or all of our products or services to you if you do not provide such personal data when requested.
2. What personal data we collect, use or disclose
The type of personal data, namely personal data and sensitive personal data, which we collect, use or disclose, varies on the scope of products and/or services that you may have used or had an interest in. The type of personal data shall include but not limited to:
|Category||Examples of personal data|
|Identification and authentication details||
|Financial details and data relating to your relationship with us||
|Market research and marketing data||
|Geographic data, data relating to your device and your software, and technical details||
|User login, subscription data, and profile details||
|Data concerning security||
|Sensitive personal data||
3. Sources of your personal data
Normally, we will collect your personal data directly from you (e.g. through our website, relationship managers, fund manager, investment advisor and call center), but sometimes we may get it indirectly from other sources, in such case we will ensure the compliance with the PDPA.
Personal data we collect from other sources may include but not limited to:
- Data obtained by us from social media, third party’s online platforms, or other publicly available sources;
- Data obtained by us from companies in SCBX Group, our affiliates, service providers, business partners;
- Data obtained by us from official authorities, or third parties (e.g. your representative, employer, sponsor and/or
- Data obtained by us from third parties that have roles in delivering services to you or someone acting on their behalf may provide us with information about you, third-party custodians, sub-custodians, brokers and from our corporate customers as you are a shareholder, director, authorised person, attorney, representative or contact person), in such case we will ensure the compliance with the PDPA.
In case you have given any personal data of any other person to us for executing transactions with us or any purposes, you shall notify such person of the details relating to the collection, use and disclosure of personal data and rights under this privacy notice. In addition, you shall obtain consent from such person (if necessary) or relied on another legal basis to provide personal data to us.
4. Your rights
The PDPA aims to give you more control of your personal data. You can exercise your rights under the PDPA, details as specified below, through the channels prescribed by us:
- Right to access and obtain copy
You have the right to access and obtain copy of your personal data holding by us, unless we are entitled to reject your request under the laws or court orders, or if such request will adversely affect the rights and freedoms of other individuals.
- Right to rectification
You have the right to rectify your inaccurate personal data and to update your incomplete personal data.
- Right to erasure
You have the right to request us to delete, destroy or anonymise your personal data, unless there are certain circumstances where we have the legal grounds to reject your request.
- Right to restrict
You have the right to request us to restrict the use of your personal data under certain circumstances (e.g. when we are pending examination process in accordance with your request to rectify your personal data or to object the collection, use or disclosure of your personal data, or you request to restrict the use of personal data instead of the deletion or destruction of personal data which is no longer necessary as you have necessity to retain it for the purposes of establishment, compliance, exercise or defense of legal claims).
- Right to object
You have the right to object the collection, use or disclosure of your personal data in case we proceed with legitimate interests basis or for the purpose of direct marketing, or for the purpose of scientific, historical or statistic research, unless we have legitimate grounds to reject your request (e.g. we have compelling legitimate ground to collect, use or disclose your personal data, or the collection, use or disclosure of your personal data is carried out for the establishment, compliance, or exercise legal claims, or for the reason of our public interests).
- Right to data portability
You have the right to receive your personal data in case we can arrange such personal data to be in the format which is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means. Also, you have the right to request us to send or transfer your personal data to third party, or to receive your personal data which we sent or transferred to third party, unless it is impossible to do so because of the technical circumstances, or we are entitled to legally reject your request.
- Right to withdraw consent
You have the right to withdraw your consent that has been given to us at any time pursuant to the methods and means prescribed by us, unless the nature of consent does not allow such withdrawal. The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of your personal data based on your consent before it was withdrawn.
You can review and change your consent to use or disclose your personal data for marketing purposes through channels as specified in No. 11 below or through other channel prescribed by us in the future.
- Right to lodge a complaint
You have the right to make a complaint with the Personal Data Protection Committee or their office in the event that we do not comply with the PDPA.
5. How we share your personal data
We may disclose your personal data to the following parties under the provisions of the PDPA:
- companies in SCBX Group, business partners, intermediaries (such as third-party securities companies or asset management companies), custodians, correspondents, vendors, co-brand business partners, market counterparties, issuers of products, or global trade repositories), Bank Julius Baer & Co. Ltd. (as our shareholder) and all of its branches and group companies, and/or other persons that we have the legal relationship, including our directors, executives, employees, staffs, contractors, representatives, advisors and/or such persons’ directors, executives, employees, staffs, contractors, representatives, advisors;
- governmental authorities and/or supervisory or regulatory authorities (e.g. the Bank of Thailand, the Office of the Securities and Exchange Commission of Thailand, the Ministry of Digital Economy and Society, the Anti-Money Laundering Office, the Thai Revenue Department, the Stock Exchange of Thailand and the Thailand Clearing House);
- suppliers, agents and other entities (e.g. professional associations to which we are member, external auditors, depositories, document warehouses, overseas financial institutions and clearing houses) where the disclosure of your personal data has a specific purpose and under lawful basis, as well as appropriate security measures;
- any relevant persons as a result of activities relating to selling rights of claims and/or assets, restructuring or acquisition of any of our entities, where we may transfer their rights to; any persons with whom we are required to share data for a proposed sale, reorganisation, transfer, financial arrangement, asset disposal or other transaction relating to our business and/or assets held by our business;
- other banks, financial institutions and third parties where required by law to help recover funds that have entered your account due to misdirected payment(s) by such third parties or trace funds where you are a victim of suspected financial crime, or where suspect funds have entered your account as a result of financial crime;
- debt collection agencies, lawyers, credit bureau, fraud prevention agencies, courts, authorities or any persons whom we are required or permitted by laws, regulations, or orders to share personal data;
- third parties providing services to us (e.g. IT service providers, market analysis and benchmarking, including but not limited to agents and subcontractors acting on our behalf, the companies which print and deliver statements);
- social media service providers (in a secure format) or other third-party advertisers so they can display relevant messages to you and others on our behalf about our products and/or services. Third-party advertisers may also use data relating to your previous online activities to tailor adverts to you;
- third-party security providers;
- other persons that provide you with benefits or services associated with our products or services( e.g. an insurance company); and/or
- your attorney, sub-attorney, authorized persons or legal representatives who have lawfully authorized power.
6. International transfer of personal data
The nature of the modern investment business is global and under certain circumstances it is necessary for us to send or transfer your personal data internationally (e.g. transferring data to companies in SCBX Group or to cloud server overseas for the purpose of the provision of services). When sending or transferring your personal data, we will always exercise our best effort to have your personal data transferred to our reliable business partners, service providers or other recipients by the safest method in order to maintain and protect the security of your personal data.
If the destination countries do not have adequate data protection standard, we will proceed to transfer personal data as specified by the PDPA and will put in place the protection measures of such personal data as necessary and appropriate.
7. Retention period of personal data
We will maintain and keep your personal data while you are our customer and once you have ended the relationship with us (e.g. after you closed your account with us, or following a transaction with us, or in case of your application to use our services is disapproved, or you terminated the services provided by us), we will only keep your personal data for a period of time that is appropriate and necessary for each type of personal data and for the purposes as specified by the PDPA.
The period we keep your personal data will be linked to the prescription period or the period under the relevant laws and regulations (e.g. Financial Institutions Businesses Laws, Securities and Exchange Laws, Anti-Money Laundering Laws, Counter-Terrorism and Proliferation of Weapon of Mass Destruction Financing Laws, Accounting Laws, Tax Laws, Labour Laws and other laws to which we are subject both in Thailand and in other countries). In addition, we may need to retain records of CCTV surveillance in our head office, and/or voice records to prevent fraud and to ensure security, including investigating suspicious transactions which you or related persons may inform us.
9. Use of personal data for original purposes
We are entitled to continue collecting and using your personal data which has previously been collected by us before the effectiveness of the PDPA in relation to the collection, use and disclosure of personal data, in accordance with the original purposes. If you do not wish us to continue collecting and using your personal data, you may notify us to withdraw your consent at any time.
We endeavour to ensure the security of your personal data through our internal security measures and strict policy enforcement. The measures extend from data encryption to firewalls (e.g. VPN, Citrix, Password log-in). We also require our staff and third-party contractors to follow our applicable privacy standards and policies and to exercise due care and measures when using, sending or transferring your personal data.
11. How to contact us
If you have any questions or would like more details about our privacy notice, please contact us through the following channels
- SCB-Julius Baer Securities Company Limited
our head office located at 801, Sukhumvit Road, Khlongtan Nuea, Wattana, Bangkok, 10110
- our Data Protection Officer by writing to E-mail: firstname.lastname@example.org or our address as specified above.
If you would like to exercise your rights in accordance with PDPA, please contact us through our head office, our Data Protection Officer or Call Center Tel. +662 0989999.
12. Changes to this privacy notice
We may change or update this privacy notice from time to time and we will inform the updated privacy notice at our website www.scbjuliusbaer.com.
Version April 2022