Personal Data Privacy Policy*
Bank of Thailand

     The Bank of Thailand (BOT) as the data controller in respect of personal data under the Personal Data Protection Act, B.E. 2562 (2019) (PDPA) has full awareness of the vital importance of the protection of personal data in an efficient manner satisfying fundamental principles of data protection – viz., the necessity principle, the proportionality principle and the principle of respecting fundamental rights constitutionally afforded to data subjects – and also meeting international standards. The Bank of Thailand, therefore, formulates the Personal Data Privacy Policy with a view to establishing knowledge and understanding, amongst data subjects as well as general members of the public, as regards the purposes and principles of, and measures for, the maintenance of safety of personal data as operated by the BOT in the discharge of its duty as the national central bank and in the exercise of its supervision of financial institutions and payment systems, in the interest of upholding monetary stability as well as stability of financial institution systems and payment systems, as well as in taking action under other laws which impose duties and confer powers on the Bank of Thailand, and also facilitating internal administration of the BOT.

 

     The discharge of the BOT’s official functions entails the use of fundamental data including data related to identified or identifiable natural persons (personal data), by which such persons can be directly or indirectly identified, such as names, surnames, photographs, civic identification cards, addresses and contact details, financial data or personal records, as obtained directly from data subjects and from other sources. Such data, in effect, include information related to the BOT’s personnel, information obtained from financial institutions and juridical persons falling within the BOT’s regulatory supervision, Government agencies, State agencies, contracting parties, business operators, general members of the public and other juridical persons.  

     The collection and processing of data by the BOT are performed for the purposes of the discharge of its statutory duties as the central bank as well as the performance of its statutory regulation of financial institutions and payment systems, in order to ensure monetary and economic stability and the appropriate protection of users of financial services operated by regulated financial institutions, as well as in order to facilitate the BOT’s organisational management.

     Important purposes of the processing of personal data by the BOT are, by way of illustration, described below.

     (1) Purposes Involving the Supervision and Examination of Financial Institutions 

        The BOT performs official duties in connection with the supervision and examination of various types of business operators such as financial institutions and specialised financial institutions under the Financial Institutions Business Act, B.E. 2551 (2008) (as amended), asset management companies under the Emergency Decree on Asset Management Companies, B.E. 2541 (1998) (as amended), authorised foreign exchange businesses under the Exchange Control Act, B.E. 2485 (1942) (as amended) and payments service providers under the Payment Systems Act, B.E. 2560 (2017). In undertaking its role and responsibility, the BOT processes data including personal data of persons concerned as received from such financial institutions and financial & payments service operators to ensure safety and prudence in their operations, and thereby the BOT’s mandate to ensure economic and financial stability. In addition, the processing is for the purpose of performing BOT’s duties in relation to the protection of users of financial services. In this connection, general members of the public may seek advice on, or address complaints concerning, financial services providers via the BOT’s Financial Consumer Protection Center (FCC). This being so, the processing of users’ personal data by the BOT is essential for its co-ordination with financial institutions and for its proceeding in relation to the provision of advice or the pursuit of activities concerned.

     (2) Purposes of Conducting Monetary Policy and Formulation of Economic Policy

         The BOT’s discharge of its duties as regards the determination and implementation of monetary policies necessitates its processing of data, including personal data, for conducting assessment and forecasts of economic trends and directions to ensure monetary stability.

          In addition, the collection of personal data by the BOT such as financial information including, incomes, liabilities or business operation is carried out in order to analyse, research, and to determine policies or measures to address economic problems and facilitate economic development.

     (3) Purposes Involving the Supervision and Development of Payment Systems

         In carrying out its role and responsibility to safeguard the payments system stability and to develop the payments system, the BOT also needs to process personal data, as mandated by the Payment Systems Act, B.E. 2560 (2017). In addition, in the course of the BOT serving as a provider of critical payment infrastructure, for example, the Bank of Thailand Automated High-Value Transfer Network (BAHTNET) system, the BOT also processes personal data.

     (4) Purposes Involving the Issuance and Management of Banknotes

         Statutory responsibilities assumed by the BOT in issuing banknotes as provided by the Bank of Thailand Act, B.E. 2485 (1942) (as amended) entails its processing of personal data, in particular, data relating to criminal records for the purposes of allowing access to restricted areas and conducting authentication in transactions involving banknote management, such as the deposit, withdrawal and carriage of banknotes.

     (5) Purposes Involving the Conduct of Activities for Lawful Public Interests

         The BOT has established its Learning Center and has, through various projects, striven to create and strengthen financial literacy as well as knowledge in the interest of the public, pupils and students. Such activities also entail collection and processing of personal data by the BOT in order to serve the public efficiently.

     (6) Purposes Involving the Maintenance of Safety of the BOT’s Personnel, Premises and Property

         As an essential part of safety operations for the benefit of its personnel, premises and property, the BOT requires information for persons gaining access to its areas, such personal data include their names, surnames, agencies of affiliation, as well as photographic records, including via closed-circuit television cameras (CCTV cameras) as well.

     The BOT recognises the importance of compliance with regulations and international standards on security of personal data, and has put in place risk-based measures for protecting rights, freedoms and interests of data subjects. In this regard, data leak prevention technology is also used to protect information. All operations are conducted in accordance with the data protection principles as follows.

     The processing of personal data must be conducted lawfully, fairly and in a transparent manner in accordance with the data governance principle. Operations must be limited to what is necessary for specifically specified and explicit purposes. Also, personal data must be accurate and kept up to date. Further, personal data must be stored only for such periods as are necessary for the fulfilment of the specified purposes and, once such necessity ceases to exist, the BOT will take action in destroying or deleting such data or ensuring that identification of data subjects is no longer possible. 

     In addition, the use or disclosure of personal data to third persons such as Government agencies, hospitals or other juridical persons concerned must be carried out in accordance with the specified purposes for carrying out BOT’s missions, or for the purpose of performing its duties under other laws, or for the purposes of legitimate interests of the BOT or other persons as well as juridical persons. Moreover, measures are made available for ensuring appropriate security of personal data, with a view to protecting them against loss, access, use, alteration, modification or disclosure by unauthorised persons or unlawfully.

     The BOT has full awareness of rights of data subjects as provided in the Personal Data Protection Act. These are the right to access to personal data, the right to rectification of inaccurate personal data, the right to data portability, the right to erasure (the right to be forgotten), the right to restriction of processing and the right to object to the processing of personal data.

     In this connection, the exercise of the rights of data subjects as previously spelled out and all operations of the BOT in relation to such rights must be in accordance with the rules as provided in the Personal Data Protection Act. The BOT may refuse to take action as requested where legal grounds exist under the law. Data subjects who intend to make requests in the exercise of the aforesaid rights may contact the Data Protection Officer (DPO) through the contact channels indicated below.

     The BOT shall review its Personal Data Privacy Policy every year or whenever there arises any significant change to ensure its consistency with the laws, regulations and practices concerned. The revised version of the Policy will further be made publicly available on the BOT's website.

     BOT Head Office

     Contacting Address: 273 Samsen Road, Watsamphraya, Pranakhon District, Bangkok 10200
     Tel: 1213  
     Email: contact@bot.or.th
     Website: www.bot.or.th

     BOT Data Protection Officer (DPO)

     Contacting Address: Enterprise Risk Management Department, BOT  
                             273 Samsen Road, Watsamphraya, Pranakhon District, Bangkok 10200
     Email: DPO@bot.or.th

 

 

     For additional information about the exercise of data subject's rights, please click link.

*DISCLAIMER: This is an unofficial translation which is provided by the Bank of Thailand as the competent authority for information purposes only. Whilst the Bank of Thailand has made efforts to ensure the accuracy and correctness of the translation, the original Thai text as formally adopted and published shall in all events remain the sole authoritative text having the force of law.