Search
CUSTOMER PRIVACY POLICY
EASY BUY PUBLIC COMPANY LIMITED
[Latest updated : December 1st, 2023]
1. Purpose and Scope of the Privacy Policy
- This document is Privacy Policy applies to all customers (hereinafter referred to as "You" and “Your”) of Easy Buy Public Company Limited (hereinafter referred to as "Company"). As a personal data controller according to the Personal Data Protection Act B.E. 2562, This Privacy Policy will notify all concerned about how the company collect and process customer’s personal data in accordance with the purposes and scope of the company.
Data Controller Contact Information |
Data Protection Officer (DPO) Contact Information |
|---|---|
EASY BUY Public Company Limited |
Email : contactpdpa-dpo@easybuy.co.th |
- This Privacy Policy covers data subjects who are company’s customers, and individual being involved with company’s customers including:
- Customer, Designated persons under Article 7 of Anti-Money Laundering and Proliferation of Weapon of Mass Destruction Financing Act B.E.2559, Peps person, reference person, person who makes payment to or receives money from company’s customers, visitor
- As used in this Privacy Policy, the following terms shall have the meanings set forth below:
- “processing” means anything done with Customer’s personal data, including collection, storage, use, disclosure and deletion of personal data.
- “legal bases” means justifiable reasons to process personal data in accordance with Article 24 and Article 26 of the PDPA.
- “Personal data” means any information relating to individual or data subject that can be used to directly or indirectly identify a person, exclude the data of the deceased such as full name, phone number, address, E-mail and ID verification number etc.
- “Sensitive data” means personal data which the personal data protection act., specify that the company must process with higher security than the personal data such as ethnic origin, political opinion, religious, sexual behavior, crime history, health information, disability, union information, genetic information, biometric and other as related laws or regulations specify
- This Privacy Policy may be revised at any given time and the company may notify you through appropriate channels.
2. Personal Data the Company Process
- The company collects the following categories of your personal data;
• Identity data including, but not limited to, full name - surname, signature, customer number, ID number and photo;
• Profile data including, but not limited to, gender, date of birth, nationality, age and marital status;
• Employment data including, but not limited to, workplace, job position, department, and salary;
• Address / contact data including, but not limited to, address, email account, social media account, fax number and phone number;
• Finance data including, but not limited to, bank account number, Umay+ Card Number, income per month and bank statements;
• Transaction data including, but not limited to, contract number, voice record and complaint details;
• Family data including, but not limited to, parent (s)’ details and child’s details;
• IT data including, but not limited to, IP address; and
• Evidence including, but not limited to, copy of ID card.
3. How the Company Collect Your Personal Data
- In general, the company will directly collect your personal data through these processes (or channels) including, but not limited to;
• When directly contact customer via channels such as email, LINE application, website, fax and phone;
• When enter into agreement with Customer; and
• When Customer fills in relevant forms, such as Registration Form, Application Form, Debt Restructuring Form and Salary Update Form.
However, the company may collect additional personal data through third-party organizations which include;
• Service providers, such as law firms, recruitment agencies, training service providers, National Credit Bureau (NCB), 7-11 and World Check, etc.;
• vendors, such as Summit Queen, Iron Mountain and True Move H Universal Communication Co., Ltd (TUC), etc. ;
• bank alliances, such as Bank of Ayudhya (BAY) and Government Housing Bank (GHB), etc.;
• Associations, such as Japanese Association, etc.; and
• Government agencies, such as District Offices, Bank of Thailand (BOT), Ministry of Finance (MOF) and Anti Money Laundering Office (AMLO), etc.
- The company also collects personal data from third parties who have a relationship with you and whom you have given such data, such as a reference person, for the purposes of confirming information prior to or during the engagement of a contract, as well as to enable you to use the company's products and/or services for the purposes to which you are a party to the company or to fulfill your request before using the company's products and/or services, as well for inquiring if the company is unable to contact you. Please inform third parties about this privacy policy to ensure that they are aware of the company's customer privacy policy and to obtain consent from them for the company to collect, use, and disclose their personal data for the purposes and scope stated.
4. How the Company Process Your Personal Data
- The company will collect, use, and disclose your personal data for the following, but not limited to, purposes.
4.1 To carry out procedures prior to entering into a contract in order to enable you to use company's products and/or services for the purposes of which you are a party to the company or to fulfill your request before using the Company's products and/or services (Contractual Basis), such as
(1) Approval Providing products and/or services such as credit approval, debt restructuring obligation, etc.
(2) Any action related to the use of products and/or services, such as processing, contacting, notifying, assigning tasks to third party service providers; Assignment of rights and/or duties Notification of payment of installment purchases, including the notification of any information related to or due to the usage of the company's product or service.
- 4.2 In order to perform duties in accordance with relevant laws or applicable (Legal Obligation) such as
(1) Compliance with the order of the legal authority
(2) Compliance with Financial Institution Business Laws, life insurance law, non-life insurance law, tax law, Anti-Money Laundering Laws, Laws on the Prevention and Suppression of Terrorism Financing and the Proliferation of Weapons of Mass Destruction, computer law, bankruptcy law and other laws that the company has to comply with both in Thailand and abroad including announcements and regulations issued under such laws
- 4.3 To carry out operations necessary under the legitimate interests of the Company or of another person or entity. without exceeding the scope that you can reasonably expect (Legitimate Interest), such as
(1) Voice recording via Call Center, CCTV recording, card exchange before entering the building
(2) Maintaining relationship with customers, such as handling complaints, satisfaction assessment, Customer care by company employees, notifying or offering products and/or services that are similar to those you have with the company that is beneficial to you
(3) Debt collection in the case of default.
(4) Risk Management, supervision and internal management
(5) Making personal information as non-personally identifiable information (Anonymous Data)
(6) Prevention, coping, and reduction of risks that may occur in fraudulent actions, cyber threat, default or breach of contract (eg: bankruptcy information); illegal activities (eg: money laundering, terrorist financing and proliferation of weapons of mass destruction); offenses relating to property, life, body, liberty or reputation), which include sharing personal information to raise the standard of work of affiliated companies/businesses in preventing, coping, and reducing the aforementioned risks.
(7) Contact, video recording, audio related to marketing activities, such as booths.
(8) Collecting, using and/or disclosing personal information of persons who have been granted receivership by the court.
- The following are the groups of activities in which the company utilizes your personal data to carry out all activities in accordance with the aforementioned purposes:
Group of Activities |
Group of PIIs |
Legal Bases |
|---|---|---|
Contract Administration |
• Identity Data |
• Contract |
Making Report |
• Identity Data |
• Legitimate Interest |
Marketing Activity |
• Identity Data |
• Contract |
Data Analysis |
• Identity Data |
• Contract |
Debt Management |
• Identity Data |
• Contract |
Operations with Outside Agency |
• Identity Data |
• Contract |
Processing regarding SAM |
• Identity Data |
• Contract |
Processes with Bankrupt Customers |
• Identity Data |
• Contract |
Processes with Debtors during the Legal Processes |
• Identity Data |
• Contract |
Delivery of Documents |
• Identity Data |
• Contract |
Customer Contact and Issue and/or complaint Handling |
• Identity Data |
• Contract |
Loan Management |
• Identity Data |
• Contract |
Payment Process |
• Identity Data |
• Contract |
Operational Check |
• Identity Data |
• Contract |
Credit Bureau Check |
• Identity Data |
• Legal Obligation |
Identity Verification |
• Identity Data |
• Contract |
Compliance and Litigation |
• Identity Data |
• Legitimate Interest |
Reconciliation And Adjusting Transaction Detail |
• Identity Data |
• Contract |
Refunding |
• Identity Data |
• Contract |
Allowance for Doubtful Accounts |
• Identity Data |
• Legitimate Interest |
Importing AMLO, PEPs's Information |
• Identity Data |
• Legal Obligation |
Loan Suspension Name List |
• Identity Data |
• Legitimate Interest |
Data Management and Access Control |
• Identity Data |
• Contract |
Branch/Office Access Control |
• Identity Data |
• Legitimate Interest |
- The company will process your personal data according to the stated purposes and scope. If there came upon a case where personal data were to be processed for other purposes, and it is unlikely to rely on other legal bases, through this policy, the company will provide additional information about the processing's purpose and legal basis.
5. Usage of Personal Data with Third-Party Organizations
- The company may be required to disclose and/or transfer your personal data to third-party organizations, in order for such organizations to process personal data in accordance with agreements with the company and/or legal obligations. These organizations may include;
• Service providers, such as law firms, National Credit Bureau (NCB), Thailand Post, Data Products Toppan Forms, Docuxpert, Bluefish, Counter Service, Lotus, ShopeePay, AIS, TRUE and DTAC;
• Vendors, such as Heroleads, The Mall, Power Buy, Siam TV and Summit Queen;
• Bank alliances, such as Siam Commercial Bank (SCB), Bangkok Bank (BBL), Kasikorn Bank (KBANK), Government Savings Bank (GSB), Bank of Ayudhya (BAY), TMBThanachart Bank (TTB),
and Krungthai Bank (KTB).
• Government agencies, such as Anti Money Laundering Office (AMLO), Bank of Thailand (BOT), Department of Land Transport and Legal Execution Department; and
• Reference persons.
For the cases where personal data are being disclosed and/or transferred to third-party organizations, the company will ensure that the minimum amount of personal data are being disclosed and/or transferred, and consider anonymization and pseudonymization techniques for greater security. Nevertheless, the third-party organizations who will process Customer’s personal data for Easy Buy will be required to have in place appropriate privacy policy. Further, Easy Buy does not permit these third-party organizations to use your personal data in a way that diverge from the agreed scope and purposes.
6. Transferring of Personal Data to Foreign Countries
- The company may be required to transfer your personal data to foreign countries, such as Japan.
In this regard, the company will transfer your personal data abroad only when any of these requirements has been met. The requirements include:- - The receiving foreign country has a comprehensive personal data regulation in place;
- The receiving organization has in place a comprehensive privacy policy which has been certified by the Personal Data Committee;
- If the destination country has insufficient standards of Personal Data protection, the company shall ensure that Personal Data will be sent or transferred in accordance with law and shall set standards of Personal Data protection as deemed necessary, and appropriate for and consistent with the confidentiality standards. For instance, an agreement must be entered into with the data recipient in that country to ensure that your Personal Data will be protected under the Personal Data protection standards equivalent to that in Thailand;
- A pre-requisite to the exercise of legal rights;
- Consent has been obtained from the Customer who is well-aware of the inadequate personal data protection standards of the receiving countries or international organizations;
- A requirement for the execution of an agreement to which you are a party of, or the fulfillment of a request you made prior to entering into the agreement;
- A necessary task to carry out under a contractual agreement between Easy Buy and other persons or entities for the benefits of the Customer;
- To ensure the safety or limit further damage to an individual’s health who cannot give consent at the current time; and
- A necessary task for the good of the public.
7. Security Measures for Personal Data Protection
- The company has implemented certain security measures to ensure the security of Customer’s personal data. In this connection, third-party organizations are required to carry out the processing of personal data in accordance with company’s security policy, and to ensure the security of your personal data.
8. Period for Retention of Personal Data Storage
- The Company will collect your personal data as long as the legally basis specified and the purpose of the company to process such data still stand or/and for supervision for risk management for legal obligation, such as the Anti-Money Laundering Law, which specifies a 10-year period of data collection after the contract expires or until the account is closed or relationship has been terminated, unless the company can use a legal right or the lawsuit is still in progress. If your personal data is no longer required by the company to process, the company will either permanently delete all of your personal data from the company's data source/system or anonymize your data so that the company cannot identify you from it.
9. Customer’s Personal Data Rights
- Your personal data rights include:
- • Right to revoke consent – for the case where the company has obtained your consent in order to process your personal data;
• Right of access – you have the right to request a copy of all your personal data and assess if the company is processing your personal data in accordance with relevant laws;
• Right to data portability – for the case where Easy Buy has in place an automated platform allowing you to access your personal data automatically:
o you have the right to ask for your personal data to be transferred automatically to other organizations, and
o you have the right to request for your personal data in such a format that Easy Buy has transferred personal data to other organizations, except for the case where there is a technological limitation;
• Right to object – you have the right to object to any data processing activity of your personal data which has been relied on certain legal bases and processing purposes, including: - o Public task or legitimate interest
- o Direct marketing purposes, and
- o Scientific, historical or statistic research purposes, unless the processing is necessary for public task;
- • Right to erasure – you have the right to request for data deletion or anonymization, in accordance to the following cases:
- o Where processing required terms become expired
- o Where consent has been withheld, and the company cannot rely on other legal bases to process your personal data
- o Where there is objection raised against data processing activity, and
- o Where data processing activity is not in accordance with relevant laws;
- • Right to restrict processing – you have the right to restrict any data processing activity in accordance with the following cases:
- o During pending examination process
- o For cases related to personal data which shall initially be deleted and/or destroyed, but was followed by an additional request of processing restriction instead
- o For cases where the data processing terms have passed, but you have requested for processing restriction due to legal reasons, and
- o During the process of data processing objection verification; and
- • Right to rectification – you have the right to edit your personal data to be correct and concurrent to the present. If any mistake was detected, Easy Buy might not edit this ourself.
In case of adjusting reference person's name, the company reserves the right to limit who can request and proceed to only customers who have provided such information to the company, as the company has to verify such information with customers for confirmation and personal data security.
Kindly be informed that the company may not be able to carry out and support the exercise of your rights in particular circumstances, including but not limited to those involving legal proceedings or contractual obligation. Please be aware that the company keeps track of all inquiries to guarantee that all concerns are resolved.
In the case where you have the intention to exercise your personal data protection rights, or to file complaint against your personal data processing, please contact company’s DPO (contact details have been provided above) or you can apply the request form to the company by click : Data Subject Access Request Form.
The Company will process this request in a secure and timely manner.
10. Policy Revision
- This Privacy Policy was last updated on December 1st, 2023, and it applies to all of the company's customers. The company holds the rights to review and edit this Privacy Policy as the company see appropriate.
| Web Browser Recommended: Internet Explorer version 10 or later, Mozilla Firefox, Safari, Google Chrome |