Personal Data Protection Policy for Fundraising

The Office of the Securities and Exchange Commission (SEC Office)

0. Scope of this Policy

This Personal Data Protection Policy applies to the business operators who have been licensed by the SEC Office, the market professionals who have been approved by the SEC Office, other persons approved by the SEC Office, as well as the persons who commit offenses as prescribed by the acts/royal decrees under the power and duties of the SEC Office.

1. Personal data collected by the SEC Office:

The SEC Office collects the following personal data:

1.1 Definitions and examples of data collected by the SEC Office

Personal data:Data of a personal nature, for example, identification number/passport number, title, name, surname (Thai/English), date of birth, citizenship, sex, marital status, father’s name/mother’s name, (former) titles, (former) surnames, and name of spouse, etc.
Contact information:Information for contact purposes, including, mobile phone numbers, email addresses, addresses on the identification cards, addresses on the house registration, permanent address, home telephone numbers, and facsimile numbers.
Sensitive data:Data under Section 26 of the Personal Data Protection Act, for example, criminal record, nationality, religion.
Qualification data:Data relating to the qualifications of business operators, which include experience, for example, education, employment record, affiliation, job positions, work experience, test/training records, certification numbers of locally certified public accountants/international certified public accountants, prohibited characteristics, and qualifications used for registration, whether with authority or not, training history at the Thai Institute of Directors.
Financial data:Data relating to the financial aspect of business operators, for example, the number of shares held, shareholding proportion, trading account numbers.
Verification data:Data for verification purposes, for example, trader codes/details of the business entities whose financial statements for the latest period have been signed by an auditor in giving opinion or whose working paper has been reviewed by the SEC Office.

Work Areas Personal Data Contact Information Sensitive Data Qualification data Financial Data Verification Data
1. Information from the approval for the offer for sale and report of the results of the offer for sale of equity instruments, debt instruments, and derivative warrants;
2. Related party transactions (RPT) of the listed company that are required to obtain approval from the shareholders, and asset acquisition and disposal transactions of the listed company that are required to obtain approval from the shareholders;
3. Information regarding the consideration of complaints on wrongdoings on the issuance and offer for sale of securities and the relevant professionals, for example, appraisers, and financial advisors;
4. Information regarding any action undertaken with the company applying for approval for the offer for sale of securities, including the name of the company applying for approval or the directors of the company applying for approval on the Black List of the SEC Office.
Information on the inspection of the quality of balance sheets and action undertaken with the listed company.
1. Making of a tender offer;
2. Business takeover;
3. Report of the results of the sale of digital tokens (ICO Portal).
Form for notifying the company secretary (Form 89/15-1 and Form 89/15-2).
Training on enhancement of knowledge for the public by the SEC Network.
Any unlawful acts in other cases.
Summary of the types of auditor’s reports (Form 61-4)*
*Since 1 December 2020, this information has no longer been required.
Related party transactions (RPT) of the listed company that are required to obtain approval from the shareholders, and the asset acquisition and disposal transactions of the listed company that are required to obtain approval from the shareholders.
Form for notifying the change of document storage (Form 89/15-3).
Other information regarding the disclosure documents, letters of acknowledgement of obligations, or written certifications of qualifications.

1.2 Sources of personal data

  1. The SEC Office receives your personal data submitted via a system of a company or agent assigned by you:
    1. Information on the approval for offer for sale and report of the results of the offer for sale of equity instruments;
    2. Information on the approval for offer for sale and report of the results of the offer for sale of derivative warrants;
    3. Information on the approval for offer for sale and report of the results of the offer for sale of debt instruments;
    4. Application for approval for issuance and offer for sale of trust units of real estate investment trusts;
    5. Application for approval for issuance and offer for sale of trust units of infrastructure trusts to the general public;
    6. Approval for the establishment of infrastructure funds and application for offer for sale of investment units for capital increase;
    7. Form for report on information disclosure;
    8. Form for report on securities holding and the report on the acquisition and disposal of securities of executives, and the information disclosed on the website;
    9. Report form 246-2;
    10. Enterprise Content Management System (ECM);
    11. Making of a tender offer or a business takeover (shares + making of a tender offer);
    12. List of directors and executives;
    13. Report of the results of the sale of digital tokens via ICO Portal.
  2. The SEC Office receives the following personal data from its cooperation with government agencies:
    1. Data for consideration of approval and inspection of wrongdoings from the Bank of Thailand (BOT), the Office of the Insurance Commission (OIC). In the case where no wrongdoing is detected, the SEC Office will not store any data.
    2. Data for verification of wrongdoing from the integrated public information and governmental services database (https://linkagemgmt.bora.dopa.go.th) , for example, data from the Department of Legal Execution, the Anti-Money Laundering Office (AMLO), the Department of Special Investigation (DSI), and the Narcotics Control Board (NCB), etc. In the case where no wrongdoing is detected, the SEC Office will not store any data.
    3. Data for authentication from the Department of Administrative Affairs which will be stored on the personal data database of the SEC Office.

2. Purposes of Data Processing

Data Processing Activities Work Areas Legal Basis for Data Processing
The SEC Office collects your personal data in order to grant approval for the offer for sale, filing, report of the results of the sale of equity instruments, debt instrument, funds, report of the sale of digital tokens.
  • Information since the approval for offer for sale until the report on the results of the sale of equity instruments:
    • Directors and executives of the applicant and the directors and executives of the financial advisor;
    • Responsible directors of the experts and the experts, for example, auditors, legal advisors, appraisals (if any);
    • Directors of the listed company and/or the subsidiaries and/or related parties;
    • Shareholders of the company and/or the subsidiaries.
    • The persons who may have any conflict of interest with the company.
  • Information since the approval for the offer for sale until the report on the results of the sale of derivative warrants:
    • Directors and executives of the applicant and the directors and executives of the financial advisor;
    • Responsible directors of the experts; and the experts, for example, auditors, legal advisors, appraisals (if any);
    • Shareholders
    • Contact person of the company
  • Information since the approval for the offer for sale until the report on the results of the sale of debt instruments:
    • Buyers of securities (including the directors and executives of the company)
    • Shareholders of the company
    • Contact persons of the company
  • Application for approval for the issue and the offer for sale of trust units of real estate investment trusts:
    • The top ten unitholders;
    • Directors and executives of the applicant and the directors and executives of the financial advisor (if any);
    • Responsible directors of the experts; and the experts, for example, auditors, legal advisors, appraisals, and the REIT manager;
    • Related parties of the REIT manager and the trustee.
  • Application for approval for issue and offer for sale of trust units of infrastructure trusts to the general public;
    • Directors of the trust manager;
    • The person who holds the highest position in the function who is responsible for preparing the financial statements of the trust;
    • Directors and executives of the applicant and the executives of the financial advisor (if any);
    • Responsible directors of the experts; and the experts, for example, auditors, legal advisors, appraisals, and the trust manager;
  • Other information in the disclosing documents, letters of acknowledgement of obligations or letters for certifications of qualifications
    • Persons who certify the performance of duties of the financial advisor.
  • Report of the results of sale of digital tokens via the ICO Portal, the client information, and the assets allocated to the clients.
    • Clients
Public task basis
Approval for establishment and management of an infrastructure fund
  • The registration of a pool of assets as an infrastructure fund, the application for registration of capital increase of an infrastructure fund, and the application for registration of the capital increase of a property fund:
    • The authorized signatories of the management company.
  • Approval for the establishment of an infrastructure fund and the application for approval for the offer for sale of investment units for capital increase:
    • The top ten unitholders;
    • Directors of the management company;
    • The authorized signatories of the party that guarantees the income;
    • The independent expert on technology;
    • The legal advisor, the auditor, the concessioner;
    • Controller;
    • Main appraisals;
Public task basis
For publication or consideration of the operation or compliance with the law and regulations, rules, or the promotion of knowledge
  • Report form for disclosure of information
    • Directors of the trust management
    • the person who holds the highest executive position in the function that is responsible for preparing the financial statements of the trust;
    • Controller.
  • Report of securities holding and report of asset acquisition and disposal of executives or publication of information on the website:
    • Directors and executives.
  • Making of a tender offer:
    • Directors, executives, and controller;
    • Persons who make a tender offer;
    • Shareholders, persons filing an application, requesting a relaxation, or expressing intent.
  • Business takeover
    • Persons: shareholders of the company and/or related parties
  • Related party transactions (RPT) of the listed company for which it is required to obtain approval of the shareholders, or asset acquisition and disposal transactions of the listed company that are required to obtain approval of the shareholders.
    • Shareholders
  • Report form 246-2
    • Person who files the report.
  • Information on the inspection of the quality of balance sheets and action undertaken with the listed company:
    • Shareholders or debenture holders
    • Directors or executives of the listed company or the company filing for the IPO and related companies;
    • Auditor;
    • Controller.
  • Summary of the types of auditor’s reports (Form 61-4)*
    • Auditor.
  • Name of the company secretary;
  • Persons who participated in training and guest lecturers from other agencies.
  • *Since 1 December 2020, this information has no longer been required.
Public task basis
  • Information for consideration of complaints, wrongdoing in respect of the issue and offer for sale of securities and related professionals, for example, appraisal companies and financial advisors
  • Information regarding any action undertaken by the company applying for approval for the offer for sale of securities, including the name of the company applying for approval or the directors of the company applying for approval on the Black List of the SEC Office.
  • Consideration of wrongdoing
  • Issuing and offering securities for sale and related processionals
  • Any wrongdoing under Section 56
    • Managing Director
  • Any wrongdoing under Section 59
    • Directors and executives
  • Any wrongdoing under Section 246
    • Person who files the report.
  • Any wrongdoing in other cases
    • Wrongdoers
Public task basis

3. Disclosure of Personal Data

After the SEC Office has received personal data from other sources, the SEC Office has the responsibility to disclose your personal data on its website in accordance with its duty to disclose data to the public in the interest of investors, business operators, and all other relevant parties.

The SEC Office discloses or submits personal data for use in the personal data processing activities in accordance with its responsibilities and the relevant agencies as follows:

In disclosing your personal data to other persons, the SEC Office complies with the specified purposes or the purposes permissible by law only. In the case where it is required by law that your consent must first be obtained, the SEC Office shall request your consent.

The SEC Office complies with appropriate security measures, for example, ISO27001 standards or NIST, etc. In case of any cross-border data transfer to another country, international organizations, or recipients abroad, the SEC Office shall ensure that the destination agencies have sufficient security standards for personal data protection.

4. Retention and Retention Period of Personal Data

The SEC Office retains your personal data in the following manners:

1. Retention

The personal data will be retained in accordance with the characteristics of the personal data received:

2. Place for Retention

The personal data will be retained in accordance with the characteristics of the personal data received:

3. Retention Period

The retention period for personal data shall be in compliance with the Data Retention Policy.

5. Personal Data of Minors

The SEC Office does not have any specific intention or responsibility to process the personal data of minors. However, if it is necessary for the operation of the SEC Office, the SEC Office may collect and process the personal data of minors. For any activity related to the SEC Office, it is assumed that a minor cannot perform this activity on his or her own. The SEC Office will ensure that the legal representative or the person who uses the parental power has acknowledged or consented, as the case may be, in accordance with the Personal Data Protection Law.

6. Rights of Data Subjects

As a data subject, you have the following rights:

  1. Right to withdraw consent: You have the right to withdraw your consent for the SEC Office to process your personal data given to the SEC Office during the period in which your data is held by the SEC Office;
  2. Right to be informed: You have the right to be informed of the personal data that the SEC Office will process before or at the time of collection;
  3. Right of access: You have the right to access your personal data and request the SEC Office to make copies of your personal data for your own use, as well as to request the SEC Office to disclose how the SEC Office acquired any personal data to which you did not give consent to the SEC Office;
  4. Right to rectification: You have the right to request the SEC Office to rectify data or to add additional data;
  5. Right to erasure: You have the right to request the SEC Office erase your data for certain reasons;
  6. Right to restriction of processing: You have the right to restrict the use of your personal data for certain reasons;
  7. Right to data portability: You have the right to request the SEC Office to transfer your personal data that you have provided to the SEC Office to another data controllers, or to yourself for certain reasons. In this regard, the SEC Office does not yet have an automatic data transfer system;
  8. Right to object: You have the right to object the processing of your personal data for certain reasons.

You can contact the Data Protection Officer (DPO) of the SEC Office to submit a request to exercise the rights stated above (please refer to the contact details in “Contact Channels” below). You may also refer to the details, conditions, exemptions of exercising those rights, on the website of the Ministry of Digital Economy and Society http://www.mdes.go.th

In exercising any right as stated above, you are not required to make any payment. The SEC Office will consider the matter and notify you of the results within 30 days from the receipt of the request.

If your request is declined, the SEC Office will notify you of the reasons via the contact channel provided by you. If you have any further questions or any additional complaint relating to your request, you can contact the Data Protection Officer (DPO) of the SEC Office.

7. Communication and Dissemination of Information of the Capital Market

The SEC Office communicates and disseminates information relating to the capital market, as well as the services provided by the SEC Office in which you may be interested so as to effectively perform its duties and supervision. In this regard, the SEC Office will request your prior consent to receive information. You may withdraw your consent at any time by taking the following steps:

  1. Press the unsubscribe button in the email of the SEC Office;
  2. Check the email address;
  3. Press the Confirm button to withdraw your consent to receive information.

8. Changes of the Personal Data Protection Policy

The SEC Office will consider and review this Personal Data Protection Policy on a regular basis in order to comply with the relevant guidelines, laws, and regulations. In case of any change to this Personal Data Protection Policy, the SEC Office will notify you by updating its website as soon as possible. This Personal Data Protection Policy was last reviewed on 8 April 2021.

9. Contact Channels

Information of the Data Control Officer

Name of the Organization in Thai: สำนักงานคณะกรรมการกำกับหลักทรัพย์และตลาดหลักทรัพย์
Name of the Organization in English: The Securities and Exchange Commission, Thailand
Address: 333/3 Vibhavadi-Rangsit Road, Chomphon, Chatuchak, Bangkok 10900
Contact Channels: Help Center: 1207
Telephone No.: 0-2033-9999
Email: info@sec.or.th
Other contact or information channels: https://www.sec.or.th/TH/Pages/Home.aspx
https://www.facebook.com/sec.or.th
https://www.youtube.com/user/insideSEC
https://twitter.com/ThaiSEC_News
Contact channel of the Data Protection Office: dpo@sec.or.th