Personal Data Protection Policy for Investment Management

The Office of the Securities and Exchange Commission (SEC Office)

0. Scope of this Policy

This Personal Data Protection Policy applies to the business operators who have been licensed by the SEC Office, the market professionals who have been approved by the SEC Office, other persons approved by the SEC Office, as well as the persons who commit offenses as prescribed by the acts/royal decrees under the power and duties of the SEC Office.

1. Personal data collected by the SEC Office:

The SEC Office collects the following personal data:

1.1 Definitions and examples of data collected by the SEC Office

Personal data:	Data of a personal nature, for example, identification number/passport number, title, name, surname (Thai/English), date of birth, citizenship, sex, marital status, father’s name/mother’s name, (former) titles, (former) surnames, name of spouse, etc.
Contact information:	Information for contact purposes, including, mobile phone numbers, email addresses, addresses on the identification cards, addresses on the house registration, permanent address, home telephone numbers, and facsimile numbers.
Sensitive data:	Data under Section 26 of the Personal Data Protection Act, for example, criminal record, nationality, religion.
Qualification data:	Data relating to the qualifications of business operators, which will include experience, for example, education, employment record, affiliation, job positions, work experience, test/training records, certification numbers of locally certified public accountants/international certified public accountants, prohibited characteristics, and qualifications used for registration, whether with authority or not, training history at the Thai Institute of Directors.
Financial data:	Data relating to the financial aspect of business operators, for example, the number of shares held, shareholding proportion, trading account numbers.
Verification data:	Data for verification purposes, for example, trader codes/details of the business entities whose financial statements for the latest period have been signed by an auditor in giving opinion or whose working paper has been reviewed by the SEC Office.

Work Areas	Personal Data	Contact Information	Qualification data	Financial Data	Sensitive Data	Verification Data
Information of unitholders (MPF7000)	✓	✓
Report on the investment position and the investment of each infrastructure fund (MF02)	✓		✓
1. Information on the results of verification; (information on the clients of business operators) 2. Information on the results of consideration of complaints (information on persons lodging complaints).	✓	✓	✓	✓	✓
1. Information on the results of verification (information of shareholders, directors, executives, and employees); 2. Information on the results of consideration of complaints (information on executives and employees); 3. Information on the consideration of wrongdoings.	✓	✓	✓	✓	✓	✓
1. Seminars (information on guest lecturers); 2. Seminars (information on persons participating in seminars); 3. Information on registered capital/paid-up capital of securities companies.	✓	✓	✓
1. Information on foreign investment of private funds and the portfolio of securities companies from the Bank of Thailand; 2. Letters seeking legal opinion and invitation letters for seminars; 3. Research, risk monitoring from Bloomberg.	✓

1.2 Sources of personal data

The SEC Office receives your personal data directly from you by collecting from:
1. Seminars;
2. The Enterprise Content Management System (ECM) of the SEC Office.)
The SEC Office receives your personal data submitted via a system by a company or agent assigned by you.
1. One For All Reporting System (OFAR) and various online systems, for example:
2. Invitation letters for seminars, information on the consideration of wrongdoing, information on the results of inspection;
3. The Enterprise Content Management System of the SEC Office (ECM)
The SEC Office receives the following personal data from its cooperation with government agencies:
1. Data for consideration of approval and inspection of wrongdoings from the Bank of Thailand (BOT) and the Office of the Insurance Commission (OIC). In the case that no wrongdoing is detected, the SEC Office will not store such data.
2. Data for verification of wrongdoing from the integrated public information and government services database (https://linkagemgmt.bora.dopa.go.th) , for example, data from the Department of Legal Execution, the Anti-Money Laundering Office (AMLO), the Department of Special Investigation (DSI), and the Narcotics Control Board (NCB), etc. In the case that no wrongdoing is detected, the SEC Office will not store such data.
3. Data for authentication from the Department of Administrative Affairs which will be stored in the personal data database of the SEC Office.
4. Data for verification from the Department of Business Development which will be stored in the personal data database of the SEC Office.

4. The SEC Office receives your personal data from other databases, namely Bloomberg/ BOL/ThaiBMA/SETSMART.

2. Purposes of Data Processing

Data Processing Activities	Operating Systems	Legal Basis for Data Processing
The SEC Office collects your personal data to use in the analysis and the inspection or research into investment behavior and overview of foreign investment by country or instrument	Information on foreign investment in private funds and the portfolio of securities companies from the Bank of Thailand Investors of foreign securities via investment agents Information on registered capital/paid-up capital of asset management companies Information on unitholders (MPF7000) Unitholders	Public task basis
Information on consideration of complaints and compliance with the law and rules and regulations/ promotion of knowledge/ consideration of wrongdoing /research and risk monitoring	Information on the results of verification: Information on the shareholders, directors, executives, and employees Information on the clients of business operators Information on the consideration of wrongdoing: Information on the shareholders, directors, executives, and employees Information on the results of consideration of complaints Information on the persons lodging complaints, information on executives and employees Information on the results of the consideration of complaints: Information on the executives and employees Research, risk monitoring from Bloomberg	Public task basis
	Seminars Information on guest lecturers, information on persons participating in seminars	Consent basis Consent basis

3. Disclosure of Personal Data

After the SEC Office has received personal data from other sources, the SEC Office has the responsibility to disclose your personal data on its website in accordance with its duty to disclose data to the public in the interest of investors, business operators, and all other relevant parties.

The SEC Office discloses or submits personal data for use in the personal data processing activities in accordance with its responsibilities and the relevant agencies as follows:

Stock Exchange of Thailand;
Finance Ministry;
Bank of Thailand;
Office of Insurance Commission;
Other agencies, for example, Damrongtham Center, the Federation of Accounting Professions, the Digital Government Development Agency (public organization) (DGA) for the Integrity and Transparency Assessment (ITA), and the National Archives of Thailand, etc.;
Audit firms;
Regulatory agencies relevant to local and foreign capital markets.

In disclosing your personal data to other persons, the SEC Office complies with the specified purposes or the purposes permissible by law only. In the case where it is required by law that your consent must first be obtained, the SEC Office shall request your consent.

In this regard, the SEC Office complies with appropriate security measures, for example, ISO27001 standards or NIST, etc. In case of any cross-border data transfer to another country, international organizations, or recipients abroad, the SEC Office shall ensure that the destination agencies have sufficient security standards for personal data protection.

4. Retention and Retention Period of Personal Data

The SEC Office retains your personal data in the following manners:

1. Retention

The personal data will be retained in accordance with the characteristics of the personal data received:

The personal data will be retained at the central database that is safeguarded with proper security measures and access control.
Hard copies of documents and printed materials will be scanned and stored in the Enterprise Content Management System (ECM), the central document database that is safeguarded with proper security measures and access control.

2. Place for Retention

The personal data will be retained in accordance with the characteristics of the personal data received:

The personal data from the computer system of the SEC Office is stored in the central data center with access control and stored on the Cloud provided by the Cloud Provider, whose standards are acceptable and the service is reviewed on a regular basis.
Hard copies of documents and printed materials are stored based on their use:

Documents that are currently in use will be stored in a safe place in the SEC Office, for example, central file cabinets with locks and access control and registers of document users;
Documents for completed matters will be stored at a warehouse with appropriate security measures against unauthorized access.

3. Retention Period

The retention period for personal data shall be in compliance with the Data Retention Policy.

5. Personal Data of Minors

The SEC Office does not have any specific intention or responsibility to process the personal data of minors. However, if it is necessary for the operation of the SEC Office, the SEC Office may collect and process the personal data of minors. For any activity related to the SEC Office, it is assumed that a minor cannot perform this activity on his or her own. The SEC Office will ensure that the legal representative or the person who uses the parental power has acknowledged or consented, as the case may be, in accordance with the Personal Data Protection Law.

6. Rights of Data Subjects

As a data subject, you have the following rights:

Right to withdraw consent: You have the right to withdraw your consent for the SEC Office to process your personal data given to the SEC Office during the period in which your data is held by the SEC Office;
Right to be informed: You have the right to be informed of the personal data that the SEC Office will process before or at the time of collection;
Right of access: You have the right to access your personal data and request the SEC Office to make copies of your personal data for your own use, as well as to request the SEC Office to disclose how the SEC Office acquired any personal data to which you did not give consent to the SEC Office;
Right to rectification: You have the right to request the SEC Office to rectify data or to add additional data;
Right to erasure: You have the right to request the SEC Office erase your data for certain reasons;
Right to restriction of processing: You have the right to restrict the use of your personal data for certain reasons;
Right to data portability: You have the right to request the SEC Office to transfer your personal data that you had provided to the SEC Office to another data controllers, or to yourself for certain reasons. In this regard, the SEC Office does not yet have an automatic data transfer system;
8. Right to object: You have the right to object the processing of your personal data for certain reasons.

You can contact the Data Protection Officer (DPO) of the SEC Office to submit a request to exercise the rights stated above (please refer to the contact details in “Contact Channels” below). You may also refer to the details, conditions, exemptions of exercising those rights, on the website of the Ministry of Digital Economy and Society (http://www.mdes.go.th)

In exercising any right as stated above, you are not required to make any payment. The SEC Office will consider the matter and notify you of the results within 30 days from the receipt of the request.

If your request is declined, the SEC Office will notify you of the reasons via the contact channel provided by you. If you have any further questions or any additional complaint relating to your request, you can contact the Data Protection Officer (DPO) of the SEC Office.

7. Communication and Dissemination of Information on the Capital Market

The SEC Office communicates and disseminates information relating to the capital market, as well as the services provided by the SEC Office in which you may be interested so as to effectively perform its duties and supervision. In this regard, the SEC Office will request your prior consent to receive information. You may withdraw your consent at any time by taking the following steps:

Press the unsubscribe button from the emails of the SEC Office;
Check the email address;
Press the Confirm button to withdraw your consent to receive information.

8. Changes of the Personal Data Protection Policy

The SEC Office will consider and review this Personal Data Protection Policy on a regular basis in order to comply with the relevant guidelines, laws, and regulations. In case of any change to this Personal Data Protection Policy, the SEC Office will notify you by updating its website as soon as possible. This Personal Data Protection Policy was last reviewed on 8 April 2021.

9. Contact Channels

Information of the Data Control Officer

Name of the Organization in Thai:	สำนักงานคณะกรรมการกำกับหลักทรัพย์และตลาดหลักทรัพย์
Name of the Organization in English:	The Securities and Exchange Commission, Thailand
Address:	333/3 Vibhavadi-Rangsit Road, Chomphon, Chatuchak, Bangkok 10900
Contact Channels:	Help Center: 1207 Telephone No.: 0-2033-9999 Email: info@sec.or.th
Other contact or information channels:	https://www.sec.or.th/TH/Pages/Home.aspx https://www.facebook.com/sec.or.th https://www.youtube.com/user/insideSEC https://twitter.com/ThaiSEC_News
Contact channel of the Data Protection Office:	dpo@sec.or.th