Personal Data Protection Policy for Trading in Secondary Market

The Office of the Securities and Exchange Commission (SEC Office)

0. Scope of this Policy

This Personal Data Protection Policy applies to the business operators who have been licensed by the SEC Office, the market professionals who have been approved by the SEC Office, other persons approved by the SEC Office, as well as the persons who commit offenses as prescribed by the acts/royal decrees under the power and duties of the SEC Office.

1. Personal data collected by the SEC Office:

The SEC Office collects the following personal data:

1.1 Definitions and examples of data collected by the SEC Office

Personal data:Data of a personal nature, for example, identification number/passport number, title, name, surname (Thai/English), date of birth, citizenship, sex, marital status, father’s name/mother’s name, (former) titles, (former) surnames, name of spouse, etc.
Contact information:Information for contact purposes, including, mobile phone numbers, email addresses, addresses on the identification cards, addresses on the house registration, permanent address, home telephone numbers, and facsimile numbers.
Sensitive data:Data under Section 26 of the Personal Data Protection Act, for example, criminal record, nationality, religion.
Qualification data:Data relating to the qualifications of business operators, which include experience, for example, education, employment record, affiliation, job positions, work experience, test/training records, certification numbers of locally certified public accountants/international certified public accountants, prohibited characteristics, and qualifications used for registration, whether with authority or not, training history at the Thai Institute of Directors.
Financial data:Data relating to the financial aspect of business operators, for example, the number of shares held, shareholding proportion, trading account numbers.
Verification data:Data for verification purposes, for example, trader codes/details of the business entities whose financial statements for the latest financial period have been signed by an auditor in giving opinion or whose working paper has been reviewed by the SEC Office.

Work Areas Personal Data Contact Information Sensitive Data Qualification data Financial Data Verification Data
Information concerning the supervision of ThaiBMA (report on trading of debt instruments (surveillance report – on a monthly basis))
1. Database of SET Smart (the summary of trading and important statistics on debt instruments and bonds from the Stock Exchange)
3. Database of Bloomberg
2. Database of ThaiBMA (the summary on trading and the important statistics of debt instruments and bonds from the Thai Bond Market Association)
Database of TFEX (information on trading of derivative instruments on the Stock Exchange)
Information on daily trading (T - 2 months)
Information on daily trading of exchange brokers and dealers

1.2 Sources of personal data

  1. The SEC Office receives your personal data from:
    1. Information on relationships between different groups of persons from cases under investigation:
    2. The SET Group, securities companies, and commercial banks;
    3. The Thai Bond Market Association;
    4. Database Bloomberg;
    5. Digital asset business operators (exchanges, brokers, and dealers) via ICO Portal.

2. Purposes of Data Processing

Data Processing Activities Operating Systems Legal Basis for Data Processing
The SEC Office collects your personal data to conduct an analysis and inspection or research into investment behavior and an overview of foreign investment by country and instruments / and compliance with the law and the rules and regulations.
  • Information on the supervision of ThaiBMA:
    • Directors, executives of the company, and the contact persons of the company.
  • Summary on the trading and important statistics of equity instruments and derivative instruments from the Stock Exchange:
    • Boards of directors and shareholders of the public limited company.
  • Information on trading of derivative instruments from the Stock Exchange:
    • Investors who trade derivative instrument on the secondary market.
  • Information on daily trading, deposits, transfers, withdrawals, holding, and wallets of investors in digital assets:
    • Clients/traders.
  • Information from Bloomberg:
    • Directors, executives, and shareholders of the company.
  • Information on the daily trading from the SET Group:
    • Clients and traders.
Public task basis
Consideration of complaints, inspection, investigation, enquiries, administrative acts, and any act under the jurisdiction of the SEC Office in compliance with the law.
  • Every operating system
Public task basis

3. Disclosure of Personal Data

After the SEC Office has received personal data from other sources, the SEC Office has the responsibility to disclose your personal data on its website in accordance with its duty to disclose data to the public in the interest of investors, business operators, and all other relevant parties.

In disclosing your personal data to other persons, the SEC Office complies with the specified purposes or the purposes permissible by law only. In the case where it is required by law that your consent must first be obtained, the SEC Office will request your consent.

The SEC Office complies with appropriate security measures, for example, ISO27001 standards or NIST, etc. In case of any cross-border data transfer to destination country, international organizations, or recipients abroad, the SEC Office shall ensure that the destination agencies have sufficient security standards for personal data protection.

4. Retention and Retention Period of Personal Data

The SEC Office retains your personal data in the following manners:

1. Retention

The personal data will be retained in accordance with the characteristics of the personal data received:

2. Place for Retention

The personal data will be retained in accordance with the characteristics of the personal data received:

3. Retention Period

The retention period for personal data shall be in compliance with the Data Retention Policy.

5. Personal Data of Minors

The SEC Office does not have any specific intention or responsibility to process the personal data of minors. However, if it is necessary for the operation of the SEC Office, the SEC Office may collect and process the personal data of minors. For any activity related to the SEC Office, it is assumed that a minor cannot perform this activity on his or her own. The SEC Office will ensure that the legal representative or the person who uses the parental power has acknowledged or consented, as the case may be, in accordance with the Personal Data Protection Law.

6. Rights of Data Subjects

As a data subject, you have the following rights:

  1. Right to withdraw consent: You have the right to withdraw your consent for the SEC Office to process your personal data given to the SEC Office during the period in which your data is held by the SEC Office;
  2. Right to be informed: You have the right to be informed of the personal data that the SEC Office will process before or at the time of collection;
  3. Right of access: You have the right to access your personal data and request the SEC Office to make copies of your personal data for your own use, as well as to request the SEC Office to disclose how the SEC Office acquired any personal data to which you did not give consent to the SEC Office;
  4. Right to rectification: You have the right to request the SEC Office to rectify data or to add additional data;
  5. Right to erasure: You have the right to request the SEC Office erase your data for certain reasons;
  6. Right to restriction of processing: You have the right to restrict the use of your personal data for certain reasons;
  7. Right to data portability: You have the right to request the SEC Office to transfer your personal data that you have provided to the SEC Office to another data controllers, or to yourself for certain reasons. In this regard, the SEC Office does not yet have an automatic data transfer system;
  8. Right to object: You have the right to object the processing of your personal data for certain reasons.

You can contact the Data Protection Officer (DPO) of the SEC Office to submit a request to exercise the rights stated above (please refer to the contact details in “Contact Channels” below). You may also refer to the details, conditions, exemptions of exercising those rights, on the website of the Ministry of Digital Economy and Society (http://www.mdes.go.th)

In exercising any right as stated above, you are not required to make any payment. The SEC Office will consider the matter and notify you of the results within 30 days from the receipt of the request.

If your request is declined, the SEC Office will notify you of the reasons via the contact channel provided by you. If you have any further questions or any additional complaint relating to your request, you can contact the Data Protection Officer (DPO) of the SEC Office.

7. Communication and Dissemination of Information on the Capital Market

The SEC Office communicates and disseminates information relating to the capital market, as well as the services provided by the SEC Office in which you may be interested so as to effectively perform its duties and supervision. In this regard, the SEC Office will request your prior consent to receive information. You may withdraw your consent at any time by taking the following steps:

  1. Press the unsubscribe button in the email of the SEC Office;
  2. Check the email address;
  3. Press the Confirm button to withdraw your consent to receive information.

8. Changes of the Personal Data Protection Policy

The SEC Office will consider and review this Personal Data Protection Policy on a regular basis in order to comply with the relevant guidelines, laws, and regulations. In case of any change to this Personal Data Protection Policy, the SEC Office will notify you by updating its website as soon as possible. This Personal Data Protection Policy was last reviewed on 8 April 2021.

9. Contact Channels

Information of the Data Control Officer

Name of the Organization in Thai: สำนักงานคณะกรรมการกำกับหลักทรัพย์และตลาดหลักทรัพย์
Name of the Organization in English: The Securities and Exchange Commission, Thailand
Address: 333/3 Vibhavadi-Rangsit Road, Chomphon, Chatuchak, Bangkok 10900
Contact Channels: Help Center: 1207
Telephone No.: 0-2033-9999
Email: info@sec.or.th
Other contact or information channels: https://www.sec.or.th/TH/Pages/Home.aspx
https://www.facebook.com/sec.or.th
https://www.youtube.com/user/insideSEC
https://twitter.com/ThaiSEC_News
Contact channel of the Data Protection Office: dpo@sec.or.th