Personal Data Protection Policy for Business Operators

The Office of the Securities and Exchange Commission (SEC Office)

0. Scope of this Policy

This Personal Data Protection Policy applies to the business operators who have been licensed by the SEC Office, the market professionals who have been approved by the SEC Office, other persons approved by the SEC Office, as well as the persons who commit offenses as prescribed by the acts/royal decrees under the power and duties of the SEC Office.

1. Personal data collected by the SEC Office:

The SEC Office collects the following personal data:

1.1 Definitions and examples of data collected by the SEC Office

Personal data:	Data of a personal nature, for example, identification number/passport number, title, name, surname (Thai/English), date of birth, citizenship, sex, marital status, father’s name/mother’s name, (former) titles, (former) surnames, name of spouse, etc.
Contact information:	Information for contact purposes, including mobile phone numbers, email addresses, addresses on the identification cards, addresses on the house registration, permanent address, home telephone numbers, and facsimile numbers.
Sensitive data:	Data under Section 26 of the Personal Data Protection Act, for example, criminal record, nationality, religion.
Qualification data:	Data relating to the qualifications of business operators, which include experience, for example, education, employment record/ affiliation, job positions, work experience, test/training records, certification numbers of locally certified public accountants/international certified public accountants, prohibited characteristics, and qualifications used for registration, whether with authority or not, training history at the Thai Institute of Directors.
Financial data:	Data relating to the financial aspect of business operators, for example, the number of shares held, shareholding proportion, trading account numbers.
Verification data:	Data for verification purposes, for example, trader codes/details of the business entities whose financial statements for the latest financial period have been signed by an auditor in giving opinions or whose working paper has been reviewed by the SEC Office.

Work Areas	Personal Data	Contact Information	Qualification data	Financial Data	Sensitive Data	Verification Data
1. Executives, for example, directors/managers of securities companies, asset management companies, investment unit brokerage companies; directors of the Thai BMA; directors of inter-dealer brokers (IDB); 2. Fund managers, derivatives fund managers, property fund managers, infrastructure fund managers; 3. Controllers, auditors, investment analysts/investment consultants/investment planners who have been approved to act as investment consultant for companies, including employees or agents (natural persons); 4. Financial advisors, marketing agents of private funds/credit rating agencies for mutual funds; 5. Supervisors, custodians, marketing agents of private funds/credit rating agencies for mutual funds, securities registrars; 6. Head Front/Investment (deputy managers or equivalent positions/assistant managers or equivalent positions/ departmental directors or equivalent positions/branch managers or equivalent positions)/Head Back/Compliance/Risk (deputy managers or equivalent positions/assistant managers or equivalent positions/departmental directors or equivalent positions/Head Compliance/Advisors to the RMC/CC/IC Port) Investment (IC Fund/Advisor to IC Fund/ Fund Assistant/Fund Dealer).	✓	✓	✓		✓
Directors of credit rating agencies	✓		✓		✓
1. ICO Portals	✓		✓
1. Names and telephone numbers of the Managing Directors, Head of Compliance and email addresses; 2. Data processing system for data collected from report forms; 3. Seminars, workshops, meetings among agencies.	✓	✓
1. Managers of real estate investment trusts; 2. Appraisers; 3. Consideration of complaints, inspection, investigation, enquiries, administrative acts, and any act under supervision of the SEC Office in compliance with the law; 4. Supervision and inspection of information technology risks of business operators.	✓	✓	✓	✓	✓	✓
1. Major shareholders; 2. Bondholders’ representatives.	✓	✓	✓	✓	✓
1. Licensing data on securities and derivatives business operators of all types, as follows: - broker, dealer and underwriter of investment units - broker of debt securities - dealer of debt securities - underwriter of debt securities - inter-dealer broker 2. Trustees for real estate investment trusts and trustees for other trusts that have a policy to invest in infrastructure businesses; 3. Derivatives fund managers and derivatives investment advisors.	✓	✓	✓		✓
Company profiles and reports on wealth advice service (annually).	✓
1. Data relating to operating systems and actions with intermediaries; 2. Appraisal companies.	✓	✓	✓	✓		✓
1. Changes of names or addresses of business operators; 2. Directors of listed companies (white list); 3. Executives of digital asset business operators; 4. Licensing for the SET’s group (SET/TFEX/TCH/TSD); 5. Crowdfunding portals; 6. Digital asset business licenses; 7. Data concerning approval for business operators to have branch offices in Thailand.	✓	✓	✓
Submission of applications for approval of wealth advisors.	✓	✓			✓
1. Increase/decrease of paid-up capital; 2. Foreign currency credit limit.	✓			✓
1. Data from reports of securities companies; 2. Bondholders from securities registrars.	✓	✓		✓

1.2 Sources of Personal Data

The SEC Office receives your personal data from the following three sources:

1. The SEC Office receives your personal data directly from you by collecting from:

1.1 The system for approving persons in the capital market (natural person/juristic person);

1.2 The Enterprise Content Management System (ECM) of the SEC Office.

2. The SEC Office receives your personal data submitted via a system by a company or agent assigned by you, or prepared and submitted by another company to the SEC Office:

2.1 The system for approving persons in the capital market (natural person/juristic person);

2.2 The licensing system for business operators;

2.3 One For All Reporting System (OFAR), for example, the bondholders from securities registrars;

2.4 The Enterprise Content Management System (ECM) of the SEC Office;

2.5 Data from supervision and inspection of risks related to business operations.

3. The SEC Office receives the following personal data from its cooperation with governmental agencies:

3.1 Data for consideration of approval and inspection of wrongdoings from the Bank of Thailand (BOT), the Office of the Insurance Commission (OIC), and the Revenue Department. In the case where no wrongdoing is detected, the SEC Office will not store such data.

3.2 Data for verification of wrongdoing from the integrated public information and government services database (https://linkagemgmt.bora.dopa.go.th), for example, data from the Department of Legal Execution, the Anti-Money Laundering Office (AMLO), the Department of Special Investigation (DSI), and the Narcotics Control Board (NCB), etc. In the case where no wrongdoing is detected, the SEC Office will not store such data.

3.3 Data for authentication from the Department of Administrative Affairs which will be stored in the personal data database of the SEC Office.

2. Purposes of Data Processing

Data Processing Activities	Work Areas	Legal Basis for Data Processing
The SEC Office collects your personal data in order to consider and approve personnel in the capital market businesses (natural persons)/verify the qualifications and prohibited characteristics/data from report forms.	• Executives, directors/managers of securities companies, for example, securities companies, asset management companies, investment unit brokerage companies • Directors of listed companies (white list) • Executives of digital asset business operators • Directors of ThaiBMA • Directors of credit rating agencies • Fund managers, derivative fund managers, property fund managers, infrastructure fund managers • Investment analysts/investment consultants/investment planners who have been approved to act as investment advisors for companies, including employees or agents (natural person) • Managers of real estate investment trusts • Controllers • Principal appraisers • Major shareholders (natural person)/directors of the major shareholders that are juristic persons • Head Front/Investment (deputy managers or equivalent positions/assistant managers or equivalent positions/departmental directors or equivalent positions/ branch managers or equivalent positions) Head Back/Compliance/Risk (deputy managers or equivalent positions/assistant managers or equivalent positions/departmental directors or equivalent positions/Head Compliance/Advisors to the RMC/CC/IC Port)/Investment (IC Fund/Advisors to IC Fund/Fund Assistants/Fund Dealer) • Auditors • Bondholders	Public task basis
The SEC Office collects your personal data for the approval of personnel in the capital market businesses (juristic persons).	• Licensing systems for securities / derivatives business operators • Licenses for digital asset business operators • Licenses for the SET’s group (SET/TFEX/TCH/TSD) • Trustees for real estate investment trusts and trustees for trusts that have a policy to invest in infrastructure businesses that are asset management companies • Financial advisors • Appraisal companies • Bondholders’ representatives • Securities registrars • Major shareholders (juristic person) • Supervisors, custodians • Marketing agents of private funds/credit rating agencies for mutual funds • ICO Portals • Crowdfunding portals	Public task basis
Consideration of complaints, inspection, investigation, enquiries, administrative acts, and any act under the jurisdiction of the SEC Office in compliance with the law	• Every operating system	Public task basis
Supervision and inspection of risks related to business operations	• Directors, executives, and employees, including the relevant persons of the agencies under the SEC Office supervision and inspection of the risks related to business operations	Public task basis

3. Disclosure of Personal Data

After the SEC Office has received personal data from other sources, the SEC Office has the responsibility to disclose your personal data on its website in accordance with its duty to disclose data to the public in the interest of investors, business operators, and all other relevant parties.

The SEC Office discloses or submits personal data for use in the personal data processing activities in accordance with its responsibilities and the relevant agencies as follows:

Stock Exchange of Thailand;
Finance Ministry;
Bank of Thailand;
Office of Insurance Commission;
Other agencies, for example, Damrongtham Center, the Federation of Accounting Professions, the Digital Government Development Agency (Public Organization) (DGA) for the Integrity and Transparency Assessment (ITA), the National Archives of Thailand, the Department of Legal Execution, the Anti-Money Laundering Office (AMLO), the Department of Special Investigation (DSI), and the Office of the Narcotics Control Board (ONCB), etc.;
Audit firms;
Regulatory agencies relevant to local and foreign capital markets;
Foreign regulatory agencies.

In disclosing your personal data to other persons, the SEC Office complies with the specified purposes or the purposes permissible by law only. In the case where it is required by law that your consent must first be obtained, the SEC Office shall request your consent.

In this regard, the SEC Office complies with appropriate security measures, for example, ISO27001 standards or NIST, etc. In case of any cross-border data transfer to another country, international organizations, or recipients abroad, the SEC Office shall ensure that the destination agencies have sufficient security standards for personal data protection.

4. Retention and Retention Period of Personal Data

The SEC Office retains your personal data in the following manners:

1. Retention

The personal data will be retained in accordance with the characteristics of the personal data received:

The personal data will be retained at the central database that is safeguarded with proper security measures and access control.
Hard copies of documents and printed materials will be scanned and stored in the Enterprise Content Management System (ECM), the central document database that is safeguarded with proper security measures and access control.

2. Place for Retention

The personal data will be retained in accordance with the characteristics of the personal data received:

The personal data from the computer system of the SEC Office is stored in the central data center with access control and stored on the Cloud provided by the Cloud Provider, whose standards are acceptable and the service is reviewed on a regular basis.
Hard copies of documents and printed materials are stored based on their use:

Documents that are currently in use will be stored in a safe place in the SEC Office, for example, central file cabinets with locks and access control and registers of document users;
Documents for completed matters will be stored at a warehouse with appropriate security measures against unauthorized access.

3. Retention Period

The retention period for personal data shall be in compliance with the Data Retention Policy.

5. Personal Data of Minors

The SEC Office does not have any specific intention or responsibility to process the personal data of minors. However, if it is necessary for the operation of the SEC Office, the SEC Office may collect and process the personal data of minors. For any activity related to the SEC Office, it is assumed that a minor cannot perform this activity on his or her own. The SEC Office will ensure that the legal representative or the person who uses the parental power has acknowledged or consented, as the case may be, in accordance with the Personal Data Protection Law.

6. Rights of Data Subjects

As a data subject, you have the following rights:

Right to withdraw consent: You have the right to withdraw your consent for the SEC Office to process your personal data given to the SEC Office during the period in which your data is held by the SEC Office;
Right to be informed: You have the right to be informed of the personal data that the SEC Office will process before or at the time of collection;
Right of access: You have the right to access your personal data and request the SEC Office to make copies of your personal data for your own use, as well as to request the SEC Office to disclose how the SEC Office acquired any personal data to which you did not give consent to the SEC Office;
Right to rectification: You have the right to request the SEC Office to rectify data or to add additional data;
Right to erasure: You have the right to request the SEC Office erase your data for certain reasons;
Right to restriction of processing: You have the right to restrict the use of your personal data for certain reasons;
Right to data portability: You have the right to request the SEC Office to transfer your personal data that you have provided to the SEC Office to another data controllers, or to yourself for certain reasons. In this regard, the SEC Office does not yet have an automatic data transfer system;
Right to object: You have the right to object the processing of your personal data for certain reasons.

You can contact the Data Protection Officer (DPO) of the SEC Office to submit a request to exercise the rights stated above (please refer to the contact details in “Contact Channels” below). You may also refer to the details, conditions, exemptions of exercising those rights, on the website of the Ministry of Digital Economy and Society (http://www.mdes.go.th).

In exercising any right as stated above, you are not required to make any payment. The SEC Office will consider the matter and notify you of the results within 30 days from the receipt of the request.

If your request is declined, the SEC Office will notify you of the reasons via the contact channel provided by you. If you have any further questions or any additional complaint relating to your request, you can contact the Data Protection Officer (DPO) of the SEC Office.

7. Communication and Dissemination of Information on the Capital Market

The SEC Office communicates and disseminates information relating to the capital market, as well as the services provided by the SEC Office in which you may be interested so as to effectively perform its duties and supervision. In this regard, the SEC Office will request your prior consent to receive information. You may withdraw your consent at any time by taking the following steps:

Press the Cancel button in the email of the SEC Office;
Check the email address;
Press the Confirm button to withdraw your consent to receive information.

8. Changes of the Personal Data Protection Policy

The SEC Office will consider and review this Personal Data Protection Policy on a regular basis in order to comply with the relevant guidelines, laws, and regulations. In case of any change to this Personal Data Protection Policy, the SEC Office will notify you by updating its website as soon as possible. This Personal Data Protection Policy has been last reviewed on 8 April 2021.

9. Contact Channels

Information of the Data Control Officer

Name of the Organization in Thai:	สำนักงานคณะกรรมการกำกับหลักทรัพย์และตลาดหลักทรัพย์
Name of the Organization in English:	The Securities and Exchange Commission, Thailand
Address:	333/3 Vibhavadi-Rangsit Road, Chomphon, Chatuchak, Bangkok 10900
Contact Channels:	Help Center: 1207 Telephone No.: 0-2033-9999 Email: info@sec.or.th
Other contact or information channels:	https://www.sec.or.th/TH/Pages/Home.aspx https://www.facebook.com/sec.or.th https://www.youtube.com/user/insideSEC https://twitter.com/ThaiSEC_News
Contact channel of the Data Protection Office:	dpo@sec.or.th