Personal Data Protection Policy for Internal Administration (Website)

The Office of the Securities and Exchange Commission (SEC Office)

0. Scope of this Policy

This Personal Data Protection Policy applies to the business operators who have been licensed by the SEC Office, the market professionals who have been approved by the SEC Office, other persons approved by the SEC Office, as well as the persons who commit offenses as prescribed by the acts/royal decrees under the power and duties of the SEC Office.

1. Personal data collected by the SEC Office:

The SEC Office collects the following personal data:

1.1 Definitions and examples of data collected by the SEC Office

Personal data:	Data of a personal nature, for example, identification number/passport number, title, name, surname (Thai/English), date of birth, citizenship, sex, marital status, father’s name,/mother’s name, (former) titles, (former) surnames, name of spouse, IP numbers, behavior for visit to the website of the SEC Office, photos from closed circuit television, thermometers, etc.
Contact information:	Information for contact purposes, including, mobile phone numbers, email addresses, addresses on the identification cards, addresses on the house registration, permanent address, home telephone numbers, facsimile numbers, copies of vehicle registrations.
Sensitive data:	Data under Section 26 of the Personal Data Protection Act, for example, criminal record, nationality, religion.
Qualification data:	Data relating to the qualifications of business operators, which include experience, for example, education, employment record, affiliation, job positions, work experience, test/training records, certification numbers of locally certified public accountants/international certified public accountants, prohibited characteristics, and qualifications used for registration, whether with authority or not, and training history at the Thai Institute of Directors.
Financial data:	Data relating to the financial aspect of business operators, for example, the number of shares held, shareholding proportion, trading account numbers.
Verification data:	Data for verification purposes, for example, trader codes.

Work Areas	Personal Data	Contact Information	Sensitive Data	Qualification data	Financial Data	Verification data:
1. Information service and action under court warrants; 2. Action in criminal cases, imposition of civil sanctions, administrative orders, and administrative sanctions; 3. Information Technology Audit and Cyber Risk Supervision and inspection of information technology risk of business operators	✓	✓	✓	✓	✓	✓
1. Disclosure of information under the Official Information Act; 2. Memos / delivery notes for the operation of the relevant departments and agendas of the SEC Board, agendas of the Capital Market Supervisory Board and agendas of the Management Committee; 3. Appeals, arbitration (to be referred to other agencies); 4. Appeals (to be referred to other agencies); 5. Administrative cases (to be referred to other agencies); 6. Arbitration (to be referred to other agencies); 7. Responses to inquiries (to be referred to other agencies); 8. Contracts (to be referred to other agencies).	✓	✓	✓	✓	✓
1. Website for the Capital Market Governance Promotion Initiative in Celebration of His Majesty the King’s Coronation ("Celebration of His Majesty the King’s Coronation Initiative"); 2. Strategic plan and budget requests; 3. Hearings/seminars; 4. Online job application; 5. Acceptances and referral of cases; 6. Processes relating to security management of computer and information center and management of SEC internal security; 7. Profiles of stakeholders (ITA Project).	✓	✓		✓
SEC Press Releases	✓		✓	✓
Outsourcing of various projects, for example, EIM Project	✓
www.smarttoinvest.com www.จัดการเงินเป็น.com www.เสี่ยงสูง.com www.retirement-checkup.com www.happypvd.com Training courses on the SEC Network for the public, SEC financial education caravan, exhibitions, surveys of the business sector.		✓

1.2 Sources of personal data

The SEC Office receives your personal data directly from you by collecting from:
1. Seminars/trainings/meetings/hearings/visits to the SEC Office;
2. The Enterprise Content Management System (ECM) of the SEC Office.
The SEC Office receives your personal data submitted via a system by a company or agent assigned by you, or prepared and submitted by the company to the SEC Office:
1. Invitation letters for seminars, circulars, announcements;
2. The Enterprise Content Management System (ECM) of the SEC Office;
3. Information from action relating to the supervision and inspection of risks related to business operations.
The SEC Office receives the following personal data from its cooperation with governmental agencies:
1. Data for consideration of approval and inspection of wrongdoings from the Bank of Thailand (BOT) and the Office of the Insurance Commission (OIC). In the case where no wrongdoing is detected, the SEC Office will not store such data;
2. Data for verification of wrongdoing from the integrated public information and governmental services database (https://linkagemgmt.bora.dopa.go.th), for example, data from the Department of Legal Execution, the Anti-Money Laundering Office (AMLO), the Department of Special Investigation (DSI), and the Narcotics Control Board (NCB), etc. In the case where no wrongdoing is detected, the SEC Office will not store such data;
3. Data for authentication from the Department of Administrative Affairs which will be stored in the personal data database of the SEC Office;
4. 3.4 Data for verification from the Department of Business Development which will be stored in the personal data database of the SEC Office.

2. Purposes of Data Processing

Data Processing Activities	Work Areas	Legal Basis for Data Processing
The SEC Office collects your personal data in order to upload onto the operating system of the NACC, draft legal issues, consider policies and regular work relating to employee matters and the engagement of other parties to prepare the operating system for the SEC Office/ meetings/ seminars/ MOU/other events/exchange of knowledge, to be used as a database of the organizations that express their intention to participate in projects, and for the consideration and selection and contact of applicants for job interviews with the SEC Office.	Seeking opinions on legal matters: Persons who seek opinions/names of representatives/participants of meetings from other organizations/persons under consideration Work under the Official Information Act: Persons to whom requests for information are made/persons who request information /employees/persons who receive letters/names of officers who request information from the Office of the Permanent Secretary, the Prime Minister Meetings of the personnel management committee/meetings of the SEC Board and meetings of the Good Governance Subcommittee Relevant committees ITA Project Profiles of the stakeholders	Public task basis
	Outsourcing projects Employees of the contractors. Meetings/seminars/exchange of knowledge/MOU/other events Participants of meetings/ seminars/ employees/ executives of the SEC Office and other organizations/ respondents from questionnaires. Online job applications: Job applicants Expressing intention to participate in projects: Employees and executives of other organizations that participate in projects	Consent basis/Contract basis/ Legitimate interest basis
Promotion of knowledge and sending news via email to subscribers, preparing pictures and news of activities of the SEC and public hearings.	SEC E-Subscription Applicants; Persons who subscribe for news. Public hearings: Persons who participate in public hearings. SEC Press Releases: Wrongdoers	Consent basis/Public task basis
Consideration of complaints, inspection, investigation, enquiries, administrative acts, and any act under the jurisdiction of the SEC Office in compliance with the law.	Every work areas	Public task basis
Security of the premises.	Entering and exiting the premises of the SEC Office Visitors	Consent basis/Legitimate interest basis
Supervision and inspection of risks related to business operations.	Directors, executives, and employees, as well as related parties of the agencies under supervision, whereby the SEC Office has supervised and inspected the risks related to their business operations.	Public task basis

3. Disclosure of Personal Data

After the SEC Office has received personal data from other sources, the SEC Office has the responsibility to disclose your personal data on its website in accordance with its duty to disclose data to the public in the interest of investors, business operators, and all other relevant parties.

The SEC Office discloses or submits personal data for use in the personal data processing activities in accordance with its responsibilities and the relevant agencies as follows:

Stock Exchange of Thailand;
Finance Ministry;
Bank of Thailand;
Office of Insurance Commission;
Other agencies, for example, Damrongtham Center, the Federation of Accounting Professions, the Digital Government Development Agency (Public Organization) (DGA) for Integrity and Transparency Assessment (ITA), the National Archives of Thailand, the Department of Legal Execution, the Anti-Money Laundering Office (AMLO), the Department of Special Investigation (DSI), and the Office of the Narcotics Control Board (ONCB), etc.;
Audit firms;
Regulatory agencies relevant to local and foreign capital markets;
Foreign regulatory agencies.

In disclosing your personal data to other persons, the SEC Office complies with the specified purposes or the purposes permissible by law only. In the case where it is required by law that your consent must first be obtained, the SEC Office shall request your consent.

In this regard, the SEC Office complies with appropriate security measures, for example, ISO27001 standards or NIST, etc. In case of any cross-border data transfer to another country, international organizations, or recipients abroad, the SEC Office shall ensure that the destination agencies have sufficient security standards for personal data protection.

4. Retention and Retention Period of Personal Data

The SEC Office retains your personal data in the following manners:

1. Retention

The personal data will be retained in accordance with the characteristics of the personal data received:

The personal data will be retained at the central database that is safeguarded with proper security measures and access control.
Hard copies of documents and printed materials will be scanned and stored in the Enterprise Content Management System (ECM), the central document database that is safeguarded with proper security measures and access control.

2. Place for Retention

The personal data will be retained in accordance with the characteristics of the personal data received:

The personal data from the computer system of the SEC Office is stored in the central data center with access control and stored on the Cloud provided by the Cloud Provider, whose standards are acceptable and the service is reviewed on a regular basis.
Hard copies of documents and printed materials are stored based on their use:

Documents that are currently in use will be stored in a safe place in the SEC Office, for example, central file cabinets with locks and access control and registers of document users;
Documents for completed matters will be stored at a warehouse with appropriate security measures against unauthorized access.

3. Retention Period

The retention period for personal data shall be in compliance with the Data Retention Policy.

5. Personal Data of Minors

The SEC Office does not have any specific intention or responsibility to process the personal data of minors. However, if it is necessary for the operation of the SEC Office, the SEC Office may collect and process the personal data of minors. For any activity related to the SEC Office, it is assumed that a minor cannot perform this activity on his or her own. The SEC Office will ensure that the legal representative or the person who uses the parental power has acknowledged or consented, as the case may be, in accordance with the Personal Data Protection Law.

6. Rights of Data Subjects

As a data subject, you have the following rights:

Right to withdraw consent: You have the right to withdraw your consent for the SEC Office to process your personal data given to the SEC Office during the period in which your data is held by the SEC Office.
Right to be informed: You have the right to be informed of the personal data that the SEC Office will process before or at the time of collection.
Right of access: You have the right to access your personal data and request the SEC Office to make copies of your personal data for your own use, as well as to request the SEC Office to disclose how the SEC Office acquired any personal data to which you did not give consent to the SEC Office.
Right to rectification: You have the right to request the SEC Office to rectify data or to add additional data.
Right to erasure: You have the right to request the SEC Office erase your data for certain reasons.
Right to restriction of processing: You have the right to restrict the use of your personal data for certain reasons.
Right to data portability*: You have the right to request the SEC Office to transfer your personal data that you have provided to the SEC Office to another data controllers, or to yourself for certain reasons. In this regard, the SEC Office does not yet have an automatic data transfer system.
Right to object: You have the right to object the processing of your personal data for certain reasons.

You can contact the Data Protection Officer (DPO) of the SEC Office to submit a request to exercise the rights stated above (please refer to the contact details in “Contact Channels” below). You may also refer to the details, conditions, exemptions of exercising those rights, on the website of the Ministry of Digital Economy and Society (http://www.mdes.go.th)

In exercising any right as stated above, you are not required to make any payment. The SEC Office will consider the matter and notify you of the results within 30 days from the receipt of the request.

If your request is declined, the SEC Office will notify you of the reasons via the contact channel provided by you. If you have any further questions or any additional complaint relating to your request, you can contact the Data Protection Officer (DPO) of the SEC Office.

7. Communication and Dissemination of Information on the Capital Market

The SEC Office communicates and disseminates information relating to the capital market, as well as the services provided by the SEC Office in which you may be interested so as to effectively perform its duties and supervision. In this regard, the SEC Office will request your consent to receive information. You may withdraw your prior consent at any time by taking the following steps:

Press the unsubscribe button from the emails of the SEC Office;
Check the email address;
Press the Confirm button to withdraw your consent to receive information.

8. Changes of the Personal Data Protection Policy

The SEC Office will consider and review this Personal Data Protection Policy on a regular basis in order to comply with the relevant guidelines, laws, and regulations. In case of any change to this Personal Data Protection Policy, the SEC Office will notify you by updating its website as soon as possible. This Personal Data Protection Policy has been last reviewed on 8 April 2021.

9. Contact Channels

Information of the Data Control Officer

Name of the Organization in Thai:	สำนักงานคณะกรรมการกำกับหลักทรัพย์และตลาดหลักทรัพย์
Name of the Organization in English:	The Securities and Exchange Commission, Thailand
Address:	333/3 Vibhavadi-Rangsit Road, Chomphon, Chatuchak, Bangkok 10900
Contact Channels:	Help Center: 1207 Telephone No.: 0-2033-9999 Email: info@sec.or.th
Other contact or information channels:	https://www.sec.or.th/TH/Pages/Home.aspx https://www.facebook.com/sec.or.th https://www.youtube.com/user/insideSEC https://twitter.com/ThaiSEC_News
Contact channel of the Data Protection Office:	dpo@sec.or.th

* In case of cross-border data portability, the SEC Office complies with the joint agreements between Thailand and the destination countries, but certain rights may be restricted as specified in the framework of the agreement.