We, Cambodian Commercial Bank Limited with our parent company based in Thailand, care about the privacy of our customers who are protected by Thailand Personal Data Protection Act B.E. 2562 (“PDPA”), thus, we provide this privacy notice to inform our customers of our policy in relation to the collection, use and disclosure of personal data of individual (“you”) in accordance with the PDPA, relevant laws and regulations. This privacy notice informs you of how we collect, use or disclose your personal data, what and why we collect, use or disclose your personal data, how long we hold it, who we disclose it to, your rights, what steps we will take to make sure your personal data stays private and secure, and how you can contact us.
This privacy notice shall apply to customers and non-customers who are under the protection of PDPA, as follows:
(1) Our customers
· Individual customers: Our past and present customers who are individual.
· Corporate customers: Directors, shareholders, ultimate beneficial owners, employees, guarantors, security providers, and legal representatives of our past and present corporate customers and other individuals authorised to act on their behalf. Our corporate customer shall ensure that the authorised persons and any of relevant individuals have acknowledged our privacy notice.
These include individuals who have no product or service holding with us, but we may need to collect, use or disclose your personal data (e.g. investors; anyone who makes a payment to or receives a payment from our customers; anyone that visits our website or our applications, branches or offices; guarantors or security providers; ultimate beneficial owner; directors or legal/authorized representatives of a company that uses our services; debtors or tenants of our customers; professional advisors, including our directors, investors, shareholders and their legal representatives, and anyone involved in other transactions with us or our customers).
Please note that some of the links on our platform may lead to third party’s platforms, and if you access these platforms, your personal data will then be processed under the third party’s policies. Make sure that you have read those privacy notices when accessing such platforms.
We only collect, use, or disclose your personal data where it is necessary or there is a lawful basis for collecting, using, or disclosing it. This includes where we collect, use or disclose your personal data based on the legitimate grounds of legal obligation, performance of contract made by you with us, our legitimate interests, performance under your consent and other lawful basis. Reasons for collecting, using or disclosing are provided below:
1.1. Our legal obligation
We are regulated by many laws, rules, regulations, and orders of any competent governmental, supervisory or regulatory authorities, and to fulfil our legal and regulatory requirements, it is necessary to collect, use or disclose your personal data for the following purposes, which include but not limited to:
a) Compliance with the PDPA and any amendment thereof, including its sub-regulations;
b)Compliance with applicable laws (e.g. Financial Institutions Business Laws, Securities and Exchange Laws, Anti-Money Laundering Laws, Prevention and Suppression of Financial Support to Terrorism and the Proliferation of Weapons of Mass Destruction Laws, and other laws to which we are subject both in Thailand and in other countries), including conducting identity verification, background checks and credit checks, Know Your Client/Customer Due Diligence (KYC/CDD) processes, other checks and screenings (including screening against publicly database of regulatory authorities and/or official sanctions lists), and ongoing monitoring that may be required under any applicable law; and/or
c) Compliance with regulatory obligations and/or orders of authorized persons (e.g. orders by any court of competent jurisdiction or of governmental, supervisory or regulatory authorities or authorized officers).
1.2. Contract made by you with us
We will collect, use or disclose your personal data in accordance with the request and/or agreement made by you with us, for the following purposes, which include but not limited to:
a) process your request prior to entering into an agreement, consider for approval in relation to the provision of products and/or services, process your applications or requests for services or products, deliver our products and/or services to you (including, account opening/ATM, deposit and withdrawal, loan such as promissory note drawdown, letters of guarantee, standby letters of credit, letter of credit (issuance, amendment and transfer), outward remittance, trust receipt, packing credit, assignment of proceeds, shipping guarantee, outward bill, negotiation and discount without recourse, Business Net (Internet Banking service), inward bill for collection, manager checks, foreign - exchange booth, treasury service, fax indemnification, credit card disbursement and merchant service, payroll service, cheque issuance service, and CCB Trade Net) and deal with all matters relating to the products and/or services, including any activities that if we do not proceed, then our operations or our services may be affected or may not be able to provide you with fair and ongoing services;
b) authenticate when entering into, doing or executing any transactions;
c) carry out your instructions (e.g. to facilitate us to deal with your inquiries, to open, operate and rollover an account and/or facility for you, to generally provide you with our services and products which requires your personal information);
d) provide online banking, mobile applications and other online product platforms;
e) track or record your transactions;
f) produce reports (e.g. transaction reports requested by you or our internal reports);
g) notify you with transaction alerts;
h) recover the money which you owe (e.g. when you have not paid for your loan debt and/or outstanding fees); and/or
i) carry out account maintenance and operations relating to your accounts, including without limitation, changing relevant information, closing account, requesting for funds from account of the deceased, processing your transactions, generating your account statement, and operating and closing your accounts;
j) carry out or make transactions and/or payments (e.g. processing payments or transactions, fulfilling transactions, conducting settlement, billing and processing activities, managing your relationship with us and administration of your account with us);
k) enforce our legal or contractual rights; and/or
l) provide IT and helpdesk supports, create and maintain code and profile for you, manage your access to any systems to which we have granted you access, and remove inactive accounts.
1.3. Our legitimate interests
We rely on the basis of legitimate interests by considering our benefits or third party’s benefits with your fundamental rights in personal data which we will collect, use or disclose for the following purposes, which include but not limited to:
a) conduct our business operation and The Siam Commercial Bank Public Company Limited’s and its financial business group companies’ business operation (e.g. to audit, to conduct risk analysis and managements, to monitor, prevent, detect and investigate fraud, money laundering, terrorism, misconduct, or other crimes, including but not limited to carrying out the creditworthiness checks of any persons related to our corporate customer, which may not be required by any governmental or regulatory authorities, and authenticate your identity to prevent such crimes);
b) conduct our relationship managements (e.g. to serve customers, to conduct customer survey, to handle complaints);
c) maintain the security of our premises (e.g. to use CCTV and its recordings, to register, exchange identification card and/or take photo of visitors before entering into our building);
d) develop and improve our products and/or services, including systems to enhance our services standard and/or for the greatest benefits in fulfilling your needs;
e) record images and/or voices relating to the meetings, trainings, seminars, recreations or marketing activities;
f) in case of our corporate customer, we will collect, use and disclose personal data of directors, authorized persons or attorneys;
g) ensure business continuity;
h) handle claims and disputes, including solving disputes, initiating, exercising or defending legal claims;
i) contact you prior to your entering into a contract with us;
j) evaluate suitability and qualifications;
k) protect against security risks (e.g. monitoring network activity logs, detecting security incidents, conducting data security investigations, and otherwise protecting against malicious, deceptive, fraudulent, or illegal activity);
l) comply with any laws other than Thai laws (e.g. Cambodian laws and regulation applicable to our parent company and FATCA);
m) manage our infrastructure, internal control, and business operations and comply with our policies and procedures including those relating to risk control, security, audit, finance and accounting, systems and business continuity;
n) carry out research, planning and statistical analysis (e.g. data analytics, assessments, surveys and reports on our products, services and your performance);
o) organize our promotional campaign or events, conferences, seminars, and company visits;
p) facilitate financial audits to be performed by an auditor, or receive legal advisory services from legal counsel appointed by you or us;
q) in the event of sale, transfer, merger, reorganization, or similar event, disclose or transfer your personal data to one or more third parties as part of that transaction;
r) maintain and update lists or directories of the customers (including your personal data), and keep contracts and associated documents in which you may be referred to; and/or
s) comply with reasonable business requirements (e.g. management, training, auditing, reporting, control or risk management, statistical and trend analysis and planning or other related or similar activities, implementing business controls to enable our business to operate, enabling us to identify and resolve issues in our IT systems, keeping our systems secure, and performing our IT systems development, implementation, operation and maintenance).
1.4. Your consent
In certain cases, we may ask for your consent to collect, use or disclose your personal data to maximise your benefits and/or to enable us to provide services to fulfil your needs for the following purposes, which include but not limited to:
a) collect, use, and disclose your sensitive personal data as necessary (e.g. to use your identification card, residential book and/or passport photo (which may contain your sensitive personal data, namely religion and/or blood type) and criminal record for verification of your identity before continuing the transaction, and Know Your Client (KYC) process and/or health and disability data (e.g. physical wellbeing and soundness of mind) for evaluating your suitability, vulnerability, and qualifications for investment);
b) collect and use your personal data and any other data to conduct research and analyze for the greatest benefits in developing products and services to truly fulfil your needs and/or to contact you for offering products, services and benefits exclusively suitable to you;
c) send or transfer your personal data between Cambodia and Thailand and to any country outside Thailand, which may have inadequate personal data protection standards (unless the PDPA specifies that we may rely on other legal basis or may proceed without obtaining consent); and/or
d) disclose your personal data and any other data to The Siam Commercial Bank Public Company Limited for the following purposes: (1) conducting research and analyzing your personal data and any other data for the greatest benefits in developing products and services to truly fulfil your needs; and (2) contacting you for offering products, services and benefits exclusively suitable to you.
1.5. Other lawful basis
Apart from the lawful basis which we mentioned earlier, we may collect, use or disclose your personal data based on the following lawful basis:
a) prepare historical documents or archives for the public interest, or for purposes relating to research or statistics;
b) prevent or suppress a danger to a person’s life, body or health; and/or
c) necessary to carry out a public task, or for exercising official authority.
If the personal data we collect from you is required to meet our legal obligations or to enter into an agreement with you, we may not be able to provide (or continue to provide) some or all of our products and services to you if you do not provide your personal data when requested.
The type of personal data, namely personal data and sensitive personal data, which we collect, use or disclose, varies on the scope of products and/or services that you may have used or had an interest in. The type of personal data shall include but not limited to:
|Category||Examples of personal data|
● Given name, middle name, surname, hidden name (if any)
● Date of birth
● Place of birth
● Educational background
● Marital status
● Partner and children details
● Mailing address
● Residential address
● E-mail address
● Phone number
● Facsimile Number
● Name of representatives or authorised persons/directors acting on behalf of our customers
● Social media accounts/ID and other electronic communication ID
● Business address
● Business phone number
|Identification and authentication details||
● ID card photo or passport photo
● Identification number
● Passport information
● Driving licence
● Tax identification number
● House registration
● Residential book
● Employer’s details
● Salary or income
● Job title
● Work place
● Professional background
|Financial details and information about your relationship with us||
● Products and/or services you use
● Channels you use and ways you interact with us
● Your customer status, your ability to get and manage credit, your payment history, transaction records
● Information about your transactions (e.g. type, number, price and quantity, conditions (if any), payment transaction records, financial statements, taxes, revenue, default record and other information relating to your transactions)
● Credit card and debit card information
● Account number and account type
● Account history
● Current assets
● Income and expenses
● Payment details
|Market research, marketing and sales information||
● Customer survey
● Information and opinions expressed when participating in market research (e.g. responses to questionnaires, surveys, requests for feedback, and research activities)
● Details of services you receive and your preferences
● Inferences about you based on your interactions with us
● Communication preferences and details or content of your communications with us
|Geographic information, information about your device and your software, and technical details||
● Location of our branches or ATMs you use
● Your GPS location
● IP address
● Technical specifications and uniquely identifying data (e.g. web beacon, log, device ID and type, network, connection details, access details, single sign-on (SSO) details, login log, access times, time spent on our page, cookies, login data, search history, browsing details, browser type and version, time zone setting and location, language preferences, browser plug-in types and versions, operating system and platform, and other technology on devices you use to access the platform)
● Due diligence checks (e.g. information related to Know Your Client (KYC) or Customer Due Diligence (CDD))
● Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) checks
|User login, subscription data, and profile details||
● Login information for using our system, online internet banking, and applications
● Account identifiers
● Username and password
● Interests, preferences and activities
● Information on how you use the websites, platforms, products and services
● Information on how you use and interact with our advertising (including content viewed, links clicked, and features used)
● Name of corporate/individual guarantor
● Collateral provider details and value
|Letter of guarantee and standby letters of credit details||
● Beneficiary information (e.g. name, company name, address telephone number, fax number and bank account information)
● Transaction information (e.g. SWIFT CODE and account number and amount)
|Trade finance service details||
● Applicant information (e.g. name, address, telephone number and email address)
● Beneficiary, assignee and customer information (e.g. name, address, telephone number, email address and account number)
● Name and surname of authorized person and contact person
● Signature of authorized person
● Identification documents (e.g. ID card, passport of authorized person and contact person)
● Transaction information (e.g. loan and transaction amount, guarantor name and guarantee amount, account number, cheque number, payment condition, vessel and carrier’s name, trade documents etc.)
|Information concerning security||
● Visual images
● Personal appearance
● Detection of any suspicious and unusual activity
● CCTV images or recordings
● Video recordings
|Sensitive personal data||
● Religion as shown in the identification card, residential book and/or passport
● Blood type as shown in the identification card and/or passport
● Criminal records
● Health data
● Disability data
● Records of correspondence and other communications between you and us, in whatever manner and form, including but not limited to phone, email, live chat, instant messages and social media communications
● Information that you provide to us through any channels
Normally, we will collect your personal data directly from you (e.g. through our branches, relationship managers and tradenet.ccb.com.kh.), but sometimes we may get it indirectly from other sources (e.g. social media, third party’s online platforms, or other publicly available sources) and through The Siam Commercial Bank Public Company Limited, our affiliates, service providers, business partners, official authorities, or third parties (e.g. your beneficiaries, sellers, buyers, carriers, nominated banks, representatives, employers, sponsors, our corporate customers as you are a shareholder, director, authorised person, attorney, representative or contact person and third parties that have roles in delivering services to you or someone acting on their behalf may provide us with information about you), in such case we will ensure the compliance with the PDPA.
The PDPA aims to give you more control of your personal data. You can exercise your rights under the PDPA upon the effectiveness if the provisions in relation to rights of data subjects, details are as follows:
4.1 Right to access and obtain copy
You have the right to access and obtain copy of your personal data holding by us, unless we are entitled to reject your request under the laws or court orders, or if such request will adversely affect the rights and freedoms of other individuals.
4.2 Right to rectification
You have the right to rectify your inaccurate personal data and to update your incomplete personal data.
4.3 Right to erasure
You have the right to request us to delete, destroy or anonymise your personal data, unless there are certain circumstances where we have the legal grounds to reject your request.
4.4 Right to restrict
You have the right to request us to restrict the use of your personal data under certain circumstances (e.g. when we are pending examination process in accordance with your request to rectify your personal data or to object the collection, use or disclosure of your personal data, or you request to restrict the use of personal data instead of the deletion or destruction of personal data which is no longer necessary but you ask us to restrict it instead as you have necessity to retain it for the purposes of establishment, compliance, exercise or defense of legal claims).
4.5 Right to object
You have the right to object the collection, use or disclosure of your personal data in case we proceed with legitimate interests basis or for the purpose of direct marketing, or for the purpose of scientific, historical or statistic research, unless we have legitimate grounds to reject your request (e.g. we have compelling legitimate ground to collect, use or disclose your personal data, or the collection, use or disclosure of your personal data is carried out for the establishment, compliance, or exercise legal claims, or for the reason of our public interests).
4.6 Right to data portability
You have the right to receive your personal data in case we can arrange such personal data to be in the format which is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means. Also, you have the right to request us to send or transfer your personal data to third party, or to receive your personal data which we sent or transferred to third party, unless it is impossible to do so because of the technical circumstances, or we are entitled to legally reject your request.
4.7 Right to withdraw consent
You have the right to withdraw your consent that has been given to us at any time pursuant to the methods and means prescribed by us, unless the nature of consent does not allow such withdrawal. The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of your personal data based on your consent before it was withdrawn.
4.8 Right to lodge a complaint
You have the right to make a complaint with the Personal Data Protection Committee or their office in the event that we do not comply with the PDPA.
The nature of the modern banking business is global and under certain circumstances it is necessary for us to send or transfer your personal data internationally. When sending or transferring your personal data, we will always exercise our best effort to have your personal data transferred to our reliable business partners, service providers or other recipients by the safest method in order to maintain and protect the security of your personal data, which includes the following circumstances:
a) comply with a legal obligation;
b) inform you the inadequate personal data protection standards of the destination country and obtain your consent;
c) perform the agreement made by you with us or your request before entering into an agreement;
d) comply with an agreement between us and other parties for your own interest;
e) prevent or suppress a danger to your or other persons’ life, body or health and you are incapable of giving consent at such time; or
f) carry out activities relating to the substantial public interest.
We will maintain and keep your personal data while you are our customer and once you has ended the relationship with us (e.g. after you closed your account with us, or following a transaction with us, or in case of your application to use our services is disapproved, or you terminated the services provided by us), we will only keep your personal data for a period of time that is appropriate and necessary for each type of personal data and for the purposes as specified by the PDPA.
The period we keep your personal data will be linked to the prescription period or the period under the relevant laws and regulations (e.g. Financial Institution Business Laws, Anti-Money Laundering Laws, Prevention and Suppression of Financial Support to Terrorism and the Proliferation of Weapons of Mass Destruction Laws, Accounting Law, Tax Laws, Labour Laws and other laws to which we are subject in Cambodia, Thailand and in other countries). In addition, we may need to retain records of CCTV surveillance in our premises or at ATM machines and/or voice records of Call Center to prevent fraud and to ensure security, including investigating suspicious transactions which you or related persons may inform us.
We are entitled to continue collecting and using your personal data which has previously been collected by us before the effectiveness of the PDPA in relation to the collection, use and disclosure of personal data in accordance with the original purposes. If you do not wish us to continue collecting and using your personal data, you may notify us to withdraw your consent at any time.
We endeavour to ensure the security of your personal data through our internal security measures and strict policy enforcement. The measures extend from data encryption to firewalls. We also require our staff and third-party contractors to follow our applicable privacy standards and policies and to exercise due care and measures when using, sending or transferring your personal data.
If you have any questions or would like more details about our privacy notice or would like to exercise your rights, please contact us through Call Center Tel. +85523213601-2.
Alternatively, you can contact our representatives who are responsible for Data Protection Officer by writing to E-mail: firstname.lastname@example.org or contact our head office located at 26 Monivong Rd., Sangkat Phsar Thmei 2, Khan Daun Penh, Phnom Penh, Kingdom of Cambodia.
We may change or update this privacy notice from time to time and we will inform the updated privacy notice at our website www.ccb.com.kh..
Version November 2020