1 / 12 (Updated : v.7.5 06/06/2023))

In order to act in a transparent manner in relation to the activities of collection, use, disclosure and/ or overseas

transfer of personal data in compliance with PDPA, Krung Thai Bank Public Company Limited (the “Bank” or “we” or “us” or

“our”) has provided the privacy policy to the customers as follows:

Categories of the data subject under this privacy policy are as follows;

• Individual customers of the Bank include individuals who are using or have used products or services, persons

who contact for inquiry, persons who receive information about products or services through various media, and

persons who have been offered products or services or persuaded to use or receive products or services by the

Bank.

• Individuals who are associated with the Bank’s corporate customers, such as representatives of legal entity,

shareholders (individual), contact persons, authorized persons, employees, staffs, personnel, and other persons

related to the Bank’s corporate customers, including any other individuals whose personal data have been

disclosed to the Bank by the Bank’s corporate customers for the purpose of conducting transactions with the

Bank (“Persons related to corporate customers”).

• Lessors who lease property/space to the Bank for the Bank’s activities, such as an installation of automated

teller machines (ATMs), the Bank’s branches set up, whether as the lessor or the lessor’s representatives of

legal entity, the lessor’s agents, or the lessor’s employees (“Lessors of the property leased to the Bank”).

• Buyers or persons who wish to purchase the Bank’s NPA property, including representatives of legal entity,

shareholders (individual), contact persons, authorized person, employees, staffs, personnel, and other persons

related to the buyers or persons who wish to purchase the Bank’s NPA property, in case you are acting on behalf

of the buyers or persons who wish to purchase the Bank’s NPA property (“Buyers or persons who wish to

purchase the Bank’s NPA property”).

• The Bank’s investors and shareholders of the Bank, board of directors, executives, or advisors (“Persons having

relationship with the Bank”)

• Any other individuals that have any form of relationships with the Bank or give personal data to the Bank by any

means (“Persons contacting the Bank in other respects”) (collectively called “you” or “your”).

This Privacy Policy will apply to the collection, use, disclosure and/or overseas transfer of your personal data. The Bank

may collect such personal data through various channels, for example, branches, websites, internet banking (e.g.,

https://www.krungthai.com, https://www.ktbnetbank.com, https://www.moneyconnect.krungthai.com, Krungthai Corporate Online), mobile

applications (e.g., Krungthai NEXT, Krungthai Connext, Paotang), online social networks (e.g., LINE, Facebook, and Twitter), telephone, fax,

online communication channels (e.g., email), ATMs, Krungthai Contact Center, one-to-one communication, letters, questionnaires,

business cards, postcards, meetings, events, customer visits, or from other sources (e.g., online platforms or other public

sources), or through affiliated companies, subsidiaries, selected business alliances, government agencies, third parties, and

other places and/or other communication channels whereby the Bank collects your personal data. Please read this Privacy Policy

along with the terms and conditions of the services you use, which may have separate terms regarding the collection, use,

disclosure, and/or overseas transfer of your personal data.

In certain cases, the Bank will act as data processor who processes personal data under the instruction or in the name

of other agencies who are data controllers, for instance, the case where the Bank provides Paotang platform to various agencies

and organizations to provide services features on Paotang for Paotang users. However, in certain cases, the Bank will be the

data controller for the same set of data even if the Bank uses such data for other purposes. For example, as the designer,

developer, and service provider of Paotang, the Bank collects, uses, and provides identity proofing and authentication services

on various platforms as a data controller, including the use of Krungthai accounts by digital means, presenting and improving

the Bank’s products and services, notifying news and publications which you might be interested, or for any other purposes

specified in this Privacy Policy.

2/12 (Updated : v.7.5 06/06/2023)

In addition, to ensure continuous service, the Bank will rely on the consent you have given via the Bank’s service

channels, e.g. Paotang, Krungthai NEXT, the Bank’s branches, and/or any other channels, in case where the Bank could not rely

on other lawful bases. You can review your consent status, manage, or withdraw the consent you have given to the Bank via

mobile applications (Krungthai NEXT, Paotang) or contact Krungthai Contact Center (Telephone number: 02-111-1111)

Please read this Privacy Policy along with the terms and conditions of the services you use, which may have separate

terms on the collection, use, and/or disclosure of your personal data.

1. The Bank’s procedures for the collection of personal data

1.1 Personal data collected by the Bank

1) Personal data means any information related to you which can directly or indirectly identify you (excluding the

deceased’s information) as specified in Clause 1.2

2) Sensitive personal data means personal data which is classified as sensitive personal data according to the law.

The Bank may, only in case where strictly necessary and inevitable, collect sensitive personal data, including the

followings:

1) Biometric data (e.g., fingerprints, biometrics, face recognition data)

2) Sensitive personal data as appeared on identification documents or supporting documents for transaction

and/or juristic acts, contracts, or supporting documents for the use of products and/or services (e.g., religion,

race, disability)

3) Information related to health and/or disability

4) Criminal records information

In this respect, the Bank will collect, use, disclose and/or transfer your sensitive personal data overseas only

when the Bank receives an express consent or when it is legally permissible.

1.2 Categories of customers and personal data which are collected by the Bank

The Bank may collect your personal data. The types of personal data collected by the Bank depend on the

relationship between the Bank and you, the types of products or services that you want to receive from the Bank, and the

types of your personal data. The details are as follows:

(1) Individual customers, Lessors of the property leased to the Bank, Buyers or persons who wish to purchase the

Bank’s NPA property, Persons having relationship with the Bank

1) Personal information, e.g., title, first name, last name, gender, date of birth, age, weight, height, blood group,

nationality, country of birth, signature, family status, marital status, number of children, information

relating to documents issued by government agencies (e.g., ID card, passport, government employee ID card,

taxpayer identification number, details of driver’s license, etc.), information on a change of name certificate

or related documents, documents relating to foreigners, work permit, certificate of residence, land title deed,

photograph, recordings of telephone conversation, recordings and data produced by the closed-circuit

television cameras, political status, documents relating to visa, and other legal documents

2) Educational information, e.g., educational background, education degree

3) Work information, e.g., occupation, position, job description, type of business, type of organization, years of

service, workplace, social security information, personal information appearing on other related documents,

such as business documents, commercial registration, certificate of value added tax registration

(Por.Por.20), company certificate, and corporate income tax payment certificate

4) Contact information, e.g., postal address as appeared on ID card or house registration certificate, present

postal address, present office postal address, delivery details, telephone number, fax number, map, location

information, email address, LINE ID, and Facebook account, and your other IDs on online social network

websites.

5) Financial information, such as income level, source of income and investment and the country of origin,

salary certificate, bank statement, salary payment slip, financial status information, bank account’s name

and account number, ATM card number, ATM/debit PIN, credit information, reserves, collaterals, liabilities,

credit card number as well as its expiry date, rewards points, credit lines, credit card balance, type of credit

card, credit summary, deposit information, funds, stocks, unencumbered assets, expenses, daily withdrawal

or spending limit, credit information, bankruptcy status information, receipts, cash bills, invoices, bank

3/12 (Updated : v.7.5 06/06/2023)

statements, details of financial agreements, details of cheques, tax amount, balance amount, financial

statements, and other financial information

6) Information related to services provided to you, e.g., types of products or services you selected, details as

specified in the application form for using products or services of the Bank, information required for the

consideration of credit limits, information required in the credit facilities application, information required

for money transfer services, collaterals information, data created for the Bank’s internal use, information

related with insurance document, details of insurance premiums, insurance claim history from the insurance

company, insurance claim history from other insurance companies, information about the need to take

insurance in daily life, account ownership ratio, debt classification information, debt restructuring

information, debt and interest payment history, account opening information, purpose of investment,

number of funds, fund name, unitholder number, withholding tax, relationships with the company’s

employees or with other companies, details in the application form and information relating to KYC and CDD,

information about relationships with politicians or people with political status, investment experience, your

acceptable level of investment risk profile, suitability test results, data access permission , and information

in power of attorney, state welfare card number, any other information required in the application form for

using products or services of the Bank.

7) Transaction data, e.g., details of your incoming and outgoing transactions, date and/or time of fund transfer

or payment due date, methods of payments and receipt of payments, transaction amount, net amount

received, money transfer information, cheque number, transaction reasons, transaction information of

products and services of the Bank, information and details of agreements, expiry date of agreements, date

of contact, serial number of electronic machine, supporting transaction documents (e.g., house registration

certificate, land title deed, photograph and image of the place), details about request for payment refund,

receipt, the signature of the transaction’s recipient, transaction history, location, transaction status, request

and claim, evidence of security deposit for purchase of property, fee, opportunity cost (in case of requesting

an extension to the property purchasing period), details in the agreement of sale and purchase of property,

date and place of the property purchase, information you provide in the application form, buying behavior,

and other details of the purchased property (e.g., type of property, type of document of title, purchase price,

location, area, map and/or other information relating to the Bank’s NPA property), deposit slip, payment

card, and purchasing time

8) Technical information, e.g., internet protocol address and information relating to the communication devices

you use to conduct a transaction with the Bank

9) Your FATCA information, e.g., information about your status in the United States of America, including

nationality, place of birth, permanent residence, and information you provide in the FATCA self-certification

form

10) Details of behavior, e.g., details of your behavior, ways of living, attitude, information relating to other

interactions, and facts about your actions with products or services, your feedback and opinion towards the

types of products or services you receive, details of your claims and complaints

11) Details of marketing and communication, e.g., your preferences for receiving marketing information from

the Bank, affiliated companies, subsidiary companies, third parties, selected business alliances, and

communication preference

(2) Persons related to the Bank’s corporate customers and Person contacting the Bank in other respects

1) Personal information, e.g., title, first name, last name, date of birth, age, nationality, signature, marital

status, information about documents issued by government agencies (e.g., ID card, passport, etc.), details in

the application form and information related to KYC and CDD, information related to relationships with

politicians or people with political status, recordings and data produced by the closed-circuit television

cameras.

2) Work information, such as occupation, position, job description, type of business, type of organization,

years of service, workplace, data access permission level, personal information appearing on other related

documents, such as list of shareholders, power of attorney, certificate of the corporate’s authorized persons

3) Contact information, e.g., postal address on ID card or house registration certificate, present postal

address, present office postal address, telephone number, fax number, and email address

(3) Personal data of third party

If you provide the Bank with personal data, such as first name, last name, address, telephone number of

4/12 (Updated : v.7.5 06/06/2023)

emergency contact and debt collection, and income of a family member, of third parties, such as guarantors,

executives, authorities, authorized persons, directors, shareholders, staff members, employees, settlors and trustees,

representatives, persons in the control line or ownership, co-owners, and other persons who are not customers of the

Bank, and any other persons that you have relationship with respect to your relationship with the Bank, please inform

them of this Privacy Policy for acknowledgement and request consent if necessary or as required by law for disclosure

of personal data of third parties to the Bank.

(4) Personal data of minors, quasi-incompetent persons and incompetent persons

The Bank collects personal data relating to a minor, a quasi-incompetent person and an incompetent person

only when the Bank receives consent from a guardian or a curator. The Bank has no intention of collecting personal

data of a person aged under 20 years old without consent from a legal guardian, or of a quasi-incompetent and

incompetent person without consent from the curator. If it is found that the Bank has intentionally collect personal

information of such persons without consent, the Bank will immediately delete such personal data or will collect, use,

disclose, and/or transfer the personal data overseas only on other lawful basis other than a consent or to extent

permitted by law.

2. The purpose of collection, use, disclosure and/or overseas transfer of your personal data

We may collect, use, disclose and/or transfer your personal data and sensitive personal data overseas for the following

purposes:

2.1 The purposes for which your consent is obtained

We will collect, use, disclose, and/or transfer your personal data overseas by relying on the consent which you have

given us via our service channels, e.g., branches, mobile applications (e.g., Krungthai NEXT, Paotang), in case where we

could not rely on any other lawful bases listed in Clause 2.2, for the following purposes

(1) Offering of products and services: We may collect, use, disclose, and/or transfer your personal data (e.g., first

name, last name, telephone number, and/or other data as necessary) overseas, so that you do not miss any benefits,

news, product and service promotions, as well as marketing and communication activities, analytics for personalized

marketing, marketing advertisement, sales, special offers, news, press releases, promotions and presentations of the

products and services of the Bank, our financial business group, and our selected business alliances only in case where

we legally requires your consent. Please see more details on marketing communications in Clause 4.

(2) Statistical analysis, data analytics, research and development, and product or service improvement: We may

collect, use, disclose, and/or transfer your personal data (e.g., first name, last name, telephone number, and/or other

data) overseas only as necessary for our data analytics, research and development, product or service improvement,

profiling, risk management and assessment, only in case where we legally requires your consent. Please see more

details on data analytics in Clause 4.

( 3) Sensitive personal data: In certain cases where it is necessary and inevitable, we may use your sensitive personal

data for the following purposes:

1) Biometric data (e.g., fingerprints, biometrics, face recognition data) are used for KYC and CDD identity

verification, identity proofing, and providing our services to you.

2) Sensitive personal data as appeared on identification documents (e.g., religion, race, disability) are used only

for the purpose of identity verification and proofing only. We have no purposes nor policy to collect, use,

disclose, or transfer such sensitive personal data other than the purpose identity verification and proofing.

3) Sensitive personal data as appeared on transaction documents and/or juristic acts, contracts or supporting

documents for the use of products and/or services (e.g., religion, race, disabilities)

In this respect, we may, without notifying you, cross out or mask your sensitive personal data (e.g., religion, race)

which appear on identification documents or supporting transaction documents and/or juristic acts, contracts, or supporting

documents for the use of products and/or services, or we may ask you to cross out or mask such sensitive personal data yourself.

In case where we must obtain your consent for other activities relating to the collection, use, disclose, and/or transfer

of personal data, we will request your consent for such activities on a case-by-case basis.

If the lawful basis we rely on is consent, you have the right to withdraw your consent any time by contacting us via

Krungthai Contact Center Telephone number 02 111 1111 , all Krungthai branches nationwide and via mobile application (Krungthai

NEXT and Paotang) for Krungthai NEXT, go to Settings then select Data Privacy Management, for Paotang, go to Profile then

select Consent Management.

5/12 (Updated : v.7.5 06/06/2023)

The withdrawal of consent will not affect the collection, use, disclosure, and/or overseas transfer of your personal

data and sensitive personal data that you had given your consent prior to such withdrawal.

2.2 Other purpose and other lawful bases for collection, use, disclosure and/or overseas transfer of your personal data

When collecting, using, disclosing, and/or transferring your personal data overseas for the purposes listed below, the

Bank will rely on lawful bases of legitimate interest, entering into and performing the contract, legal obligations, or other

lawful bases permissible by PDPA, as the case may be, depending on the relationship between you and the Bank and the

Bank’s services you use.

(1) For registration and personal identity verification, e.g., to register you for a product or service; to proof, identify,

and verify the identity of you, your authorized person, or your representative; and to proof or verify your identity via

a digital channel

(2) For the provision of products and services and customer relations management, e.g., for entering into any

agreement or contract in connection with products or services and managing relationship related to you; for

considering your qualifications (e.g., for bankruptcy status check, for analyzing the business status of you and other

relevant persons, etc.); for supporting transactional operations and other activities in connection with products and

services provided to you, such as the services of deposit, withdrawal or payment; for approving the provision of

products or services; for delivering the details of agreements or contracts, products or services, financial transactions,

and services with respect to payment, which also includes verification, confirmation, and cancellation of transactions;

for receiving or sending letters, parcels and important documents to you; for conducting reports informing the

customers about information relating to products or services; for delivering updated news regarding products or

services; for reporting the status of debt, debt collection, and classification of debtors; for verifying documents and

collaterals, credit limit, interest and requested payment period; for processing payments of accounting activities,

accounting and balance sheets and auditing; for evaluating conflicts of interest; for providing or operating after sales

services; for managing and cancelling inactive activities (such as cancellation of services or your account)

(3) For creating a good impression with after sales services, e.g., for communicating with you in respect of products

and services provided to you by the Bank, companies within the Bank’s group, affiliates, subsidiaries, or the Bank’s

selected business alliances; for processing and updating your information as the Bank’s customer, for providing advice,

suggestions and facilitating your products and services use; for dealing with inquiries related to customer service; for

dealing with your complaints, requests, comments, and insurance claims; for dealing with technical problems; for

notifying and proceeding with the solutions to your problems, for conducting Customer relationship management

activities

(4) For conducting activities related to space lease agreements, e.g., for surveying and analyzing the area, including

surveying other automated teller machines nearby and analyzing the trends of electronic machine usage in the area;

for contract negotiation and contract preparation; for the installation of electronic machines; and for other activities

necessary for entering into the contract

(5) For conducting activities related to the purchase and sales transaction of the Bank’s NPA property and other

related operations, e.g., for entering into a contract and carrying out the obligations of the contract; for conducting

purchase and sales transactions; for the transfer of ownership; for the payment of earnest money; fir the internal

process required for approving the extension of purchasing period; facilitation of credit facility application; delivery of

work to other persons as outsourcing; and assignment of claims

(6) For communication, e.g., any communication in connection with entering into the space lease agreement, such

as request for additional information or documents, contact for payment, notice of expiration of agreement,

arrangement for the lessor to sign the agreement, and delivery of the agreements; communication related to

transactions; giving additional information of the properties you are interested in; debt payment reminder;

understanding your needs and interests

(7) For identity proofing and verification, e.g., providing services to support electronic know your customer (E-KYC)

and digital identification

(8) For marketing, sales promotion, and communication purposes, e.g., for carrying out marketing and

communication activities, research and data analytics for personalized marketing, marketing advertisement, sales,

special offers, news, press releases, promotion and presentation of the Bank’s products and services, and those of

financial business group, the Bank’s affiliates, selected business alliances, and other legal entities as specified by you

or the services that you have used, as well as information of products and services that are directly and indirectly close

6/12 (Updated : v.7.5 06/06/2023)

to your interest and history, for enabling you to participate in the sales offering, offers and privileges, campaigns,

events, seminars, contests, sweepstakes, lucky draws, booths, and events with branches in order to meet with you,

including other sales promotions and all relevant advertising services facilitating you to participate in the Bank’s

activities in cases where the Bank is not required to rely on your consent. For example, if you are a customer who uses

the Bank’s financial products, you may receive the Bank’s marketing communications offering the same products and

services, or other products and services of the Bank, the Bank’s financial business group, and selected business

alliances. (For instance, if you have a bank account, you may receive notifications on special offers, news, public

relations, relating to other savings products provided by the Bank. If you are a customer who uses the Bank’s savings

accounts or credit cards, the Bank may offer lending, funds, debentures, or insurance products, which benefits you. If

you use Paotang, you may receive marketing communications, notifications, or advertisements on Paotang (banner)

relating to the products of the Bank, financial business group, and selected business alliances). When you request any

services or inquire the details of any services, we will send such details to you as per your request, for instance, when

you request the details of loans or the Bank’s other products via the Bank’s website for the bank to contact you. You

may receive communication via branches, websites, internet banking, social media, or any other channels specified by

the Bank. Please see more details on marketing communications in Clause 4.

(9) For products and services search and recommendation, e.g., for recommending products and services that you

might find interesting, for learning about your need and adjusting products and services so that that they are suitable

for you

(10) For improving business operations, products and services, e.g., for the evaluation, marketing research, analysis,

statistical analysis, profiling, model simulation; for the development of services, products, distribution, systems,

geographic structure, conducting business for you and the Bank’s customers, the Bank, the Bank’s financial business

group, and the Bank's selected business alliances; for designing and developing products and services, launching

strategies and campaigns of the products of the Bank, the Bank’s financial business group, and the Bank's selected

business alliances, to meet the needs of the customers; for setting the efficiency of sales promotional campaigns of

the Bank, for making overview reports, for conducting staffs training programs, for improving the efficiency of

business and adjusting the content of the Bank, the Bank’s financial business group, and the Bank's selected business

alliances, to reach the higher level of the customer satisfaction; for learning about and solving problems concerning

existing products and services; and for assessing and managing risks within your expectation. The Bank may connect

your data on various platforms owned or related to the Bank (for instance, connecting Paotang with the Bank’s

banking database) in order to provide services to you continuously and seamlessly. However, this is limited to the

cases where the Bank is not required to rely on your consent. For example, the Bank may use your service usage data

to analyze the risk of approving your loan application, the Bank may analyze your service usage data and the feedback

you provide after using the Bank’s various platforms for the purpose of developing and designing new products or

services or improving existing products and services of the Bank, the Bank’s financial business group, and the Bank's

selected business alliances to meet the market’s conditions and consumer’s needs, and the Bank may analyze the

data for the purpose of forecasting market trends, etc. Please see more details on data analytics in Clause 4.

(11) For learning about and responding to customer needs to improve customer satisfaction, e.g., for learning more

information regarding the products and services you receive, as well as other products or services that you might find

interesting; for processing your personal data, e.g., considering types of products and services you receive from the

Bank, your preferred method of contact, etc.; for getting the results of customer satisfaction survey for the Bank’s

services and customer credit assessment

(12) For managing websites, mobile applications, and platforms, e.g., for the administration, operation, monitoring,

examination, maintenance, and management of websites, applications and the Bank’s platforms to ensure that they

are properly functional, efficient, and secure; for enhancing usability of the Bank’s websites and platforms; for

improving the layout and content of the Bank’s websites and platform in order to provide the service to you

(13) For management of information technology, e.g., for the purpose of business operations of the Bank,

information technology operations, communication system management, information technology security, and

information technology security monitoring, business management in compliance with internal regulations policies

and procedures

(14) For compliance with laws, e.g., to comply with laws, legal procedures or orders of government agencies, including

7/12 (Updated : v.7.5 06/06/2023)

government agencies outside Thailand, and/or cooperating with courts, authorities, government authorities, and law

enforcement agencies when the Bank has a reason to believe that the laws enforce the Bank and/or related agencies

to do so; when it is necessary to disclose your personal data to comply with laws, procedures or government orders; to

conduct VAT collection and refund services, to issue tax invoices or file taxes; to record and monitor communications,

to deal with police tickets and road taxes; to report suspicious transactions to money laundering prevention and

suppression agency; to disclose information to tax authorities, law enforcement agencies involved in financial services

and other government agencies and law enforcement agencies; to conduct crime investigation or crime prevention

(15) For protection of legitimate interests of the Bank, e.g., for security and the integrity of the Bank’s business or

that of the Bank’s affiliates; for exercising the Bank’s right and protecting the interest of the Bank’s or the Bank’s

affiliates when it is necessary and lawful, for instance, for investigation, protection, and response to complaints,

intellectual property infringement complaints, or violation of laws; for managing and preventing the loss of assets;

for ensuring the compliance with terms and conditions of the Bank; for investigation and prevention of wrongdoing

occurred at the Bank’s premises, including operating the closed- circuit television (CCTV) to monitor situations in order

to prevent and report criminal incidents or imminent crimes; for management, preparation of reports, internal policies

according to the Bank’s scope of operations

(16) For verification and prevention of the Bank business risks, e.g., for verifying your identity; for monitoring the

compliance with the law and other regulations (such as regulations regarding anti-money laundering, anti-corruption,

cyber treats, debt default/breach of contract, violation of law (such as money laundering, financing of terrorism and

proliferation of weapon of mass destruction, wrongdoings to property, life, body, liberty, and reputation), including

conducting the monitor and internal record, property management, the Bank’s business risk database, systems and

controls of other businesses, and disclosure of personal data to enhance the Bank’s operations or legal entities in the

same business group with the Bank in preventing, dealing with, reducing, or performing other similar activities in order

to eliminate such risks

(17) For risks management, e.g., to manage risks, monitor efficiency, and evaluate risks in order to set risk index,

making summary report for risks management in order to evaluate, predict, and find solutions to handle potential

risks, to evaluate product risks and provide recommendations if changes are required or finds solutions to manage

the risks

(18) For the benefits of operations regarding organizational transactions, e.g., for the purpose of business sale,

transfer, merger and acquisition, reorganization, or other similar cases, the Bank may transfer your personal data to

third parties as part of such operations.

(19) For prevention or stop of dangers to lives, bodies or health of persons

(20) For conducting other duties of the Bank in relation to your personal data, depending on the relationship

between the Bank and you, for example, you as the Bank’s shareholder who the Bank will organize the shareholders’

meeting for, you as a member of the Board of Directors, an executive, or an advisor appointed by the Bank, you as a

holder of securities or properties which are operated by the Bank as a securities registrar or a custodian of private

funds, and you as any status that the Bank shall proceed with the obligations of the relevant agreements

(21) For other purposes which the Bank will notify you when requesting your consent

In this respect, not providing your personal data to the Bank may have impact on you, for example, the Bank may not

proceed with your requests; you may experience some inconvenience or your agreements may not be fulfilled; and you

may receive damage or lose opportunities. In addition, your refusal to provide personal data may affect the Bank’s or

your compliance with the laws and may result in penalties.

2.3 Management of sensitive personal data collected by the Bank prior to the effective date of the PDPA

If you are an existing customer of the Bank prior to the effective date of the PDPA, the Bank might have collected your

sensitive personal data, such as (1) religion, (2) race, (3) disability, (4) sensitive personal data for transactions and/or

legal transactions, (5) sensitive personal data for using the products and/or other services, and (6) sensitive personal data

for insurance products (such as health, disability, religion, race, criminal records). This is for the collection of documentary

evidence only; the Bank will not use such sensitive personal data for other purposes.

3. Who does the Bank disclose or transfer your personal data to?

The Bank recognizes the importance of your personal data’s security and intentions; therefore, the Bank has measures

8/12 (Updated : v.7.5 06/06/2023)

in place to prevent other parties from misusing your personal data. Nevertheless, in the Bank’s operation, it may be necessary

for the Bank to disclose your personal data to other parties under the name or instructions of other parties, or in the Bank’s

own name. The Bank may disclose or transfer your personal data to the third parties listed below. The collection, use or disclosure

and/or overseas transfer of personal data are for the purposes under this Privacy Policy. These third parties may be located in

Thailand or abroad. You can read the privacy policies of such third parties in order to understand the details regarding how they

collect, use, disclosure, and/or transfer your personal data overseas, since you are also their data subject under their privacy

policies.

3.1 Affiliates and financial business group

The Bank may have to disclose your personal data for the purposes specified in Clause 2 herein, to the Bank’s financial

business group and the Bank’s affiliates. The disclosure of your personal data to such financial business group and affiliates

will allow them to rely on your consent obtained by the Bank.

3.2 The Bank’s Service providers

The Bank may outsource the Bank’s services to companies, representatives, or contractors or have them assist the

Bank in operating the business, providing you with products and services, and performing any activities for your benefits.

The Bank may share your personal data to third-party service providers, service provider representatives, business

facilitators, subcontractors, and service providers or suppliers that support the bank’s services, including but not limited to

(1) internet service providers, software developers, website developers, digital media, information technology service

providers and service providers of digital products, such as developers and operators of digital platforms and other

technological services (Platform as a Service), applications, any other work systems, and identity proof and authentication

services for the Bank, (2) logistics and transportation service providers, (3) payment and payment system service providers,

(4) research service providers, (5) analytics service providers, (6) survey service providers, (7) auditors, (8) customer contact

centers, (9) marketing, advertising, design, creative and communication service providers, (10) event, campaign, marketing

event, and customer relationship management service providers, (11) telecommunications service providers, (12)

administrative service providers, (13) cloud storage service providers, (14) printing service providers, (15) lawyers, legal

counsels for the Bank’s benefits, including exercising legal claims and defending against legal claims, auditors and/or other

professionals assisting in the Bank’s business operations, (16) document storage and/or disposal service providers and (17)

debt collection service providers.

During the provision of such services, the service providers may have the right to access your personal data, however

the Bank will only provide to the service providers the personal data necessary for them to provide the services. The Bank

will also ensure that the service providers protect the security of your personal data in compliance with the law.

3.3 The Bank’s selected business alliances and other agencies

The Bank may transfer your personal data to the Bank’s selected business alliances for the purposes of conducting

business and providing services to the Bank’s customers and potential customers. Such business alliances and agencies may

include but not limited to card issuers, data entry companies, credit card companies, payment service providers, data

analytics service providers, market analysis service providers, financial transaction service providers, real estate developers,

business alliances with whom the Bank launch products (such as co-branding alliances), co-developer or co-service provider

for any part of any platform, business alliances who allow the Bank to connect to their databases and systems, and provide

assistance to the platform’s users, and other supporters.

If you are interested in privileges and offers of products or services provided by the Bank’s selected business alliances

via the Bank’s channels, such as Paotang, it is necessary for the Bank to use and disclose your personal data on a need-to-

know basis to the Bank’s selected business alliances so that you can receive such offers or privileges. If required by any

relevant laws, the Bank will request your consent, and you may withdraw the consent you have given at any time by following

the steps stated in this Privacy Policy.

3.4 Third parties as specified by laws

In the cases where the Bank believes it is necessary to comply with the laws or to protect the Bank’s rights, the rights

of third parties or for the security of persons or for inspection, prevention or corruption problem solving, security, safety,

including any other risks, the Bank may have to disclose your personal data in order to comply with the laws as well as orders

issued by laws and law enforcement agencies, courts, Legal Execution Department, authorities, government agencies, or

other third parties.

In this regard, the Bank may have to disclose your personal data to the Office of Insurance Commission for the purpose

9/12 (Updated : v.7.5 06/06/2023)

of supervision and promotion of insurance business under the law of the Insurance Commission and the law governing life

insurance and non-life insurance according to the Privacy Policy of the Office at https://www.oic.or.th

3.5 Associations and clubs

In some cases, the Bank may have to disclose your personal data to relevant institutions, associations or clubs, such

as Anti-Fraud Association and Thai Bankers’ Association, to protect the Bank’s rights, the rights of third parties, and the

safety of persons, or to investigate, prevent, solve issues related to corruption, security, safety, and any other risks.

3.6 Assignees

In case of a business reorganization, merger and acquisition, business transfer, whether in entirety or in part, sale,

purchase, joint venture, grant, or transfer part or all of business, assets, shares, or other similar transactions, the Bank will

have to disclose your personal data to third parties who have been assigned or wish to be assignees of the Bank. In this

respect, the Bank will ensure that such third parties will comply with this Privacy Policy at all times when there is a collection,

use or disclosure and/or overseas transfer of your personal data.

3.7 Third parties

The Bank may have to disclose your personal data under the lawful basis according to the purposes specified in this

persons who make a transaction with you or are related to your transactions, other persons as legally referred to, members

of digital identity verification system, and service providers of digital identity verification system, as the case may be.

10/12 (Updated : v.7.5 06/06/2023)

4. Marketing communications and data analytics

4.1 Marketing communications

The Bank may collect your personal data such as first name, last name, telephone number, and/or other data only as

necessary, which may be obtained directly from you or from other sources (such as via affiliates, selected business alliances,

government agencies, or third parties), to offer the products and services of the Bank, the Bank’s financial business group, and

the Bank's selected business alliances (for details the Bank’s financial business group and the Bank's selected business

alliances, please refer to [https://krungthai.com/th/content/privacy-policy]) via various channels such as branches, websites,

internet banking, social media, etc.

Generally, the Bank conducts activities relating to marketing and communication, marketing advertisement, sales,

special offers, news, press releases, promotions and presentations of products and services of the Bank, the Bank’s financial

business group, and selected business alliances, and other legal persons by mainly relying on the lawful basis of legitimate

interests and/or entering into and performing the contract. Please note that the Bank will recognize your privacy and benefits

as priority. The Bank will select marketing activities which is appropriate for you and your interests, so that you may receive

benefits from the Bank, in the event that you have made your interests in any products or services known, or you have previously

purchased products or receive services from the Bank, the Bank’s financial business group, the Bank’s affiliates, and the Bank's

selected business alliances. For example, if you are a customer who uses the Bank’s financial products, you may receive the

Bank’s marketing communications offering the same products and services, or other products and services of the Bank, the

Bank’s financial business group, and selected business alliances. (For instance, if you have a bank account, you may receive

notifications on special offers, news, public relations, relating to other savings products provided by the Bank. If you are a

customer who uses the Bank’s savings accounts or credit cards, the Bank may offer lending, funds, debentures, or insurance

products, which benefits you. If you use Paotang, you may receive marketing communications, notifications, or advertisements

on Paotang (banner) relating to the products of the Bank, financial business group, and selected business alliances). When you

request any services or inquire the details of any services, we will send such details to you as per your request, for instance,

when you request the details of loans or the Bank’s other products via the Bank’s website for the bank to contact you. You may

receive communication via branches, websites, internet banking, social media, or any other channels specified by the Bank.

Please see the details of the usage and the purposes of the collection, use, disclosure, and/or overseas transfer of your personal

data under the legal bases of performance of contract and/or legitimate interests under personal data protection laws in Clause

2.2 (8).

In certain cases, the Bank will request your consent prior to sending certain marketing communications and marketing

materials where the Bank could not rely on other lawful bases, such as for the marketing of products and services of third

parties, which may be beyond your expectation. Please see the details of the usage and the purposes of the collection, use,

and/or disclosure, of your personal data under the lawful basis of consent in Clause 2.1 (1).

Therefore, the Bank may rely on the lawful bases of contract, legitimate interests, and/or consent for the Bank’s

marketing activities, depending on each case. Nevertheless, you have the rights to object or withdraw your consent if you do not

wish to receive marketing communications from the Bank by following the steps stated in this Privacy Policy.

4.2 Data analytics

The Bank may collect your personal data such as first name, last name, telephone number, and/or other data only as

necessary, which may be obtained directly from you or from other sources (such as via affiliates, selected business alliances,

government agencies, or third parties), for statistical analysis, data analytics, research and development, and improving the

Bank’s products or services.

11/12 (Updated : v.7.5 06/06/2023)

Generally, the Bank conducts activities relating to marketing research, analysis, statistical analysis, profiling, model

simulation and a development of services, products, distribution, systems, geographic structure, and conducting business by

mainly relying on the lawful basis of your legitimate interests. The Bank will be designing and developing products and services,

launching strategies and campaigns of the products of the Bank to meet your needs, improving the efficiency of business and

adjusting the content of the Bank to better match your preferences. The Bank will also assess and manage risks within your

expectation. The Bank may connect your data on various platforms owned or related to the Bank (for instance, connecting

Paotang with the Bank’s banking database) in order to provide services to you continuously and seamlessly. For example, the

Bank may use your service usage data to analyze the risk of approving your loan application, the Bank may analyze your service

usage data and the feedback you provide after using the Bank’s various platforms for the purpose of developing and designing

new products or services or improving existing products and services of the Bank to better meet the market’s conditions and

consumer’s needs, and the Bank may analyze the data for the purpose of forecasting market trends, etc. Please see the details

of the usage and the purposes of the collection, use, disclosure, and/or overseas transfer of your personal data under the legal

bases of contract and/or legitimate interests under personal data protection laws in Clause 2.2 (10).

In certain cases, the Bank will request your consent prior to conducting certain data analytics where the Bank could

not rely on other lawful bases, such as the analytics for developing credit models or the analytics for developing and designing

the Bank’s new products or services, by collecting data from other sources which is beyond your expectation. Please see the

details of the usage and the purposes of the collection, use, and/or disclosure of your personal data under the lawful basis of

consent in Clause 2.1 (2). Therefore, the Bank may rely on the lawful bases of legitimate interests and/or consent for statistical

analysis, data analytics, research and development, and improving the Bank’s products or services, depending on each case.

Nevertheless, you have the rights to object or withdraw your consent if you do not want the Bank to conduct data analytics on

your personal data by following the steps stated in this Privacy Policy.

5. Overseas transfer of your personal data

The Bank may transfer your personal data from Thailand to other countries which may have a different standard of

personal data protection than that of Thailand, for example, when the Bank stores your personal data on cloud platforms or

servers outside Thailand for information technology support or when the Bank must send information of international money

transfer transactions to overseas banks through an intermediary of international money transfer, as the case may be.

When it is necessary for the Bank to transfer your personal data to other countries which have a lower standard of

personal data protection than that of Thailand, the Bank will ensure that the personal data transferred will be sufficiently

protected, that relevant personal data protection laws allow such personal data transfers, and that the transfers of your

personal data to other countries comply with conditions and criteria set out by the personal data protection laws. For example,

the Bank may have to obtain a confirmation according to the contract from third parties who have access to such personal data

that your personal data will be protected under the personal data protection standard equivalent to that of Thailand.

6. Duration of personal data storage period

The Bank will retain your personal data for the duration necessary for the purposes which the Bank has obtained the

data for. For instance, the Bank will retain your personal data for the period where the Bank must perform its obligations under

a contract with you. However, in order to comply with the law, in some cases, the Bank may have to retain your personal data

for a longer period of time as required by law, for example, the law may require the data the be retained for a specific duration

(such as prescription period or period set out by the Civil and Commercial Code, Revenue Code, Anti-Money Laundering Law, etc.)

7. Your rights as the Data Subject

The rights stated in this section mean legal rights relating to your personal data. You may submit a request to exercise

these rights to the persons specified by law, as long as it is within the conditions stipulated by law and the Bank’s rights

management process. Such rights include the following rights:

(1) Right of access: You may have the right to access or request a copy of the personal data related to you that the

Bank collected, used, disclosed and/or transferred overseas. For your privacy and security, the Bank may request you

to verify your identity before providing you with the personal data you have requested.

(2) Right to rectification: You may have the right to rectify your personal data that the Bank collected, used, disclosed

and/or transferred overseas if such personal data is incomplete, incorrect, misleading, or not up-to-date.

(3) Right to data portability: You may request the Bank to provide you with the structured personal data related to

you in an electronic format. You may request the Bank to transfer such personal data to other data controllers

12/12 (Updated : v.7.5 06/06/2023)

providing that (a) the data is your personal data that you have provided to the Bank, (b) the Bank collected, used,

disclosed and/or transferred the personal data overseas with your consent or in order to perform the contract between

the Bank and you.

(4) Right to object: You may have the right to object to some types of collection, use, disclosure and/or overseas

transfer of your personal data, for example, you may object to the use of your personal data for direct marketing

purpose.

(5) Right to restriction: You may have the right to restrict the use of your personal data in some cases.

13/12 (Updated : v.7.5 06/06/2023)

(6) Right to withdraw consent: You may have the right to withdraw your consent for the purposes that you gave

your consent to the Bank to collect, use, disclose and/ or transfer your personal data overseas at any time.

(7) Right to erasure: you may have the right to request the Bank to erase or anonymize your personal data. However,

there is an exemption for the Bank not to take such actions if the Bank must retain such personal data in order to

comply with the laws, to lawfully establish legal claims, to lawfully exercise legal claims, or to lawfully defend against

legal claims.

(8) Right to lodge a complaint, you may have the right to lodge a complaint with the relevant authorities if you

believe that the collection, use, disclosure, and/or overseas transfer of your personal data is unlawful or violates

personal data protection laws.

If you want to exercise any right specified in this section, you can do so by contacting the Bank through the following channels:

For all Krungthai branches nationwide, you can exercise the right of access under (1), right to rectification under (2)

and right to withdraw consent under (6).

For Krungthai Contact Center (Tel. 02 111 1111), you can exercise all aforementioned rights from (1) to (7).

For Mobile Applications (e.g., Krungthai NEXT, Krungthai Connext, Paotang), you can exercise the right of access under

(1) and right to withdraw consent under (6).

A request for the exercise of any of the abovementioned rights may be restricted by the relevant laws. In some cases,

the Bank can appropriately and rightfully reject your request, for example, when the Bank must comply with the laws or court

orders.

You can exercise the right to withdraw consent under (6) (or make changes to the consent you have previously given)

through the Bank's branches nationwide, Krungthai Contact Center (Tel: 02-111-1111), the mobile applications, or other channels

as specified by the Bank. In the event that the Bank has received your request, the Bank will consider your request in accordance

with the obligations and conditions prescribed by laws. The processing period is 30 (thirty) days upon the day the Bank received

your request along with the complete supporting documents which are sufficient for the Bank to consider the request of the

data subject.

If you believe that the collection, use, disclosure and/or overseas transfer of your personal data by the Bank violates

personal data protection laws, you have the right to lodge a complaint with the personal data protection authorities. However,

you may first inform the Bank of your concern so that the Bank can consider solving your concern by contacting the Bank

through the Krungthai Complaint Center by letter at P.O. 44 Sorfor. Hualumphong Post Office, Bangkok, 10331, Thailand or

contacting the bank via Krungthai Contact Center Telephone number: 02 111 1111

8. Actions to be taken regarding to corporate customers

If you, as the Bank’s corporate customers, disclose personal data of Persons related to corporate customers, you have

a duty to take the following actions to enable the Bank to provide services or products to you:

(a) You have verified the accuracy and completeness of other persons’ personal data which are disclosed to the Bank

and will notify the Bank of there is any change in such data (if any)/

(b) You have obtained consent, or you can rely on other lawful bases to collect, use, disclose and/or transfer the

personal data of such persons in accordance with the applicable laws.

(d) You will proceed to enable the Bank to collect, use, disclose and/or transfer personal data for the purposes

specified in this Privacy Policy and for the purpose of completing the relevant transactions. The Bank has the right

to report the results of the transactions conducted by retail customers of the corporate customer as well as other

14/12 (Updated : v.7.5 06/06/2023)

relevant information to corporate customers.

9. Security Measures

The Bank has in place the appropriate security measures for personal data protection. They include management,

technical, and physical protective measures for access or control of personal data, to preserve the confidentiality, integrity,

and availability of personal data; to prevent loss as well as unauthorized and unlawful access, use, changes, alterations, and

disclosure of personal data. These measures are in accordance with applicable laws.

Moreover, the Bank has in place the control measures for accessing personal data and using personal data storage

and processing equipment. The measures are safe and appropriate for the collection, use, disclosure, and/or overseas transfer

of your personal data. The Bank also has in place measures to limit access to personal data, and the use of personal data

storage and processing equipment by setting user permission for accessing the data and for authorizing designated officers

to access the data, prescribing the responsibilities of the users to prevent any unauthorized access to, disclosure,

acknowledgement, or copying of personal data, or the theft of personal data storage and processing equipment. In addition,

the Bank has in place the measures for audit trails in order to review any access to, alteration, erasure, or transfer of personal

data, which are appropriate for the methods and mediums used in the collection, use, disclosure, and/or overseas transfer of

your personal data.

10. Changes to Privacy Policy

The Bank may make changes to this Privacy Policy from time to time if there is any change to the Bank's practice

guidelines on personal data protection due to various possible reasons, e.g., technological or legal changes. The changes to this

significantly affect you as a data subject, the Bank will notify you of such changes in advance before the changes come into

effect.

11. Contact the Bank

If you have any inquiries regarding this Privacy Policy, please contact the Bank or the Bank's Data Protection Officer

as detailed below:

(1) Krung Thai Bank Public Company Limited

• 35 Sukhumvit Road, Klong Toey Nua Subdistrict, Wattana District Bangkok 10110, Thailand

• Krungthai Contact Center: Telephone number: 02-111-1111

• https://krungthai.com

(2) Data Protection Officer (DPO)

Data Protection Department

• 35 Sukhumvit Road, Klong Toey Nua Subdistrict, Wattana District Bangkok 10110, Thailand

• Email: dpo.official@krungthai.com