We are currently in an era of rapid technological advancement, which brings risks of infringing privacy rights in the collection, use, and disclosure of the personal data of stakeholders, customers in particular. Therefore, the Bank emphasizes the appropriate management of personal data such as general personal data, financial transaction data, and customer behavior data relating to the use of products and services. We always realize that winning the trust and confidence of customers and stakeholders who use our products and services is truly priceless. Also, storing customer and stakeholder information in a secure and appropriate manner helps boost the Bank’s credibility, reputation, and good image.
In this connection, the management of the privacy and security of customer and stakeholder data is considered compliance with legal requirements and relevant regulations, including the Personal Data Protection Act B.E. 2562 (2019), which will go into effect in 2020. Therefore, Krungsri has regularly reviewed its policies and personal data protection measures to protect the rights of data owners as required by law.
Management Approaches
Data quality management
- Established the ‘Data Governance Committee’ responsible for supporting the strategic plan of Bank of Ayudhya regarding information management to ensure correctness and accuracy. This is to strengthen the capability to access customer needs, offer tailor-made products and services to each customer, and issue a report in a correct manner in line with the requirements of external regulatory authorities, financial management, and enterprise-wide risk management.
- Established the ‘Data Governance Department’ responsible for stipulating the operating practices and data management standards through the ‘Data Management Governance Policy’. The Department is tasked with overseeing the Bank’s transactions throughout the entire process, from data input, management, and analysis to report issuance, to ensure correctness and completeness. The said policy shall be applicable to the Bank, directors, executives, employees, and individuals and juristic persons performing tasks on behalf of the Bank, such as outsourced staff, and all these groups of stakeholders shall strictly comply with it. In this connection, the policy shall be updated every two years or upon any significant change.
- Encouraged the establishment of ‘Key Data Elements (KDEs)’, the key data for customer services, risk and financial reports, and reports submitted to the relevant regulatory authorities.
- Established ‘the process to review and improve data quality in a sustainable manner’ by focusing on five principles consisting of accuracy, correctness and completeness, compliance with relevant standards, alignment, and non-redundancy. Also, the roles and responsibilities of relevant persons regarding data management were stipulated under the concept of ‘Three Lines of Defense’ to ensure that all functional units of the Bank have in place data management and supervision guidelines.
Three Lines of Defense
- First Line of Defense: refers to business and supporting functions.
- Second Line of Defense: refers to the Data Governance Committee and the Data Governance Department.
- Third Line of Defense: refers to the Internal Audit Group.
Management of private information
- Established the ‘Privacy Policy’ with the following objectives:
  - To protect the privacy of individuals, with particular attention to the ‘personal information’ of customers, business partners, employees, and directors of the Bank.
  - To enhance employees’ understanding of the Privacy Policy with respect to the acquisition, use, disclosure, and storage of personal information in a responsible manner; to prevent violation of laws; and to protect the Bank’s reputation, credibility, and image.
  - To prevent conflicts of interest resulting from the acquisition, use, and disclosure of personal information. In this connection, the said policy shall be applicable to the Bank, companies in the financial business group, and overseas branches. Also, companies in the financial business group and overseas branches shall adopt this policy as a guideline for formulating their comparable policies, criteria, and operating processes, unless they have other stricter and more comprehensive policies and regulations. The said policy shall be reviewed every two years or once any significant change is made.
- Established the scope of application and disclosure of personal data under the requirements of the Bank and within the scope of legal application; the usage and disclosure of information must be in line with the objectives and intention of the data owner. Moreover, the said ‘Privacy Policy’ must be updated once the Personal Data Protection Act B.E. 2562 has come into force in 2020.