1.2 Personal data which are collected by the Company

(1) Individual merchants

1) Personal information, such as title, first name, last name, gender, date of birth, age, nationality, signature, information relating to documents issued by government agencies (e.g. ID card, passport, taxpayer identification number, detail of driver’s license, etc.), information on a change of name certificate or related documents, documents relating to foreigners, work permit, photograph, documents relating to visa and other legal documents.

2) Work information, such as position, types of business, types of organization, workplace, personal information appearing on other related documents, such as business documents, commercial registration, certificate of value added tax registration (por. Por. 20) and company certificate.

3) Contact information, such as postal address on ID Card or house registration certificate, present postal address, present office postal address, delivery details, telephone number, location information, email address, LINE ID and other IDs from your online social network websites.

4) Financial information, such as Company statement, name and Company account number, credit card number, expiry date, types of credit cards, daily withdrawal or spending amount, Bankruptcy status information, tax amount and other financial information.

5) Information related to services provided to you, such as types of products or services you selected, details as specified in the application form for using products or services of the Company, data created for the Company’s internal use, details in the application form and information relating to KYC and CDD, information about relationships with politicians or people with politician status, your data information access level and information in power of attorney and any other information required within the applicable form for using products or services of the Company.

6) Transaction data, such as details of your incoming and outgoing transactions, date and/or time of fund transfer or payment due date, methods of payments and receipt of payments, transaction reasons, transaction information of products and services of the Company, information and details of agreements, supporting transaction documents (such as house registration certificate, photograph and image of place), details about request for payment refund, receipt, the recipient’s signature of transaction, transaction history, location, transaction status, request and claim, payment card and purchasing time.

7) Details of behaviour, such as information behaviour, information relating to other interactions and facts about your actions with products or services; your feedback and opinions towards the types of products or services received by you, details of your claims and complaints.

8) Details of marketing and communication, such as your options for receiving marketing information from the Company, affiliated company, subsidiary company, third party, business alliances and options for your communication.

(2) Personal data of third party

If you provide the Company with personal data of third parties such as guarantors, executives, authorities, authorized persons, directors, shareholders, staff members, employees, representatives, persons in the control line or ownership, co-owners and other persons who are not merchants of the Company, and any other person that you have relationship with respect to your relationship with the Company by providing personal data of such person to the Company, such as first name, last name, detail of address and telephone number for emergency contact. Please inform this Privacy Policy to such third parties for acknowledgement and request for consent if necessary or as required by law for disclosure of personal data of third parties to the Company. Notwithstanding the above, it is important to note that (1) In the case of personal data collected from third parties, you shall ensure that you are authorized to collect such third parties personal data (2) In the case of personal data transferred from third parties, you shall ensure that they are authorized to transfer such data to us (3) You shall be responsible for any liability or claim arising from the collection or transfer of personal data from third parties.

(3) Personal data of minors, quasi-incompetent persons and incompetent persons

The Company collects personal data relating to a minor, a quasi-incompetent person and an incompetent person only when the Company receives a consent from a guardian or a curator. The Company has no intention of collecting personal data from a person aged under 20 years old without a consent of a guardian or a curator, a person taking care of the person as required by laws (as the case may be). In case the Company was aware that the Company had unintentionally collected personal data from any person aged under 20 years old without a consent of a guardian or a curator, a person taking care of the person as required by laws (as the case may be), the Company will immediately delete such personal data or will collect, use and/or disclose only on other lawful basis other than a consent or to extent permitted by law.

2. The purpose of collection, use, disclosure and/or oversea transfer of your personal data by the Company

The Company may collect, use, disclose and/ or overseas transfer the personal data and sensitive personal data for the following purposes:

2.1 The purpose of obtaining your consent

(1) Marketing and communication purpose:for carrying out marketing and communication activities, marketing advertisement, sales, special offers, news, public relations, promotions and presentations of the Company’s products and services, the Company’s financial business group, the Company’ s affiliated companies, business alliances and other legal entities only in case that the Company requires your consent.

(2) Research, statistical data and data analytics business: for the use of data analytics business of personal data for the Company, the Company’s financial business group, the Company’ s affiliated companies, business alliances and other legal entities only in case that the Company requires your consent.

(3) Sensitive personal data: The Company may collect your sensitive personal data for the following purposes:

1) Sensitive personal data as appeared on identification documents (such as religion, race) only for the purpose of your personal identity verification and proof, the Company has no purpose nor the policy in the collection, use, disclosure of such sensitive personal data other than the purpose of your personal identity verification.

2) Sensitive personal data as appeared on transaction documents and/or juristic acts, contracts or supporting documents for the use of products and/or services (such as religion, race).

In this respect, the Company will cross out your sensitive personal data (such as religion, race) as appeared on identification documents or supporting transaction documents and/or juristic acts, contracts or supporting documents for the use of products and/or services whereby the Company may proceed such act on its own without notifying you or the Company may request you to cross out your sensitive personal data by yourself.

If any applicable law requires a request for consent, you have the right to withdraw your consent at all times.

The withdrawal of consent will not affect the collection, use and disclosure of your personal data and sensitive personal data that you had given your consent prior to such withdrawal.

2.2 Other purpose and any applicable law for collection, use, disclosure and/or overseas transfer of your personal data

The Company will collect, use, disclose and/or overseas transfer of your personal data by lawful basis on legitimate interest, by lawful basis on entering into and performing the contract or other lawful basis on permissible personal data protection, as the case may be, depending on the relationship between you and the Company and the Company’s services being used by you, for the following purposes:

• For a registration and personal identity verification, such as your registration of the products or services, your personal identity verification, authorized person or your representative, including your digital identity verification.
• For the supply of the products and services and the merchant relations management, such as for consideration of providing the products or services, for delivering the detail of agreements or contracts, products or services, financial transactions and services with respect to payment, including verification, confirmation and cancellation of transactions, for receiving or sending letters, parcels and important documents to you, for conducting reports informing the merchants about information relating to products or services, for delivering updated news regarding products or services, for payment processing, accounting activities, accounting and balance sheets and auditing, for evaluation of conflicts of interest, for providing or operating after sales services, for managing and cancelling inactive activities (such as cancellation of services or your account).
• For the build-up of after sales services impression, such as a communication with you in respect of products and services provided to you by the Company within the Company’s group, affiliates, subsidiaries or the Company’s business alliances, for processing and updating your information as the Company’s merchant, for providing advice, suggestion and facilitating your products and services use, for dealing with questions related to merchant services, complaints, requests, comments, your insurance claims, technical problems, for notifying and proceeding with the solutions to your problems, for conducting activities with respect to the merchants relationship management.
• For the services of proof and personal identity verification, such as providing services to support electronic know your customer (E-KYC), digital identity verification process.
• For purposes of marketing, sales promotions and communication, such as for carrying out activities related to marketing and communication, marketing advertising, sales, special offers, news, public relations, promotion and presentation of the Company’s products and services, financial business group, the Company’s affiliates, business alliances and other legal entities as specified by you or the services that you had used, including information of products and services that are directly and indirectly close to your interest and history, for enabling you to participate in the sales offering, offers and privileges, campaigns, events, seminars, contests, sweepstakes, lucky draws, booths and events with branches for meeting with you, including other sales promotions and all relevant advertising services for facilitating you to participate in the Company’s activities, in case the Company does not require your consent.
• For management of websites, mobile applications and platforms, such as administration, operation, monitor, examination and management of websites, applications and the Company’s platforms. All these activities are aimed to improve styles and contents of the Company’s websites and platform in order to reach higher level of merchant/user convenience and satisfaction and to ensure that all these platforms are properly functional, efficient, and safe for merchant/user of the Company.
• For management of information technology, such as for the purpose of business operations of the Company, including information technology operation, information technology security and information technology security monitoring, business management in compliance with internal regulations policies and procedures.
• For compliance with laws,such as compliance with laws, legal procedures or order of government agencies, including government agencies outside Thailand and/or in cooperation with courts, government authorities, law enforcement, when the Company has a reason to believe that the laws enforce the Company to do so. If it is necessary to disclose your personal data in compliance with laws, procedures or government orders, for conducting VAT collection and refund services, for tax invoices, or filing full tax returns, for recording and monitoring communication, for dealing with police tickets and road taxes, for reporting suspicious transactions to money laundering prevention and suppression agency, for disclosure of information to tax authorities, law enforcement of financial services and other government agencies and law enforcement agencies and crime investigation or crime prevention.
• For verification and prevention of the Company business risks, such as for your personal verification, for monitoring the compliance with the law and other regulations (for compliance with the money laundering prevention and suppression and corruption prevention regulations, cyber threats, breach of contract, violation of law (such as money laundering, supporting financial to terrorism and proliferation of weapons of mass destruction, wrongdoing in property, life, body, liberty and reputation)), conducting monitoring and internal record, property management, monitoring business risks in the Company database, disclosure of personal data for acceleration in the Company’s operations or legal entities in the same business group with the Company in prevention, dealing with, reducing or conducting the same manner in order to eliminate such risks.
• For risk management, such as management of risks, efficiency monitoring and risks evaluation in order to set risks index, making summary report for risks management in order to evaluate and predict potential risks, including solutions towards the products risk evaluation and giving suggestion in case there are changes and finding solutions for the risk management.
• For conducting other duties of the Company, for your personal data, depending on the relationship between the Company and you, such as you as the Company’s shareholder, the Company will conduct the shareholders meeting or you as a board of director member or an executive or an advisor to the Company that has been appointed by the Company or you as securities holder or the property that the Company is a securities registrar or a custodian of private funds, including you as any status that the Company shall proceed with the obligations of the relevant agreements.

In this respect, if you do not provide personal data to the Company, it may have impact on you, for instance, the Company may not proceed with your requests; you may experience some inconvenience or do not obtain the performance of agreements and you may receive damage or lose opportunities. In addition, your refusal to provide personal data may affect the compliance with any law that the Company or you must comply with and may have related penalties as a consequence.

2.3 Management of the sensitive personal data collected by the Company prior to the effective date of the PDPA with the Company

If you are an existing merchant of the Company prior to the effective date of the PDPA, the Company may collect sensitive personal data, such as (1) religion, (2) race, (3) sensitive personal data for transactions or legal transactions and (4) sensitive personal data for using the products and/or other services, in this regard, for collection of documentary evidence only, the Company will not use such sensitive personal data for other purposes.

3. Who does the Company disclose or transfer your personal data to?

The Company may disclose or transfer your personal data to the following third parties, whereby the collection, use or disclosure and/or overseas transfer of personal data for purposes under this Privacy Policy. These third parties may live or be incorporated in Thailand or abroad and you can check on the privacy policy of such third parties in order to understand the details regarding the methods of the collection, use and/or disclosure of your personal data, since you are a data subject as specified in the privacy policy of such third parties.

3.1 Affiliates

The Company may have to disclose your personal data, for the purposes specified in Clause 2 herein, to the Company’s affiliates. The disclosure of your personal data to such affiliates will make such other companies be able to use your consent obtained by the Company.

3.2 The Company’s Service providers

The Company may outsource the Company’s services on behalf of the Company in order to assist operations and to provide you with products and services, including any procedure for providing you benefits. The Company may share your personal data to the outsourcing parties, the representative’s service providers, service providers of supporting business entrepreneurship, subcontractors, any service providers or any service providers for supporting the Company’s services, including but not limited to (1) internet service providers, software developers, website developers, digital media developers, information technology service providers and service providers of digital products, such as creation and provision of digital platforms, including other services with respect to technologies (Platform as a Service), applications or any other working system to the Company, the services of personal identity verification to the Company, (2) logistics and transportation service providers, (3) payment and payment system service providers, (4) research service providers, (5) analytics service providers, (6) survey service providers, (7) auditors, (8) customers services hotlines, (9) marketing, advertising, design, creative and communication service providers, (10) event, campaign, marketing and merchant relationship management service providers, (11) telecommunications service providers, (12) administrative service providers, (13) cloud storage service providers, (14) printing service providers, (15) lawyers, legal counsels for the Company’s benefits, including exercising legal claims and defending against legal claims, audits and/or other professionals in assisting the Company’s business operations and (16) document storage and/or disposal service providers.

During the provision of such services, the service providers may have the right to access your personal data, however the Company will only provide your personal data to the service providers as necessary for the services. The Company will ensure that the service providers must protect a security of your personal data in compliance with the law.

3.3 Third parties as specified by laws

In some cases, the Company may have to disclose your personal data in compliance with the laws, including orders issued by laws which include law enforcement agencies, courts, Legal Execution Department, authorities, government agencies or other persons that the Company believes it is necessary to comply with the laws or to protect the Company’s rights, the rights of third parties or for the security of persons or for inspection, prevention or corruption problem solving, security, safety, including any other risk.

3.4 Third parties

The Company may disclose your personal data under the legal basis according to the purposes specified in this Privacy Policy to other third parties, such as representative company, partner bank, other banks, other persons who make a transaction with you or relating to your transactions, other persons as legally referred to, members of digital identity verification system and service providers of digital identity verification system, as the case may be.

4. Overseas transfer of your personal data

The Company may overseas transfer your personal data to other countries which may have a higher or lower standard of personal data protection than Thailand, such as when the Company collects your personal data on cloud platforms or servers outside Thailand for information technology support or when the Company must send information of international money transfer transactions to overseas Company through an intermediary of international money transfer, as the case may be.

When it is necessary for the Company to transfer your personal data to other countries which having a lower standard of personal data protection than Thailand, the Company shall procure to ensure that there is an appropriate protection measure or personal data protection laws allow the transfer of personal data, e.g., the Company may have to obtain a confirmation according to the contract from third parties who have access to such personal data that your personal data shall be protected under the same personal data protection standard of Thailand.

5. Duration of personal data storage period

The Company shall retain your personal data for a necessary period for compliance with the purposes stated in this Privacy Policy. In this respect, for compliance with the law, the Company may have to retain your personal data as long as is required by laws.

6. Your personal data security

We take reasonable measures to help protect information about you from loss, theft, misuse, unauthorised access, disclosure, alteration, and destruction. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed. We limit access to your personal data to those employees, agents, contractors, affiliates, and other third parties who are necessary in order to conduct our business with you. They will only process your personal data per our instructions, and these third parties must keep your personal data confidential. We may also share your personal data with third parties when we have been given consent by you to do so and/or instructed by you to do so.

We have put in place procedures to deal with any suspected personal data breaches and we will notify you and any applicable legal authority or regulator of a breach when we are legally required to do so.

7. Online Collection of Personal Data from Third Party Sites

We also collect Information from other third-party online sources (the “Sites”). The Sites use cookies and other technologies to collect information about you. These technologies record information about your use of our Sites, including information about your Internet browser and device data pertaining to your:

1. IP address;

2. Device type;

3. Operating system;

4. Internet browser type;

5. Screen resolution;

6. Operating system name and version;

7. Device manufacturer and model;

8. Language;

9. Plug-ins;

10. Add-ons;

11. The language version of the Sites you are visiting;

12. Usage data (including but not limited to the time spent on the Sites, pages visited, links clicked, language preferences, and the pages that led or referred you to our Sites).

We also may collect information about your online activities on Sites and connected devices over time and across third-party websites, devices, apps and other online features and services. We use Google Analytics on our Sites to help us analyse your use of our Sites and diagnose technical issues.

In order to collect information on the Sites we use cookies. You can control our use of cookies and third- party analytics, please see our Cookies Policy for more information.

8. Your rights as the Data Subject

Rights stated in this section mean legal rights relating to your personal data whereby you may use these rights with persons required by laws, in this regard, under the conditions stipulated by law and the process of the rights management of the Company, such rights include the following rights:

(1) Right of access to personal data, you may have the right to access personal data or request for a copy of personal data that the Company collected, used, disclosed and/or overseas transferred of your personal data, for your privacy and security, the Company may request you to verify personal identity before providing you with personal data as requested.

(2) Right to rectification of personal data, you may have the right to rectify your personal data that the Company collected, used, disclosed and/or overseas transferred of your personal data if such personal data is incomplete, incorrect, misleading or not up-to-date.

(3) Right to data portability of personal data, you may request the Company to provide your personal data in electronic format with an explicit structure and to transfer such personal data to other data controllers, whereby this data is (a) your personal data provided to the Company, (b) the Company collected, used, disclosed and/or overseas transferred of personal data with your consent or for compliance with the contract between the Company and you.

(4) Right to object of personal data, you may have the right to object some types of the collection, use, disclosure and/or overseas transfer of personal data, such as objection to direct marketing purpose.

(5) Right to restriction on the use of personal data, you may have the right to restrict the use of your personal data in some cases.

(6) Right to withdraw consent, you may have the right to withdraw your consent at any time for purposes that you gave your consent to the Company to collect, use, disclose and/or overseas transfer your personal data.

(7) Right to erasure of personal data, you may have the right to request the Company to erase your personal data or anonymize your personal data, however there is an exemption for the Company not to take such actions if the Company must retain such personal data in order to comply with the laws or to lawfully establish legal claims or to lawfully exercise legal claims or to lawfully defend against legal claims.

(8) Right to complaint, you may have the right to complain to the relevant authorities if you believe that the collection, use, disclosure and/or overseas transfer of your personal data was unlawful or violated the law on personal data protection.

If you want to use any right specified in this section, you can do so by contacting through the following channels:

Request for using any right above may be restricted by the relevant laws, in some cases, the Company can appropriately and rightfully reject your request, such as when the Company must comply with the laws or court orders.

If you believe that the collection, use, disclosure and/or overseas transfer of your personal data by the Company violated personal data protection laws, you have the right to make a complaint to the relevant authorities with respect to personal data protection. However, you may initially inform the Company of your concern in order for the Company to consider solving your concern, please contact the Company through the following channels:

9. Amendment

The Company may revise, change, or amend this Privacy Policy in accordance with the Bank’s practice guidelines on personal data protection, the services under the Website/Platform, including the Merchant’s suggestion or opinions, the Company shall inform the Merchant of any revision, changes or amendment of this Privacy Policy in writing expressly prior to proceed those action, or may announce to the Merchant directly through any communication channel specified by the Company. If such revise, change, or amend significantly affects your personal data, the Company will notify you in advance regarding such revise, change, or amend prior to the effectiveness.

10. Applicable laws

This Privacy Policy shall be governed by data privacy laws in Thailand jurisdiction.

11. Contact Us

If you have any inquiry regarding this Privacy Policy, please contact the Company or the Company’s personal data protection officer as detailed below:

• Lianlian Pay Electronic Payment (Thailand) Co., Ltd.

  - 88 Paso Tower, 20th Floor, A2 Room, Silom road, Suriyawong, Bangrak, Bangkok 10500.

  - Tel: 02-062-2977

  - cs-thaipay@lianlianpay.com

  - https://www.lianlianpay.co.th/

• Data Protection Officer (DPO)

  Data Protection Department

  - 88 Paso Tower, 20th Floor, A2 Room, Silom road, Suriyawong, Bangrak, Bangkok 10500.

  - DPO@lianlianpay.com