Customer Privacy Policy

TMBThanachart Bank Public Company Limited (the “Bank”) recognizes the importance of protecting the personal data of its customers (the “Customer”). The Bank therefore applies high standards and strict data protection processes to safeguard the Customer’s personal data from unauthorized or unlawful access, use, change or disclosure. Customers can review the information on personal data protection as follows:

Objective of this privacy policy

This privacy policy is intended to inform the Customer, as a data subject, of (1) what kinds of personal data the Bank collects, uses, discloses and transfers to other countries, (2) the purposes of data processing and how personal data is processed, and (3) how the Bank transparently demonstrates its response to data subject rights as prescribed under applicable law.


The Bank may review and amend this policy from time to time to comply with applicable laws and/or subordinate legislation, regulations or announcements of any government authority that may be newly issued. If this policy is amended, the Bank will publish the updated version as early as possible so that it is up to date and in accordance with the new legislation.

What kind of personal data does the Bank collect, use and/or disclose?

“Personal data” under applicable law means any data about an individual that can identify the Customer, whether directly or indirectly (except for the deceased), irrespective of whether it is provided by the Customer, is in the possession of the Bank, or is received by the Bank and/or accessed from other reliable sources (as set forth herein). The personal data of the Customer that the Bank collects, uses and/or discloses consists of general personal data and sensitive data.

General Personal Data is defined as follows:

  • Identification Information such as first name, last name, identity card number, passport number, birth date, address, e-mail address, telephone number, etc.
  • Transaction Information such as account number for deposits/investment fund, credit card number, debit card number, statement of credit/debit account, etc.
  • Financial Information such as income information, history of credit information with the Bank or repayment records, information from the Legal Execution Department’s database, etc.
  • Marital Status such as single, married, etc.
  • Online Behavior Information from internet browsing, such as browsing websites to search for the Bank’s products, cookies, or any connection to search engines, etc.
  • Audio/Visual Information when the Customer contacts the Bank’s office or conducts a transaction via video call or via ttb contact center at 1428, or +66 2241 1428 for customers abroad.

Sensitive Data

Sensitive Data means personal data about race, religion, political opinion, criminal record, labor union, disability record, genetic information, health record, credit information, and biometric information used for verification purposes, such as fingerprint, facial recognition, iris scan, voice recognition, etc. The Bank has no policy to collect the Customer’s sensitive data unless the Bank has received the Customer’s consent for (a) Customer/applicant authentication when they transact with the Bank and/or (b) use as an electronic signature for any transaction via digital channels at branches or the Bank’s website.
Both types of personal data are hereinafter referred to as the “Data”.
The Bank may collect personal data of the Customer from other reliable sources such as the Department of Business Development, Ministry of Commerce, Department of Local Administration, Ministry of Interior, Department of Consular Affairs, Ministry of Foreign Affairs, Credit Bureau Company and Legal Execution Department, including but not limited to financial institutions, the financial group and/or the Bank’s business partners and/or financial advisors, etc.

What are the basis/purpose and rights of the Bank to collect, use and/or disclose personal data?

The basis/purpose and rights of the Bank to collect, use and/or disclose personal data are as follows:

  1. Contractual basis between the Customer and the Bank, which includes:
    • To allow the Customer to use products and/or services of the Bank, such as opening accounts, applying for loans, using various services via mobile application, etc.
    • To comply with the Bank’s internal processes: when the Customer would like to open an account or transact with the Bank, the Bank shall verify whether the Customer is the real account owner, as well as the address and/or telephone number the Bank uses to contact the Customer.
  2. To arrange collateral insurance or life insurance of the Customer in which the Bank is identified as the beneficiary, or debtor’s portfolio insurance, such as requesting a guarantor from the Thai Credit Guarantee Corporation for Small-Medium Entrepreneur customers, or default risk insurance with EXIM Bank, etc.
  3. To sell a loan portfolio to a third party, such as transferring non-performing loans to an asset management company, etc.
  4. To send and receive documents between the Customer and the Bank.
  5. To perform the collection process as defined in a loan agreement with the Bank.
  6. To perform legal obligations as follows:
    • To prevent and detect any irregular transactions that lead to unlawful activity such as money laundering, terrorism, fraud, reporting the Customer’s information to the Revenue Department, etc.
    • To report personal data to government authorities such as the Bank of Thailand, the Anti-Money Laundering Office or the Revenue Department, or when receiving a summons or precept of attachment from government sectors or courts, etc.

Legitimate interest of the Bank includes:

  1. To prevent, oppose and reduce risks relating to fraud, cybersecurity and law violation (such as money laundering, financial support for terrorism and the proliferation of weapons of mass destruction, any offenses that damage property/life/body/freedom/reputation), which includes disclosing personal data in order to raise the organizational operating standards in the financial group to prevent and mitigate the mentioned risks.
  2. To record CCTV footage of the Customer’s transaction activities at the Bank’s main offices or branches for security purposes on the Bank’s property.
  3. To manage risks, auditing and internal management, including disclosure of personal data to subsidiaries in the same financial group, but not covering cross-border data transfer to countries outside Thailand.
  4. To verify emails sent and received, or internet use, between employees and customers in order to prevent the disclosure of confidential data and secrets to third parties.
  5. To propose similar products matching the Customer’s needs and/or conduct marketing research for product development, or to maintain the customer relationship, such as complaint handling, etc.

However, if the Customer does not provide personal data to the Bank, this may affect the Customer and the Bank where both parties must perform a contract or legal obligation relating to any transaction. In addition, the Customer may not receive the right offer for products and services that suit his/her needs. This may also cause damage or opportunity loss and may be subject to penalty under applicable laws.

To whom will the Bank disclose the Customer’s data? Which lawful basis will be applied?

The Bank will not disclose the Customer’s personal data to a third party that is not in the Bank’s financial group except where (a) the Bank obtains the Customer’s consent, (b) the Bank performs a transaction at the Customer’s request, (c) the disclosure is lawful data processing or a legal obligation, or (d) the disclosure is to the credit bureau or to any similar organization.
The Bank discloses personal data of the Customer to the following recipients:

  1. The Bank’s financial group which consists of TMBThanachart Broker Company Limited and Phahonyothin Asset Management Company Limited.
  2. Service providers located in Thailand and outside Thailand, such as software developers, marketing event organizers, researchers, cloud service providers, collection companies, etc.
  3. Other financial institutions, whether located in Thailand or outside Thailand, such as other banks that provide payment services for Customers, etc.
  4. Assurance/life insurance companies.
  5. Juristic persons that purchase bad loans from the Bank, such as asset management companies, etc.
  6. Government authorities and/or regulators such as the Bank of Thailand, Anti-Money Laundering Office, the Revenue Department, Office of Insurance Commission, Securities and Exchange Commission, Stock Markets, courts, police or any government agencies that issue a summons or precept of attachment requesting the Bank to disclose personal data or send assets, such as the Legal Execution Department, etc.

How does the Bank protect the Customer’s personal data?

The Bank has developed and implemented policies, operating procedures and minimum standards to manage the Customer’s personal data, comprising both technical and organizational measures, to safeguard personal data and prevent data privacy violations, such as the Information Technology Security Policy or Data Confidentiality Policy. In addition, the Bank revises and updates those internal controls (i.e. policies, procedures and minimum standards) on a regular basis in accordance with the requirements under applicable laws.


In addition, employees and personnel of any service providers have a duty to protect the Customer’s personal data in accordance with the Confidentiality Agreement signed with the Bank.


If the Bank needs to send or transfer the Customer’s personal data to any individual or entity outside Thailand that has a lower standard of data protection than Thailand, the Bank will take action as necessary to comply with the minimum requirements under data protection standards in that country, such as having a Confidentiality Agreement with a party in that country, etc.

What are the rights of a Customer regarding his/her personal data?

The Bank recognizes the importance of the Customer’s rights under the Personal Data Protection Act B.E.2562, of which the Customer should be aware, as follows:

  • Right to Withdraw Consent

    The Customer shall have the right to withdraw the consent he/she has already given to the Bank for the collection, use and/or disclosure of the Customer’s personal data at any time, except where consent withdrawal is limited under applicable laws or contracts that benefit the Customer, for as long as he/she still uses products and services of the Bank or still has a liability/obligation with the Bank, etc.

  • Right to Access Information

    The Customer shall have the right to access and receive a copy of his/her personal data under the Bank’s data management, or to request the Bank to demonstrate the collection of personal data made without the Customer’s consent.

  • Right to Data Portability

    The Customer shall have the right to access his/her personal data from the Bank. For portability to other parties, such personal data shall be in a format that is readable and usable by automatic tools or equipment. This request covers automatic data disclosure, including but not limited to (a) the right to request the Bank to send or transfer personal data to other data controllers whenever the automatic tool is in place, or (b) the right to directly receive the personal data in the mentioned format, ready to use by other controllers, unless a technical issue prevents the Bank from doing so.

  • Right to Object

    The Customer shall have the right to object to the collection, use and/or disclosure of his/her personal data in the following cases:

    1. To collect, use and/or disclose personal data supporting public interest tasks or any legal obligation of the Bank, except where the Bank demonstrates the necessity based on a compelling legitimate interest, or to establish the right for a legal claim, comply with or raise a legal excuse under applicable laws.
    2. To collect, use and/or disclose personal data for direct marketing purposes.
    3. To collect, use and/or disclose personal data for research in science, history or statistics, except for the public tasks of the Bank.
  • Right to Erasure

    The Customer shall have the right to request the Bank to erase, destroy or depersonalize his/her personal data in the following events:

    1. When the retention period for the collection and disclosure of personal data has expired.
    2. When the Customer withdraws his/her consent for the collection, use and/or disclosure of his/her personal data and the Bank is no longer authorized to collect, use and/or disclose such personal data.
    3. When the Customer objects to the collection, use and/or disclosure of his/her personal data that is no longer required under any applicable lawful basis or for direct marketing purposes.
    4. When the personal data is collected, used and/or disclosed unlawfully.
  • Right to Restrict Processing

    The Customer shall have the right to restrict the use of his/her personal data in the following events:

    1. When the Bank is investigating the Customer’s request.
    2. When the personal data must be deleted or destroyed because it is collected, used and/or disclosed unlawfully, but the Customer requests to suspend the usage of such personal data instead.
    3. When the personal data is no longer required for data collection but the Customer still needs the Bank to retain his/her personal data for establishing a legal claim, complying with or exercising his/her rights, or legal argument under applicable laws.
    4. When the Bank is in the process of demonstrating that the legitimate interest is more important than the data subject right, or is establishing a legal claim, complying with data subject rights or raising an excuse against a legal claim, after the Customer objects to the collection, use and/or disclosure by the Bank.
  • Right to Rectification

    The Customer shall have the right to request the Bank to amend information to be up-to-date, correct and not misleading.

  • Right to Complain

    The Customer shall have the right to file a complaint to the special committee if the Bank or any data processor, including but not limited to the Bank’s employees and the personnel of third parties, is in breach of the Personal Data Protection Act and/or relevant Ministerial Regulations or announcements under the said Act.

    However, the Customer’s rights mentioned above are limited to the personal data the Customer provides to the Bank, excluding any information the Bank creates for internal use, such as data analysis for loan approval, which depends on many factors. The Bank may not be able to process the Customer’s request, especially when the Bank uses Legitimate Interest as a legal ground to collect personal data, in line with the enforcement of the Personal Data Protection Act B.E.2562 and in accordance with the requirements of the Personal Data Protection Committee, as follows:

    1. The Customer still has deposit account(s), loan account(s) or other facilities with the Bank, or the Bank must keep the Customer’s personal data in accordance with the data retention period under applicable laws even though the Customer no longer has a relationship with the Bank.
    2. The request is rejected by law or court order, or access to and the request for a copy of personal data may damage the rights and freedoms of a third party, for example where the information that the Customer requests includes the personal data of other individuals, is information for which the Bank must get approval from the police, courts or authorized government officers, may include the internal information of the Bank, or is still needed by the Bank for any transaction with valid Customers whose services or contracts are still active.

What is the Customer’s duty to provide personal data?

The Bank will be able to provide services to the Customer based on contracts if the Bank receives personal data from the Customer. The collection of personal data may also be based on the legal obligation to perform Customer Due Diligence, for which the data must be accurate and up to date. Consequently, it is necessary that the Customer co-operate with the Bank on this action.

How long does the Bank keep the Customer’s personal data?

If the relationship between the Customer and the Bank ends or is terminated, the Bank shall retain the personal data for back-up purposes as required by applicable laws and by the Bank’s internal controls defined in its data retention and data disposal policies and operating procedures, such as the Anti-Money Laundering Act, which requires the Bank to retain such information for at least 10 years, etc.

How can the Customer contact the Bank?

If the Customer has any inquiry about the collection, use and/or disclosure of his/her personal data, the exercise of data subject rights or consent withdrawal for marketing purposes, or wishes to report unlawful processing of his/her personal data, the Customer can contact the Bank through these channels:


ttb contact center: Call 1428, or +66 2241 1428 for customers abroad, visit ttb branches countrywide, or e-mail ttbcontactcenter@ttbbank.com


Address: TMBThanachart Bank Public Company Limited, 3000 Phahon Yothin Road, Chom Phon, Chatuchak, Bangkok 10900

E-mail: dpo@ttbbank.com


If the Customer would like to exercise his/her rights as prescribed in the Personal Data Protection Act B.E.2562 (PDPA) or file a complaint about a data breach, please download the request form, fill in the form and submit it to the Personal Data Protection Officer (DPO) at dpo@ttbbank.com, or contact any branch countrywide at a location convenient to you.


For complaints or suggestions regarding products and services that are not related to personal data, such as mobile application bugs, the conduct of ttb staff, interest rates or loan application status inquiries, please contact ttb contact center at 1428, or +66 2241 1428 for customers abroad, ttb branches countrywide, ttbcontactcenter@ttbbank.com or ttbcustomercare@ttbbank.com (for complaints).