Privacy Notice
Last Updated: 13 February 2023
Dear Customers, Investors/ Shareholders or Your Proxy Holders
Worldlease Company Limited (“Company”) values privacy and strives to protect your personal data or personal data relating to individuals connected to your business (“Personal Data”) based on the laws of Thailand.
This Privacy Notice explains: -
- What kind of Personal Data does the Company collect? This includes what you tell the Company about yourself or the individuals connected to your business (“you”, “your” or “yourself”) which shall include employees, staff members, directors, representatives, shareholders or ultimate beneficial owners of you if you are a juristic person and what the Company learns by having you as the customer, and the choice you give the Company about what marketing materials you want the Company to send to you?
In addition, this includes investors/ shareholders or their proxy holders.
- How does the Company use your Personal Data?
- Who does the Company disclose the Personal Data to?
- What are the choices the Company offers, including how to access and update your Personal Data?
- What are your privacy rights and how does the law protect you?
1. Collection of Personal Data
The Company collects many different kinds of Personal Data, depending on various circumstances and nature of requested products, services and/or transactions performed.
The Company collects the Personal Data about you from a variety of sources, including but not limited to:-
- When you apply for the Company’s products and/or services
- When you talk to the Company on the phone or in branch, including recorded calls, e-mails, notes and other means
- When you use the Company’s websites or mobile device applications. This includes cookies and other internet tracking software to collect the Personal Data. Please refer to the Company’s Cookies Policy for more information
- Information received from insurance claims or other documents
- Any financial reviews and explanations
- Customer surveys
- When you take part in the Company’s marketing activities
- When you manifestly publish your Personal Data, including via social media; in this case, the Company will collect your Personal Data from your social media profile(s), to the extent that you choose to make your profile publicly visible
- When the Company receives your Personal Data from third parties, e.g., your employer, the Company’s customers, credit reference agencies, law enforcement authorities or any governmental agencies, etc.
- When the Company receives Personal Data of investors/ shareholders or your proxy holders both directly from the data subject and/ or from the data collection executed by the securities registrar, e.g. Thailand Securities Depository Company Limited.
The Company sometimes collects the Personal Data from additional online and offline sources including commercially available third-party sources, such as credit reporting agencies (including the National Credit Bureau). The Company may combine this information with the Personal Data the Company has collected about you under this Privacy Notice.
In some instances, the Company may engage unaffiliated third parties to collect the Personal Data about your online activities when you visit the Company’s online sources. The Company may also use the Personal Data collected across non-affiliated websites for the purpose of serving you advertisements related to your browsing behaviour. While the Company engages in this practice, the Company will provide an appropriate notice and choice so that you can opt out of such collection.
The categories of Personal Data about you that the Company collects, subject to the applicable law, include but are not limited to: -
- Personal details: Name(s), last name, gender, date of birth, marital status, personal identification number, passport number, other government issued identification number(s) or Personal Data provided in any documents issued by government or authorities, tax identification number; nationality, image of passport, driving license, signatures, authentication data, information provided by you as answer to the Company’s authentication question (e.g., passwords, password recovery answers, PINs, facial and voice recognition data, etc.), photographs, CCTV images and motor vehicle registration number
- Family details: Names and contact details of family members and dependents
- Contact details: Address, telephone number, email address and social media profile details
- Education history: Details of your education and qualifications
- Financial details: Billing address, details of Company account, account holder’s name and details, instruction records, transaction details and counterparty details
- Transactional data: Full beneficiary names, address and other details including communications on bank transfers of the underlying transaction
- Electronic data: IP addresses, cookies, activity logs, online identifiers, unique device identifiers and geolocation data
- CCTV data and geolocation data: Data showing locations of withdrawals or payments for security reasons, or to identify the location of the nearest branch or service suppliers for you
- Sensitive Personal Data: The Personal Data that the law specifically prescribes, including Personal Data in relation to race, ethnicity, political opinion, doctrinal, religious or philosophical beliefs, sexual behaviour, criminal records, health records, disability, labour union data, genetic or biometric data or any other data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee of Thailand.
2. Use of Personal Data
The Company may collect, use and/or disclose your Personal Data only if the Company has proper reasons to do so. This includes sharing it outside the Company.
The Company will rely on one or more of the following lawful grounds when collecting, using and/or disclosing your Personal Data: -
- When it is to fulfil a contract the Company has with you (contractual basis) – that is when the Company needs your Personal Data to deliver a contractual service to you or before entering into a contract with you;
- When it is the Company’s legal obligation (legal obligation) – that is when the Company needs to collect, use and/or disclose your Personal Data to comply with the law or statutory obligation;
- When it is in the Company’s legitimate interest (legitimate interest) – that is when the Company collects, uses and/or discloses your Personal Data for the Company’s legitimate interest as permitted under the law, so long as your fundamental rights are not overridden by the Company’s legitimate interest; and/or
- When you consent to it (consent) – that is when you allow the Company to collect, use and/or disclose your Personal Data for certain purposes.
The purposes and legal basis for which the Company may collect, use and/or disclose your Personal Data are as follows: -
Purposes of data collection, use and/or disclosure | Lawful basis for collection, use and/or disclosure
Provision of products and services
- To verify, authenticate you and perform credit reference check
- To deliver the Company’s services and/or products
- To carry out and manage a payment
- To manage the Company’s relationship with you or your business
- To communicate with you via email, telephone, text message, social media, post or in person about the Company’s products and/or services, information, notification (non-marketing purposes), e.g., notification of branch closure.
- To facilitate insurance and financial services
- To analyze your credit and repayment behavior scoring as part of a lending process
- To collect, use and/or disclose the sensitive Personal Data which are religious, health record or biometric data, e.g., facial simulation, fingerprint simulation, iris simulation, voice identification, etc., for the purpose of identity proof and verification and/or transactions via digital means, branches, websites or any other modes, etc.
Fulfilling legal obligations
- To submit regulatory reports to relevant authorities
- To prevent and detect money laundering or financing of terrorism and comply with regulation relating to sanctions and embargoes through the Company’s Know Your Customer (KYC) process (to identify you, verify your identity, screen your details against sanctions lists and determine your profile) and perform a Client Due Diligence (CDD) as prescribed by anti-money laundering law and other relevant law
- To comply with applicable laws and regulations
Provision of customer support
- To ensure customer satisfaction and provide professional customer support
- To communicate with you through various channels
- To respond to inquiries and keep records of interactions, comments and/or complaints
- To process your orders or requests such as data correction, request of document, etc.
Business operation
- To identify issues with products and services
- To carry out and improve business activities
- To do statistical reports, market research, analytic report (non-marketing/promoting product and services)
- To plan the improvements to the existing products and services
- To carry out and improve a business performance
Lawful basis: Contractual basis; Legitimate interest
Security and risk management
- To prevent crimes and manage security (for example, use of CCTV (which may collect / record your photos, videos or voice))
- To investigate, report and seek for a financial crime prevention
- To seek and/or provide legal advisory within the Company
Lawful basis: Legal obligation; Legitimate interest; Contractual basis
Marketing
- To develop and carry out any marketing activities
- To communicate with you via email, telephone, text message, social media, post or in person about the Company’s, CIMB group and/or trusted partners’ products and/or services that you may be interested in
- To personalize the marketing messages and send to you
- To let the Company’s trusted partners send you the information regarding the products and/or services that you may be interested in
- To study how you use the products and/or services (analysis for promoting product/service)
- To test, research, analyze and develop new products/ new features of products and/or services
Lawful basis: Consent; Legitimate interest
Management of Affairs Related to Investors/ Shareholders or Their Proxy Holders
- To execute various affairs, e.g. management of shareholders’ meeting, verification of identity and signature for entering into transaction or exercising statutory rights as a shareholder, document submission, which are in compliance with relevant laws and regulations, e.g. Financial Institutions Business Laws, Securities and Exchange Laws, Public Limited Company Laws.
- To execute various affairs for legitimate interest purpose, e.g. shareholders’ meeting minutes taking, recording/ broadcasting of photos, videos or voice during the meeting, implementing security measures.
When the Company relies on the legitimate interests as the reason for collecting, using and/or disclosing the Personal Data, it has considered whether your fundamental rights are overridden by the Company’s legitimate interests and has concluded that they are not.
If you fail to provide your Personal Data to the Company
Where the Company is required by law to collect your Personal Data or needs to collect your Personal Data under the terms of a contract the Company has with you and you fail to provide your Personal Data when requested, the Company may not be able to perform its obligations under the contract the Company has with you or plans to enter into with you (for example, to provide you with the Company’s account opening services). In this case, the Company may have to decline to provide the relevant services, but the Company will notify you if this is the case at the time your Personal Data is collected.
3. Disclosure of Personal Data
The Company may share your Personal Data with others where it is lawful to do so, including where the Company or other person: -
- needs to perform obligations under a contract regarding the products or services (e.g., to fulfil a payment request, etc.)
- has legal duties to do so (e.g., to assist with detecting and preventing fraud, tax evasion, financial crime and money laundering)
- needs to do so in connection with regulatory reporting, litigation, or asserting or defending legal rights
- has legitimate interest to do so (e.g., to manage risk, verify identity, enable another company to provide you with the services you have requested or assess your suitability for the products and/or services) and/or
- asks for your consent to share it, and you agree.
The Company may share your Personal Data for the above purposes with others, including: -
- other CIMB group companies and any sub-contractors, agents or service providers who work for the Company or provide the services to the Company or other CIMB group companies, including their employees, sub-contractors, service providers, directors and officers
- any trustees, beneficiaries, administrators or executors
- people who give guarantee or other securities for any amount you owe the Company
- people you make the payment to and/or receive the payment from
- your intermediaries, correspondent and agent company, clearing houses, clearing or settlement systems, market counterparties and any company you carry out investment services through the Company
- other financial institutions, lenders and holders of securities, tax authorities, trade associations, credit reference agencies, payment service providers and debt recovery agents
- any fund managers who provide asset management services to you and any brokers who introduce you to the Company
- any people or companies where required in connection with a potential or actual corporate restructuring, merger, acquisition or takeover, including any transfer or potential transfer of any of the Company’s rights or duties under the Company’s agreement with you
- law enforcement, government, courts, court procedures, dispute resolution bodies, the Company’s regulators, auditors and any parties appointed or requested by the Company’s regulators to carry out investigations or audits of the Company’s activities
- other parties involved in any disputes, including disputed transactions
- fraud prevention agencies who will also use it to detect and prevent fraud and other financial crime and to verify your identity
- anyone who provides instructions or operates any of your accounts, products or services on your behalf (e.g., Power of Attorney, solicitors, etc.)
- anybody else that the Company has been instructed by you to share your Personal Data with and/or
- other parties involved in any marketing purposes
There may be instances in which the Company may share non-personally identifiable information about you with third parties, such as advertising identifiers or one-way coding (cryptographic hash) of a common account identifier, such as a contact number or e-mail address, to enable the conduct of targeted advertising.
Except as described in this Privacy Notice, the Company will not use the Personal Data for any purposes other than the purposes as described to you in this Privacy Notice. Should the Company intend to collect, use or transfer additional information which are not described in this Privacy Notice, the Company will notify you and obtain your consent prior to the collection, use and disclosure unless the Company is permitted to do so without your consent under the law. You will also be given the opportunity to consent or to decline approval of such collection, use and/or transfer of your Personal Data.
The Company will continue to adhere to this Privacy Notice with respect to the information the Company has in its possession relating to prospective, existing and former clients and investors/ shareholders or their proxy holders.
Cross-border Transfer of Personal Data
Your Personal Data may be transferred to and collected and/or used in other countries, including Malaysia.
Such countries may not have an adequate level of protection for the Personal Data as will be prescribed by the Personal Data Protection Committee of Thailand. When the Company does this, the Company will ensure that the transfer has an appropriate level of protection and that the transfer is lawful. For example, your Personal Data may be shared with other CIMB group companies in accordance with the Company’s Binding Corporate Rules (BCRs) or other relevant contractual arrangements, which require all CIMB group companies to follow the same rules or terms when collecting, using and/or disclosing your Personal Data. If you wish to request a copy of the Company’s BCRs, you can do so by contacting the Company at dpo@worldlease.co.th.
The Company may need to transfer the Personal Data in this way to carry out the Company’s contract with you, fulfill the legal obligations, protect the public interests and/or for the Company’s legitimate interests. In some countries, the law might compel the Company to share certain Personal Data, e.g., with tax authorities or National Bank. Even in these cases, the Company will only share the Personal Data with people who have the right to see it.
4. Retention of Personal Data
The Company will only retain your Personal Data for as long as it is necessary to carry out the purposes for which it was collected, that is, for the purpose of satisfying any regulatory reporting requirements, carrying out the Company’s service per your request or compliance with the applicable laws.
The Company will keep your Personal Data for up to 10 years after you stop being the Company’s customer to ensure that any contractual dispute that may arise can be processed within that time. However, in the event of regulatory or technical reasons, the Company may keep your Personal Data for more than 10 years. If the Company does not need to retain your Personal Data for longer than it is legally necessary, the Company will destroy, delete or anonymize it (so that it can no longer be associated with you).
Where you receive the products and/or services from a third party, e.g., an insurance company, who has been introduced to you by the Company, such third party may keep your Personal Data in accordance with additional terms and conditions applying to their product and/or services.
5. Accuracy of your Personal Data
The Company needs your help to ensure that your Personal Data is current, complete and accurate. Please inform the Company of any changes to your Personal Data by: -
- contacting the Company’s representative at our branches or Worldlease Care Center Tel. 0 2096 4599
- updating your information at/via our branches or Worldlease Care Center Tel. 0 2096 4599
The Company will occasionally request the updates from you to ensure the Personal Data the Company uses to fulfill the purposes of collection, use and/or disclosure are current, accurate and complete.
6. Your rights as data subject
Under certain circumstances, you have rights under data protection law in relation to your Personal Data. It is the Company’s policy to respect your rights and the Company will act promptly and in accordance with any applicable law, rule or regulation relating to the collection, use and/or disclosure of your information.
Details of your rights are set out below: -
- Right to withdraw consent: When the Company collects, uses and/or discloses your Personal Data under your consent, this right enables you to withdraw your consent to the Company’s collection, use and/or disclosure of your Personal Data, which you can do at any time. The Company may continue to collect, use and/or disclose your Personal Data if the Company has another legitimate reason to do so.
- Right of Access: This enables you to receive a copy of your Personal Data from the Company.
- Right to rectification or correction: This enables you to have any inaccurate, outdated and/or incomplete Personal Data corrected. Please see above in 5. (Accuracy of your Personal Data) for detail of how you can request to have your Personal Data corrected.
- Right to erasure or deletion: This enables you to ask the Company to delete, destroy or anonymize your Personal Data where there is no good reason for the Company to continue collecting, using and/or disclosing it. You also have the right to ask the Company to delete your Personal Data where you have exercised your right to object to collection, use and/or disclosure (see below). This is not a blanket right to require all Personal Data to be deleted. The Company will consider each request carefully in accordance with the requirements of any laws relating to the collection, use and/or disclosure of your Personal Data.
- Right to restriction of processing: This enables you to ask the Company to suspend the collection, use and/or disclosure of your Personal Data, for example, if you want the Company to establish its accuracy or the reason for collecting, using and/or disclosing it.
- Right to data portability: In certain circumstances, you can request to receive a copy of your Personal Data in a commonly used electronic format. This right only applies to your Personal Data that you have provided to the Company. The right to data portability only applies if the collection, use and/or disclosure is based on your consent or if the Personal Data must be collected, used and/or disclosed for the performance of obligation under a contract.
- Right to object to the collection, use, or disclosure: This enables you to object to the collection, use and/or disclosure of your Personal Data where the Company is relying on the legitimate interest. You also have the right to object where the Company is collecting, using and/or disclosing your Personal Data for direct marketing purposes and profiling activities.
Customers are able to file a complaint with a related government authority, including but not limited to, the Personal Data Protection Committee of Thailand in the case where, in your view, the Company, the Company’s employee or contractor violates or fails to comply with the Personal Data Protection Act of Thailand B.E. 2562 (2019) or notifications issued thereunder.
You may exercise any of your rights at any time using the contact details set out in 10. (Contact us) below. The Company may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, the Company may refuse to comply with your request in these circumstances.
The Company may need to request specific information from you to help the Company confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that your Personal Data is not disclosed to any person who has no right to receive it. The Company may also contact you to ask you for further information in relation to your request to speed up the Company’s response.
The Company tries to respond to all legitimate requests within 30 days. Occasionally, it may take the Company longer than 30 days if your request is particularly complex or you have made a number of requests. In this case, the Company will notify you and keep you updated.
Handling of complaints
In the event that you wish to make a complaint about how the Company collects, uses and/or discloses your Personal Data, please contact the Company at our branches or Worldlease Care Center Tel. 0 2096 4599 and the Company will try to consider your request as soon as possible. This does not prejudice your right to file a complaint with a government authority that has a data protection authority.
7. Security of your Personal Data
Information is the Company’s asset and therefore the Company places a great importance on ensuring the security of your Personal Data. The Company regularly reviews and implements up-to-date physical, technical and organizational security measures when collecting, using and/or disclosing your Personal Data. The Company has internal policies and controls in place to ensure that your Personal Data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by the Company’s employees in the performance of their duties. The Company’s employees are trained to handle the Personal Data securely and with utmost respect, failing which they may be subject to a disciplinary action.
8. Your responsibilities
You are responsible for making sure that the Personal Data you give the Company, or that is provided on your behalf, is accurate and up to date, and you must tell the Company as soon as possible if there are any updates.
You have some responsibilities under your contract to provide the Company with the Personal Data. You may also have to provide the Company with the Personal Data in order to exercise your statutory rights. Failing to provide the Personal Data may mean that you are unable to exercise your statutory rights.
Certain Personal Data, such as contact details and payment details, must be provided to the Company in order to enable the Company to enter into the contract with you. If you do not provide such Personal Data, this will hinder the Company’s ability to administer the rights and obligations arising as a result of the contract efficiently.
9. Revision of the Company’s Privacy Notice
The Company keeps the Privacy Notice under a regular review and thus the Privacy Notice may be subject to change. The date of the last revision of the Privacy Notice can be found on the top of the page.
10. Contact us
If you have any questions in regard to the protection of your Personal Data or if you wish to exercise your rights, please contact: -
- Any Customer Service Officer at any of the Company’s branches
- Worldlease Care Center Tel. 0 2096 4599
- Data Protection Officer: E-mail dpo@worldlease.co.th
- Worldlease Company Limited Head Office, 44 CIMB THAI Bank Building, 16th Floor, Langsuan Road, Lumpini, Patumwan, Bangkok 10330
- Worldlease Application*
Remark: This Privacy Notice shall be effective on the date on which the relevant provisions of Personal Data Protection Act B.E. 2562 (2019) (as amended) become effective against the Company.
____________________________________________________
* Right to withdraw consent only