You Are Here: Home > About Us > Announcement
Privacy Notice for Customers

Dear Customers,

Industrial and Commercial Bank of China (Thai) Public Company Limited (the “Bank”) values your privacy and strives to protect your Personal Data or Personal Data relating to individuals connected to your business (collectively referred to as “Personal Data”) based on Personal Data Protection Act B.E. 2562 (A.D. 2019) (“PDPA”).

The terms used herein shall have the same meaning prescribed in the PDPA.

This Privacy Notice explains:
• What kind of Personal Data does the Bank collect? This includes what you tell the Bank about yourself or the individuals connected to your business (collectively referred to as “you”, “your” or “yourself”) which shall include employees, staff members, directors or representatives of you if you are a juristic person) and what the Bank learn by having you as a customer and the choices you give the Bank on what marketing you want the Bank to send to you.
• How does the Bank use, collect and disclose your Personal Data?
• Who does the Bank disclose the Personal Data to?
• What are the choices the Bank offers, including how to access and update your Personal Data?
• What are your privacy rights and how does the law protect you?

1. What kind of Personal Data does the Bank collect?
The Bank collects many different kinds of your Personal Data, depending on the various circumstances and nature of the requested products, services and/or transactions performed.

The Bank may collect the Personal Data about you from a variety of sources as follows:
• When you apply for the Bank’s products and/or services
• When you talk to the Bank on the phone or in branches, including recorded calls, posts, e-mails, notes and other means.
• When you use the Bank’s websites or mobile device applications. This includes other internet tracking software to collect the Personal Data.
• Insurance claims or other documents.
• Financial reviews and interviews.
• Customer surveys.
• When you take part in our competitions or promotion.
• When you manifestly publish your Personal Data, including via social media (e.g., the Bank may collect your Personal Data from your social media profile(s), to the extent that you choose to make your profile publicly visible).
• When the Bank receives your Personal Data from third parties, e.g., your employer, the Bank’s customers, credit reference agencies, law enforcement authorities, etc.
• When you purchase any of the Bank’s products or services from third parties
• The Bank receives your Personal Data whenever you interact with the Bank online or through any social media such as Line or Facebook or any applications of the Bank.

The Bank sometimes collects the Personal Data from additional online and offline sources including commercially available third-party sources, such as credit reference agencies (including the National Credit Bureau). The Bank may combine this information with the Personal Data that the Bank has collected about you under this Privacy Notice.

In some instances, the Bank may engage third parties to collect the Personal Data about your online activities when you visit the Bank’s online sources. The Bank may also use the Personal Data collected across non-affiliated websites for the purpose of serving you advertisements related to your browsing behaviour. While the Bank engages in this practice, the Bank will provide an appropriate notice and choice so that you can opt-out such processing.

The categories of Personal Data about you that the Bank processes, subject to the applicable law, are as follows:
Personal details: given name(s), preferred name(s), surname, gender, date of birth, marital status, personal identification number, passport number, other government issued number(s) for verifying personal identity, tax identification number; nationality, image of passport, driving license or identification card, signatures, authentication data (e.g., passwords, answer in case you forget your password, PINs, facial and voice recognition data), photographs, visual images and CCTV images.
Family details: names and contact details of family members and dependents.
Contact details: address, telephone number, email address and social media profile details.
Education history: details of your education and qualifications.
Financial details: billing address, bank account numbers, credit card numbers, cardholders or account holders’ names and details, instruction records, transaction details and counterparty details.
Electronic data: IP addresses, cookies, activity logs, online identifiers, unique device identifiers and geolocation data.

2. How do the Bank use, collect and disclose your Personal Data?
The Bank may collect, use and disclose your Personal Data only if the Bank has proper reasons and it is lawful to do so. This includes sharing it outside the Bank.

The Bank will rely on one or more of the following lawful grounds when processing your Personal Data:
• When it is to fulfil a contract the Bank has with you (Contractual Basis) – that is when the Bank needs your Personal Data to deliver a contractual service to you or before entering into a contract with you;
• When it is the Bank’s legal obligation (Legal Obligation) – that is when the Bank needs to process your Personal Data to comply with the law or statutory obligation;
• When it is in the Bank’s legitimate interest (Legitimate Interest) – that is when the Bank processes your Personal Data for the Bank’s interest as permitted under the law, so long as your interests or the fundamental rights and freedom are not overridden by the Bank’s interest; and/or
• When you consent to it (Consent) – that is when you allow the Bank to process your Personal Data for certain purposes.

The purposes for which the Bank may process your Personal Data, subject to the legal basis on which the Bank may perform such processing, are:

Purposes of data processing Legal basis for processing

Products and services

• To deliver the Bank’s products and/or services
• To manage the Bank’s relationship with you or your business
• To study how you use the products and/or services from us and other organisations
• To work on which of the Bank’s products and/or services that may interest you
• To communicate with you about the Bank’s products and/or services
• To facilitate insurance and financial services

• Fulfilment of contract
• The Bank’s legitimate interest
• Your consent

Fulfilling Legal Obligations

• To submit regulatory reports to relevant authorities
• To prevent and detect money laundering and financing of terrorism and comply with regulation relating to sanctions and embargoes through the Bank’s Know Your Customer (KYC) process (to identify you, verify your identity, screen your details against sanctions lists and determine your profile) and Client Due Diligence (CDD) as prescribed by anti-money laundering law and other relevant law
• To comply with applicable laws and regulations

• Legal Obligation

Customer support

• To make and manage customer payments
• To collect and recover money that is owed to the Bank
• Fulfilment of contract

Business improvement

• To identify issues with existing products and services
• To plan the improvements to the existing products and services
• To develop the products and services
• To develop new ways to meet the Bank’s customers' needs and to grow the Bank’s business
• To test, analyze, develop and/or launch new products and services

• Fulfilment of contract
• The Bank’s legitimate interest 

Security and risk management

• To detect, investigate, report, and seek for financial crime prevention
• To manage risk for the Bank and the Bank’s customers
• To understand and analyze your needs and satisfaction
• To protect your Personal Data
• To comply with the laws and regulations that apply to the Bank
• To respond to complaints and seek for a resolution

• The Bank’s legal duty
• The Bank’s legitimate interest
• Fulfilment of contract


• To develop and carry out marketing activities
• To communicate with you via email, telephone, text message, social media, post or in person about the Bank’s, ICBC group companies and/or trusted partners’ products and/or services that you may be interested in
• To maintain and update your contact information where appropriate.

• Your consent
• The Bank’s legitimate interest

When the Bank relies on the legitimate interests as the reason for processing the Personal Data, this means that it has considered whether your rights are overridden by the Bank’s interests and has concluded that they are not.

If you fail to provide your Personal Data to the Bank 

Where the Bank is required by law to collect your Personal Data or needs to collect your Personal Data under the terms of a contract the Bank has with you and you failed to provide your Personal Data when requested, the Bank may not be able to perform obligation under the contract the Bank has with you or plans to enter into with you (for example, to provide you with the Bank’s account opening services). In this case, the Bank may have to decline to provide the relevant services but the Bank will notify you if this is the case at the time your information is collected.

3. Who does the Bank disclose the Personal Data to?
The Bank may share your Personal Data with others where it is lawful to do so, including where the Bank or they: 

• Need to provide you with a requirement under a contract, or products and/or services you have requested, e.g., to fulfill a payment request;
• Have public or legal duties to do so, e.g., to assist with detecting and preventing fraud, tax evasion and financial crime, etc.;
• Need to, in connection with a regulatory reporting, litigation or asserting or defending legal rights and interests;
• Have legitimate business reasons to do so, e.g., to manage risk, verify identity, enable another company to provide you with the services you have requested or assess your suitability for the products and/or services; and/or
• Ask for your permission to share it, and you agree

The Bank may share your Personal Data for these purposes with others, including:
• Other ICBC group companies  and any sub-contractors, agents, business partners or service providers who work for the Bank or provide the services to the Bank or other ICBC group companies, including their employees, sub-contractors, service providers, directors and officers
• Trustee, beneficiary, administrator or executor.
• People who give guarantees or other securities for any amount you owe the Bank.
• People you make payments to and receive the payments from.
• Your intermediaries, correspondents and agent banks, clearing houses, clearing or settlement systems, market counterparties and company you carry out investment services through the Bank.
• Other financial institutions, lenders and holders of securities over any properties or assets you charge to the Bank, tax authorities, trade associations, credit reference agencies, payment service providers and debt recovery agents.
• Fund managers who provide asset management services to you and any brokers who introduce you to the Bank or deal with the Bank for you.
• People or companies where required in connection with a potential or actual corporate restructuring, merger, acquisition or takeover, including any transfer or potential transfer of any of the Bank’s rights or duties under the Bank’s agreement with you.
• Law enforcement, government, courts, dispute resolution bodies, the Bank’s regulators, auditors and any parties appointed or requested by the Bank’s regulators to carry out investigations or audits of the Bank’s activities.
• In case that we are an insurance broker, we will disclose your personal data to the Office of Insurance Commission to regulate and promote insurance in accordance with the Insurance Commission Act, Life Insurance Act and/or Non-Life Insurance Act. For more details, please see at
• Other parties involved in any disputes, including disputed transactions.
• Fraud prevention agencies who will also use it to detect and prevent fraud and other financial crime and to verify your identity.
• Anyone who provides instructions or operates any of your accounts, products or services on your behalf, e.g., attorney, solicitors, intermediaries, etc.
• Anybody else that the Bank has been instructed to share your Personal Data with by you.
• Other parties involved in any marketing purposes.

There may be instances which the Bank may share non-personally identifiable information about you to third parties, such as advertising identifiers or one-way coding (cryptographic hash) of a common account identifier, such as a contact number or e-mail address, to enable to conduct targeted advertising.

Except as described in this Privacy Notice, the Bank will not use your Personal Data for any purpose other than the purposes described to you in this Privacy Notice. Should the Bank intends to collect, use or disclose additional information which is not described in this Privacy Notice, the Bank will notify you and obtain your consent prior to the collection, use and disclosure unless the Bank is permitted to do so without your consent under the law. You will also be given the opportunity to consent or to decline approval of such collection, use and/or disclose of your Personal Data.

The Bank will continue to adhere to this Privacy Notice with respect to the information the Bank has in the Bank’s possession relating to prospective, existing and former clients and investors.

Cross-border Transfer of Personal Data

Your Personal Data may be transferred to and stored/processed in other countries. Such countries may not have the same level of protection for the Personal Data. When the Bank does this, the Bank will ensure they have appropriate levels of protection and that the transfers are lawful. For example, your Personal Data may be shared to other ICBC group companies in accordance with the Data Transfer Agreement, which requires ICBC group companies receiving the Personal Data from the Bank must comply with the terms therein when processing your Personal Data. You can request a copy of the Data Transfer Agreement by contacting the Bank’s Data Protection Officer.

The Bank may need to transfer the Personal Data in this way to carry out the Bank’s contract with you, fulfill the legal obligations, protect the public interests and/or for the Bank’s legitimate interests. In some countries, the law might compel the Bank to share certain Personal Data to related parties, e.g., with tax authorities or National Bank. Even in these cases, the Bank will only share your Personal Data with people who have the right to see it.

4. Retention of Personal Data
The Bank retains your Personal Data for as long as it is necessary to carry out the purposes for which it was collected, e.g., for business and legal purposes or compliance with the applicable laws.

The Bank may keep your Personal Data for up to 10 years after you stop being the Bank’s customer to ensure that any contractual dispute that may arise can be processed within such time. However, in the event of regulatory or technical reasons, the Bank may keep your Personal Data for more than 10 years. If the Bank does not need to retain your Personal Data for longer than it is legally necessary, the Bank will destroy, delete or anonymize it (so that it can no longer be associated with you).

Where you receive the products and/or services from a third party, e.g., insurance company, who has been introduced to you by the Bank, such third party may keep your Personal Data in accordance with additional terms and conditions applying to their product and services.

5. Accuracy of Your Personal Data
The Bank needs your help to ensure that your Personal Data is current, complete, and accurate. Please inform the Bank of any changes to your Personal Data by contacting the Bank through channels prescribed in Clause 10 of this Privacy Notice.

The Bank will occasionally request updates from you to ensure the Personal Data the Bank uses to fulfill the purposes of collection, use and/or disclosure are current, accurate and complete.

6. What are your privacy rights and how does the law protect you?
Under certain circumstances, you have the rights under the data protection law in relation to your Personal Data. It is the Bank’s policy to respect your rights and the Bank will act promptly and in accordance with any applicable laws, rules or regulations relating to the processing of your information.

Details of your rights are set out below:
Right to Withdraw: This enables you to withdraw your consent for the Bank to process your Personal Data, which you can do at any time. The Bank may continue to process your Personal Data if the Bank has another legitimate reason to do so.
Right to Access: This enables you to receive a copy of your Personal Data that the Bank holds about you and to check whether or not the Bank is lawfully processing it.
Right to Correct: This enables you to have any incomplete or inaccurate information the Bank holds about you corrected. Please see above in paragraph 5 (Accuracy of Your Personal Data) for details of how you can request to have your Personal Data corrected.
Right to Erasure: This enables you to ask the Bank to delete or remove, destroy or anonymize your Personal Data where there is no good reason for the Bank to continue processing it. You also have the right to ask the Bank to delete or remove your Personal Data where you have exercised your right to object to processing (see below). This is not a blanket right to require all Personal Data to be deleted. The Bank will consider each request carefully in accordance with the requirements of any laws relating to the processing of your Personal Data.
Right to Object: This enables you to object to the processing of your Personal Data where the Bank is relying on the legitimate interest and there is something about your particular situation which makes you want to object to the processing on this ground. You also have the right to object where the Bank is processing your Personal Data for direct marketing purposes and profiling activities (the automated processing of your information to help the Bank evaluates certain things about you, for example, your personal preferences and your interests) relating to direct marketing.
Right to Restrict Processing: This enables you to ask the Bank to suspend the processing of your Personal Data, for example, if you want the Bank to establish its accuracy or the reason for processing it.
• Right to Portability: In some cases, you will be able to obtain a copy of your Personal Data that is generally available in electronic form. This right can only be used in the case of Personal Data you submit to us and the processing of such Personal Data is done with your consent or in the event that such Personal Data needs to be processed in order to be able to fulfil obligations under the contract.
Right to Lodge a Complaint: This enables you to file the complaint with a related government authority, including but not limited to, the Personal Data Protection Committee of Thailand  ("PDPC”) in the case where, in your view, the Bank or the Bank’s employees or contractors have violated or failed to comply with the PDPA or notifications issued thereunder.

The exercise of rights above may be restricted under relevant laws and it may be necessary for the Bank to deny or not be liable to carry out your requests, and the Bank will inform you of the reason. You could exercise your rights above on 1 June 2022 onwards.

Handling of Complaints
In the event that you wish to make the complaint about how the Bank processes your Personal Data, please contact the Bank’s Data Protection Officer and the Bank will try to consider your request as soon as possible. This does not prejudice your right to file the complaint with a related government authority, including but not limited to, the PDPC.

7. Security of Your Personal Data
Information is the Bank’s asset and therefore the Bank places a great importance on ensuring the security of your Personal Data. The Bank regularly reviews and implements up-to-date physical, technical and organizational security measures when processing your Personal Data. The Bank has internal policies and controls in place to ensure that your Personal Data is not lost, destroyed, misused or disclosed, and is not accessed except by the Bank’s employees in the performance of their duties. The Bank’s employees are trained to handle your Personal Data securely and with utmost respect, failing which they may be subject to a disciplinary action.

8. Your Responsibilities
You are responsible for making sure that the Personal Data you have given the Bank or provided on your behalf, is accurate and up to date, and you must tell the Bank as soon as possible if there are any updates.

You have some responsibilities under your contract to provide the Bank with your Personal Data. You may also have to provide the Bank with your Personal Data in order to exercise your statutory rights. Failing to provide such Personal Data may mean that you are unable to exercise your statutory rights.

Certain Personal Data, such as contact details and payment details, must be provided to the Bank in order to enable the Bank to enter into the contract with you. If you do not provide such Personal Data, this will hinder the Bank’s ability to administer the rights and obligations arising as a result of the contract efficiently.

9. Revision of the Bank’s Privacy Notice
The Bank keeps the Bank’s Privacy Notice under regular reviews and thus the Privacy Notice may be subject to change at the Bank’s sole discretion.

10. Contact Us
If you have any question with regard to the protection of your Personal Data or if you wish to exercise your rights, please contact:

- Data Protection Officer: E-mail
- Customer Hotline 0 2629 5588