Privacy Notice of
Principal Asset Management Company Limited
Under the Personal Data Protection Act B.E. 2562.
(Issue Date 30 November 2023)
Last Updated: 30 November 2023
Principal Asset Management Co., Ltd. (“Company”) recognizes the importance of safeguarding the personal data that you have provided to the Company in trust. In addition, the Company has security systems and strict operational procedures to maintain the security of personal data, including data security measures to prevent unauthorized access, disclosure, use, or change of personal data, in order to comply with the Personal Data Protection Act B.E. 2562 (“PDPA”) and relevant laws and regulations.
As a result, the Company has developed this Privacy Notice to clarify the details regarding collection, use, or disclosure of personal data, retention period, data destruction, and rights of data subjects in connection with the Company's operations and any services provided relating to Mutual Funds, Provident Funds, and Private Funds, regardless of whether they are registered to open an account or not. In this regard, the Company recommends that you read and understand this Privacy Notice so that you acknowledge the Company’s purposes for collecting, using and disclosing your personal data, the retention period, the data destruction, as well as the rights of the data subject. The details of the Privacy Notice are as follows:
1. Collection of Personal Data
In accessing and using the Company's services, you are required to provide personal data that identifies you in order to enable transactions related to Funds. This includes information provided in various service application forms, identification documents as supporting documents for account opening and financial information etc. In this regard, the Company may process your personal data in documented forms, images and/or electronic formats and includes automated processing.
The information and source of your personal data that the Company collects, uses, or discloses are as follows:
1.1. Identity Information – any information relating to an identified or identifiable natural person that can be identified, whether directly or indirectly, such as title, name, surname, identification card number, passport number, date of birth, nationality, gender, photograph, tax identification number, unitholder number, private fund ID, provident fund member ID etc. The Company will not process all sensitive data and does not wish to collect or use personal data related to races, religions, blood groups, or any other information other than the personal data that has been specified above, even if such information appears on your ID card, house registration, or any other documents that you voluntarily disclose to the Company.
1.2. Contact Data – e.g., physical address, email address, telephone number, IP Address or digital ID of a customer or investor that can be used to identify you.
1.3. Personal Related Information – Information that can link to other personal data, such as marital status, information of children, family, education, restricted communication or decision making, work experience, investment experience, disclosure information in Customer Profile and Risk Profile, Knowledge Assessment information for investing in high-risk or complex funds, Vulnerable Investors information for sales process, information from Risk Acknowledgement of high-risk or complex funds, information survey of investment advisors' services, information used for placing purchasing, selling and switching fund unit orders, certified qualification information of an Ultra High Net Worth / High Net Worth, information used in the application forms for opening a fund account, the notification information of U.S. Individual Status (FATCA FORM).
1.4. Beneficiary Information - beneficiary of various fund accounts, and the Company’s products, including the Company’s services, who are natural persons and minor persons, family members or the beneficiary as specified by customers or investors.
1.5. Financial and Transaction Information – your financial and transaction information with the Company such as deposit/investment account number, credit card number, debit card number or transaction report data, income data, account balance and investment records with the Company, etc.
1.6. Medical and Health Information - only specific medical and health information that needs to be collected in order to provide you with the products and services that you have requested.
1.7. Litigation Information - in respect of legal procedures or legal processes, information that customers or investors must disclose in accordance with the Anti-Money Laundering Laws, Securities and Exchange Act, or other laws to which the Company is subject.
1.9. Communication Information – between you and the Company, such as tape recordings made when you communicate through the Contact Center via telephone calls, which may include pictures or voices, computer traffic etc., whether provided by you or held, received or accessed by the Company from other credible sources, e.g., government agencies, companies in the financial group and/or our partners or advisors.
1.10. Other Information - provided by customers or investors to the Company during the interactions with the Company or as required by the Company in order to offer, recommend or provide services related to the Company's products or services.
The personal information collected varies depending upon the nature of your relationship with the Company, how you use the platforms, and the type of products or services you have with the Company.
For individuals who log in as representatives of a business or corporate account, the Company may gather information based on your relationship with the Company for the purposes of providing customized services.
For visitors who voluntarily provide an email address or other information, such as contact information and/or site registration, such information is collected. Visitors who provide an email address may also be required to provide feedback about the Company’s website via surveys. Additionally, the visitors may receive periodic messages from the Company about the Company’s new products and services or upcoming events. If you do not wish to receive such e-mail or other mail from the Company, please update your subscription and delivery services or click the “unsubscribe” link in the email correspondence received from the Company.
Mobile applications information
2. The purpose of collection, use, processing, or disclosure of your personal data
2.1 Contract basis
To open an account for transactions or use services through various channels related to the Company or related to funds under the Company's management, you are required to provide your personal data to the Company so that the Company can process and perform various operations related to account opening, use of products or services as you requested, calculation and vesting of investment, compliance with the Company's internal processes, communication with you, monitoring and notification of benefits, changes of products or services, response to inquiries and notification of changes in accordance with the contractual basis under Section 24 (3) of the PDPA.
2.2 Legal obligation basis
The Company may process your personal data in accordance with laws and regulations that govern the Company's business operations, such as laws relating to Securities and Exchange, derivatives contracts, and trusts for transactions in the Capital Market, Provident Fund, including compliance with laws that govern transactions related to the Funds, Anti-Money Laundering Law (AML), Counter Financing of Terrorism and Proliferation of Weapon of Mass Destruction Financing (CTPF), Exchange Control, Taxation and other laws that require or oblige the Company to submit or report information, for instance, for the purpose of prevention and detection of irregularities in transactions leading to illegal activities, reporting customer information to the Revenue Department, reporting personal data to government agencies such as the Office of the Securities and Exchange Commission, Anti-Money Laundering Office or the Revenue Department, or when the Company receives a summons or a writ of execution from a government agency or a court, etc., in accordance with the legal obligation basis under Section 24 (6) of the PDPA.
2.3. Legitimate Interest basis
The Company may process your personal data in accordance with the Legitimate Interest basis under Section 24 (5) of the PDPA, for instance:
o prevention, response, and reduction of risks that may occur in various illegal activities. This includes sharing personal data to raise the standard of work of the companies in the same business, to prevent, cope with and reduce the above risks;
o recording image of visitors that come in contact with the Company on the CCTV system, including exchanging ID cards before entering the building, for security within the Company's office;
o Risk Management / Audit / System Maintenance for maintaining service standards and internal management, including transferring the personal data to the Company’s affiliates for such purposes under Binding Corporate Rules;
o customers' personal data may be disclosed to external service providers (Outsource) for the purpose of storing personal data in the Cloud Computing and for the purpose of developing the Company's information technology;
o monitoring employees' email or internet usage with customers to prevent disclosure of confidential information of the Company to outsiders;
o data analysis to be used for offering products of the same type that customers have with the Company and other products of the Company to the customers that are appropriate to the customers’ needs and/or in conducting market research, plan and statistical analysis such as data analysis, evaluation, inquiries and reports about the Company's products and/or services and customer behavior to develop the Company's products;
o maintaining customer relationships, such as handling complaints and offering special benefits without marketing objectives to customers, etc.
2.4. Consent basis
The Company may use your personal data for processing to design or develop products and services, to offer and recommend products and services, for the Company's marketing activities, or collect, use or disclose your personal data for direct marketing purposes. If you wish to withdraw your consent to such processing, you can contact the Company and make a request according to Clause 9.
If you do not provide your personal data to the Company, you may be unable to receive products, services or convenience, or the contractual obligations that the Company has or is trying to enter into with you may go unperformed. You may suffer damage or loss of opportunities, and it may affect compliance with any laws that you or the Company must comply with and may result in relevant penalties.
3. Disclosure of Personal Data to Third Party
The Company may disclose your personal data to third parties for processing in accordance with the related data processing purposes in the following cases:
• to the financial business group, business partners, brokers, the Stock Exchange of Thailand, Thailand Securities Depository, representatives, agents, custodians, intermediaries and/or other service providers (and/or jointly with other investors or customers) or those appointed by the Company, and any other third parties to whom it is reasonably necessary to disclose your personal data in order to achieve your objectives for using the Company’s services;
• to agents and contractors or third parties acting as service providers for providing services to the Company and customers, e.g., affiliates, companies in the financial business group, selling agents, distributors, financial institutions, business partners of the Company, professionals, experts and any other service providers such as information and communication technology, insurance companies, seminar travel coordinators, conference organizers, credit card providers, international asset management companies in which the Company’s feeder fund has invested and other third parties with whom the Company works for the provision of services related to the Company's products and services;
• to the parent companies, subsidiary companies or affiliates located in Thailand or overseas in order to proceed with the approval of customers’ account opening applications. The disclosure in this case shall be in accordance with the Company's Group Disclosure Policy;
• to outsources/service providers to which the Company is a contracting party, both in Thailand and overseas, such as cloud computing service providers, registrars, marketing contractors, contracting companies that engage in research or develop information technology for the Company, such as AppsFlyer Ltd. and UXCam Inc., as well as other companies that the Company will enter into contracts to use services related to such activities;
• to disclose Beneficial Owner information to overseas securities companies/asset management companies in compliance with the foreign laws;
• to a person who holds a joint account with customers or other persons under the same account;
• to government agencies or regulatory agencies to comply with laws or orders of government authorities such as the Securities and Exchange Commission, Anti-Money Laundering Office, Revenue Department, Legal Execution Department, Office of Insurance Commission, Royal Thai Police, and any authorized person as required by relevant laws or regulations. Disclosure at the request of foreign agencies or organizations recognized by Thailand's regulatory authorities to comply with legal requirements or in other specific cases, such as complying with court orders, including auditors;
• to exercise the Company's right in claims or defense under contracts or laws;
• to investors who are interested in investing in the Company or Funds under the management of the Company, to analyze and evaluate due diligence, whether it is a joint investment or sale of a business or assets, in whole or part;
• to third parties under your consent to the Company;
• to enable transactions and/or use of the service according to customers’ wishes.
4. Automatic Data Processing
With your explicit consent, the Company may use your personal data for automated processing, which may affect your personal information or for other data collection. If you wish to withdraw your consent, you can contact us and make a request according to clause 9.
5. Rights of the Personal Data Subject
The Company considers that you should be aware of your privacy rights under the PDPA, which are as follows:
• Right to Withdraw Consent: You shall have the right to withdraw the consent given to the Company for collecting, using, or disclosing your personal data at any time. If the Company does not have another legitimate basis to further collect, use or disclose it, the Company will delete your information.
• Right to access personal data: You shall have the right to request to know and obtain a copy of your personal data which is under the Company’s responsibility or request the Company to disclose the source of your information for which consent has not been given.
• Right to Rectification: You shall have the right to request the Company to correct the information to be accurate, up to date and not misleading.
• Right to Data Portability: You shall have the right to obtain information about yourself from the Company in the event that the Company has provided such information in a format which is readable or generally usable by automated tools or devices and can be used or disclosed by automated means, including the right (a) to send or transfer information in such form to another data controller by automated means, or (b) to obtain the information sent or transferred by the Company in the above form to another data controller, unless the technical conditions are not feasible.
• Right to Erasure or Right to be Forgotten: You shall have the right to request the Company to delete, destroy or anonymize your personal data in the following cases:
o Personal data is no longer necessary for the purposes for which the personal data was collected or processed.
o The Data Subject withdraws the consent for data processing purposes, and then, the Company has no right to conduct the data processing.
o The Data Subject objects to the data processing for the direct marketing purpose.
o It is unlawful data processing.
o The Data Subject objects to the data processing (other than the objection for data processing for direct marketing purpose) and the company does not have legitimate interest to conduct the data processing.
• Right to Restriction of Processing: You shall have the right to prohibit the processing of your personal data when the following conditions are met:
o Data processing is no longer necessary, but the retention of personal data is still necessary and required for exercising the legal claims.
o Unlawful data processing but the Data Subject wishes to prohibit such data processing instead of deleting or destroying their personal data.
o During the examination of the accuracy of information as requested by Data Subject.
o When the Company is in the process of proving more important legitimate grounds.
• Right to Object: You have the right to object to the collection, use, or disclosure of your personal data in the following scenarios:
o In case of collection, use or disclosure of personal data for direct marketing purposes.
o In case of collection, use or disclosure of personal data for scientific, historical, or statistical research purposes, unless it is necessary for the performance of tasks for the public interest of the Company.
o In the case where the data collected is necessary for the performance of tasks for the public interest of the Company or necessary for the legitimate interests of the Company, unless the Company demonstrates a more important legitimate cause or it is for the establishment of legal claims, complying with, or exercising legal claims or defending legal claims.
• Right to Lodge a Complaint: You shall have the right to complain to the government authority in the case the company, employee, or its vendor violates or fails to comply with the PDPA.
Any request to exercise your rights as mentioned above must be made in writing, and the Company shall use its best effort to act on it within a reasonable period not exceeding the period specified by the law. The Company shall comply with the laws relevant to your rights as the data subject.
A request that the Company delete, destroy, restrict the processing of data, temporarily suspend its use, or convert personal data into non-personally identifiable data formats, or a withdrawal of consent, may cause restrictions on the Company in conducting transactions or providing services to you. When you exercise your rights as mentioned above, the Company reserves the right to charge any fees that are relevant and necessary for the processing of personal data as requested by you.
6. Security Measures for Personal Data
The Company has established policies, manuals and standards for maintaining the security of customers' personal data, both Organizational Measures and Technical Measures to prevent unauthorized access to your personal data or personal data breaches, such as strict security information systems, customer confidentiality policies, etc., and the Company periodically updates such policies, manuals and minimum standards according to the criteria specified by law. In addition, the Company's staff, employees, and external service providers are obliged to maintain the confidentiality of customers' personal data in accordance with the confidentiality agreement signed with the Company.
In the event that the Company is obliged to send or transfer your personal data to foreign countries that have a lower personal data handling standard than Thailand, the Company will take such measures as it deems necessary, at least in accordance with the confidentiality standards required by the laws of those countries; for example, there is a confidentiality agreement with the counterparty in those countries, etc.
7. Personal Data Storage and Retention
The Company will retain personal data of customers or investors as specified in this Privacy Notice as follows;
• the Company keeps the personal data of customers or investors in form of hard copy and soft copy;
• the Company stores personal data of customers or investors in the digital file at a computer center that has the Company's security system. Hard copy data is stored at the company and document custody service provider that has a computerized storage control system and a security supervision system to prevent data leakage as well as modern and efficient fire protection systems. Back-up data is stored at a data management service provider that meets the standards for storing backup tapes and email data is stored in Cloud service with Microsoft Office 365;
It may not be possible for the Company to completely remove or delete all your information from our databases without any residual data because of backups and other reasons. The Company will retain your information for as long as it is still necessary for the purposes for which it was collected. In the event that you have terminated your business relationship with the Company, the Company will retain your personal data for a period of 10 years in accordance with laws such as Accounting Act, Anti-Money Laundering Law and the Company's Data Retention and Destruction Policy. In addition, at the end of the collection period, the Company will take appropriate steps to delete or make such information non-personally identifiable.
8. Changes to Privacy Notice
This Privacy Notice may be changed or amended from time to time without prior notice. If there is a change to the Privacy Notice, the updated version will be posted on the Company's website: www.principal.th
9. Contact Us
If you wish to contact the Company or have any questions regarding how the Company collects, uses and discloses the personal data or if you would like to exercise any rights under clause 5 or withdraw your consent or have any complaints, please contact us at:
- Principal Asset Management Co., Ltd. no. 44 CIMB Thai Bank Building 16th Fl, Langsuan Road, Lumpini, Pathumwan, Bangkok, Thailand 10330
- Client Service (662) 686 9595
- Data Protection Officer (email: DPO@principal.com)
- company website www.principal.th.