Effective on May 25th, 2022
Bangkok Smartcard System Company Limited
Bangkok Smartcard System Company Limited (the “Company”, “we”, “us”, or “our”) recognizes the importance of the protection of Personal Data for our potential customers, customers, or retail merchants of our products and services, including any other relevant people (e.g., complainants or corporate social responsibility (CSR) related persons) (“you” or “your”). We follow security procedures when collecting, using, disclosing and/or internationally transferring Personal Data (as defined in “What Personal Data We Collect” section below) outside of Thailand. The information you share with us allows us, Companies under Rabbit’s Data Ecosystem, and BTS Group Companies (as defined in “To Whom We May Disclose or Cross-Border Transfer Personal Data” section below), affiliates and subsidiaries, our service providers, and our business partners, to provide the products and services you may need and want, while giving you the very best personalized experience and customer services.
1. WHAT PERSONAL DATA WE COLLECT
We may collect your Personal Data directly from you or indirectly from other sources including Companies under Rabbit’s Data Ecosystem, BTS Group Companies, affiliates and subsidiaries, our service providers, and our business partners who are third parties. The specific type of data collected will depend on the context of your interactions with us, and the services or products you need or want from us. The following are examples of Personal Data that may be collected:
- ) Personal details, such as title, name, surname, gender, age, occupation, job title, position, business type, nationality, date of birth, marital status, marriage certificate, number of family members and child, identifiable information on documents issued by government agencies (e.g., national identification card, passport, driver’s license details, house registration, work permit, tax identification number), student identification card, signature, voice, voice record, picture, business card detail, photo, photograph, VDO records, video clip, educational backgrounds, work experience, workplace, electronic know-your-customer information (e-KYC), income tier, and income/salary/bonus, payslip, weight and height, CCTV records, license plate details, driving license picture, car registration picture, vehicle details (e.g. vehicle identification number and vehicle plate number), policy photocopy, relationship to the policyholder or claimant person, insurance policy, and electronic insurance policy, information relating to shareholding/securities (if any) (e.g., shareholder/securities holder registration number, number of shares/securities and dividend amount);
- ) Contact details, such as postal address, delivery details, house registration address, national identification card address, work address, billing details, phone number, mobile phone number, business phone number, facsimile number, email address, business email, LINE ID, Facebook account, Google account, Twitter account, and other account-related to the social networking sites;
- ) Account details, such as credit/debit card holder number, credit/debit card information, bank account details, member ID, customer ID, member type, customer type, Rabbit Card number, Rabbit Line Pay ID, customer credit score, service and product applications (e.g., service registration form, financial or insurance application), joined month and payment details, and copy of bank account/bank book;
- ) Transaction details, such as payment information, card usage and transaction data (such as Rabbit Card usage/transaction data and records, Rabbit Rewards point transaction data, lead and customer data of Rabbit Finance (as defined in “To Whom We May Disclose or Cross-Border Transfer Personal Data” section below)), campaign response data, payment slip details about refund, refund amount, points, and date and location of purchase, purchase/order number, appointment date for service, complaints and claims, incident report, medical treatment information, compensation and debt reduction information, legal proceeding information, documents related to such transaction (e.g. contract, deed, receipt), contract details, transaction, transaction history, location, transaction status, past sales transaction, prediction data, (e.g., loan prediction score, credit scoring), information relating to construction project transaction (e.g. project value), and purchasing behaviour and other details of products and services purchased;
- ) Technical details, such as Internet Protocol (IP) address, web beacon, log, device type, hardware-based identifiers such as universal device identifier (UDID) or MAC address, software-based identifier such as identifier for advertisers for iOS operating system (IDFA), or identifier for advertisers for Android operating system (AAID), network, connection details, access details, single sign-on (SSO), login log, access time, time spent on our page, cookies, login data, search history, browsing detail, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on devices used to access the platform;
- ) Behaviour details, such as information about purchasing behavior and data supplied through the use of our products and services, such as location, train station and train exit usually used;
- ) Service details, such as information of the purchased service or the used service (e.g. logistic services, or insurance services), sky train ticket information (e.g., date, time and train station the service was used, sky train ticket number, sky train ticket information as reported, train number, amount), behavior and personal preference, complaint/incident report information and/or legal proceeding information, information relating to the incident such as the date and time of the incident, the date which was reported, location where the incident occurred, the damages found, details of the incident vehicle (e.g., description of the vehicle, vehicle plate number, brand and color), insurance details (e.g., vehicle insurance detail, notification number, claim number, insurance policy number, copy of evidence of claim), information relating to police blotter and reports at the police station, daily report and copy of evidence of the daily report record, status of the disputant after the incident occurred (e.g., appointment date to settle the damages, method to pay the damages), information relating to the lost/found belongings (e.g., the date, time and location found/lost, details of the belonging, the date returned, registration number), and any other information depending on the type of complaint;
- ) Relationship management details, such as information of complaints relating to products and services, solutions for solving problems of complaints, information about customer account, management, operation, payment, dispute resolution, processing and reporting on behalf of the customer, such Personal Data may also include communication records with us;
- ) Profile details, such as username and password, profile, purchase, historical order, past order, purchase history, items bought, item quantity, orders or product recalls made, orders via websites, purchase order number, financial records, PIN, interests, preference, feedback and survey responses data, satisfaction survey, social media engagement, participation details, loyalty programs, use of discount codes and promotions, customer order description, customer service, attendance to trade exhibitions and event, and insurance policy details;
- ) Usage details, such as information on how the websites, platforms, products and services are used, and Q&A records;
- ) Marketing and communication details, such as preference in receiving marketing from us, Companies under Rabbit’s Data Ecosystem, affiliates and subsidiaries, third parties, our service providers, our business partners and communication preferences;
- ) CCTV details, please see our CCTV Policy for more details on how we collect, use and/or disclose Personal Data by our CCTV [*link]; and/or
- ) Sensitive data, such as sensitive data as shown in the government-issued cards (e.g., religion on national identification card), criminal records, and biometric data (e.g., facial recognition).
In addition, your Personal Data may be collected from our business partners in case you purchase a product or a service from one of our business partners whose products or services are displayed on our websites or other locations. Personal Data related to the product or the service you have purchased will be sent to us for the purposes of sale tracking and service improvement.
We do not intentionally collect your sensitive data (“Sensitive Data”). However, in case that we do, we will only collect, use, and/or disclose Sensitive Data on the basis of your explicit consent or where permitted by law.
We only collect the Personal Data of children, quasi-incompetent person and incompetent person where their parent or guardian has given their consent. We do not knowingly collect Personal Data from customers under the age of 20 without their parental consent when it is required, or from quasi-incompetent person and incompetent person without their legal guardian’s consent. In the event that we learn that we have unintentionally collected Personal Data from anyone under the age of 20 without parental consent when it is required or from quasi-incompetent person and incompetent person without their legal guardian’s consent, we will delete it immediately or collect, use and/or disclose if we can rely on other legal basis apart from consent or where permitted by law.
2. WHY WE COLLECT, USE AND/OR DISCLOSE PERSONAL DATA
We may collect, use and/or disclose Personal Data for the following purposes:
2.1 THE PURPOSE OF WHICH WE RELY ON CONSENT:
We rely on consent for the collection, use, and/or disclosure of Personal Data by us, Companies under Rabbit’s Data Ecosystem, BTS Group Companies, and affiliates and subsidiaries, and for the disclosure of your Personal Data to our selected business partners for the following purposes:
- ) Marketing and Communications: To provide marketing communications, information, special offers, promotional materials, tele-marketing, privilege, advertisement, newsletter, and any marketing and communications, both online and offline channels, about products and services of our Company, Companies under Rabbit’s Data Ecosystem, BTS Group Companies, affiliates and subsidiaries, our service providers, and our business partners for which we cannot rely on other legal bases. Your Sensitive Data will also be collected to analyze and conduct personalized marketing;
- ) Data Analytics Services: To conduct data analytics services, research and statistics;
- ) For Other Businesses: To conduct other businesses, which are digital marketing, banking and financial, reward and loyalty programs, credit scoring, loans, insurance, telecommunications, asset management, investment, retail, e-commerce, including their related products and services; and/or
- ) Sensitive data:
1) Sensitive data as shown in the government-issued cards (e.g., religion on national identification card): To authenticate and verify the identity; and
2) Biometric data (e.g., facial recognition): To perform e-KYC process.
2.2 THE PURPOSE THAT WE MAY RELY ON OTHER LEGAL GROUNDS FOR COLLECTION, USE, AND/OR DISCLOSURE OF PERSONAL DATA
We may also rely on (1) contractual basis, for our initiation or fulfilment of a contract with you; (2) legal obligation, for the fulfilment of our legal obligations; (3) legitimate interest, for the purpose of our legitimate interests and the legitimate interests of third parties (in which case we will balance the legitimate interest pursued by us and any relevant third party with your interest and fundamental rights and freedoms in relation to the protection of your Personal Data); (4) vital interest, for preventing or suppressing a danger to a person’s life, body or health; and/or (5) public interest, for the performance of a task carried out in the public interest or for the exercising of official authorities or other legal grounds permitted under applicable data protection law as the case may be. Depending on the context of the interactions with us, we may collect, use and/or disclose Personal Data for the following purposes:
- ) To provide products and services: such as, to register and enable the purchase and use of our products or services, including, but not limited to, for registration of Rabbit Card via online channels or Rabbit Kiosk, for membership of Rabbit Rewards, or for retail/merchant registration; to enable the use of our websites, mobile applications, and platforms (e.g., to top-up Rabbit Card, or register to Rabbit Finance channels); to process a request for service application or benefits in connection with Rabbit Card, Rabbit Rewards, or Rabbit Finance; to enter into a contract and manage our contractual relationship; to support and perform other activities related to such services or products; to sell our products or services via online and offline channels; to deliver or ship the Rabbit Card or other products via online sale; to provide bulk sales of our products or services to our corporate customers; to lease the retail space on BTS stations; to provide our online media performance and digital marketing service; to process transactions with our business partners; to complete and manage bookings and to carry out financial transaction and service related to the payments including transaction check and verification and cancellation; to process orders, delivery, suspension, replacement, reimbursement, refund and exchange of products or services; to protect remaining balance when the Rabbit Card is lost or stolen; and to provide customer service operation, including call center;
- ) To provide marketing communications: such as, to provide marketing communications, information, special offers, promotional materials, tele-marketing, privilege, advertisement, newsletter, and any marketing and communications, both online and offline channels, about products and services of our Company, Companies under Rabbit’s Data Ecosystem, BTS Group Companies, affiliates and subsidiaries, our service providers, and our business partners which all are within your reasonable expectations;
- ) To offer promotions, special offers, loyalty programs, reward programs, prize draws, competitions and other offers/promotions: such as, to allow the participation in promotions, promotional campaign, special offers, promotional offer, loyalty programs, co-registration program with our business partners, sweepstakes, privilege, prize draws, competitions and other offers/promotions (e.g., to send reminder emails), events and seminars. This includes to process and administer account registration, gift registration, event registration; to process points collection, addition, exchange, earning, redemption, and transfer of points; to examine entire user history, both online and offline; and to provide and issue gift voucher, gift cards and invoices;
- ) To contact and communicate: such as, to provide information, marketing communications, campaign, advertisement, required notices, special offers, benefits, and promotional materials of our products or services; to send you news, electronic newsletters, marketing messages and information about the products, services, brands, and operations;
- ) To manage the relationship: such as, to communicate in relation to the products and services obtained from us, Companies under Rabbit’s Data Ecosystem, BTS Group Companies, affiliates and subsidiaries, our service providers, and from our business partners; to handle customer service, call center and/or hotline-related queries, request, feedback, complaints, claims, disputes or indemnity; to provide technical assistance and deal with technical issues; to process and update information; and to facilitate the use of the products and services;
- ) To conduct data cleansing, profiling and analytics: such as, to measure the engagement with the products and services; to undertake data cleansing and matching, data profiling and data analytics; to conduct market research, surveys, assessment, behaviour, statistics and segmentation, consumption trends and patterns; to know our customers better and understand their characteristics; to improve business performance; to better adapt our content to the identified preferences of our customers; to determine the effectiveness of our promotional campaigns; to identify and resolve issues with existing products and services; to enhance the qualitative information development; to establish whether a relationship with the selected business partners already exists; and to provide the lead generation service to our business partners via Facebook or co-registration pages or any other social media or messenger platforms;
- ) To select and provide products or services that are likely to be of individual’s interest and tailored to individual’s needs: such as, to use the result from data cleansing and matching, data profiling and data analytics to recommend products and services that might be of interest to individual from us, Companies under Rabbit’s Data Ecosystem, BTS Group Companies, affiliates and subsidiaries, our service providers, and our business partners; to identify individual’s preferences, and personalize the experience; and to develop future editorial content targeted to meet individual’s interests, within your reasonable expectations;
- ) To improve business operation, products and services: such as, to evaluate, develop, manage, improve existing and design new services, products, system and business operation for all of our customers, including but not limited to, customers of Companies under Rabbit’s Data Ecosystem, BTS Group Companies, affiliates and subsidiaries, our service providers, and our business partners; to track and follow-up with sale transactions (sale tracking) for our service improvement; to identify and resolve issues; to create aggregated and anonymized reports and measure the performance of our physical products, digital properties, and marketing campaigns; and to manage, operate and maintain our payment systems. We may monitor and/or record any calls to train our staff and improve our services;
- ) To learn more: such as, to learn more about the products and services received from us, Companies under Rabbit’s Data Ecosystem, BTS Group Companies, affiliates and subsidiaries, our service providers, and our business partners and other products and services that individual may be interested in receiving, including profiling based on the processing of Personal Data, for instance by looking at the types of products and services that were used, how the individual likes to be contacted and so on;
- ) To ensure the function of our websites, mobile applications, and platforms: such as, to administer, operate, track, monitor and manage our websites, mobile applications, and platforms to facilitate and ensure that they function properly, efficiently and securely; to facilitate and enhance users experience on our websites, mobile applications, and platforms; and improve layout and content of our websites, mobile applications, and platforms;
- ) To manage IT system: such as, for our business management purpose including for our IT operations, management of communication system, operation of IT security and IT security audit; internal business management for internal compliance requirements, policies and procedures; and to update our database;
- ) To comply with regulatory and compliance obligations: such as, to comply with legal obligations, legal proceedings or government authorities’ orders which can include orders from government authorities outside Thailand and/or cooperate with court, regulators, government authority and law enforcement bodies when we reasonably believe that we are legally required to do so and when disclosing Personal Data is strictly necessary to comply with the said legal obligations, proceedings or government orders. This includes to issue tax invoice or full tax form; to comply with electronic e-payment business, financial, and anti-money laundering related legal obligation; to record and monitor communications; to disclose to tax authorities, financial service regulators, other regulatory and governmental bodies; and to investigate or prevent crime;
- ) To protect our interests: such as, to protect the security and integrity of our business operation; to exercise our rights or protect our interest where it is necessary and lawful to do so, for example to detect, prevent and respond to fraud claims, intellectual property infringement claims or violations of law; to manage and prevent loss of our assets and property; to secure the compliance of our terms and conditions; to produce reports relating to our products and services to Companies under Rabbit’s Data Ecosystem, Companies under BTS Group, affiliates and subsidiaries, our service providers, and our business partners; to detect and prevent misconduct within our premises; to follow up on incidents; to prevent and report criminal offences and to protect the security and integrity of our business;
- ) To detect, suppress, and prevent fraud/illegal actions: such as, for authentication and identity verification, and to conduct legal and other regulatory compliance checks (e.g., to comply with e-payment business, financial, insurance, and anti-money laundering related laws and regulations, to perform Know-Your-Customer (KYC) process or e-KYC process; and to prevent fraud and detect suspicious transactions). This includes to perform sanction list checking, internal audits and records, asset management, system and other business controls;
- ) To transfer in the event of merger: such as, sale, transfer, merger, reorganization or similar event, we may transfer Personal Data to one or more third parties as part of that transaction;
- ) Risks: such as, to perform risk management, audit performance and risk assessments; to conduct credit checks and customer financial due diligence; and/or
- ) Life: such as, to prevent or suppress a danger to a person’s life, body or health.
Where the Personal Data to be collected from you is needed to meet our legal or regulatory obligations or enter into an agreement with you, if you do not provide your Personal Data when requested, we may not be able to provide (or continue to provide) our products and services to you.
3. TO WHOM WE MAY DISCLOSE OR CROSS-BORDER TRANSFER PERSONAL DATA
1.) Companies under Rabbit’s Data Ecosystem
- “Rabbit’s Data Ecosystem” refers to a group of companies whose names are listed in this link [link to list of Companies under Rabbit’s Data Ecosystem]; and
- “BTS Group Companies” refers to a group of companies whose names are listed in this link [link to list of Companies under BTS Group].
In limited circumstances, as the Company is part of Companies under Rabbit’s Data Ecosystem and BTS Group Companies which all collaborate and partially share customer services and systems, including website-related services and systems, we may need to transfer your Personal Data to, or otherwise allow access to such Personal Data by Companies under Rabbit’s Data Ecosystem, BTS Group Companies, and their affiliates and subsidiaries, for the purposes set out above. Companies under Rabbit’s Data Ecosystem, BTS Group Companies, and affiliates and subsidiaries will rely on the consent obtained by us to use your Personal Data.
2.) Our service providers
We may use other companies, agents or contractors to perform services on our behalf or to assist with the provision of products and services. We may share Personal Data with service providers including but not limited to (1) infrastructure, software and website developer and IT service providers; (2) warehouse and logistic service providers; (3) data storage and cloud service providers; (4) data cleansing and matching, data profiling, and data analytics service providers; (5) marketing, advertising media and communications agencies; (6) research agencies; (7) survey agencies; (8) campaign and event organizers; (9) tele-sale service providers; (10) call center service providers; (11) payment, payment system, authentication service providers; (12) outsourced administrative service providers; (13) telecommunications and communication service providers; and/or (14) licensed credit-referencing agencies to carry out certain credit checks for certain insurance products.
In the course of providing such services, the service providers may have access to your Personal Data. However, we will only provide our service providers with the Personal Data that is necessary for them to perform the services, and we require them not to use your Personal Data for any other purposes. We will ensure that all the service providers we work with will keep your Personal Data secure.
3.) Our business partners
4.) Social networking sites
We allow you to access our sites and platforms without the need to fill out a form. If you log in using the social network login system, you explicitly authorize us to access and store public data on your social network accounts (e.g. Facebook, Google, Instagram), as well as other data mentioned during use of such social network login system. In addition, we may also communicate your email address to social networks in order to identify whether you are already a user of the concerned social network and in order to post personalized, relevant adverts on your social network account if appropriate.
5.) Third parties permitted by law
In certain circumstances, we may be required to disclose or share Personal Data in order to comply with a legal or regulatory obligation. This includes any law enforcement agency, court, regulator, government authority, embassy, consulate, or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety; or to detect, prevent, or otherwise address fraud, security or safety issues (e.g., Anti-Money Laundering Office (AMLO), Bank of Thailand (BOT), Office of Insurance Commission (OIC) and Revenue Department).
6.) Professional advisors
We may disclose Personal Data to our professional advisors including, but not limited to, (1) independent advisors, project advisors, financial advisors; (2) legal advisors who assist us in our business operations and provide litigation services such as defending or initiating legal actions; and/or (3) auditors who provide accounting services or conduct financial audit for the Company.
7.) Third parties connected with business transfer
8.) Other third parties
4. INTERNATIONAL TRANSFERS OF PERSONAL DATA
We may disclose or transfer Personal Data to third parties or servers located overseas, where the destination countries may or may not have the same data protection standards. We take steps and measures to ensure that Personal Data is securely transferred, that the receiving parties have in place adequate and suitable data protection standards and that the transfer is lawful by relying on the derogations permitted under the law.
5. HOW LONG DO WE KEEP PERSONAL DATA
We retain Personal Data for as long as it is reasonably necessary to fulfil the purpose for which we obtained it and to comply with our legal and regulatory obligations. However, we may have to retain Personal Data for a longer duration, as required by applicable law.
6. COOKIES AND HOW THEY ARE USED
If you visit our websites, we will gather certain information automatically from you by using tracking tools and cookies (including, but not limited to, Google Tag Manager, Google Analytics, Hotjar, Matomo, Zendesk, Facebook Pixel Analytics, Facebook Ad Manager, and Google Cloud). Cookies are tracking technologies which are used in analyzing trends, administering our websites, tracking users’ movements around the websites, or to remember users’ settings. Some of the cookies are necessary because otherwise the site is unable to function properly. Other cookies are convenient for the visitors and they remember your username in a secure way as well as your language preferences.
Most internet browsers allow you to control whether or not to accept cookies. If you reject cookies, your ability to use some or all of the features or areas of our websites may be limited. Please see our Cookies Policy for more details [*link].
7. DATA SECURITY
As a way to protect personal privacy, we maintain appropriate security measures, which include administrative, technical and physical safeguards in relation to access control, to protect the confidentiality, integrity, and availability of Personal Data against any accidental or unlawful or unauthorized loss, alteration, correction, use, disclosure or access, in compliance with the applicable laws.
In particular, we have implemented access control measures which are secured and suitable for our collection, use, and disclosure of Personal Data. We restrict access to Personal Data as well as storage and processing equipment by imposing access rights or permission and user access management to limit access to Personal Data to only authorized persons, and implement user responsibilities to prevent unauthorized access, disclosure, perception, unlawful duplication of Personal Data or theft of devices used to store and process Personal Data. This also includes methods enabling the re-examination of unauthorized access, alteration, erasure, or transfer of Personal Data which are suitable for the method and means of collecting, using and/or disclosing Personal Data.
8. RIGHTS AS A DATA SUBJECT
Subject to applicable laws and exceptions thereof, a data subject has the following rights to:
- ) Access: Data subjects have the right to access or request a copy of the Personal Data we are collecting, using and/or disclosing. For privacy and security, we may require proof of the data subject’s identity before providing the requested Personal Data;
- ) Rectification: Data subjects have the right to have incomplete, inaccurate, misleading, or not up-to-date Personal Data that we collect, use and/or disclose rectified;
- ) Data Portability: Data subjects have the right to obtain Personal Data we hold about that data subject, in a structured electronic format, and to transmit such data to another data controller, where this is (a) Personal Data which you have provided to us, and (b) if we are collecting, using and/or disclosing that data on the basis of data subject’s consent or to perform a contract with the data subject;
- ) Objection: Data subjects have the right to object to certain collection, use and/or disclosure of Personal Data such as objecting to direct marketing;
- ) Restriction: Data subjects have the right to restrict our use of Personal Data where the data subject believes such Personal Data to be inaccurate, that our collection, use and/or disclosure is unlawful, or that we no longer need such Personal Data for a particular purpose;
- ) Withdraw Consent: For the purposes the data subjects have consented to our collection, use and/or disclosure of Personal Data, data subjects have the right to withdraw consent at any time;
- ) Deletion: Data subjects have the right to request that we delete, destroy or de-identify Personal Data that we collect, use, and/or disclose, except we are not obligated to do so if we need to retain such Personal Data in order to comply with a legal obligation or to establish, exercise or defend legal claims; and
- ) Lodge a complaint: Data subjects have the right to lodge a complaint to the competent authority where the data subject believes our collection, use and/or disclosure of Personal Data is unlawful or non-compliant with applicable data protection law.
- OUR CONTACT DETAILS
Bangkok Smartcard System Company Limited
21 TST Tower, 19th and 24th Floors, Vibhavadi Rangsit Rd.
Chom Phon, Chatuchak, Bangkok 10900