Notice regarding Processing of Personal Data collected within Thailand
(“TH Privacy Notice”)
Effective from 1 June 2022
This TH Privacy Notice applies to the processing of personal data collected within Thailand or processed in the context of our affiliated companies in Thailand (“TH Personal Data”); it does not apply to personal data collected in other territories.
If you have obtained your JCB card from a third party issuer, then you should also consult their website for their privacy notice which will apply to their processing of your personal data.
The JCB Group (JCB Co., Ltd. and its affiliated companies) acknowledges that the protection of personal data is one of our most significant legal obligations.
As described below, this TH Privacy Notice applies to the activities of:
JCB Co. Ltd. (“JCB Co.”) | Aoyama Rise Square 5-1-22 Minami Aoyama, Minato-ku, Tokyo 107-8686 |
JCB International Co., Ltd. (“JCBI”) | Aoyama Rise Square 5-1-22 Minami Aoyama, Minato-ku, Tokyo 107-8686 |
JCB International (Thailand) Co., Ltd. (“JCBITH”) | 500 Amarin Plaza, 9th Floor, Room no. 3, Phloen Chit Rd., Lumphini, Pathum Wan, Bangkok 10310 |
Such entities shall be jointly and severally referred to as “we” and “us”.
This TH Privacy Notice sets out what TH Personal Data we collect, how we collect it, how we use it, and your rights in connection with how we process your TH Personal Data. We are committed to jointly protecting your TH Personal Data as data controllers in accordance with our duties under Thailand Personal Data Protection Act (“PDPA”) and other applicable laws. This TH Privacy Notice applies to all of us and for your convenience you may exercise any of your rights against any of us, and we will ensure it is routed to the correct department.
In addition, please refer to our “Cookie Policy” for more information regarding the data we collect when you access our website and how it is processed.
1. Collection, use and legal basis of TH Personal Data
We have set out below, in a table format, a description of the types of TH Personal Data we collect, the sources we collect it from, how we plan to use your TH Personal Data, whether we act as a data controller or a data processor, which are the legal basis we rely on to do so.
You can refer to section 11. Glossary for a description of the terms used in the table below.
Categories of TH Personal Data | Source of TH Personal Data | Use | Applicable JCB Entity | Role of the JCB Entity | Legal Basis |
---|---|---|---|---|---|
Transactional data relating to card transactions by cardholders including card data, transaction information (time, date, and amount), and merchant data (name and location). | Use of a JCB proprietary card, franchised issuer card and third party issuer card. Merchants and acquirers. |
Authorise, settle and process transactions and franchised issuer cards. | JCB Co. | data controller *1 | Contract |
Support the operations of affinity partners of JCB proprietary cards and franchised issuer cards. | |||||
Switch authorisation request/ response messages and settlement data between third party issuers, acquirers and merchants. | JCB Co. and JCBI | data processor *1 | The legal basis of this category shall be determined by the data controller (merchant, acquirer, issuer, etc.) | ||
Process data related to managing merchants, acquirers, franchised issuer, third party issuers and deal with queries. | JCB Co. and JCBI JCBITH |
data controller *1 data controller |
Contract for JCB proprietary card and franchised issuer card. Legitimate interests for third party issuer card. |
||
Support the issuer, acquirer or merchants' operations, or provide or promote sales of goods and services for JCB cardholders and merchants. | |||||
Develop new products and services for our business. | |||||
For marketing purposes. | |||||
Measure the effectiveness of advertisement, publicity and marketing. | |||||
Investigate and analyse for accounting and audit purposes. | |||||
Card data collected from cardholder including card number, cardholder name and related information. | Cardholder | Deal with any enquiries from the cardholder. | JCB Co. and JCBI | data controller *1 | Contract for JCB proprietary card and franchised issuer card. Legitimate interest for third party issuer card. |
JCBITH | data controller | ||||
TH Personal Data pertaining to value added services for users of JCB Plaza Lounge including card number, name and other relevant information, information typically required for the reservation which may include the traveller's gender, passport number, and details of those accompanying the traveller | Visit or phone call to a JCB Plaza Lounge | Provide tailored travel and concierge services to JCB Cardholders. | JCB Co., JCBI and JCBITH | data controller | Legitimate Interests |
Develop new products and services for our business. | |||||
For marketing purposes. | |||||
Measure the effectiveness of advertisement, publicity and marketing. | |||||
Evaluate our products and services. | |||||
Brand-wide promotional and marketing activities data including card number, cardholder data (name, email address, phone number, etc.), transactional data (time, date, and amount), electronic identification data on access to websites (IP address). | Use of a JCB proprietary card, franchised issuer card and third party issuer card. Merchants and acquirers. Interaction with JCB websites, mobile applications, other online platform (such as Facebook). |
Provide promotional and marketing services. | JCB Co. and JCBI JCBITH |
data controller *1 data controller |
Contract for JCB proprietary card and franchised issuer card. Legitimate interests for third party issuer card. |
For marketing purposes. | |||||
Measure the effectiveness of advertisement, publicity, and marketing. | |||||
Improve the functions of our websites and mobile applications. | |||||
Notify you of changes on our site. | |||||
TH Personal Data pertaining to value added services for users of JCB Thailand Official Account including card number, name and other relevant information. | Use and register of JCB Thailand Official Account | For marketing purposes. | JCBI and JCBITH | data controller | Consent |
Data on dispute resolution including card number, cardholder data (name, email address, phone number, etc.), transactional data (time, date, and amount), merchant-related data (name and location), and sales slips. | Cardholder Use of a JCB proprietary card, franchised issuer card and third party issuer card. Franchised issuers, third party issuers, acquirers and merchants. |
Mediate or arbitrate disputes among JCB cardholders, issuers, acquirers or merchants for resolution. | JCB Co. and JCBI | data controller *1 | Contract for disputes with JCB proprietary card and franchised issuer cardholder. Legitimate interests for disputes with third party issuer cardholder. |
JCBITH | data controller | ||||
Business contact information encompassing corporate and TH Personal Data for issuer, acquirer, merchant, business partner, processor, etc. (name, address, phone number, email address). | Commercial dealings with third party issuers, acquirers, merchants, business partners and processors. | To affect and facilitate the commercial dealings with these third parties. | JCB Co., JCBI and JCBITH | data controller | Legitimate interests. |
Employment data pertaining to employees such as their name, address, date of birth, phone number, sex, and information on conduct in operations. | Job applications, notification by employee and interviews. | Carry out responsibilities of an employer and transfer data to subcontractor. | JCB Co., JCBI and JCBITH | data controller | Contract Or Consent |
Monitoring and/or protecting fraudulent transactions. | Use of a JCB proprietary card, franchised issuer card and third party issuer card, acquirers, risk based authentication solution providers and merchants Franchised issuers, third party issuers, acquirers and merchants. |
Monitor and/or protect fraudulent transactions. | JCB Co., JCBI and JCBITH | data controller | Legitimate interest of complying with laws and regulations that apply to us. or Legal obligations. |
Notify the findings to franchised issuer or third party issuers. | |||||
Authentication transaction data relating to identifying cardholders through J/Secure authentication service including purchase information (card number, date, time, currency, amount, cardholder' billing address, shipping address, cardholder's name, cardholder's email address and cardholder's phone number), merchant data (name and location) and cardholder's internet-connected device information (IP address, location data, OS type, OS language, device ID, SIM information, and hardware serial number) (collectively, ‘Attribute Information’)*2 | Use of a JCB proprietary card, franchised issuer card and third party issuer card. Merchants Cardholder's internet-connected devices. |
Monitor and prevent against fraudulent transactions for JCB proprietary cards and franchised issuer cards | JCB Co. | data controller | For JCB proprietary cards and franchised issuer cards : contract and legitimate interests of complying with laws and regulations that apply to us., though for example: Detection, investigation, assessment, monitoring and prevention of fraud and other crime; mitigation of financial and business risk; and/or compliance with anti-money laundering (AML), counter-terrorism financing (CTF), anti-bribery and corruption (ABC) and similar laws. |
Switch authentication request / response messages between third party issuers and merchants. | JCB Co. | data processor *1 | The legal basis of this category shall be determined by the data controller (merchant, acquirer, issuer, etc.). | ||
Allow the risk based authentication solution providers to calculate a risk score which may be used by third parties as part of the risk based authentication solution provider's service but only in pseudonymised form and in a way which the third party can never determine the identity of any data subject from TH Personal Data | JCB Co. | data controller *1 | For JCB proprietary cards and franchised issuer cards: contract. For the risk based authentication solution provider's use please see their data privacy notice. |
||
Location data and IP address *2 | Use of JCB websites and mobile applications. | To help users locate merchants and ATMs near them. | JCB Co. | data controller | Consent and contract for JCB proprietary card and franchised issuer card. Consent for third party issuer card. |
- *1
Where noted the JCB entity is of the specified position under the PDPA. Please note, however, that JCB entity may be acting as a data controller or a data processor under the data protection legislation other than PDPA in the same activity.
- *2
Where noted the processing of certain categories of TH Personal Data may not be subject to PDPA when the cardholder's internet-connected device is physically used in territories other than Thailand.
Please note that depending on the purpose for which we use your TH Personal Data, we may rely on more than one legal basis for processing. When we rely on legitimate interest, we do so because we have determined that this processing is required to be performed by us or a third party controller to ensure the safe and effective working of your JCB card and the settlement of transactions or it is in our legitimate business interest. In making this determination we have considered your rights under PDPA and balanced them against our legitimate interests. If you have any queries, you can contact us at the email address listed in section 12. Contact Us of this notice.
Generally we don't rely on your consent as a legal basis for processing other than in relation to sending direct marketing communications to you or collecting your location data through interaction with JCB websites and mobile applications. You have the right to withdraw your consent at any time (for more information on this see section 6(4) Right to stop your TH Personal Data being used for direct marketing purposes below).
We may use your TH Personal Data for purposes other than the ones listed above. Should this be the case, we will inform you of the purpose in accordance with applicable laws and regulations.
2. Recipients
In order to achieve our purposes set out in the table above, we may share your TH Personal Data with the following categories of recipients:
(1) franchised issuers;
(2) third party issuers;
(3) affinity partners;
(4) merchants;
(5) acquirers;
(6) service providers;
(7) risk based authentication solution providers; and
(8) public bodies.
We require all third parties who process TH Personal Data on our behalf to respect the security of your TH Personal Data and to treat it in accordance with their contractual or legal obligations.
We may need to share your TH Personal Data with more recipients than the ones listed above. Should this be the case, we will inform you of the change in accordance with applicable laws and regulations.
3. Automated decision making
Automated decision making takes place when our electronic systems process TH Personal Data to make a decision about you or your business without human intervention. We are allowed to use automated decision making in the following circumstances:
(1) authorising transactions; *3;
(2) authenticating transactions; *3;
(3) detecting suspicious transactions *4; and
(4) preventing and monitoring fraudulent transactions. *4.
- *3
For the JCB proprietary cards and franchised issuer cards only.
- *4
For the JCB proprietary cards, franchised issuer cards and third party issuer cards.
You will not be subject to decisions that will have a legal or significant impact on you based solely on automated processing, unless we have a lawful basis for doing so and we have notified you. For more information on your rights in connection with automated decision making, please see section 6(8) Right not to be subject to decisions based solely on automated processing below.
4. If you fail to provide TH Personal Data
Where we need to collect TH Personal Data by law, or under the terms of a contract we have with you and you fail to provide the data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with card services). If that is the case, we may have to cancel a product or service you have with us.
5. International Transfer of TH Personal Data
JCB Co., Ltd. is a Japanese corporation, and in order to provide you with our services we will process data in Japan. Transferring TH Personal Data to Japan is necessary for the purposes of use set out in sections 1 and 2 above. You should be aware that data protection law in Japan may differ from the data protection law applicable to you in Thailand. However, we have adequate safeguards in place based on valid legal grounds. We will transfer your personal data to a recipient outside of Thailand only where it is permitted by PDPA or other applicable laws.
If your JCB Card has been issued by a third party issuer, and you use your JCB card at merchants in Thailand, it is necessary for JCB Co. and JCBI to transfer your TH Personal Data to the relevant third party issuer in order to authenticate, authorise or settle your card transaction. Such third party issuer may be located in a country with different data protection standards. Please note that you can object to this transfer, at any time, by contacting us at the contact details set out at Section 12 below but this will limit your further use of the JCB Card in certain circumstances but not affect your obligations to us and the third party issuer.
If your JCB Card has been issued by JCB Co. or franchised issuers, and you use your JCB card at merchants in Thailand, which use the J/Secure authentication service, it is necessary for JCB Co. and franchised issuers to transfer your Attribute Information to risk based authentication solution providers in order to obtain the identity assurance rating which are used to prevent you from fraudulent transactions. Such risk based authentication solution providers may be located in a country with different data protection standards. Please note that you can object to this transfer, at any time, by contacting us at the contact details set out at Section 12 below but this will limit your further use of the JCB Card in certain circumstances.
6. Your rights in relation to TH Personal Data
You have the following rights regarding your TH Personal Data that we hold as a data controller:
(1) Right of access
You can request details of your TH Personal Data that we hold. We will confirm whether we are processing your TH Personal Data and we will disclose supplementary information including the categories of data, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, and the safeguards regarding data transfers to other countries, subject to the limitations set out in applicable laws and regulations. We will provide you free of charge with a copy of your TH Personal Data, but we may charge you a fee to cover our administrative costs if you request further copies of the same information.
We will decline your request for access if (i) it is a rejection under law or a court order or (ii) that request will create an impact which causes damage to rights and liberties of other persons.
(2) Right of correction
We will comply with your request to correct incomplete or inaccurate parts of your TH Personal Data, although we may need to verify the accuracy of the new information you provide us.
(3) Right to be forgotten
At your request, we will delete or pseudonymise your TH Personal Data promptly if:
- ・
it is no longer necessary to retain your TH Personal Data;
- ・
you withdraw the consent which formed the basis of your TH Personal Data processing;
- ・
you object to the processing of your TH Personal Data and there are no overriding legitimate grounds for such processing, or it is an objection relating to the direct marketing; or
- ・
the TH Personal Data was processed illegally.
We will decline your request for deletion if processing of your TH Personal Data is necessary:
- ・
to enjoy the liberty in giving opinions;
- ・
to comply with our legal obligations;
- ・
in pursuit of a legal action;
- ・
to detect, predict and monitor fraud; or
- ・
for the performance of a task in the public interest.
(4) Right to stop your TH Personal Data being used for direct marketing purposes.
At your request, we will stop using your TH Personal Data for the purpose of direct marketing. If you want to stop us from calling, emailing you in connection with marketing communications, please email us at the email address listed in section 12. Contact Us of this notice.
Please note that even if we stop all marketing communications, you may still receive administrative communications from us.
(5) Right to restrict processing of your TH Personal Data
At your request, we will limit the processing of your TH Personal Data if:
- ・
you dispute the accuracy of your TH Personal Data;
- ・
your TH Personal Data was processed unlawfully and you request a limitation on processing, rather than the deletion of your TH Personal Data;
- ・
we no longer need to process your TH Personal Data, but you require your TH Personal Data in connection with a legal claim; or
- ・
you object to the processing pending verification as to whether an overriding legitimate ground for such processing exists.
We may continue to store your TH Personal Data to the extent required to ensure that your request to limit the processing is respected in the future.
(6) Right to data portability
At your request, we will provide you free of charge with your TH Personal Data in a structured, commonly used and machine readable format, if:
- ・
you provided us with TH Personal Data;
- ・
the processing of your TH Personal Data is based on your consent or required for the performance of a contract; or
- ・
the processing is carried out by automated means.
Your request may not be exercised against the transmission or transfer of personal data by us, which is the performance of duties in the public interest or the performance of duties under law; or the exercise of such rights shall not infringe the rights or liberties of other persons.
(7) Right to object
Where we process your TH Personal Data based upon our legitimate interest (or that of a third party), you have the right to object to this processing on grounds relating to your particular situation if you feel it impacts on your fundamental rights and freedoms. We will comply with your request only in any of the following events:
- ・
In case where your TH Personal Data was collected by us for the purpose of (a) public interest, (b) our compliance with a governmental order or (c) any legitimate interest of us or other legal entity; except, we have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defense of legal claims;
- ・
In case where we have processed your TH Personal Data for the purpose of direct marketing; and
- ・
In case where we have processed your TH Personal Data for any research purposes as specified in relevant laws, including for statistical purpose.
(8) Right not to be subject to decisions based solely on automated processing
You will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of your TH Personal Data, unless you have given us your explicit consent or where they are necessary for a contract with us.
(9) Right to withdraw consent
You have the right to withdraw any consent you may have previously given us at any time.
(10) Right to complain to a supervisory authority
If you are not satisfied with our response, you have the right to complain to or seek advice from a supervisory authority appointed by the Thai Personal Data Protection Commission and/or bring a claim against us in any court of competent jurisdiction.
If you wish to contact us in connection with the exercise of your rights listed above, please email us at the email address listed in section 12. Contact Us of this notice. We will respond to your written request as soon as possible and no later than thirty (30) days from receiving it.
Unless stated otherwise, we will not charge you any fee in connection with the exercise of your rights. In so far as it is practicable, we will notify the recipients of your TH Personal Data of any correction, deletion, and/or limitation on processing of your TH Personal Data.
Please note that if you decide to exercise your rights under sub-sections (3), (4), (5), (6), (7), (8) and (9), depending on our response, you may not be able to take full advantage of all of our benefits and services from that point on.
7. Retention Period
We will keep your TH Personal Data on file for as long as is necessary to achieve our purposes listed in the table in section 1 Collection, use and legal basis of TH Personal Data above.
We only keep TH Personal Data as permitted by law applicable to us, which is typically for a maximum period of 10 years or otherwise longer if it is specifically provided by law
Please note, JCB is subject to a number of applicable laws and regulations globally which may require TH Personal Data to be kept for longer periods such as in relation to tax filings, government investigations, the investigation of fraud and transaction monitoring and litigation and dispute resolution in accordance with our data retention policy. Your data will be kept securely. If you have any queries about how and for how long your TH Personal Data is kept, you may contact us at the email address listed in section 12. Contact Us of this notice.
8. Security
We have a management system to correct and prevent unauthorized access, loss, destruction, falsification, and leakage of TH Personal Data, as well as the appropriate technical and organizational measures to address such risks, as further detailed below. The goal of these measures is to maintain our data protection standards and to ensure we have the necessary safeguards for the processing of TH Personal Data.
- (1)
We limit access to TH Personal Data to authorised executives and employees only.
- (2)
We limit our collection and use of TH Personal Data to the extent necessary for providing our services and managing operations.
- (3)
If we outsource the processing of TH Personal Data to third parties, we base our selection on said third parties having adequate safeguards in place that meet our TH Personal Data protection standards, and we regularly audit their compliance with applicable data protection policies, laws and regulations.
- (4)
We strive to manage TH Personal Data accurately and efficiently.
- (5)
We pseudonymise and encrypt TH Personal Data where necessary.
- (6)
We strive to ensure our system and service's confidentiality, integrity, availability, and recoverability.
- (7)
We have systems in place to ensure we can restore the availability and access to TH Personal Data in a timely manner in the event of a physical or technical incident.
- (8)
We periodically inspect, assess, and evaluate the effectiveness of our technical and organizational measures to ensure the security of our processing.
9. Accountability
We are responsible for all the safeguards implemented in relation to the processing of TH Personal Data, and we maintain an electronic record of all processing activities of our TH Personal Data.
10. Updates
This TH Privacy Notice may be updated to reflect changes to our TH Personal Data processing policy. In the event there is material change to this Privacy Notice we will inform you via our website.
11. Glossary
Some of the words in this Privacy Notice have the meanings set out below:
- ・
acquirers: these are financial institutions or other parties that contract with merchants for JCB card transactions;
- ・
affinity partners: third parties that are authorised to offer co-branded JCB Cards;
- ・
consent: when you have explicitly given us your consent for processing of your TH Personal Data;
- ・
contract: to allow us to perform our contract with you;
- ・
franchised issuers: these are companies who can issue JCB branded cards jointly with us in Japan;
- ・
J/Secure authentication service: JCB's authentication program to verify the authenticity of a cardholder that enables the secure processing of payment card transactions in the remote environment;
- ・
legitimate interest: where it is necessary for our legitimate interests or those of a third party, and your interests and fundamental rights do not outweigh those interests;
- ・
legal obligation: where we need to comply with a legal obligation (for example compliance with anti-money laundering and fraud laws or compliance with a court order);
- ・
merchants: these are merchants where JCB cards are transacted.
- ・
public bodies: they refer to supervisory authorities, government agencies and public entities that deal with TH Personal Data. We may provide your TH Personal Data to public bodies to comply with our legal and regulatory duties;
- ・
service providers: we may engage service providers including financial institutions that issue cards, financial institutions that acquire merchants and process card transactions, subcontractors for card transactions and provision of services and service providers that facilitate card transactions and monitor unauthorized card access. These third parties may come to access or otherwise process your personal data in the course of providing these services and may not process your TH Personal Data unless there are adequate legal reasons for them to do so. All third party service providers and subcontractors are required by contract to comply with all relevant data protection laws and security requirements in relation to your TH Personal Data;
- ・
risk based authentication solution provider: we may engage specialist service providers that assist us in authenticating cardholders and transactions by analyzing transaction data and related information from a wide range of sources; and
- ・
third party issuers: these are companies who can independently issue by license JCB branded cards.
12. Contact Us
If you have any questions or opinions regarding this Privacy Notice, or if you have a request regarding information you provided us, you may either email us or send us a letter to the address below:
JCB Co., Ltd. | Aoyama Rise Square 5-1-22 Minami Aoyama, Minato-ku, Tokyo 107-8686, Japan | JCB Co., Ltd. jcb-eudataprotection@info.jcb.co.jp |
JCB International Co., Ltd. | Aoyama Rise Square 5-1-22 Minami Aoyama, Minato-ku, Tokyo 107-8686, Japan | JCB International Co., Ltd. jcbinter-eudataprotection@info.jcb.co.jp |
JCB International (Thailand) Co., Ltd. | 500 Amarin Plaza, 9th Floor, Room no. 3, Phloen Chit Rd., Lumphini, Pathum Wan, Bangkok 10310 | JCB International (Thailand) pdpa@jcb.co.th |
In addition, our Data Protection Officer may be contacted at dpo@jcb.co.th.
Last updated: 1 June 2022