Privacy Notice

SCB DataX Company Limited


We, SCB DataX Company Limited ("DataX", "we", "our", or "us") care about your privacy. Thus, we provide this privacy notice to inform you about the collection, use and disclosure of your personal data in accordance with the Personal Data Protection Act B.E. 2562 (“PDPA”). This privacy notice describes how we collect, use and/or disclose your personal data, what and why we collect, use or disclose your personal data, how long we hold it, who we disclose it to, your rights, what steps we will take to make sure your personal data stays private and secure, and how you can contact us.


There are also statutory requirements and other contractual requirements we have to comply with in relation to our relationship with you. If we are not able to carry out the processing activities described in this privacy notice because of your failure to provide certain personal data, we may not be able to enter into or comply with crucial aspects of contractual performance or agreements we have with you or a legal entity associated with you, or it may impact our compliance with applicable legal obligations.

This privacy notice applies to:


  1. individual customers;

  2. authorized persons, directors, shareholders, employees, personnel, persons authorized to foster business relationships, and any other persons with the same status, including the contact persons of corporate clients and attorney-in-fact ("Related Parties");

  3. other persons, e.g., website users, visitors, participants in company events, any individual involved in incidents that occurred, government officials.

This privacy notice will also apply to other persons who are related to the aforementioned persons and whose personal data is received by us from the aforementioned persons (hereinafter referred to as the "customer", "you" or "your").

1. How we collect, use, or disclose your personal data


We only collect, use or disclose your personal data where it is necessary or there is a lawful legal basis for collecting, using or disclosing it. Except in limited instances where we indicate that certain information is processed based on your consent, we collect, use, and/or disclose your personal data on the legal basis of (1) contractual basis, for performance of activity in relation to our relationship with you; (2) legal obligation, for fulfilment of our legal obligations; (3) legitimate interest, for the purpose of our legitimate interests and the legitimate interests of third parties, proportionate to your interest and fundamental rights and freedoms to the protection of your personal data; (4) vital interest, for the prevention or suppression of danger to a person's life, body, or health; (5) public interest, for the performance of a task carried out in the public interest or for the exercise of official authority duties; and/or (6) the establishment and defense of legal claims in the future.

1.1 The purposes on which we rely on your explicit consent.

We may collect, use, and disclose the following personal data based on your explicit consent for the following purposes, if we cannot rely on other appropriate legal basis:

  • Sensitive personal data

    • Religion and/or Race (from the official documents), in which religion and/or race data may appear in the official documents and we may process your official documents for identification and authentication purposes.

  • Marketing activities, we may process your personal data such as name, surname, personal information, contact details, and other necessary information for provision of marketing communications from DataX or its affiliated companies, for which we cannot rely on other legal bases.

Where the legal basis is consent, you have the right to withdraw consent at any time. This can be done by contacting us through the channels specified in "How to contact us". The withdrawal of consent will not affect the lawfulness of the collection, use and disclosure of your personal data and sensitive personal data based on your consent before it was withdrawn. You are well aware that if you withdraw your consent for the collection, use and disclosure of personal data for purposes set out above, we may not be able to perform certain contractual obligations we have with you, or to pursue certain actions per your request.

1.2 The purposes on which we rely on other legal bases.

We may collect, use, and disclose your personal data for the following purposes:


  1. Identity proofing and authentication;

  2. Communications and marketing, including:

a. Communications and announcements of news, seminars, events, exhibitions, and other activities;

b. Communication and cooperation with customers, including their contact persons and stakeholders;

c. Preparation of marketing materials;

d. Preparation of marketing, product and service plans;

e. Developing our public relation and policy strategies;

f. Improving product marketing performance;

   3. Provision of seminars, trainings, tests, events, exhibitions and other activities, including:

a. Communication with event attendees, speakers, and service providers;

b. Delivery of souvenirs and awards;

c. Preparing lists of attendees;

d. Collecting and assessing feedback, and conducting survey;

e. Increasing the awareness of data protection;

   4. Record management, including retaining as legal evidence and for future reference;

   5. Provision and management of services and products, including:  

a. Planning, overseeing, carrying out, managing, and monitoring projects according to targets set;

b. Budget and resource allocation for each project;

c. Performing according to instructions;

d. Developing our products and services;

e. Developing, installing and delivering products as instructed;

f.  Setting prices and payment collection process;

g. Delivery of products;

h. Enhancing and analyzing data according to instructions;

i. Cooperating and working to resolve technical difficulties and delivering data-related products;

j. Overseeing the development and testing of products;

k. Setting and overseeing terms regarding levels of customer services;

   6. Entering into contracts and conducting transactions, including:

a. Conducting risk assessment before entering into contracts and conducting transactions;

b. Preparing, reviewing, revising and negotiating contracts before executing contracts;

   7. Risk management, including:

a. Designing, monitoring and developing risk management policies, procedures or reports;

b. Developing and implementing systems, measures or tools for risk management or assessment;

c. Assessing, monitoring, overseeing, and solving problems when risks occur, including risks from data breach or cybersecurity breach;

   8. Business management and development, including:

a. Handling complaints and cooperating to address the issues;

b. Communication and cooperation;

c. Studying market forces and customer requirements so as to improve our business concepts and ideas;

d. Overseeing the management of concepts, implementation, strategies and guidelines of products and work plans;

e. Designing and developing internal systems;

f.  Developing dashboard reports, insights, analytics, and internal tools;

g. Internal and external report preparation;

h. Analyzing and enhancing business operation according to the needs and requirements of business;

i.  Researching and developing tools or ways to support data science;

j.  Monitoring and reviewing the progress and studies relating to business operation;

k. Operating our business;

l.  Performing according to suggestions from systems' owners;

m. Managing technology resources;

n. Improving database performance;

o. Preserving tools and providing information services;

p. Developing and improving software and applications;

q. Procuring and preserving technology assets;

r. Analyzing and developing technical and business processes;

s. Setting guidelines on data development and conversion, as well as improving database performance;

t. Business development;

u. Market research;

v. Providing advice on legal issues;

w. Maintenance of security and safety;

   9. Financial and accounting, including:

a. Financial planning and financial management;

b. Recording and reporting our financial transactions;

c. Setting budgets;

d. Planning and developing our financial policies;

e. Implementing financial control;

f.  Financial close process, including preparing disbursement documents and account records;

g. Preparing relevant documents;

h. Performing duties according to rules, including filing of tax returns, financial statements, and other relevant documents to government agencies or other relevant agencies;

  10. Conducting audits, including:

a. Preparing, reviewing, analyzing and reporting audit plans;

b. Improving internal control;

  11. Compliance, data protection and data security, including:

a. Ensuring that our business operation, policies, strategies, work plans, and systems are carried out in compliance with relevant standards, policies, regulations, and laws;

b. Receiving complaints and conducting legal actions;

c. Designing and managing security architecture;

d. Developing and implementing systems / tools for cybersecurity, including measures to oversee the security of information;

e. Monitoring and developing policies / procedures for information security;

f. Investigating and responding to data breach;

g. Advising and managing data-related complaints;

  12. Provision of access to building and controlled premise;

  13. Protection of your vital interests or that of another individual;

  14. Business organization such as merger, sale, purchase, joint venture, assignment, transfer or other disposition of our business, assets, or stock, or rehabilitation, capital venture, or any similar transaction, we may disclose your personal data to our assignee(s) of rights as part of such transactions.

2. What personal data we collect, use, or disclose


The type of personal data which we collect, use, and/or disclose may vary depending on the objectives, necessities, and the relationship between you and us. The type of personal data shall include but not be limited to:


3. Sources of your personal data

Normally, we will collect your personal data directly from you, but sometimes we may get it from other sources.

Personal data we collect from other sources may include but is not limited to:

a. Data obtained by us from companies in SCBX Group;


b. Data obtained by us from business partners (e.g., production company, legal counsel), third-party service providers (e.g., data service providers) and/or any other persons with whom we have a relationship;


c. Data obtained from publicly available sources (e.g., website of the Department of Business Development, Ministry of Commerce);


d. Data obtained by us from governmental authorities, regulatory authorities (e.g., the Department of Business Development, Ministry of Commerce, the Revenue Department);


e. Information you have asked us to collect for you.

4. Your rights

The PDPA aims to give you more control of your personal data. You can exercise your rights under the PDPA, details as specified below, through the channels prescribed by us:

4.1 Right to access and obtain copy


You have the right to access and obtain a copy of your personal data held by us, unless we are entitled to reject your request under the laws or court orders, and if such request will adversely affect the rights and freedoms of other individuals.

4.2 Right to rectification


You have the right to rectify your inaccurate personal data and to update your incomplete personal data.

4.3 Right to erasure


You have the right to request us to delete, destroy or anonymize your personal data, unless there are certain circumstances where we have the legal grounds to reject your request.

4.4 Right to restrict


You have the right to request us to restrict the use of your personal data under certain circumstances (e.g. when we are pending examination process in accordance with your request to rectify your personal data or to object to the collection, use or disclosure of your personal data, or you request to restrict the use of personal data instead of the deletion or destruction of personal data which is no longer necessary as you have necessity to retain it for the purposes of establishment, compliance, exercise or defense of legal claims).

4.5 Right to object


You have the right to object to the collection, use or disclosure of your personal data in case we proceed with legitimate interests basis or for the purpose of direct marketing, or for the purpose of scientific, historical or statistical research, unless we have legitimate grounds to reject your request (e.g. we have compelling legitimate ground to collect, use or disclose your personal data, or the collection, use or disclosure of your personal data is carried out for the establishment, compliance, or exercise of legal claims, or for the reason of our public interests).

4.6 Right to data portability


You have the right to receive your personal data in case we can arrange such personal data to be in the format which is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means. Also, you have the right to request us to send or transfer your personal data to third party, or to receive your personal data which we sent or transferred to third party, unless it is impossible to do so because of the technical circumstances, or we are entitled to legally reject your request.

4.7 Right to withdraw consent


For the purposes for which you have provided your consent to us to collect, use, and/or disclose personal data, in certain cases you may have the right to withdraw your consent at any time pursuant to the methods and means prescribed by us. The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of your personal data based on your consent before it was withdrawn.

4.8 Right to lodge a complaint


You have the right to make a complaint to the Personal Data Protection Committee or their office in the event that we do not comply with the PDPA.

5. How we share your personal data

We may disclose your personal data to the following parties:

a. Group company: companies within SCBX Group (including its shared services). You acknowledge to further review relevant privacy policies of companies within SCBX Group (including its shared services) where applicable.

b. Business partners and service providers: business partners, service providers, suppliers, agents and other entities where the disclosure of your personal data has a specific purpose and under lawful basis, as well as appropriate security measures. The said service providers shall include, but not be limited to, production companies, advertising service providers, consultants, auditors, legal counsel, banks and financial institutions, and/or information technology service providers. You acknowledge that each service provider may have its own privacy notice that governs the processing of their data. In the event that the service provider is acting in a capacity of a data processor, we will have in place an appropriate data processing agreement to limit their scope of processing and responsibilities pursuant to the laws.

c. Governmental authorities: governmental authorities and/or supervisory or regulatory authorities, which shall include, but not be limited to, Revenue Department, Bank of Thailand and Thailand Board of Investment (BOI).

d. Others: any persons whom we are required or permitted by laws, regulations, or orders to share personal data, your attorney, sub-attorney, authorized persons or legal representatives who have lawfully authorized power, persons or juristic persons you requested us to disclose your personal data to, the exercise of rights to inspect records from CCTV, the general public, and/or other public disclosures.

e. Assignee of rights and/or duties: we may undergo business reorganization, to which we may be required to disclose your personal data to the assignee(s) of rights and/or duties.

6. International transfer of personal data


In cases where it is necessary for DataX to transfer your personal data internationally (e.g. to SaaS, ICT or cloud service providers for purposes regarding our business operation, data storage and identity proofing and authentication system, business partners / vendors / suppliers for business development and developing our alerting system, to companies within SCBX Group abroad for internal communication and cooperation, or other external data recipients as instructed), which may be located outside of Thailand (such as Singapore), we will ensure that your personal data is securely transferred and that the receiving parties have in place an appropriate level of data protection standard or other derogations as allowed by the PDPA, and we will take steps to ensure that there is no unauthorized or unlawful processing of your personal data.


We will request your consent where consent to cross-border transfer is required by law, including the case where you are informed of the inadequate personal data protection standards of the destination country.

7. Retention period of personal data


We will keep your personal data for as long as you still have a relationship with us for the purposes specified in this privacy notice. We may continue to keep your personal data if it is necessary for any other lawful grounds or as allowed by applicable laws or there is a dispute.


The period we keep your personal data may be linked to the prescription period or the period under the relevant laws and regulations.

8. Information about third parties

If you provide us with personal data about third parties (e.g., information about Related Parties, persons relating to data breach / cybersecurity breach) for the purposes set forth in the privacy notice, it is your responsibility to inform them of this privacy notice and their rights herein as applicable to them. You are also responsible for obtaining any required consent of these persons, and ensuring that you have the right to provide their personal data to us so we could legally collect, use and/or disclose their personal data for the purposes set forth in this privacy notice.   

9. Minors, incompetent person, or quasi-incompetent person


In some cases, as required by the applicable law, we cannot collect, use or disclose the personal data of a minor, incompetent person, or quasi-incompetent person without the consent of the person with parental authority, guardian, or curator. As such, if you are under the age of 20 and have not yet become sui juris, an incompetent person, or a quasi-incompetent person, you must ensure that you have obtained consent from parents, guardian, or curator (in the case where consent is required). In the case where we unintentionally collect personal data of a person who is under the age of 20 and has not yet become sui juris, an incompetent person, or quasi-incompetent person, without consent from the parent, guardian, or curator (as the case may be), we will delete that personal data without delay, or will collect, use and/or disclose such personal data only if we can rely on legal bases other than consent, or as permitted by law only.

10. Security Measures

We use systems, policies, and measures to protect your personal data from access to, use, alteration, modification, or disclosure of personal data unlawfully or without authorization and pursuant to the requirements under the applicable laws. Such measures include limiting access to appropriate personnel who have a legitimate business need to access personal data.

11. Use of Cookies

We may collect and use cookies and similar technologies when you use our products and/or services or visit our website.

The collection of such cookies and similar technologies helps us recognise you, remember your preferences and customise how we provide our products and/or services to you. We may use cookies for a number of purposes (e.g. enabling and operating basic functions, helping us understand how you interact with our websites or emails, or enabling us to improve your online experiences or our communications with you, particularly, to ensure that online adverts displayed to you will be more relevant to you and your interests). For details, please see the Cookie Notice.

12. How to contact us


If you have any questions or would like more details about our privacy notice, please contact us through the following channels:


SCB DataX Company Limited
No.18 SCB Park Plaza West B, 7 Floor,

Rutchadapisek Road, Chatuchak, Bangkok 10900 Thailand

Tel.: 027951636


SCB DataX Data Protection Officer


13. Changes to this privacy notice


We may change or update this privacy notice from time to time and we will upload such updated privacy notice at

Version March 2024