Privacy Notice
WSOL Public Company Limited
WSOL Public Company Limited and its affiliated companies listed at the end of this Notice, as may be amended from time to time (collectively referred to as the “Company”), recognize the importance of personal data protection and data security.
This Privacy Notice is issued to inform customers of the Company’s policies regarding the collection, use, disclosure, and transfer of personal data, including the rights of data subjects or customers (“you”). The Company will process personal data in accordance with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) and other applicable data protection laws.
1. Persons covered by this Notice
1.1 Individual Customers
Individual customers of the Company, including persons who use or have used the Company’s services, contact the Company, or have a legal relationship with the Company through any service channels made available by the Company, whether directly or indirectly such as applications or digital channels.
1.2 Corporate Customers and Related Persons
Corporate customers and related persons, including directors, shareholders, guarantors, beneficial owners, agents, or lawful representatives of past and present corporate customers, or any person acting on behalf of a corporate customer.
2. Categories of Personal Data Collected, Used, or Disclosed
The Company collects, uses, or discloses your personal data under the terms and conditions of the services for which you have applied, previously applied, or expressed an intention to use. This includes data automatically collected through the Company’s websites, applications, or information technology systems. Such data may include the following categories:
2.1 General Information : such as full name, national identification number or passport number, date of birth, gender, nationality, photographs, images of identification cards, information contained on identification cards, and signatures.
2.2 Contact Information : such as address, telephone number, email address, Line ID, or other contact channels.
2.3 Account and Financial Information : such as bank account number, account name, transaction history, payment information, and transaction reference numbers.
2.4 Technical and Security Data : such as IP address, device ID, system access logs, transaction usage behavior, and cookie data.
2.5 Sensitive Personal Data (Collected Only When Necessary) : such as health data, biometric data (e.g., facial recognition or fingerprints), or criminal record information.
The Company will process sensitive personal data only upon obtaining your explicit consent or where permitted by law, including cases where the data is lawfully obtained from government authorities, such as criminal record checks for legal compliance, prevention or establishment of legal claims, or for substantial public interest as prescribed by law.
In such cases, the Company will implement strict and appropriate security measures proportionate to the risks associated with such data.
2.6 Personal Data of Minors, Incompetent, or Quasi-Incompetent Persons
The Company will process personal data of minors, incompetent persons, or quasi-incompetent persons only upon obtaining explicit consent from a parent, legal guardian, or custodian, or where consent is provided by a minor legally capable of giving consent independently upon reaching the age of majority, or where exemptions apply as permitted by law.
3. Sources of Personal Data
The Company may obtain personal data directly from you or from other sources, including government agencies, regulatory authorities, financial institutions, credit bureaus, external service providers, referees, related counterparties, public sources, and/or automatically through the Company’s information technology systems, websites, applications, or devices.
The Company will process such data in accordance with the Personal Data Protection Act and other applicable laws.
4. Purposes of Collecting, Using, and/or Disclosing Personal Data
As WSOL Public Company Limited and Prompt Capital Co., Ltd., including affiliated companies, are regulated by the Bank of Thailand and subject to applicable laws, the Company is required to collect, use, disclose, and process personal data only to the extent necessary for the purposes notified to you and as permitted under the Personal Data Protection Act and other relevant laws, as follows:
4.1 Legal Obligation
The Company is required to process your personal data to comply with legal obligations without obtaining your consent. Such obligations include, but are not limited to, compliance with data protection laws, labor laws, anti-money laundering laws, and other applicable laws in Thailand and abroad, court orders, or lawful orders of competent authorities.
Examples include identity verification, Know Your Customer (KYC), Customer Due Diligence (CDD), suspicious transaction monitoring, regulatory reporting, and data retention as required by law.
4.2 Contractual Basis
The Company will process your personal data to take steps at your request prior to entering into a contract and/or after approval for you to use the Company’s services through available service channels. This includes identity verification, processing transactions, carrying out your instructions (such as bill payments), responding to inquiries or suggestions, handling complaints, and recording images, audio, and/or similar activities for convenience, service efficiency, and/or as evidence of transactions conducted under your instructions.
In addition, under contracts you have entered into with the Company, the Company may send transaction alerts and service notifications, monitor or record transactions, prepare reports, collect outstanding debts, and enforce the Company’s legal or contractual rights.
In the event of a sale or transfer of rights, assets, receivables, debts, or business, restructuring, rehabilitation, or similar circumstances, the Company may disclose and/or transfer your data to external parties who are transferees or involved in such transactions.
If the Company is unable to process your personal data, it may be unable to provide services or perform contractual obligations.
4.3 Legitimate Interests
The Company collects, uses, or discloses your personal data based on the legitimate interests of the Company or third parties, provided that such processing is within your reasonable expectations and does not override your fundamental rights and freedoms.
Examples include fraud prevention, system security, CCTV recording (with clear signage in monitored areas) for safety, risk management, and service improvement.
Prior to processing under this legal basis, the Company will conduct a Legitimate Interest Assessment (LIA) to evaluate the impact on data subjects’ rights.
4.4 Consent-Based Marketing and Commercial Communications
The Company collects, uses, or discloses your personal data based on your consent for marketing and commercial communication purposes, such as sending information about products or services, offering promotions or privileges, conducting satisfaction surveys, and analyzing behavior to provide products or services tailored to your needs.
You have the right to withdraw your consent at any time through the channels specified in this Notice. The Company will ensure that withdrawing consent is simple, convenient, and no more difficult than providing consent.
Withdrawal of consent will not affect the lawfulness of processing carried out prior to the withdrawal, unless further consent is obtained or another legal basis applies.
5. Disclosure of Personal Data
The Company may disclose your personal data, to the extent necessary and in accordance with the stated purposes and applicable legal bases, to the following persons or entities:
- Government authorities or regulators with legal authority, such as courts or financial regulatory authorities
- Financial institutions
- Business partners or parties involved in providing services to you
- Affiliated or group companies for internal business administration
- External service providers acting as data processors, such as IT system providers, cloud service providers, data centers, auditors, legal advisors, or parties involved in business transfers or restructuring
The Company will require recipients to maintain confidentiality and implement appropriate security measures in accordance with applicable laws. Where recipients act as data processors, the Company will enter into a Data Processing Agreement (DPA) to ensure processing is carried out only under the Company’s instructions.
Where group companies jointly determine the purposes and means of processing, they may act as joint controllers, with responsibilities allocated in writing. All disclosures will be made on a need-to-know basis and in accordance with the stated purposes, unless otherwise required by law.
6. Cross-Border Transfer of Personal Data
The Company may transfer, disclose, or transmit personal data to foreign countries where necessary, such as when using cloud services or IT systems located abroad, conducting international transactions, or transferring data within the Company’s international group.
In such cases, the Company will comply with the Personal Data Protection Act by ensuring that personal data is transferred to countries or international organizations with adequate data protection standards as prescribed by the Personal Data Protection Committee, or by implementing appropriate safeguards, such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), Other legally recognized safeguards
Where such measures cannot be implemented, the Company may rely on legal exceptions, such as transfers necessary for the performance of a contract between you and the Company, compliance with legal obligations, protection of life, body, or health, or where explicit consent has been obtained.
7. Data Subject Rights
You have the following rights under the Personal Data Protection Act (PDPA):
- The right to access and obtain a copy of your personal data
- The right to request correction of inaccurate personal data
- The right to request erasure or destruction of personal data
- The right to request restriction of processing
- The right to object to processing
- The right to data portability
- The right to withdraw consent, whereby such withdrawal shall not affect the lawfulness of processing carried out prior to the withdrawal
- The right to lodge a complaint with the Personal Data Protection Committee
The Company may refuse a request to exercise these rights where permitted by law, where the request may adversely affect the rights of others, or where legal exemptions apply.
8. Data Retention Period
The Company will retain personal data only for as long as necessary to fulfill the purposes of processing and in accordance with legally prescribed retention periods. For example, financial and accounting transaction data may be retained for 10 years from the termination of the relationship.
Upon expiration of the retention period, the Company will delete, destroy, or anonymize the data so that it can no longer identify an individual, unless retention is required due to disputes, legal claims, or applicable laws requiring longer retention.
9. Security Measures
The Company implements appropriate technical and organizational security measures to protect personal data against loss, unauthorized access, use, alteration, correction, or disclosure. Such measures include, but are not limited to Data encryption, Role-based access control, Log management and monitoring, Regular security testing and assessments, Policies and employee training on personal data protection.
The Company conducts periodic privacy risk assessments to ensure that the measures remain appropriate to the nature, volume, and risks of the data processed. The Company also maintains a Personal Data Breach Response Plan and incident management procedures, including periodic reviews of access rights.
10. Consequences of Failure to Provide Personal Data
If you fail to provide personal data necessary for the Company’s operations, the Company may be unable to consider your service request, enter into a contract, or provide services to you as normal. Where such data is legally required, the Company may be unable to proceed with the transaction.
11. Personal Data Breach Notification
In the event of a personal data breach, the Company will notify the Personal Data Protection Committee within 72 hours of becoming aware of the breach. The Company will also notify affected data subjects if the breach is likely to result in a high risk to their rights and freedoms.
12. Amendments to the Notice
The Company may review, update, or amend this Notice from time to time to ensure compliance with applicable laws and practices. Any updated version will be published on the Company’s website and shall become effective from the date of publication.
13. Use of Cookies
The Company may collect, use, and process cookies and/or similar technologies when you access, register for, or use the Company’s services through channels such as websites or applications.
14. Contact Information
If you have any suggestions, inquiries, or wish to exercise your rights under data protection laws, you may contact:
Data Protection Officer (DPO)
WSOL Public Company Limited
Address: 238 Bang Khun Thian–Chai Thale Road, Samae Dam, Bang Khun Thian, Bangkok 10150
Tel: 02-009-0500
Email: dpo@wsol.co.th
Rights request channel: https://www.wsol.co.th/pdpa-request
The Company will respond within 30 days or as required by law.
Last Updated: 24 February 2026
Effective Date: 26 February 2026