Personal Data Protection Policy for Employee, Trainee and Candidate

Thaire Life Assurance Public Company Limited recognizes the importance of the right to privacy and the right to personal data, which are construed as fundamental human rights that shall be protected and respected. The Company therefore establishes this Personal Data Protection Policy to guide compliance with the Personal Data Protection Act B.E. 2562, to protect the privacy rights of the Data Subject, and to give notice of the details of the processing of personal data as required by law. The details are as follows:

1. Definition
 
Company, We: Thaire Life Assurance Public Company Limited
PDPA: Personal Data Protection Act B.E. 2562
Personal Data: Any data which, directly or indirectly, identifies an individual, not including the data of the deceased.
Data Subject: Any natural person whose Personal Data is processed.
Process: Any processing of Personal Data
 
2. Personal Data Collected by the Company

The Company collects the Personal Data of the Data Subject, which might include the Personal Data of an employee, trainee or job candidate. The Company may acquire the Personal Data directly from the Data Subject or from a recruitment agency. The categories of Personal Data collected are as follows:
  • Personal identification data i.e. first name, last name, identification/passport number, date of birth, age, occupation, gender, marital status, signature, educational background, photograph.
  • Contact data i.e. telephone number, address, E-mail, IP address, social media
  • Financial data i.e. salary, income tax, provident fund, bank account, loan
  • Activity attendance data i.e. video recording, voice recording, survey
  • Other Personal Data i.e. Personal Data of spouse, child and family member, work experience, driving license, military exemption, attendance list, complaint, disciplinary examination or penalty, reference person.
The Company might also have to collect the following Personal Data:
  • Health data i.e. weight, height, annual health check-up result, medical condition, blood type, allergy history, doctor’s certification, treatment and medicine history, medical treatment receipt. The purpose of collecting this sensitive data is to properly manage medical welfare and to evaluate working capacity.
  • Biometric data i.e. fingerprint, facial recognition.
  • Criminal record and AML designated person record.
The Company shall process sensitive data on the basis of consent from the Data Subject. The Company will therefore ask for explicit consent from the Data Subject and will use its best efforts to put in place adequate Personal Data security measures.
For criminal record data, the Company shall acquire the data from evidence received from the Data Subject or from evidence acquired from the competent authority.

3. Objectives in processing the Personal Data

The Company processes Personal Data according to its business objectives and in compliance with professional standards. The legal bases for processing Personal Data shall be as follows:
  • For Contractual Obligation i.e. entering into the employment agreement, complying with the employment agreement, complying with internal rules and regulations or the code of conduct, training, performance evaluation, promotion and salary increment, health and security management.
  • For Legal obligation i.e. complying with the law or an order of the competent authority, i.e. labor protection law, social security insurance, safety and environment law, infectious disease control regulation.
  • For Legitimate interest i.e. human resource management, resource analysis and allocation, training and performance evaluation management, welfare and insurance management, employee activity, budget control, internal and external communication, registration filing, power of attorney, work experience, working environment development, user access control, complaint and fraud management, establishment of legal right.
  • For Vital interest i.e. emergency contact
  • For Public task i.e. health record or illness history to control the pandemic
Where the Company collects Personal Data for the purposes of compliance with the law, a contractual obligation or the necessity to enter into a contract, and the Data Subject rejects or objects to the processing of his/her Personal Data, the Company may not be able to process the Personal Data for the designated purpose.

4. Personal Data collection and retention period

The Company will store Personal Data for as long as necessary to fulfil the objectives of processing. However, the retention period shall not exceed 10 years after the business relationship is terminated, except where retention is necessary to comply with the law or to establish, or to be able to establish, the Company’s legal rights.

The Company may retain the Personal Data of an employee’s family member(s) for as long as necessary to serve welfare purposes according to the internal human resource management rules.

Where the Company processes Personal Data on the basis of consent, the Company shall process the Personal Data until the consent has been withdrawn and the Company has considered the withdrawal of consent as requested. However, if the employee status has been terminated, the Company shall immediately delete or destroy sensitive personal data, i.e. health record, biometric data, criminal record, except where it is necessary for the legitimate interest of the Company. In such a case, the Company shall retain the sensitive personal data of the employee for as long as permitted by law.

The Company may collect the Personal Data of a candidate for future job opportunities. If the candidate does not wish the Company to collect his or her Personal Data for this purpose, the candidate may contact the Company to exercise the Data Subject Rights as detailed below.
The Company shall take appropriate action to erase, destroy or anonymize the Personal Data at the end of the retention period, or when requested by the Data Subject.

5. Disclosure of Your Personal Data

The Company may disclose the Personal Data to the following stakeholders:
  • A limited number of the Company’s employees shall be able to access and process the personal data. The Company shall check the access rights regularly to ensure that the Personal Data is used only as necessary and on reasonable grounds.
  • Government agencies or other agencies that carry out their duties or legal authorities, such as the Office of Insurance Commission, the Anti-Money Laundering Office, the Bank of Thailand, the National Anti-corruption Commission, the Securities and Exchange Commission, and the Royal Thai Police, or other relevant persons relating to the establishment of legal rights.
  • Insurance association organizations, i.e. Thai Life Assurance Association and other relevant associations.
  • Other stakeholders, i.e. financial institute, IT service provider, data analysis service provider, marketing researcher, researcher, consultant, professional service, lawyer, doctor consultant, financial auditor, payment agency or other service provider.
  • Security registrar
When disclosing Personal Data to the stakeholders listed above, the Company shall ensure that the receiver has appropriate measures to protect the Personal Data, processes the Personal Data as necessary within the scope and objectives agreed by the Company, and is able to prevent misuse or unauthorized disclosure of the Personal Data.

6. Cross-border transfer

The Company may transfer Personal Data across borders to any person or entity located outside Thailand. The Personal Data might also be stored on a third-party service provider's server, a cloud service or standard software.
Where there is a cross-border transfer, the Company shall comply with the conditions of PDPA and/or any sub-regulation and shall seek appropriate protection to ensure the security of the Personal Data. The Company shall ensure that the receiver has appropriate measures to protect the Personal Data, processes the Personal Data as necessary within the scope and objectives agreed by the Company, and is able to prevent misuse or unauthorized disclosure of the Personal Data.

7. Personal Data security measure

The Company realizes the importance of personal data security measures and establishes proper technical, physical and organizational measures to ensure personal data security. The security standard shall be consistent with the 3 principles of Confidentiality, Integrity and Availability, i.e. the security standard for access control, which includes permission to access personal data, access control, user responsibility, access management, audit trail, and physical security measures to prevent the loss, access, damage, use, modification or unauthorized disclosure of Personal Data.
The Company shall review the security measures regularly, when necessary, or in case of an abrupt change in technology, to ensure the soundness of the security measures.

8. Data Subject Rights

PDPA specifies the rights of Data Subject as follows:

(1) Right to withdraw consent: the Data Subject has the right to withdraw consent at any time (whether the consent was given before or after the enforcement of PDPA), except where there is a limitation on withdrawing the consent as specified by law or there is a contractual obligation which benefits the Data Subject. However, the withdrawal of consent does not affect the collection, use or disclosure of personal data based on consent before its withdrawal, and the withdrawal might result in an incomplete transaction or service.

(2) Right to be informed: the Data Subject has a right to be informed of the details of the processing of the Personal Data before or at the time of Personal Data collection.

(3) Right to access: the Data Subject has a right to request access to and copies of personal data relating to him or her which is in the possession of the Company.

(4) Right to object: the Data Subject has a right to object to the collection, use or disclosure of his/her personal data at any time.

(5) Right to be erased or right to be forgotten: the Data Subject has a right to request the erasure or de-identification of his/her Personal Data.

(6) Right to restrict the processing: the Data Subject has a right to request the Company to suspend the use of personal data.

(7) Right to rectification: where the Personal Data stored by the Company is outdated, incorrect or incomplete, the Data Subject has the right to request the Company to rectify the data so that it is accurate, up to date, complete and not misleading.

(8) Right to data portability: the Data Subject has a right to request the Company to transfer the personal data to other data controllers if this can be done by automatic means.

(9) Right to lodge a complaint: the Data Subject has a right to file a complaint with the Personal Data Protection Commissioner in case the Company breaches or does not comply with PDPA.

The Company shall process the Data Subject’s rights request as requested by the Data Subject and shall notify the requestor of the result of its consideration within 30 days after receiving the Data Subject right request form and the reference document(s). In this regard, the Company reserves the right to reject the request as appropriate and as permitted by law.

9. Review and change of the policy

From time to time, the Company may modify or edit the policy as appropriate to ensure consistency with regulatory requirements, changes in the Company’s direction and comments from the competent authority. In this regard, the Company shall notify the public of the change.

10. Contact DPO

In cases where you have questions concerning the collection, use and/or disclosure of your personal data or you wish to exercise rights as the Data Subject, you can contact the Company at:

Data Protection Officer (DPO)

THAIRE LIFE ASSURANCE PUBLIC COMPANY LIMITED
48/15 Soi Rajchadapisek 20, Rajchadapisek Road,
Samsennok, Huaykwang Bangkok 10310
Tel: (662) 666 9000 Facsimile: (662) 277 6227
E-mail: pdpa@thairelife.co.th