Personal Data Protection Policy for Shareholders and Directors

Thaire Life Assurance Public Company Limited recognizes the importance of the right to privacy and the right to personal data, which are construed as fundamental human rights that shall be protected and respected. The Company therefore establishes this Personal Data Protection Policy to guide compliance with the Personal Data Protection Act B.E. 2562, to protect the privacy rights of the Data Subject, and to notify the details of processing personal data as required by law. The details are as follows:

1. Definition
 
Company, We: Thaire Life Assurance Public Company Limited
PDPA: Personal Data Protection Act B.E. 2562
Personal Data: Any data which, directly or indirectly, identifies an individual, not including the data of deceased persons.
Data Subject: Any natural person whose Personal Data is processed.
Process: Any processing of the Personal Data.
 
2. Personal Data Collected by the Company

The Company collects the Personal Data of Data Subjects, which might include shareholders, proxies, custodians or legal representatives of shareholders, company directors and director candidates. The Company may acquire the Personal Data directly from the Data Subject or from the registrar. The categories of Personal Data collected are as follows:
  • Personal identification data i.e. first name, last name, identification/passport number, date of birth, age, occupation, gender, marital status, photograph.
  • Contact data i.e. telephone number, address, e-mail, IP address.
  • Financial data i.e. bank account, number of shares, dividend, attendance fee.
  • Meeting attendance data i.e. video recording, voice recording.
  • Other Personal Data i.e. Personal Data of spouse, child and family member, work experience, directorship history, meeting attendance record, director’s performance.
It may be necessary for the Company to collect sensitive Personal Data, i.e. health records and illness history, in order to manage the attendance activities of shareholders or directors. In this regard, the Company will ask for explicit consent from the Data Subject and will use its best effort to put in place adequate Personal Data security measures.

3. Objectives in processing the Personal Data

The Company processes the Personal Data in accordance with its business objectives and in compliance with professional standards. The legal bases for processing the Personal Data are as follows:
  • For Legal obligation i.e. Company internal management, establishment of the company, capital injection, corporate structure adjustment, change of registration, director selection and appointment, Board of Directors’ meetings, shareholder meetings, management of shareholder duties and obligations, dividend payment, audit reports, document management, and compliance with the law or an order of the competent authority.
  • For Legitimate interest i.e. Company internal management, video or voice recording, security, activities, Directors’ insurance, newsletters or special offers for shareholders or directors, and establishment of legal rights.
  • For Vital interest i.e. emergency contact.
  • For Public task i.e. health records or illness history to control the pandemic.
Where the Company collects the Personal Data for the purpose of complying with the law, a contractual obligation or the necessity to enter into a contract, if the Data Subject rejects or objects to the processing of his/her Personal Data, the Company may not be able to process the Personal Data for the designated purpose.

4. Personal Data collection and retention period

The Company will store Personal Data as necessary to fulfil the objectives of processing. However, the retention period shall not exceed 10 years after the business relationship is terminated, except where longer retention is necessary to comply with the law, or to establish or be able to establish the Company’s legal rights.
The Company shall take appropriate action to erase, destroy, or anonymize the Personal Data at the end of the retention period, or when requested by the Data Subject.

5. Disclosure of Your Personal Data

The Company may disclose the Personal Data to the following stakeholders:
  • A limited number of the Company’s employees, who shall be able to access and process the Personal Data. The Company shall check access rights regularly to ensure that the Personal Data is used only as necessary and on reasonable grounds.
  • Government agencies or other agencies that carry out their duties or legal authority, such as the Office of Insurance Commission, the Anti-Money Laundering Office, the Bank of Thailand, the National Anti-corruption Commission, the Securities and Exchange Commission, and the Royal Thai Police, or other relevant persons relating to the establishment of legal rights.
  • Insurance association organizations i.e. the Thai Life Assurance Association and other relevant associations.
  • Other stakeholders i.e. financial institutions, IT service providers, data analysis service providers, marketing researchers, researchers, consultants, professional services, lawyers, doctor consultants, financial auditors, payment agencies or other service providers.
  • Securities registrar
When disclosing Personal Data to the stakeholders listed above, the Company shall ensure that the receiver has appropriate measures to protect the Personal Data, processes the Personal Data only as necessary within the scope and objectives agreed by the Company, and is able to prevent misuse or unauthorized disclosure of the Personal Data.

6. Cross-border transfer

The Company may transfer the Personal Data across borders to any person or entity located outside Thailand. The Personal Data might also be stored on a third-party service provider’s server, a cloud service or standard software.

Where there is a cross-border transfer, the Company shall comply with the conditions of PDPA and/or any sub-regulation and shall seek appropriate protection to ensure the security of the Personal Data. The Company shall ensure that the receiver has appropriate measures to protect the Personal Data, processes the Personal Data only as necessary within the scope and objectives agreed by the Company, and is able to prevent misuse or unauthorized disclosure of the Personal Data.

7. Personal Data security measure

The Company realizes the importance of personal data security measures and establishes proper technical, physical and organizational measures to ensure personal data security. The security standard shall be consistent with the 3 principles of Confidentiality, Integrity and Availability, i.e. the security standard for access control, which includes permission to access personal data, access control, user responsibility, access management, audit trail, and physical security measures to prevent the loss, access, damage, use, modification or unauthorized disclosure of Personal Data.
The Company shall arrange a review of the security measures regularly, when necessary, or in case of an abrupt change in technology, to ensure the soundness of the security measures.

8. Data Subject Rights

PDPA specifies the rights of Data Subject as follows:

(1) Right to withdraw consent: the Data Subject has the right to withdraw consent at any time (whether the consent was given before or after the enforcement of PDPA), except where there is a limitation on withdrawing the consent as specified by law or there is a contractual obligation which benefits the Data Subject. However, the withdrawal of consent does not affect the collection, use or disclosure of personal data based on consent before its withdrawal, and the withdrawal might result in an incomplete transaction or service.

(2) Right to be informed: the Data Subject has a right to be informed of the details of processing the Personal Data before or at the time of Personal Data collection.

(3) Right to access: the Data Subject has a right to request access to and copies of personal data relating to him or her which is in the possession of the Company.

(4) Right to object: the Data Subject has a right to object to the collection, use or disclosure of his/her personal data at any time.

(5) Right to be erased or right to be forgotten: the Data Subject has a right to request the erasure or de-identification of his/her Personal Data.

(6) Right to restrict the processing: the Data Subject has a right to request the Company to suspend use of personal data.

(7) Right to rectification: in case the Personal Data stored by the Company is outdated, incorrect or incomplete, the Data Subject has the right to request the Company to rectify his/her data so that it is accurate, up to date, complete and not misleading.

(8) Right to data portability: the Data Subject has a right to request the Company to transfer the personal data to other data controllers if this can be done by automatic means.

(9) Right to lodge a complaint: the Data Subject has a right to file a complaint with the Personal Data Protection Commissioner in case the Company breaches or does not comply with PDPA.

The Company shall process the Data Subject’s right request as requested by the Data Subject and shall notify the requestor of the result of its consideration within 30 days after receiving the Data Subject right request form and the reference document(s). In this regard, the Company reserves the right to reject the request as appropriate and permitted by law.

9. Review and change of the policy

From time to time, the Company may modify or edit the policy as appropriate to ensure consistency with regulatory requirements, changes in the Company’s direction and comments from the competent authority. In this regard, the Company shall notify the public of the change.

10. Contact DPO

In cases where you have questions concerning the collection, use and/or disclosure of your personal data or you wish to exercise rights as the Data Subject, you can contact the Company at:

Data Protection Officer (DPO)

THAIRE LIFE ASSURANCE PUBLIC COMPANY LIMITED
48/15 Soi Rajchadapisek 20, Rajchadapisek Road,
Samsennok, Huaykwang Bangkok 10310
Tel: (662) 666 9000 Facsimile: (662) 277 6227
E-mail: pdpa@thairelife.co.th