Personal Data Protection Policy for Reinsurance

Thaire Life Assurance Public Company Limited recognizes the importance of the right to privacy and the right to personal data, which are construed as fundamental human rights that shall be protected and respected. The Company therefore establishes this Personal Data Protection Policy to guide compliance with the Personal Data Protection Act B.E. 2562, to protect the privacy right of the Data Subject, and to notify the details of the processing of personal data as required by law. Details are as follows:

1. Definition
 
Company, We: Thaire Life Assurance Public Company Limited
PDPA: Personal Data Protection Act B.E. 2562
Personal Data: Any data which, directly or indirectly, identifies an individual, but not including the data of the deceased.
Data Subject: Any natural person whose Personal Data has been processed.
Process: Any processing of the Personal Data

2. Personal Data Collected by the Company

The Company’s core business is life reinsurance; the contractual party is mainly a direct life insurance company, and our core business can be considered a “business to business” (B2B) operation. The direct insurer will transfer all or some portion of the risk from its insurance coverage to the Company. The Company does not directly contact the insured; we acquire the personal data of the insured or beneficiaries through disclosure by the life insurance company that is our contractual party, pursuant to Section 27 paragraph 2 of the Personal Data Protection Act B.E. 2562 (2019).
The Company may collect the Personal Data of the Data Subject, who might include the insured, beneficiary, legal representative, life insurance agent or broker and any other relevant persons. The general personal data which the Company collects shall be as follows:
  • Personal identification data i.e. first name, last name, identification/passport number, date of birth, age, occupation, gender, marital status, photograph.
  • Contact data i.e. telephone number, address, E-mail.
  • Financial data i.e. income, source of income, bank account, bank statement, loan, investment, credit card or other payment information.
It is necessary for the Company to collect the following sensitive personal data:
  • Health and disability data i.e. history of medical treatment, record of medical examinations, medication dispensing history, including health-related questions and any data or matter concerning life insurance policies or claims.
  • Biometric data i.e. blood type
  • Sexual behavior data
 
3. Objectives in processing the Personal Data

The Company processes the Personal Data according to the objectives of the reinsurance agreement, i.e. underwriting, claim or benefit payment, in order to comply with the professional standard. The legal basis for processing the Personal Data shall be as follows:
  • For Legitimate interest: where the Company obtains the Personal Data from a life insurance company. The Company shall process the Personal Data for reinsurance underwriting purposes, and the Company may process the Personal Data for other internal management purposes, i.e. product or service development, pricing, risk management, actuarial analysis, claim or benefit payment, internal audit, marketing or product survey. In this regard, for the processing of Personal Data described above, the legitimate interest of the Company shall outweigh the fundamental right of the Data Subject.
  • For Consent: The Company shall process the sensitive personal data which it obtains from the direct insurer under the consent of the Data Subject; thus, the Company shall ensure that the consent has been properly given and that such consent includes reinsurance activity.
  • For Legal obligation i.e. compliance with regulatory requirements, including but not limited to those of competent authorities, courts or authorized government bodies.
In case the Company collects the Personal Data for the purposes of compliance with the law, a contractual obligation or the necessity to enter into a contract, if the Data Subject rejects or objects to the processing of his/her Personal Data, the Company may not be able to process the Personal Data as per the designated purpose.

4. Personal Data collection and retention period

The Company will store Personal Data as necessary to fulfil the objective of processing; however, the retention period shall not exceed 10 years after the business relationship is terminated, except where it is necessary to comply with the law, or to establish, or be able to establish, the Company’s legal right.

The Company shall take appropriate action to erase, destroy, or anonymize the Personal Data upon the end of the retention period, or when requested by the Data Subject.

5. Disclosure of Your Personal Data

The Company may disclose the Personal Data to the following stakeholders:
  • A limited number of the Company’s employees shall be able to access and process the personal data. The Company shall check the access rights regularly to ensure that the Personal Data is used only as necessary and on reasonable grounds.
  • Government agencies or other agencies that carry out their duties or legal authority, such as the Office of Insurance Commission, the Anti-Money Laundering Office, the Bank of Thailand, the National Anti-corruption Commission, the Securities and Exchange Commission, and the Royal Thai Police.
  • Other stakeholders i.e. financial institute, IT service provider, data analysis service provider, marketing researcher, researcher, consultant, professional service, lawyer, doctor consultant, financial auditor, agency or service provider.
  • Other reinsurers, reinsurance brokers and the life insurance companies who disclose the Personal Data to the Company.
When disclosing Personal Data to the stakeholders listed above, the Company shall ensure that the receiver has appropriate measures to protect the Personal Data, processes the Personal Data only as necessary within the scope and objective agreed by the Company, and is able to prevent the misuse or unauthorized disclosure of the Personal Data.

6. Cross-border transfer

The Company may transfer the Personal Data across borders to any person or entity located outside Thailand; the Personal Data might also be stored on a third-party service provider's server, a cloud service or standard software.

In case there is a cross-border transfer, the Company shall comply with the conditions of the PDPA and/or any sub-regulation and shall seek appropriate protection to ensure the security of the Personal Data. The Company shall ensure that the receiver has appropriate measures to protect the Personal Data, processes the Personal Data only as necessary within the scope and objective agreed by the Company, and is able to prevent the misuse or unauthorized disclosure of the Personal Data.

7. Personal Data security measure

The Company realizes the importance of personal data security measures and establishes proper technical, physical and organizational measures to ensure personal data security. The security standard shall be consistent with the 3 principles of Confidentiality, Integrity and Availability, i.e. the security standard for access control, which includes the permission to access the personal data, access control, user responsibility, access management, audit trail, and physical security measures to prevent the loss, access, damage, use, modification or unauthorized disclosure of Personal Data.
The Company shall arrange a review of the security measures regularly, when necessary, or in case of an abrupt change in technology, to ensure the soundness of the security measures.

8. Data Subject Rights

PDPA specifies the rights of Data Subject as follows:

(1) Right to withdraw consent: the Data Subject has the right to withdraw consent at any time (whether the consent has been given before or after the enforcement of PDPA), except where there is a limitation on withdrawing the consent as specified by law or there is a contractual obligation which benefits the Data Subject. However, the withdrawal of consent does not affect the collection, use or disclosure of personal data based on consent before its withdrawal, and the withdrawal might result in an incomplete transaction or service.

(2) Right to be informed: the Data Subject has a right to be informed of the details of the processing of the Personal Data before or at the time of Personal Data collection.

(3) Right to access: the Data Subject has a right to request access and copies of personal data relating to him or her which is under the possession of the Company.

(4) Right to object: the Data Subject has a right to object to the collection, use or disclosure of his/her personal data at any time.

(5) Right to be erased or right to be forgotten: the Data Subject has a right to request the erasure of his/her personal data or the de-identification of the Personal Data.

(6) Right to restrict the processing: the Data Subject has a right to request the Company to suspend use of personal data.

(7) Right to rectification: in case the Personal Data stored by the Company is outdated, incorrect or incomplete, the Data Subject has the right to request the Company to rectify his/her data so that it is accurate, up to date, complete and not misleading.

(8) Right to data portability: the Data Subject has a right to request the Company to transfer the personal data to other data controllers if this can be done by automatic means.

(9) Right to lodge a complaint: the Data Subject has a right to file a complaint with the Personal Data Protection Commissioner in case the Company breaches or does not comply with PDPA.

The Company shall process the Data Subject’s rights request as requested by the Data Subject and shall notify the requestor of the result of its consideration within 30 days after receiving the Data Subject right request form and the reference document(s). In this regard, the Company reserves the right to reject the request as appropriate and permitted by law.

9. Review and change of the policy

From time to time, the Company may modify or edit the policy as appropriate to ensure consistency with regulatory requirements, changes in the Company’s direction and comments from the competent authority. In this regard, the Company shall notify the public of the change.

10. Contact DPO

In cases where you have questions concerning the collection, use and/or disclosure of your personal data or you wish to exercise rights as the Data Subject, you can contact the Company at:

Data Protection Officer (DPO)

THAIRE LIFE ASSURANCE PUBLIC COMPANY LIMITED
48/15 Soi Rajchadapisek 20, Rajchadapisek Road,
Samsennok, Huaykwang Bangkok 10310
Tel: (662) 666 9000 Facsimile: (662) 277 6227
E-mail: pdpa@thairelife.co.th