Personal Data Protection Policy for Individual
Thaire Life Assurance Public Company Limited recognizes the importance of privacy right and personal data right which construed as a fundamental human right that shall be protected and respected. The Company, therefore, establishes this Personal Data Protection Policy to guide the compliance to Personal Data Protection Act B.E.2562 and protect the privacy right of the Data Subject and notify the detail on processing the personal data as required by law. Detail as follows:
1. Definition
2. Personal Data Collected by the Company
The Company collects the Personal Data of the Data Subject which might include Vendor, Supplier, Business Partner or legal representative of such company. The category of Personal Data collected are as follows:
The Company processes the Personal Data according to the objective of reinsurance agreement i.e. underwriting, claim or benefit payment in order to comply the professional standard. The legal basis for processing the Personal Data shall be as follows:
4. Personal Data collection and retention period
The Company will store Personal Data as necessary to perform as per the objective of processing, however, the retention period shall not exceeding 11 years after the business relationship is terminated, except where it is necessary to comply with the law, or any establishment or capable to establish the Company’s legal right.
Without a prior notification to the Data Subject, the Company shall take appropriate action to erase, destroy, or anonymous the Personal Data upon the end of retention period, or when requested by the Data Subject.
5. Disclosure of Your Personal Data
The Company may disclose the Personal Data to the following stakeholders:
6. Cross-border transfer
The Company may cross-border transfer the Personal Data to any person or entity located outside Thailand, also the Personal Data might be stored on third party service provider server or cloud service or standard software.
In case there is a cross-border transfer, the Company shall comply with the condition of PDPA and/or any sub-regulation and shall seek for an appropriate protection to ensure the security of Personal Data and Company shall ensure that the receiver has an appropriate measure to protect the Personal Data and process the Personal Data as necessary within the scope and objective as agreed by the Company, also ensure that the receiver is able to prevent the misuse or unauthorized disclosure of the Personal Data.
7. Personal Data security measure
The Company realizes the important of personal data security measure and establishes a proper technical, physical and organizational measures to ensure the personal data security. The security standard shall be consistent with the 3 principles which are Confidential, Integrity and Availability i.e. The security standard in access control which includes the permission to access the personal data, access control, user responsibility, access management, audit trail, physical security measure to prevent the loss, access, damage, use, modify or unauthorized disclosure of Personal Data.
The Company shall arrange a regular review of security measure or when necessary or in case of abruptly change to the technology to ensure the soundness of security measure.
8. Data Subject Rights
PDPA specifies the rights of Data Subject as follows:
(1) Right to withdraw consent: the Data Subject has the right to withdraw consent at any time (whether the consent has been given before or after the enforcement of PDPA), except where there is a limitation on withdrawing the consent as specified by law or there is a contractual obligation which benefit to the Data Subject. However, the withdrawal of consent does not effect on collection, use or disclosure of personal data based on consent before its withdrawal and the withdrawal might result to the incomplete transaction or service.
(2) Right to be informed: the Data Subject has a right to be informed the detail of processing the Personal Data before or at the time of Personal Data collection.
(3) Right to access: the Data Subject has a right to request access and copies of personal data relating to him or her which is under the possession of the Company.
(4) Right to object: the Data Subject has a right to object the collection, use or disclosure of your personal data at any time.
(5) Right to be erased or right to be forgotten: the Data Subject has a right to request for the erasure of his/her personal data or de-identify the Personal Data.
(6) Right to restrict the processing: the Data Subject has a right to request the Company to suspend use of personal data.
(7) Right to rectification: In case the Personal Data stored by the Company is outdated, incorrect or incomplete, the Data Subject has the right to request the Company to rectify your data to be accurate, up to date, complete and not misleading.
(8) Right to data portability: the Data Subject has a right to request the Company to transfer the personal data to the other data controllers if doable by automatic means.
(9) Right to lodge a complaint: the Data Subject has a right to file the complaint to Personal Data Protection Commissioner, in case the Company breach or does not comply with PDPA.
The Company shall process the Data subject’s right request as per the request from the Data Subject and shall notify the result of consideration to the requestor within 30 days after received the Data Subject right request form and the reference document(s). In this regards, the Company reserves the right to reject the request as appropriate and permitted by law.
9. Review and change of the policy
From time to time, the Company may modify or edit the policy as appropriate to ensure the consistency with the regulatory requirement, the change of Company’s direction and the comment from competent authority. In this regards, the Company shall notify the change to the public.
10. Contact DPO
In cases where you have questions concerning the collection, use and/or disclosure of your personal data or you wish to exercise rights as the Data Subject, you can contact the Company at:
Data Protection Officer (DPO)
THAIRE LIFE ASSURANCE PUBLIC COMPANY LIMITED
48/15 Soi Rajchadapisek 20, Rajchadapisek Road,
Samsennok, Huaykwang Bangkok 10310
Tel: (662) 666 9000 Facsimile: (662) 277 6227
E-mail: pdpa@thairelife.co.th
| Company, We | Thaire Life Assurance Public Company Limited |
| PDPA | Personal Data Protection Act B.E2562 |
| Personal Data | Any data which, directly or indirectly, identify the individual, but not include the data of the death. |
| Data Subject | Any natural person whom Personal Data has been processed. |
| Process | Any processing to the Personal Data |
2. Personal Data Collected by the Company
The Company collects the Personal Data of the Data Subject which might include Vendor, Supplier, Business Partner or legal representative of such company. The category of Personal Data collected are as follows:
- Personal identification data i.e. first name, last name, identification/passport number, date of birth, age, occupation, gender, marital status, photograph.
- Contact data i.e. telephone number, address, E-mail, IP address.
- Technical data i.e. Website and system data, Computer traffic data, Application, Cookies
The Company processes the Personal Data according to the objective of reinsurance agreement i.e. underwriting, claim or benefit payment in order to comply the professional standard. The legal basis for processing the Personal Data shall be as follows:
- For Contractual Obligation: To enter the contract between the Company and Individual.
- For Legitimate interest: In case the Company acquires the Personal Data from the disclosure of any third party, the Company shall process such personal data for internal management purpose, product development, collaboration with the business partner, offer or design a product and/or service related to life insurance, market research, insight analysis and actuary or statistic research for processing the customer website, application or platform’s access behavior. For security of the employee, third party or Company’s asset. However, the important of the activity shall overwhelm the fundamental right of the Data Subject.
- For Consent: To process the Personal Data for marketing purpose, the Company shall acquire prior consent from the Data Subject or ensure that the vendor or business partner has properly acquired the consent from Data Subject. However, the Data Subject shall, at his/her sole discretion, withdraw the consent at any time, except where the consent is the pre-condition to acquire a special privilege, if the consent has been withdraw, the Company reserves the right to reject a special privilege offered.
- For Legal obligation i.e. the compliance to regulatory requirement, including but not limited to a competent authorities, court or authorized government body.
4. Personal Data collection and retention period
The Company will store Personal Data as necessary to perform as per the objective of processing, however, the retention period shall not exceeding 11 years after the business relationship is terminated, except where it is necessary to comply with the law, or any establishment or capable to establish the Company’s legal right.
Without a prior notification to the Data Subject, the Company shall take appropriate action to erase, destroy, or anonymous the Personal Data upon the end of retention period, or when requested by the Data Subject.
5. Disclosure of Your Personal Data
The Company may disclose the Personal Data to the following stakeholders:
- A limited number of the Company’s employees shall be able to access and process the personal data. The Company shall check the access right regularly to ensure that the Personal Data is used only as necessary and on a reasonable ground.
- Government agencies or other agencies that carry out their duties or legal authorities, such as the Office of Insurance Commission, the Anti-Money Laundering Office, the Bank of Thailand, the National Anti-corruption Commission, the Securities and Exchange Commission, and the Royal Thai Police.
- Other stakeholder’s i.e. financial institute, IT service provider, agency or service provider, professional service provider.
- Business partner i.e. Life insurance broker, the business partner who co-developing the product or service related to life insurance business.
6. Cross-border transfer
The Company may cross-border transfer the Personal Data to any person or entity located outside Thailand, also the Personal Data might be stored on third party service provider server or cloud service or standard software.
In case there is a cross-border transfer, the Company shall comply with the condition of PDPA and/or any sub-regulation and shall seek for an appropriate protection to ensure the security of Personal Data and Company shall ensure that the receiver has an appropriate measure to protect the Personal Data and process the Personal Data as necessary within the scope and objective as agreed by the Company, also ensure that the receiver is able to prevent the misuse or unauthorized disclosure of the Personal Data.
7. Personal Data security measure
The Company realizes the important of personal data security measure and establishes a proper technical, physical and organizational measures to ensure the personal data security. The security standard shall be consistent with the 3 principles which are Confidential, Integrity and Availability i.e. The security standard in access control which includes the permission to access the personal data, access control, user responsibility, access management, audit trail, physical security measure to prevent the loss, access, damage, use, modify or unauthorized disclosure of Personal Data.
The Company shall arrange a regular review of security measure or when necessary or in case of abruptly change to the technology to ensure the soundness of security measure.
8. Data Subject Rights
PDPA specifies the rights of Data Subject as follows:
(1) Right to withdraw consent: the Data Subject has the right to withdraw consent at any time (whether the consent has been given before or after the enforcement of PDPA), except where there is a limitation on withdrawing the consent as specified by law or there is a contractual obligation which benefit to the Data Subject. However, the withdrawal of consent does not effect on collection, use or disclosure of personal data based on consent before its withdrawal and the withdrawal might result to the incomplete transaction or service.
(2) Right to be informed: the Data Subject has a right to be informed the detail of processing the Personal Data before or at the time of Personal Data collection.
(3) Right to access: the Data Subject has a right to request access and copies of personal data relating to him or her which is under the possession of the Company.
(4) Right to object: the Data Subject has a right to object the collection, use or disclosure of your personal data at any time.
(5) Right to be erased or right to be forgotten: the Data Subject has a right to request for the erasure of his/her personal data or de-identify the Personal Data.
(6) Right to restrict the processing: the Data Subject has a right to request the Company to suspend use of personal data.
(7) Right to rectification: In case the Personal Data stored by the Company is outdated, incorrect or incomplete, the Data Subject has the right to request the Company to rectify your data to be accurate, up to date, complete and not misleading.
(8) Right to data portability: the Data Subject has a right to request the Company to transfer the personal data to the other data controllers if doable by automatic means.
(9) Right to lodge a complaint: the Data Subject has a right to file the complaint to Personal Data Protection Commissioner, in case the Company breach or does not comply with PDPA.
The Company shall process the Data subject’s right request as per the request from the Data Subject and shall notify the result of consideration to the requestor within 30 days after received the Data Subject right request form and the reference document(s). In this regards, the Company reserves the right to reject the request as appropriate and permitted by law.
9. Review and change of the policy
From time to time, the Company may modify or edit the policy as appropriate to ensure the consistency with the regulatory requirement, the change of Company’s direction and the comment from competent authority. In this regards, the Company shall notify the change to the public.
10. Contact DPO
In cases where you have questions concerning the collection, use and/or disclosure of your personal data or you wish to exercise rights as the Data Subject, you can contact the Company at:
Data Protection Officer (DPO)
THAIRE LIFE ASSURANCE PUBLIC COMPANY LIMITED
48/15 Soi Rajchadapisek 20, Rajchadapisek Road,
Samsennok, Huaykwang Bangkok 10310
Tel: (662) 666 9000 Facsimile: (662) 277 6227
E-mail: pdpa@thairelife.co.th